Security overview

Identity Security Insights automatically analyzes identity data, system configurations, and activities across on-premises networks, cloud platforms, SaaS apps, and identity providers (IdPs). This lets you spot and address potential security threats—like privileged access vulnerabilities—before attackers can exploit them.

Monitoring

Monitoring allows Insights to:

  • Collect and forward logs, metrics, and traces to a centralized observability platform
  • Enable audit trails and collect security events, forwarding them to a centralized SIEM platform
  • Implement real-time monitoring to detect anomalies, suspicious behavior, and performance issues
  • Store all logs centrally and restrict access to the employees who need them to fulfill their duties

Artificial intelligence (AI) and machine learning (ML)

Insights uses AI and machine learning, directed by security experts, to refine and analyze identity data and spot any unusual activity or anomalies.

Before analysis, Insights normalizes raw identity data from each source into a common semantic model, so that accounts, groups, and entitlements from different platforms can be compared and processed together with AI and ML techniques. Without this normalization, cross-platform patterns could be missed. The normalized view lets the analysis focus on privileged access risks across diverse platforms and reduces false positives.

From the first round of analysis, Identity Security Insights generates clear, actionable findings. If the models detect a pattern that could signal a security issue, it is flagged for further investigation. These potential threats are displayed in the user interface as detections and recommendations with precise, context-rich guidance.

Data retention and decommissioning

Application data retention: Permanent unless manually deleted. This data includes user, connector, exclusion, and notification configuration.

Processed output retention:

  • Inventory: Purged after 15 days of inactivity
  • Event data: Permanent

Decommission: Data is deleted 38 days after trial or license expiration.

Data collected

Identity Security Insights collects account privileges, including:

  • Permissions
  • Groups
  • Roles
  • Entitlements
  • Application permissions
  • Policy
  • User information (such as email address, user name, user attributes, and user activity, including event logs).

Data ingestion is through in-application, customer-managed first-party and third-party connectors.

The data is used to identify and consolidate accounts, define user roles, and set security permissions. The Identity Security Insights pipeline processes this information to generate identity threat detections and recommendations.

ℹ️

Note

For more information, see Identity Security Insights Connectors.

Identity Security Insights does not share personally identifiable information (PII) or security-sensitive data with any third-party service.

Cloud uptime

Section 4 (Availability Service Level), subsection (4), of BeyondTrust's Cloud Service Guide states that the availability SLA for the service is 99.9% during a calendar month.

ℹ️

Note

For more information, see BeyondTrust Corporation Cloud Service Guide.

Architecture

Infrastructure

Identity Security Insights is hosted in AWS and runs on Kubernetes for high availability and scalability of its applications and services.

An on-premises service can be optionally deployed within your network to support local functions for Identity Security Insights, such as collecting data from on-premises Active Directory.

Physical security

ℹ️

Note

For more information, see Physical Access in AWS Cloud Security.

Data security and encryption

Storage, backup, and recovery

Identity Security Insights stores customer data securely in a production AWS account, using Amazon S3 and RDS SQL databases.

Amazon S3 is designed for 99.999999999% (eleven nines) durability, and the service's infrastructure as code (IaC) enables bucket versioning by default for added resiliency. Details on AWS S3 data durability can be found here: Data protection in Amazon S3.

RDS databases are backed up daily with encrypted snapshots, retained for 21 days, in line with AWS best practices. Details on the AWS RDS Automated Backup process can be found here: Introduction to backups.

Data recovery is available through the AWS S3 and RDS consoles.

Network security

The production AWS network follows a three-tier networking architecture, consisting of:

  • Presentation tier: Public facing services (such as AWS CloudFront and AWS Application Load Balancers)
  • Workload tier: Workloads (such as nodes for AWS EKS and AWS Lambda functions that require network access)
  • Data tier: Storage media (such as AWS RDS databases)

The data tier is only accessible from the workload tier and does not have outbound internet access. The workload tier is only accessible from the presentation tier.

All network devices and controls are configured to enable:

  • Traffic filtering (such as AWS security groups)
  • Inspection (such as VPC flow logs)
  • Encryption (such as HTTPS-only transit)
  • Principle of least privilege (such as workload identity-based access and ports only open for required tasks)

In AWS, Virtual Private Clouds (VPCs) and Security Groups implement network controls.
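The tier chain above (internet to presentation, presentation to workload, workload to data, and no outbound internet from the data tier) is easy to state and easy to break with one permissive rule. The following added example, which is not BeyondTrust's tooling, audits a small set of security-group style rules against that model. The `Rule` shape, the tier names, and the sample rule sets are assumptions constructed for illustration; a real check would feed it rules pulled from the AWS API. It also flags ingress from a raw private CIDR, because the page's "workload identity-based access" means a tier should be referenced by its security group, not by an address range.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Allowed ingress peers per tier, from the three-tier description:
# presentation is public, workload is reachable only from presentation,
# data is reachable only from workload.
ALLOWED_INGRESS = {
    "presentation": {"internet"},
    "workload": {"presentation"},
    "data": {"workload"},
}


@dataclass(frozen=True)
class Rule:
    tier: str       # tier whose security group carries the rule (assumed naming)
    direction: str  # "ingress" or "egress"
    peer: str       # a tier name (security-group reference) or a CIDR string
    port: int


def classify_peer(peer: str) -> str:
    """Return a tier name, 'internet', or 'cidr' (a private range not tied to a tier)."""
    if peer in ALLOWED_INGRESS:
        return peer
    net = ip_network(peer, strict=False)
    if net.prefixlen == 0 or not net.is_private:  # 0.0.0.0/0, ::/0, or any public range
        return "internet"
    return "cidr"


def audit(rules):
    """Return a list of human-readable findings; an empty list means the rules fit the tier model."""
    findings = []
    for r in rules:
        peer = classify_peer(r.peer)
        if r.direction == "ingress":
            if peer == "cidr":
                findings.append(
                    f"{r.tier}/{r.port}: ingress from raw CIDR {r.peer}; reference the "
                    "source tier's security group so access follows workload identity"
                )
            elif peer not in ALLOWED_INGRESS[r.tier]:
                findings.append(f"{r.tier}/{r.port}: ingress from {peer} breaks the tier chain")
        elif r.direction == "egress" and r.tier == "data" and peer == "internet":
            findings.append(
                f"data/{r.port}: egress to {r.peer}; the data tier must have no outbound internet access"
            )
    return findings


# Constructed sample: a rule set with the classic mistakes ...
WEAK_RULES = [
    Rule("presentation", "ingress", "0.0.0.0/0", 443),
    Rule("workload", "ingress", "0.0.0.0/0", 22),          # SSH open to the internet
    Rule("data", "ingress", "presentation", 5432),         # skips the workload tier
    Rule("data", "ingress", "10.0.0.0/8", 5432),           # "anything on the VPC"
    Rule("data", "egress", "0.0.0.0/0", 443),              # data tier can reach the internet
]

# ... and the same deployment expressed the way the page describes it.
HARDENED_RULES = [
    Rule("presentation", "ingress", "0.0.0.0/0", 443),
    Rule("workload", "ingress", "presentation", 8443),
    Rule("workload", "egress", "data", 5432),
    Rule("data", "ingress", "workload", 5432),
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit(rules) or "no findings")
```

Egress from the workload tier is deliberately not judged here; the page only constrains the data tier's outbound access, and workload nodes legitimately need egress for the third-party connectors described earlier.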

IP and port restrictions

Organizations that restrict access to Insights by IP address must allow the following public IP addresses for their tenant's region.

📘

Note

Determine the location of your tenant by clicking Manage Tenants on the Insights Home page.

US tenants

  • 54.163.153.193
  • 54.225.135.48
  • 50.16.236.14

EU tenants

  • 3.72.126.244
  • 3.78.41.126
  • 3.125.93.216

The on-premises service of Identity Security Insights (Insights Collector) connects to Active Directory over LDAPS, that is, TLS on TCP port 636.

ℹ️

Note

For more information, see Insights Collector.

Tenant isolation

Within platform services and the lakehouse, tenants are separated primarily by row-level security: data from all tenants resides in the same data stores, and the authenticated user's identity and roles determine which tenants' rows, if any, a query can return.
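Row-level security in a shared store means the database, not each query, applies the tenant predicate, so a query that forgets its `WHERE tenant_id = ...` cannot leak another tenant's rows. The added example below is not BeyondTrust's code and the page does not name the database engine; it uses SQLite, which has no row-level security, and emulates the mechanism with a session-context table and a view (the PostgreSQL equivalent is shown in the comment). The table layout and the sample events are constructed for illustration.

```python
import sqlite3

# PostgreSQL form of the policy this emulation models (assumed; not from the page):
#   ALTER TABLE events ENABLE ROW LEVEL SECURITY;
#   ALTER TABLE events FORCE ROW LEVEL SECURITY;          -- applies to the table owner too
#   CREATE POLICY tenant_rows ON events
#       USING (tenant_id = current_setting('app.tenant_id', true));
# SQLite has neither policies nor current_setting(), so a session_ctx table
# stands in for the session setting and a view stands in for the policy.
SCHEMA = """
CREATE TABLE events (
    id        INTEGER PRIMARY KEY,
    tenant_id TEXT NOT NULL,
    account   TEXT NOT NULL,
    action    TEXT NOT NULL
);
CREATE TABLE session_ctx (key TEXT PRIMARY KEY, value TEXT);
CREATE VIEW tenant_events AS
    SELECT * FROM events
    WHERE tenant_id = (SELECT value FROM session_ctx WHERE key = 'tenant_id');
"""

# Constructed sample rows: two tenants sharing one table.
SAMPLE_EVENTS = [
    ("tenant-a", "alice", "added_to_domain_admins"),
    ("tenant-a", "svc-backup", "password_reset"),
    ("tenant-b", "bob", "added_to_domain_admins"),
]


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO events (tenant_id, account, action) VALUES (?, ?, ?)", SAMPLE_EVENTS
    )
    return conn


def set_tenant(conn: sqlite3.Connection, tenant_id: str) -> None:
    """Equivalent of SET app.tenant_id. The value must come from the caller's
    verified identity and roles, never from request parameters."""
    conn.execute(
        "INSERT OR REPLACE INTO session_ctx (key, value) VALUES ('tenant_id', ?)", (tenant_id,)
    )


def privileged_changes(conn: sqlite3.Connection, scoped: bool = True):
    """A query that forgot its tenant predicate. Against the base table it
    returns every tenant's rows; through the policy view it cannot.
    `scoped` only selects between two fixed identifiers, so no injection risk."""
    table = "tenant_events" if scoped else "events"
    return conn.execute(
        f"SELECT tenant_id, account FROM {table} WHERE action = 'added_to_domain_admins' ORDER BY id"
    ).fetchall()


if __name__ == "__main__":
    db = open_db()
    set_tenant(db, "tenant-a")
    print("through policy view:", privileged_changes(db))
    print("base table (leak):  ", privileged_changes(db, scoped=False))
    print("no tenant context:  ", privileged_changes(open_db()))  # fails closed
```

Two properties matter for a practitioner. First, when no tenant context is set the comparison is against NULL and the view returns nothing, so the design fails closed rather than open. Second, the whole scheme is only as strong as the code that sets the context: in PostgreSQL the `FORCE` variant keeps the owner role from bypassing the policy, and the application role should have no direct `SELECT` on the underlying table.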

Encryption in motion

All internet and intranet connections are encrypted end-to-end and authenticated using industry-standard cryptography (at minimum TLS 1.2 with ECDHE_RSA key exchange and AES128-GCM).

Encryption at rest

AES-256, with a separate key for each storage container.

Encryption in use

Access to decrypted data is scoped to least privilege and granted only to authorized workloads.

Authentication to on-premises services

On-premises services are registered with Identity Security Insights using installation keys, which establish secure communication; authentication is then performed via OAuth.

Security and compliance

BeyondTrust has established and continues to maintain a thorough information security program to ensure the protection of sensitive data through multiple layers of defense. The program aims to safeguard systems and customer information from internal and external security threats and prevent unauthorized disclosure of this information.

This document aims to detail the various controls, methodologies, and guidelines implemented by BeyondTrust to secure customer information. Robust control measures are implemented to aid our organization in meeting the requirements outlined within ISO/IEC 27001 and ISO/IEC 27701, which are standards for managing information security and data protection.

BeyondTrust holds certifications under these standards and the services environment undergoes a SOC 2 Type II audit which can be shared under an NDA.

ℹ️

Note

For more information, see Industry Certifications & Compliance.


©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.