Layered Security – Certified Practices
We utilize appropriate administrative, physical, and technical safeguards to help protect the security, confidentiality, and integrity of our customers’ data. We provide security at the systems and applications layers while our cloud provider, Amazon Web Services (AWS), provides security for its infrastructure and data centers.
Janrain has been certified ISO 27001:2013 compliant since 2014 and was re-certified in 2017. Janrain’s ISO 27001:2013 and ISO 27018:2014 certificate is available here, and may be verified by A-Lign, an independent provider of attestation and compliance services, at http://www.a-lign.com/services/iso-27001/methodology-and-inquiries/.
Every Janrain department and all Janrain Identity Cloud CIAM products are included in Janrain’s ISO scope. Janrain is audited against every ISO 27001:2013 and ISO 27018:2014 clause and control. Janrain as an organization uses ISO 27002 as the base code of practice for the controls comprising our Information Security Management System. Janrain is committed to protecting the confidentiality, integrity, and availability of the data and systems which comprise the Janrain Identity Cloud™.
For its part, AWS has successfully completed multiple SAS 70 Type II audits and publishes SOC 1, 2, and 3 reports. AWS has also achieved ISO 27001 certification, among others. For details on AWS security, certifications and accreditations, please visit http://aws.amazon.com/security/.
Protecting Data in Motion
All social and conventional (user ID/password) logins and retrieval queries are encrypted with transport layer security (TLS, the successor to SSL), so our customers and their users have an authenticated, encrypted connection to our services and their data. We provision, manage, and renew all TLS certificates on behalf of our customers to secure their communications with Janrain services. These certificates use RSA keys of at least 2048 bits.
Janrain single sign-on passes user authentication state (and, optionally, identity information) between sites within a predefined circle of trust. The receiving site is checked against a hardened whitelist (allowlist) of approved sites at the time of each transaction, before any sensitive user data is passed; a site that is not on the list receives nothing. To protect personally identifiable information and all other data, user data retrieved via Janrain can be read only with a valid access token, which is delivered to our customer during authentication.
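The allowlist check described above has one classic failure mode: a prefix or substring match lets an attacker-controlled host such as shop.example.com.attacker.net, or a URL with user-info like https://shop.example.com@attacker.net/, pass as a trusted site. The following is an added example, not Janrain's code, showing the naive check beside an exact-origin check; the site names and the CIRCLE_OF_TRUST set are constructed for illustration.

```python
"""Exact-origin allowlist check for an SSO circle of trust (illustrative example)."""
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist of exact origins (scheme + host + explicit non-default port).
# Hypothetical site names; a real deployment would load these from configuration.
CIRCLE_OF_TRUST = {
    "https://shop.example.com",
    "https://support.example.com",
    "https://members.example.org:8443",
}


def naive_is_trusted(url: str, allowlist=CIRCLE_OF_TRUST) -> bool:
    """The weak version: a prefix match. Accepts https://shop.example.com.attacker.net."""
    return any(url.startswith(site) for site in allowlist)


def origin_of(url: str) -> Optional[str]:
    """Return the canonical https origin of url, or None if it is not a usable https URL."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return None
    if parts.scheme != "https" or not parts.hostname:
        return None
    host = parts.hostname.lower()  # hostname already strips any user@ prefix
    if port is None or port == 443:
        return f"https://{host}"
    return f"https://{host}:{port}"


def is_trusted_site(url: str, allowlist=CIRCLE_OF_TRUST) -> bool:
    """The hardened version: the parsed origin must match an allowlisted origin exactly."""
    origin = origin_of(url)
    return origin is not None and origin in allowlist


if __name__ == "__main__":
    for candidate in (
        "https://shop.example.com/sso/callback?state=abc",
        "https://shop.example.com.attacker.net/sso/callback",
        "https://shop.example.com@attacker.net/",
        "http://shop.example.com/",
    ):
        print(f"{candidate!r:55} naive={naive_is_trusted(candidate)!s:5} exact={is_trusted_site(candidate)}")
```

The check is applied per transaction on the full target URL, so a change to the allowlist takes effect immediately and a trusted site that later drops TLS is rejected rather than silently downgraded.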
Protecting Data at Rest
Each Janrain customer deployment and its associated data is isolated in its own logically discrete production environment, so a customer can see only its own data. We validate customer schemas at deployment time to ensure that sensitive data elements such as passwords are not stored in the clear. Multitenant security controls, including unique session tokens, configurable session timeout values, and password policies, are applied to prevent unauthorized access. We also offer encryption of data at rest in development, production, and backup environments.
Our APIs implement the OAuth 2.0 standard, so customers can grant their partners, customer service representatives, and other members of their organization selective access to user data (scoped access tokens) while continuing to protect sensitive user information. Dashboard access is enforced via roles.
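Two of the controls in this paragraph, a deployment-time schema check for cleartext password fields and salted password hashing, are shown together below as an added example (not Janrain's code or schema format). The attribute-list shape of the schema, the type name "password", and the PBKDF2 parameters are assumptions made for the example.

```python
"""Schema check for cleartext secrets plus salted password hashing (illustrative example)."""
import base64
import binascii
import hashlib
import hmac
import os

# Assumed schema shape: {"attributes": [{"name": ..., "type": ..., "readable": bool}, ...]}
# where type "password" means the value is stored only as a salted hash and is never readable.
SENSITIVE_NAME_PARTS = ("password", "passwd", "secret")
PBKDF2_ITERATIONS = 600_000  # OWASP 2023 floor for PBKDF2-HMAC-SHA256


def validate_schema(schema: dict) -> list:
    """Return a list of problems; an empty list means the schema may be deployed."""
    problems = []
    for attr in schema.get("attributes", []):
        name = str(attr.get("name", ""))
        kind = attr.get("type")
        if any(part in name.lower() for part in SENSITIVE_NAME_PARTS) and kind != "password":
            problems.append(f"{name}: sensitive attribute must use type 'password', not {kind!r}")
        if kind == "password" and attr.get("readable", False):
            problems.append(f"{name}: password attributes must not be readable")
    return problems


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt>$<hash>' with a fresh 16-byte random salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; constant-time compare."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    except (ValueError, binascii.Error):
        return False
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    bad = {"attributes": [{"name": "email", "type": "string"}, {"name": "password", "type": "string"}]}
    good = {"attributes": [{"name": "email", "type": "string"}, {"name": "password", "type": "password"}]}
    print(validate_schema(bad))   # one problem: password stored as a plain string
    print(validate_schema(good))  # []
    record = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", record), verify_password("wrong", record))
```

Because the iteration count travels with the stored value, a deployment can raise PBKDF2_ITERATIONS later and existing records still verify until they are re-hashed on the user's next successful login.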
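The "valid access token" gate in the Protecting Data in Motion section and the scoped OAuth 2.0 access described here come together at the point where user data is released: the resource server verifies the token's signature and expiry, then returns only the attributes the token's scopes permit. The following added example (not Janrain's code) illustrates that with a minimal HMAC-signed bearer token; the token format, the scope names, the attribute-to-scope mapping, and the secret are all constructed for the example, and a real deployment would use a standard token format and an issuer-side key.

```python
"""HMAC-signed bearer token with scope-limited attribute release (illustrative example)."""
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed mapping from OAuth scope to the user attributes it unlocks.
SCOPE_ATTRIBUTES = {
    "profile:basic": {"displayName", "email"},
    "profile:contact": {"phone", "address"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, subject: str, scopes, ttl: int = 3600, now: Optional[int] = None) -> str:
    """Return '<payload>.<signature>' where the signature is HMAC-SHA256 over the payload."""
    now = int(time.time()) if now is None else now
    payload = {"sub": subject, "scope": sorted(scopes), "iat": now, "exp": now + ttl}
    body = _b64url(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode("utf-8"))
    signature = _b64url(hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest())
    return f"{body}.{signature}"


def verify_token(secret: bytes, token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the payload if the signature is valid and the token is unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        body, signature = token.split(".")
        expected = _b64url(hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest())
        if not hmac.compare_digest(signature, expected):  # check signature before parsing
            return None
        payload = json.loads(_b64url_decode(body))
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return None
    if not isinstance(payload, dict) or not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    return payload


def read_profile(secret: bytes, token: str, record: dict, now: Optional[int] = None) -> dict:
    """Release only the attributes of record that the token's scopes allow."""
    payload = verify_token(secret, token, now)
    if payload is None:
        raise PermissionError("invalid or expired access token")
    allowed = set().union(*(SCOPE_ATTRIBUTES.get(s, set()) for s in payload.get("scope", [])))
    return {name: value for name, value in record.items() if name in allowed}


if __name__ == "__main__":
    secret = b"constructed-demo-secret-not-for-production"
    record = {"uuid": "u-123", "displayName": "Ada", "email": "ada@example.com",
              "phone": "+1 555 0100", "address": "1 Example Way"}
    token = issue_token(secret, "u-123", ["profile:basic"], now=1_700_000_000)
    print(read_profile(secret, token, record, now=1_700_000_100))  # displayName and email only
```

A customer service representative's token carries only the scopes the customer granted, so even a valid token cannot retrieve attributes outside them; a token whose payload was edited to add a scope fails the signature check before its contents are ever parsed.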
Restricting and Monitoring Physical Access
Only authorized operations personnel who have passed the necessary background checks have access to Janrain’s production systems. Access credentials to production systems are never shared between any two Janrain employees. We maintain audit trails for all production access and restrict and monitor physical access at production facilities.
Firewalls, Third Party Testing and Other Safeguards
Additional safeguards deployed for the protection of hosted data include (a) industry standard firewalls for all traffic entering the internal data network from any external source; (b) industry standard virus protection programs and techniques to prevent harmful software code from affecting our services or customer data; and (c) performance and security monitoring to proactively detect and remediate brute force and denial of service attacks. We also subject our systems and applications to vulnerability scans, penetration testing, and intrusion detection. In addition, Janrain conducts background checks of its employees and contractually requires them to maintain the confidentiality of customer information.
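Brute-force detection of the kind mentioned in (c) is, at its core, a sliding-window count of failed logins per source, with the number of distinct accounts targeted distinguishing single-account guessing from credential stuffing or password spraying. The block below is an added example rather than Janrain's monitoring logic; the log line format, the sample lines, and the threshold and window values are constructed for illustration.

```python
"""Sliding-window failed-login detector over constructed auth log lines (illustrative example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format, one event per line.
LOG_RE = re.compile(r"^(?P<ts>\S+) auth result=(?P<result>ok|fail) src=(?P<ip>\S+) user=(?P<user>\S+)$")

# Constructed sample: 10.0.0.5 hammers one account, 203.0.113.9 sprays five accounts,
# 192.0.2.7 fails three times spread over 40 minutes (ordinary user, below threshold).
SAMPLE_LOG = """\
2024-03-01T12:00:00 auth result=fail src=10.0.0.5 user=alice
2024-03-01T12:00:20 auth result=fail src=10.0.0.5 user=alice
2024-03-01T12:00:41 auth result=fail src=10.0.0.5 user=alice
2024-03-01T12:01:02 auth result=ok src=198.51.100.4 user=bob
2024-03-01T12:01:15 auth result=fail src=10.0.0.5 user=alice
2024-03-01T12:01:30 auth result=fail src=192.0.2.7 user=carol
2024-03-01T12:01:44 auth result=fail src=10.0.0.5 user=alice
2024-03-01T12:02:00 auth result=fail src=203.0.113.9 user=dave
2024-03-01T12:02:05 auth result=fail src=203.0.113.9 user=erin
2024-03-01T12:02:10 auth result=fail src=203.0.113.9 user=frank
2024-03-01T12:02:15 auth result=fail src=203.0.113.9 user=grace
2024-03-01T12:02:20 auth result=fail src=203.0.113.9 user=heidi
2024-03-01T12:20:00 auth result=fail src=192.0.2.7 user=carol
2024-03-01T12:40:00 auth result=fail src=192.0.2.7 user=carol
"""


def detect_brute_force(lines, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> list:
    """Return one alert dict per source IP the first time it reaches `threshold` failures
    inside `window`. Each alert carries the failure count and the number of distinct
    accounts targeted, so a spray (many users) can be routed differently from a single-account attack."""
    recent = defaultdict(deque)  # ip -> deque of (timestamp, user) failures inside the window
    alerted = set()
    alerts = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match or match["result"] != "fail":
            continue  # malformed lines and successes do not count toward the window
        ts = datetime.fromisoformat(match["ts"])
        queue = recent[match["ip"]]
        queue.append((ts, match["user"]))
        while queue and ts - queue[0][0] > window:
            queue.popleft()  # drop failures that have aged out of the window
        if len(queue) >= threshold and match["ip"] not in alerted:
            alerted.add(match["ip"])
            alerts.append({
                "ip": match["ip"],
                "failures": len(queue),
                "distinct_users": len({user for _, user in queue}),
                "window_start": queue[0][0].isoformat(),
                "detected_at": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG.splitlines()):
        print(alert)
```

Counting per source IP is only the first signal; the same window applied per target account catches a distributed attack on one user from many addresses, and remediation (rate limiting, CAPTCHA, temporary lockout) should be keyed to whichever dimension fired.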
Scalability, Redundancy, Disaster Recovery and Backups
Janrain services are highly scalable and redundant, absorbing fluctuations in usage while reducing the risk of significant outages. All customer data is stored in secure AWS data centers and can be replicated quickly in the event of a disaster. Data is backed up to servers in a different data center from the one where a customer’s production data is hosted, reducing the risk of loss.
Janrain provides training about confidentiality, privacy, and information security for all new employees as part of its new hire onboarding training. In addition, all Janrain personnel are required to complete an annual security training and are tested on the materials presented.
We encourage our customers to use industry-standard safeguards to protect their own computers, systems, and networks and to secure their administrative access credentials, and we proactively contact our customers about specific security and service issues when appropriate.