Janrain has implemented administrative, physical and logical security, data protection, and privacy safeguards to protect the security, confidentiality, availability, integrity, and privacy of its clients’ information and their customers’ data. Since the Janrain Identity Cloud® is hosted in Amazon Web Services (AWS), Janrain provides security at the systems and applications layers while AWS provides infrastructure hardening and data center security. Janrain obtained the highest security score of any CIAM vendor in the latest Forrester Wave report (Customer Identity and Access Management, Q2 2017).
Validated Security and Privacy Controls:
- ISO 27001:2013 Certification (Security Program and Risk Management)
- ISO 27018:2014 Certification (PII Protections in the cloud)
- SOC 2 Type II (Security, Availability and Confidentiality Trust Principles)
- HIPAA (storage of protected healthcare information) Security Rule Compliant (Note: All data is stored with the same high level of protection even if it is not healthcare data)
- HITECH (transmission of protected healthcare information) Compliant (Note: All data is transmitted with the same high level of protection even if it is not healthcare data)
- Cloud Security Alliance (CSA STAR) Level 2 Certification by Independent Attestation (This is the highest level of CSA certification since CSA Level 3 Continuous certification is currently in development and does not yet exist. CSA Level 1 is merely a self-assessment questionnaire posted to the CSA website. Janrain will provide its Level 2 CSA Attestation report and Level 1 questionnaire to interested parties under NDA upon request.)
- U.S.-E.U. Privacy Shield Framework
- TRUSTe privacy program
Janrain is also compliant with many other security and privacy regulations not listed above. Some examples:
- OpenID Connect (OIDC) Relying Party Certification http://www.oixnet.org/openid-certifications/janrain/
- SOC 2 Type 2 Processing Integrity and Privacy Trust Principles
- CFR (Code of Federal Regulations) Title 21, Part 11
Data Center Certifications: AWS has also successfully achieved multiple certifications and compliance including ISO 27001:2013, SOC 2, PCI and others. For details on AWS security, certifications and accreditations, please visit https://aws.amazon.com/compliance/
Janrain executive management has instituted a robust Information Security Management System (ISMS) with auditor-verified access control, internal audit, risk assessment and mitigation, change control, training, security incident, and business continuity programs. Janrain employs the principle of least privilege and multi-factor authentication for all production systems. The effectiveness of Janrain’s ISMS is measured by quarterly and annual metrics that accurately reflect the status of the implementation and operation of Janrain security and privacy controls.
Backups: Customer data is always simultaneously written to encrypted databases in multiple data centers (hot/hot backups) in separate availability zones. Point-in-time encrypted secondary backups are taken nightly, stored in multiple databases across availability zones and are kept current with incremental backups taken every 300s.
Monitoring: Janrain continuously monitors the state and health of its production environments for the Janrain Identity Cloud™ CIAM platform. Janrain has automatic monitoring and alerting and an on-call staff 24x7x365.
“Security and Privacy by Design” is one of Janrain’s core tenets. Security and privacy are included throughout the software development lifecycle.
Firewalls and Zero Trust: In addition to industry-standard firewalls for all data entering the internal data network from any external source, Janrain uses security groups, which act as virtual firewalls to control inbound and outbound traffic. Security groups provide the same network-based blocking mechanism that firewalls provide but are easier to manage. Janrain has also architected a zero-trust VPC model to further protect your data. Zero Trust is an alternative security model that addresses the shortcomings of failing perimeter-centric strategies by removing the assumption of trust. With Zero Trust there is no default trust for any entity (users, devices, applications, or packets), regardless of what it is or where it sits on or relative to the corporate network. Please see Janrain’s High Level Infrastructure document. More details: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html and http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Security.html
Field Level Data Scoped Access: Janrain has designed scoped access authorization directly into its CIAM platform. Janrain’s customizable Scoped Access functionality ensures that the sensitive data a registered user submits is only used for the purpose for which it was submitted. Janrain’s CIAM platform enables this scoped access at the field level for however many profile databases you choose to set up. Scoped access gives organizations the ability to grant granular, field-level access rights for each of the client credentials used when querying a user record, which is critical in reducing the risk of customer data exposure. Scoped access makes it possible to grant exactly the type of data access needed by the other systems in an organization’s websites, mobile applications, third-party applications, platforms and services that make up a marketing tech stack. It can even be applied to digital agencies that require select pieces of user data to run a campaign on a company’s behalf. Janrain clients also have the option of defining different scoped access for different sites that all write to the same database.
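To make the field-level model above concrete, here is an added illustration of how per-credential scopes can be enforced on a profile record. This is example code written for this page, not Janrain's implementation or API; the client identifiers, field names, and the sample profile are constructed for the demonstration. Each client credential carries a set of readable fields and a (smaller) set of writable fields; reads are filtered down to the readable set and writes outside the writable set are rejected, so two sites that share one database can still see different slices of the same record.

```python
from dataclasses import dataclass


class ScopeViolation(PermissionError):
    """Raised when a client credential attempts a write outside its scope."""


@dataclass(frozen=True)
class ClientScope:
    """Field-level scope attached to one client credential (hypothetical model)."""
    client_id: str
    readable: frozenset
    writable: frozenset = frozenset()

    def __post_init__(self):
        # A field a client may write, it must also be allowed to read back.
        if not self.writable <= self.readable:
            raise ValueError(f"{self.client_id}: writable fields must be a subset of readable")


# Constructed sample profile record; field names are hypothetical.
PROFILE = {
    "uuid": "0f6c2a4e-0000-4000-8000-000000000001",
    "email": "alice@example.com",
    "displayName": "Alice",
    "birthday": "1990-04-01",
    "password": "<constructed placeholder for a password hash>",
    "marketingOptIn": True,
}

# Constructed scopes for three credentials that all hit the same database.
# Note that no scope lists "password", so no caller can ever read it back.
SCOPES = {
    "web-registration": ClientScope(
        "web-registration",
        readable=frozenset({"uuid", "email", "displayName", "birthday", "marketingOptIn"}),
        writable=frozenset({"email", "displayName", "birthday", "marketingOptIn"}),
    ),
    "mobile-app": ClientScope(
        "mobile-app",
        readable=frozenset({"uuid", "email", "displayName"}),
        writable=frozenset({"displayName"}),
    ),
    # An agency running a campaign gets read-only access to two fields.
    "campaign-agency": ClientScope(
        "campaign-agency",
        readable=frozenset({"email", "marketingOptIn"}),
    ),
}


def resolve_scope(client_id):
    """Look up the scope for a credential; unknown credentials get nothing."""
    scope = SCOPES.get(client_id)
    if scope is None:
        raise ScopeViolation(f"unknown client credential {client_id!r}")
    return scope


def read_profile(record, scope):
    """Return only the fields the credential is scoped to read."""
    return {k: v for k, v in record.items() if k in scope.readable}


def denied_writes(scope, changes):
    """List the requested fields that fall outside the credential's write scope."""
    return sorted(set(changes) - scope.writable)


def update_profile(record, scope, changes):
    """Apply changes only if every field is writable; the request is all-or-nothing."""
    out_of_scope = denied_writes(scope, changes)
    if out_of_scope:
        raise ScopeViolation(f"{scope.client_id} may not write fields {out_of_scope}")
    updated = dict(record)
    updated.update(changes)
    return updated


if __name__ == "__main__":
    agency = resolve_scope("campaign-agency")
    print("agency sees:", read_profile(PROFILE, agency))
    try:
        update_profile(PROFILE, agency, {"email": "evil@example.com"})
    except ScopeViolation as exc:
        print("rejected:", exc)
```

The design point worth noting is that the write check is all-or-nothing: a request mixing one permitted field with one out-of-scope field is rejected entirely rather than partially applied, which keeps audit trails simple and avoids silently dropping fields a caller believed it had written.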
Data Protections: All data in transit and at rest is encrypted. Janrain leverages encryption to protect data and virtual machine images during transport across and between networks and hypervisor instances. All data in transit uses the latest SSL/TLS encryption standards (2048-bit RSA keys, 256-bit symmetric keys) and TLS 1.1 or greater. Janrain offers full disk encryption for data at rest and further protects data by ensuring that every access point (UI/APIs for each tool, site, application, agency, etc.) is scoped for least privilege so that only the necessary data fields can be accessed. All multi-availability-zone (up to 10 separate data centers each) data replicas and backups are also encrypted. Please request a copy of our Privacy and Security Overview, which describes other data protections such as:
- Trend Monitoring
- Fraud protections
- Bot protections
- Janrain Fraud Score
- and more
Penetration and Vulnerability Testing: Janrain engages an industry-recognized third party to perform an independent, impartial network penetration and application vulnerability test annually. Test reports are available for Janrain clients to view upon request. The application vulnerability testing is based on OWASP, SANS, CWE and WASC standards.