
Highest Externally Validated Security

Since its founding, Janrain has been a leader in authenticating individuals and securing their digital identities in the cloud. 
In our early days, we co-founded the OpenID foundation and were key contributors to the code that launched the customer identity 
and access management industry. Today, having hosted personal data for our clients for years longer than any of our direct competitors, our 
focus on protecting the digital identities we store for our clients remains at the core of what we do.


We understand that our clients' success and, consequently, our own, depends on our commitment to maintaining the security, confidentiality, integrity, and availability of the hosted digital identities of our clients' employees, customers, and third parties whom our clients have authorized to access their online properties or managed devices. That's why our global platform architecture uniquely features field level scoped data access, complete database encryption of data at rest, leading service availability and data reliability, distributed backups, and disaster recovery capabilities second to none. It is why Janrain leads the competition in accredited third party certifications.

  • Schellman (independent auditor)
  • ISO/IEC 27001
  • AICPA SOC 2
  • HIPAA and HITECH
  • TRUSTe

"The Forrester Wave™: Customer Identity and Access Management, Q2 2017" gives Janrain the highest security score.

Industry Security Alerts

Facebook Sept. 2018 security breach

09/28/18

Today, Facebook confirmed a breach in which attackers abused a flaw in the "View As" feature to steal access tokens for almost 50 million accounts; as a precaution Facebook also reset the tokens of roughly 90 million accounts in total. Janrain itself is not affected by this breach, but a stolen Facebook access token can be used to sign in to any third-party service that accepts Facebook Login for as long as the token, or a session created with it, remains valid.

Out of an abundance of caution, Janrain has reset all Facebook-authenticated sessions, requiring those users to log back into any service they authenticated to through Facebook.

Facebook has alerted all affected users and further details are available at https://newsroom.fb.com/news/2018/09/security-update/

Drupal 7 and 8 Security Releases

04/03/18

Drupal has recently announced security updates for Drupal 7 and 8, pre-announced in PSA-2018-001. Janrain's Drupal module does not contain code subject to the vulnerability. However, Janrain clients who run Drupal on their own properties should already be aware of how important it is to keep Drupal up to date in order to protect their customer data. Janrain takes the protection of customer data seriously and continuously monitors for security threats. This courtesy security notification advises you to confirm that you have applied the recent Drupal updates. More information: https://www.drupal.org/psa-2018-001

Spectre and Meltdown

01/05/18

The Janrain Identity Cloud® runs on AWS, and AWS updates protect the underlying infrastructure. AWS began applying patches for the Spectre and Meltdown vulnerabilities (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754) on 2018-01-03; AWS's security bulletin is at https://aws.amazon.com/security/security-bulletins/AWS-2018-013/. Hypervisor patches alone do not close the in-guest variants, so Janrain also monitored the rollout of the corresponding operating-system patches across all instances hosting Janrain client databases.

Apache Struts

09/27/17

Please be advised that the Janrain Identity Cloud does not use Apache Struts in any part of the platform. Apache Struts has become a focus for the security industry after the recently disclosed Equifax customer data breach, which was traced to an unpatched remote code execution flaw in Struts (CVE-2017-5638), but Struts has never been part of Janrain's architecture.

Cloudbleed

03/03/17

Janrain is not a Cloudflare client; therefore, Janrain and its services are not impacted by the Cloudflare software bug referred to as "Cloudbleed". For more information on Cloudbleed and its impact, see this Cloudflare blog post: https://blog.cloudflare.com/quantifying-the-impact-of-cloudbleed/

Yahoo account data breach

12/14/16

This is a courtesy notification that today Yahoo confirmed that in 2013 more than 1 billion of its user accounts were subjected to a data breach. Janrain is not affected by this data breach. Yahoo has alerted all affected users and further details are available from Yahoo at yahoo.com/security-update.

OAuth 2.0

11/21/16

A recent academic paper revived concerns about OAuth 2.0 implementation flaws that could allow mobile application accounts to be hijacked. The weakness is not in the OAuth 2.0 protocol itself but in implementations that let a mobile app hand user identity information to its backend without the backend verifying it against the identity provider, so an attacker can substitute another user's identity. Janrain confirms that the Janrain Identity Cloud's implementation is not subject to this vulnerability. If you have implementation-specific questions, please file a support ticket.

Yahoo account data breach

09/22/16

This is a courtesy notification that today Yahoo confirmed that in 2014 more than 500 million of its user accounts were subjected to a data breach. Janrain is not affected by this data breach. Yahoo has alerted all affected users and further details are available from Yahoo at yahoo.com/security-update.

HTTPoxy

07/22/16

HTTPoxy affects CGI-style environments that copy a client-supplied Proxy request header into the HTTP_PROXY environment variable, allowing an attacker to redirect outbound HTTP requests made by the application. In light of this vulnerability, this is a courtesy security notification advising clients who have deployed Drupal on their online properties to ensure they have applied all Drupal patches. Please note that the threat is to Drupal and not to Janrain. More information: https://httpoxy.org/ and https://www.drupal.org/SA-CORE-2016-003

ImageMagick

05/25/16

Janrain is not affected by the latest ImageMagick vulnerability (the "ImageTragick" command-injection issues, CVE-2016-3714 among them). ImageMagick policy files have been updated on all nodes to disable the affected coders, and all uploaded files undergo "magic byte" checking so that a file is processed only if its content matches a permitted image type; this check is applied to new and existing images alike. Industry-recommended remediation was to do one or the other. Janrain is doing both.

DROWN

03/21/16

An international group of researchers unveiled an SSL vulnerability referred to as DROWN. DROWN is a cross-protocol attack: a server that still accepts SSLv2, or any other server sharing the same RSA private key and accepting SSLv2, can be used as an oracle to decrypt TLS sessions. At Janrain, we reviewed our architecture and confirmed we do not support any outdated versions of SSL, including SSLv2; therefore, Janrain is not vulnerable to DROWN. For more information about DROWN and to check whether other systems at your company may be at risk, please visit the researchers' DROWN site.

GLIBC

02/23/16

Janrain is not affected by the glibc vulnerability described in CVE-2015-7547, a stack-based buffer overflow in the getaddrinfo() resolver that can be triggered by a malicious DNS response. After the vulnerability was disclosed, our team reviewed it with AWS, our cloud hosting provider, which published further details in its own security bulletin.

POODLE SSL

01/05/15

Since POODLE affects SSLv3 specifically, we decided to reject all incoming traffic using SSLv3. If you currently connect using SSLv3, you will need to disable it and use only TLS 1.0, 1.1 or 1.2. Our remediation of the POODLE vulnerability has been completed.

BASH Unix Shell Script

09/26/14

Janrain has reviewed the bash vulnerabilities CVE-2014-6271 and CVE-2014-7169 ("Shellshock"), which allow code execution when attacker-controlled input reaches bash through environment variables. Having found no vulnerable implementation exposed in the Janrain SaaS platform, we have determined there is no risk of exposure.

OpenSSL SSL/TLS MITM Vulnerability (CVE-2014-0224)

06/09/14

A vulnerability in the popular OpenSSL cryptographic software library used on many websites worldwide has been uncovered. Exploiting it requires an active man-in-the-middle position and a vulnerable OpenSSL version on both the client and the server; in that case the attacker can force weak keying material and decrypt or modify the traffic. This does not pose a security risk to Janrain clients: Janrain has updated all production systems to resolve the exposure from this vulnerability, and our clients do not need to take any action. Learn more about the vulnerability here: http://www.openssl.org/news/secadv_20140605.txt

Heartbleed

04/16/14

All Social Registration and Social Login endpoints have been patched against the Heartbleed vulnerability (CVE-2014-0160).

How we keep your customer identity data secure

Security monitoring, blocking and fraud protections

Janrain continuously monitors its production environments for the state and health of the Janrain CIAM platform. Automatic monitoring and alerting is backed by on-call staff 24x7x365; abnormalities trigger alerts to the NOC staff. Detailed key performance indicator metrics are gathered on uptime and availability for every service.

Brute force attacks (account takeovers)

To protect against brute force attempts against user passwords, Janrain offers account locking, where an account is locked after a customer-defined number of failed attempts. The feature is fully customizable, so the customer determines when and how further login attempts are blocked. In addition, Janrain offers CAPTCHA and SMS-based authentication options that a customer may choose to impose as step-up authentication at any failed-attempt threshold.
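The lockout policy above, worked through as an added example (this is not Janrain's code; the policy numbers, the event shape and every name in it are assumptions chosen for illustration, since the page only says the thresholds are customer-defined). It shows the three decisions a login endpoint has to make per attempt, the sliding window that stops stale failures counting forever, and why a successful login must clear the counter:

```python
"""Failed-login policy with step-up and lockout thresholds.

Added example, not Janrain code. The policy numbers, the event shape and
every name here are assumptions chosen for illustration; the page only
says the thresholds are customer-defined.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class LockoutPolicy:
    step_up_after: int = 3     # failures before CAPTCHA/SMS is demanded (assumed)
    lock_after: int = 5        # failures before the account is locked (assumed)
    lock_seconds: int = 900    # lock duration (assumed)
    window_seconds: int = 600  # failures older than this are forgotten (assumed)


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0


class LoginGuard:
    """Per-account decision: allow, demand step-up, or refuse (locked)."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def _prune(self, state: AccountState, now: float) -> None:
        cutoff = now - self.policy.window_seconds
        state.failures = [t for t in state.failures if t > cutoff]

    def check(self, user: str, now: float) -> Tuple[str, int]:
        """Return (decision, recent_failures) before an attempt is processed."""
        state = self._state(user)
        if state.locked_until:
            if now < state.locked_until:
                return "locked", len(state.failures)
            # Lock expired: the account starts again with a clean failure window.
            state.failures.clear()
            state.locked_until = 0.0
        self._prune(state, now)
        n = len(state.failures)
        if n >= self.policy.step_up_after:
            return "step_up", n
        return "allow", n

    def record(self, user: str, success: bool, now: float) -> None:
        """Record the outcome of an attempt; a success clears the counter."""
        state = self._state(user)
        if success:
            state.failures.clear()
            state.locked_until = 0.0
            return
        self._prune(state, now)
        state.failures.append(now)
        if len(state.failures) >= self.policy.lock_after:
            state.locked_until = now + self.policy.lock_seconds


def simulate(policy: LockoutPolicy, attempts: List[Tuple[float, str, bool]]) -> List[str]:
    """Run a trace of (timestamp, user, password_correct) and return the decision
    made before each attempt. Attempts against a locked account are refused and
    not counted, so an attacker cannot extend the lock by hammering it."""
    guard = LoginGuard(policy)
    decisions = []
    for t, user, ok in attempts:
        decision, _ = guard.check(user, t)
        decisions.append(decision)
        if decision != "locked":
            guard.record(user, ok, t)
    return decisions


# Constructed trace: a password-guessing run against one account, then the
# legitimate owner logging in after the lock has expired.
ATTACK_TRACE = [(float(t), "alice", False) for t in range(6)] + [
    (100.0, "alice", False),
    (1000.0, "alice", True),
]

if __name__ == "__main__":
    for (t, _, _), d in zip(ATTACK_TRACE, simulate(LockoutPolicy(), ATTACK_TRACE)):
        print(f"t={t:>7}: {d}")
```

With the assumed defaults the trace yields allow, allow, allow, step_up, step_up, locked, locked, allow: step-up kicks in on the fourth attempt, the lock on the sixth, and the owner's login at t=1000 succeeds because the lock has lapsed and the window is empty.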

Advanced persistent distributed attacks

Janrain has experience in successfully staving off distributed attacks and can block numerous sets of dynamic IPs spun up by malicious actors during an attack. Janrain proactively monitors for bots and malicious activity by correlating dozens of custom metrics specific to login and registration.

IP blocking and whitelisting

Janrain can block IP addresses from specific countries or regions (geoblocking) from registering and/or logging in, on a per-customer basis. Janrain can block specific lists of IP addresses (e.g., lists of known bad IP addresses and black-hat-associated IP addresses). Janrain can also whitelist IP addresses that are legitimate but are exceptions to standard rules or were erroneously added to blacklists.

Denial of service attacks

Janrain's ability to withstand DoS attacks was tested by an external third-party penetration testing firm, Online business services. Bot mitigation strategies include rate limiting to mitigate bot DoS attacks, reCAPTCHA to stop bots creating fake user profiles, and both client-side and server-side validation to ensure that all field values are legitimate.

Trend monitoring

Janrain employs custom API monitoring on a per-customer basis to establish trends in usage and to identify and block abnormal usage patterns. This API monitoring has proven successful in identifying and mitigating malicious activity on behalf of Janrain customers. Because every client's traffic is different, Janrain can implement alerting and blocking rules that reflect each client's own baseline. Adjusting a client's custom blocking rules is a collaborative process between Janrain and the client: different clients have different risk appetites and tolerances, which shape the trade-off between blocking some legitimate traffic and absorbing some cost of fraud. An advanced persistent attack may require several adjustments of the custom policy-engine rules.
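The per-customer trend monitoring described above, together with the whitelist exception from the IP-blocking section, as an added example (not Janrain's monitoring; the log format, thresholds, sample addresses and the allowlist range are all constructed for illustration). It builds a per-minute baseline for each (customer, endpoint) pair from sample access-log lines, flags a minute that spikes well above the median of the other minutes, and then names the source addresses responsible, skipping any that fall inside an allowlisted range so a legitimate partner is alerted on but never auto-blocked:

```python
"""Per-customer, per-endpoint spike detection over access logs, with an
allowlist that exempts known-good addresses from automatic blocking.

Added example, not Janrain's monitoring. The log format, thresholds,
sample addresses and the allowlist are constructed for illustration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import median
from typing import Dict, List, Tuple

# Assumed log line shape; a real platform's format will differ.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) customer=(?P<customer>\S+) endpoint=(?P<endpoint>\S+) ip=(?P<ip>\S+)"
)

# Constructed allowlist, e.g. an agency's egress range that must never be auto-blocked.
ALLOWLIST = [ip_network("203.0.113.0/24")]


def parse_line(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["minute"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(second=0)
    return d


def detect(lines: List[str], multiplier: float = 5.0, min_events: int = 20,
           min_baseline_minutes: int = 3) -> List[dict]:
    """Flag any minute whose request count for a (customer, endpoint) pair is at
    least `multiplier` times the median of that pair's other minutes and at
    least `min_events` in absolute terms, so tiny baselines cannot alert."""
    per_minute: Dict[Tuple[str, str], Counter] = defaultdict(Counter)
    per_ip: Dict[tuple, Counter] = defaultdict(Counter)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["customer"], ev["endpoint"])
        per_minute[key][ev["minute"]] += 1
        per_ip[key + (ev["minute"],)][ev["ip"]] += 1

    alerts = []
    for key in sorted(per_minute):
        counts = per_minute[key]
        for minute in sorted(counts):
            others = [c for m, c in counts.items() if m != minute]
            if len(others) < min_baseline_minutes:
                continue
            baseline = median(others)
            if counts[minute] >= max(min_events, multiplier * baseline):
                alerts.append({"customer": key[0], "endpoint": key[1], "minute": minute,
                               "count": counts[minute], "baseline": baseline,
                               "ips": per_ip[key + (minute,)]})
    return alerts


def block_candidates(alerts: List[dict], allowlist=ALLOWLIST,
                     share: float = 0.5) -> List[Tuple[str, str, str]]:
    """Return (customer, endpoint, ip) for every source that produced at least
    `share` of a flagged minute's traffic, unless the address is allowlisted."""
    out = []
    for a in alerts:
        for ip, n in a["ips"].most_common():
            if n / a["count"] < share:
                break
            if any(ip_address(ip) in net for net in allowlist):
                continue  # legitimate exception: alert, but never auto-block
            out.append((a["customer"], a["endpoint"], ip))
    return out


def build_sample_log() -> List[str]:
    """Constructed log: five quiet minutes per endpoint, then a burst of
    registrations from one address and a burst of logins from an allowlisted one."""
    lines = []
    regulars = [f"192.0.2.{i}" for i in range(1, 5)]
    for minute in range(5):
        for i, ip in enumerate(regulars):
            lines.append(f"2018-10-01T12:0{minute}:{10 + i:02d}Z customer=acme endpoint=/register ip={ip} status=200")
            lines.append(f"2018-10-01T12:0{minute}:{20 + i:02d}Z customer=acme endpoint=/login ip={ip} status=200")
    for s in range(36):
        lines.append(f"2018-10-01T12:05:{s:02d}Z customer=acme endpoint=/register ip=198.51.100.23 status=200")
    for i, ip in enumerate(regulars):
        lines.append(f"2018-10-01T12:05:{40 + i:02d}Z customer=acme endpoint=/register ip={ip} status=200")
    for s in range(34):
        lines.append(f"2018-10-01T12:05:{s:02d}Z customer=acme endpoint=/login ip=203.0.113.9 status=200")
    return lines


if __name__ == "__main__":
    found = detect(build_sample_log())
    for a in found:
        print(a["customer"], a["endpoint"], a["minute"].strftime("%H:%M"), a["count"], "vs baseline", a["baseline"])
    print("block:", block_candidates(found))
```

Both the /register and /login bursts are flagged against a baseline of 4 requests per minute, but only 198.51.100.23 becomes a block candidate; 203.0.113.9 sits in the allowlisted range, which is exactly the "legitimate but exceptional" case the whitelist exists for. The multiplier, absolute floor and share are the knobs that the per-client risk-appetite discussion above is about.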

Intrusion detection

OSSEC, a host-based intrusion detection system, automatically reviews system and application logs for suspicious activity on a regular basis.

New account creation fraud protections

Janrain offers CAPTCHA and SMS-based authentication options that a customer may choose to impose as step-up authentication against scripted account-creation attacks. Janrain proactively monitors for bots and malicious activity by correlating dozens of custom metrics specific to login and registration, and identifies anomalies against each Janrain customer's own traffic patterns.

Janrain Fraud Score

Janrain Fraud Score is an add-on to Janrain Identity Cloud that allows organizations to determine whether accounts registering on or logging into digital properties potentially pose a threat; for example, accounts known to have been compromised in the past, known scammers, or accounts that have shown otherwise harmful behavior. Janrain Fraud Score delivers a reputation score for an identity in real time, which can be used to make policy-based decisions about how to treat that identity during account registration, sign-in, or completion of high-value transactions. An account can then be blocked, partially restricted, or asked for additional authentication and identification.

The Janrain security management program

Please see Janrain's ISO 27001 certification and clean SOC 2 Type 2 report (issued under the AICPA AT-101 attestation standard) for a detailed description of the Janrain security program and its information security management system (ISMS). An overview is presented below.

Information security management system

The ISMS at Janrain is defined by the Janrain ISMS Governance Policy and supporting ISMS Manual which are available to clients upon request.
The information security management committee (ISMC) is responsible for ensuring that Janrain maintains conformity to the ISO 27001:2013 and ISO 27018:2014 (PII Protection in the cloud) standards through the implementation of policies and procedures defined within the ISMS.

The ISMC consists of the CEO, CFO, CTO, VP Engineering and Operations, VP Legal and Privacy, VP Product and the Information Security Manager. The ISMS also ensures that the standards needed for the following remain in place: Cloud Security Alliance (CSA STAR) Level 2 certification, HIPAA/HITECH compliance, Privacy Shield certification, OIDC RP certification, SOC 2 Type 2 (Security, Availability, Confidentiality) compliance, and TRUSTe certification.

All security policies and procedures are reviewed and approved for use on an annual basis, or more frequently as determined by risk. Risk assessment remediation can result in updates to policies and procedures to ensure they remain effective.

The effectiveness of Janrain's information security management system (ISMS) is measured by quarterly and annual metrics that accurately reflect the status of the implementation and operation of Janrain security systems and controls. All staff receive security and privacy training on hire and annually thereafter.


Access control

Access is strictly controlled. Access is removed on changes of role and on employee departure, and access reviews are performed quarterly. Access to production systems requires VPN, SSH and multi-factor authentication.

Backups

Customer data is always written simultaneously to encrypted databases in multiple data centers (hot/hot replicas) in separate availability zones. Point-in-time encrypted backups are taken nightly, stored across availability zones, and kept current with incremental backups taken every 300 seconds.

Business continuity

Business continuity is tested and policies are reviewed on an annual basis. Because Janrain deploys in high-availability mode across all available AZs in a region, invoking business continuity would require a regional disaster simultaneously affecting every availability zone in that region plus each of their backup facilities; there is no single point of failure. Using the US East region as an example, there would have to be 30-60 simultaneous failures across separate data centers to invoke business continuity. We have also tested, and keep runbooks for, transferring customers from one region to another in the exceptionally unlikely event that an entire region of multiple separate data centers is lost at once.

"Security and privacy by design" is one of Janrain's core tenets. Security and privacy is included throughout the software development lifecycle


Firewalls and zero trust

In addition to industry-standard firewalls for all traffic entering the internal network from any external source, Janrain uses security groups, which act as virtual firewalls controlling inbound and outbound traffic at the instance level. Security groups provide the same network-based blocking that firewalls provide but are easier to manage. Janrain has also architected a zero-trust VPC model to further protect your data. Zero trust is a security model that addresses the shortcomings of perimeter-centric strategies by removing the assumption of trust: no entity (user, device, application or packet) is trusted by default, regardless of what it is or where it sits on or relative to the corporate network. Please see Janrain's high-level infrastructure document.

More details can be seen:

  1. http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html
  2. http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Security.html

Field level data scoped access

Janrain has specifically designed scoped access authorization directly into its CIAM platform. Janrain's uniquely designed and customizable scoped access functionality ensures that the sensitive data that a registered user submits is only used for the purpose for which it was submitted. Janrain's CIAM platform enables this scoped access at the field level for however many profile databases you choose to set up. Scoped access provides organizations with the ability to grant granular, field-level access rights for each of the client credentials used when querying a user record. This is critical in reducing the risk of customer data exposure. Scoped access provides an unparalleled ability to grant exactly the type of data access to other systems in an organization's websites, mobile applications, third-party applications, platforms and services that make up a marketing tech stack. It can even be applied to digital agencies who might require select pieces of user data to run a campaign on a company's behalf. Janrain clients also have the option of having different scoped access for different sites that all write to the same database.

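Field-level scoped access, as an added example of the mechanism described above (this is not Janrain's implementation; the sample record, the client names, their scopes and the "r"/"w"/"rw"-per-dotted-path scope syntax are assumptions made for illustration). Each client credential gets a projection of the record containing only its readable fields, writes are refused wholesale if any path is outside the credential's writable set, and the password field is write-only so no credential can ever read it back:

```python
"""Field-level scoped access for API client credentials.

Added example, not Janrain's implementation. The record, the client names,
their scopes and the scope syntax ("r", "w", "rw" per dotted field path)
are assumptions made for illustration.
"""
import hmac
from typing import Any, Dict, List

# Constructed profile record (not real data). The password value is a placeholder
# in bcrypt form; no scope below is allowed to read it.
USER_RECORD: Dict[str, Any] = {
    "uuid": "3f2a9c0e-0000-4000-8000-000000000001",
    "email": "ana@example.com",
    "displayName": "Ana",
    "birthday": "1990-05-17",
    "phone": "+1-555-0100",
    "password": "$2b$10$<hash placeholder>",
    "address": {"street": "1 Example Way", "city": "Portland", "postalCode": "97201"},
    "marketingOptIn": True,
}

# Assumed scope table: each client credential sees only the fields listed, with the
# permission given. Anything not listed is invisible and unwritable for that client.
CLIENT_SCOPES: Dict[str, Dict[str, str]] = {
    "web-login": {"uuid": "r", "email": "rw", "displayName": "rw", "phone": "rw",
                  "address.street": "rw", "address.city": "rw", "address.postalCode": "rw",
                  "password": "w"},  # write-only: the site can set it, never read it
    "email-agency": {"uuid": "r", "email": "r", "displayName": "r", "marketingOptIn": "r"},
    "analytics": {"uuid": "r", "address.city": "r", "marketingOptIn": "r"},
}

# Constructed client secrets (assumption; a real system would store these hashed).
CLIENT_SECRETS = {"web-login": "s3cr3t-web", "email-agency": "s3cr3t-agency",
                  "analytics": "s3cr3t-stats"}

_MISSING = object()


class ScopeError(PermissionError):
    def __init__(self, client: str, denied: List[str]) -> None:
        super().__init__(f"{client} may not write {denied}")
        self.denied = denied


def authenticate(client_id: str, secret: str) -> bool:
    """Constant-time comparison so a wrong secret does not leak by timing."""
    expected = CLIENT_SECRETS.get(client_id)
    return expected is not None and hmac.compare_digest(expected, secret)


def _get(record: Dict[str, Any], path: str) -> Any:
    cur: Any = record
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return _MISSING
        cur = cur[part]
    return cur


def _set(target: Dict[str, Any], path: str, value: Any) -> None:
    parts = path.split(".")
    cur = target
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value


def read_record(client_id: str, record: Dict[str, Any]) -> Dict[str, Any]:
    """Project the record down to the fields this client may read."""
    view: Dict[str, Any] = {}
    for path, perm in CLIENT_SCOPES.get(client_id, {}).items():
        if "r" not in perm:
            continue
        value = _get(record, path)
        if value is not _MISSING:
            _set(view, path, value)
    return view


def write_record(client_id: str, record: Dict[str, Any], updates: Dict[str, Any]) -> Dict[str, Any]:
    """Apply updates (dotted paths) only if every path is writable for this client;
    otherwise refuse the whole write and name the denied fields."""
    scopes = CLIENT_SCOPES.get(client_id, {})
    denied = sorted(p for p in updates if "w" not in scopes.get(p, ""))
    if denied:
        raise ScopeError(client_id, denied)
    for path, value in updates.items():
        _set(record, path, value)
    return record


if __name__ == "__main__":
    for client in CLIENT_SCOPES:
        print(client, "->", read_record(client, USER_RECORD))
```

The analytics credential, for instance, gets `{"uuid": ..., "address": {"city": "Portland"}, "marketingOptIn": True}` and nothing else, which is the point of giving an agency or a downstream system the exact slice it needs rather than a database-wide token. Refusing the whole write on a single denied path, rather than silently dropping that field, keeps a misconfigured integration visible instead of partially succeeding.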

Encryption

All data in transit is encrypted. Janrain leverages encryption to protect data and virtual machine images during transport across and between networks and hypervisor instances. Transport encryption uses current TLS configurations (2048-bit RSA certificate keys with 256-bit symmetric cipher suites) and TLS 1.1 or later. Janrain offers full-disk encryption for data at rest and further protects data by ensuring that every access point (UI and APIs for each tool, site, application, agency, etc.) is scoped for least privilege so that only the necessary data fields can be accessed. All multi-availability-zone data replicas (up to 10 separate data centers per region) and backups are also encrypted.

Other data protections

Abstraction layer

Janrain's services provide a consistent abstraction layer on top of access to the data. The underlying data stores are designed for consistency, reliability, data privacy and optimized for performance.


OAuth 2.0 compliant

Secure data

Each Janrain deployment and associated data is isolated in its own logically discrete production environment. Multitenant security controls, including unique session tokens, configurable session timeout values, and password policies are applied to prevent unauthorized access.

Scoped dashboard access

Dashboard access is enforced via roles. 2FA can be configured for client admins. Client admins control data access to their Janrain application.

Data center security

AWS data center physical access is controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems and other electronic means. Authorized AWS staff utilize multi-factor authentication mechanisms to access data center floors.

Centrally managed anti-virus protection helps prevent harmful software code from affecting our services or customer data.

Schema validation

Janrain validates customer schemas at deployment time to ensure sensitive data elements such as passwords are not stored in the clear.

Bcrypt hashing algorithm

Passwords are hashed with bcrypt at a cost factor of 10, i.e. 2^10 key-expansion rounds per hash, so every guess in an offline attack against a stolen database is deliberately expensive.
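The deployment-time schema check and the bcrypt cost policy from the two sections above, worked through as an added example (not Janrain's validator; the schema format, the rule set and the sample schemas and hash are assumptions for illustration, while the cost of 10 is the figure the page states). The validator refuses a schema that would store a password-like attribute in the clear or hash it too cheaply, and a second check catches the runtime failure mode where a declared-bcrypt field nevertheless receives plaintext:

```python
"""Deployment-time schema check and stored-value check for password fields.

Added example, not Janrain's validator. The schema format (a list of
attribute dicts), the rule set and the sample records are assumptions
for illustration; the bcrypt cost of 10 is the figure the page states.
"""
import re
from typing import Any, Dict, List, Optional

MIN_BCRYPT_COST = 10

# Modular-crypt bcrypt form: $2a$/$2b$/$2x$/$2y$, two-digit cost, 22-char salt + 31-char digest.
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")

# Attribute names that must never be stored in the clear, whatever their declared type.
SECRET_NAME_RE = re.compile(r"(password|passwd|secret|securityanswer)", re.IGNORECASE)

# Constructed schemas (assumed format). GOOD_SCHEMA passes; BAD_SCHEMA has two faults.
GOOD_SCHEMA: List[Dict[str, Any]] = [
    {"name": "email", "type": "string"},
    {"name": "password", "type": "password", "storage": "bcrypt", "cost": 10},
    {"name": "securityAnswer", "type": "string", "storage": "bcrypt", "cost": 12},
    {"name": "phone", "type": "string", "sensitive": True, "storage": "encrypted"},
]
BAD_SCHEMA: List[Dict[str, Any]] = [
    {"name": "email", "type": "string"},
    {"name": "password", "type": "password", "storage": "bcrypt", "cost": 4},  # too cheap
    {"name": "securityAnswer", "type": "string"},                              # clear text
]


def validate_schema(schema: List[Dict[str, Any]]) -> List[str]:
    """Return a list of problems; an empty list means the schema may be deployed."""
    problems = []
    for attr in schema:
        name = attr["name"]
        is_secret = attr.get("type") == "password" or SECRET_NAME_RE.search(name)
        storage = attr.get("storage")
        if is_secret:
            if storage != "bcrypt":
                problems.append(f"{name}: must be stored as a bcrypt hash, not {storage or 'clear text'}")
            elif attr.get("cost", 0) < MIN_BCRYPT_COST:
                problems.append(f"{name}: bcrypt cost {attr.get('cost')} is below the minimum of {MIN_BCRYPT_COST}")
        elif attr.get("sensitive") and storage not in ("bcrypt", "encrypted"):
            problems.append(f"{name}: sensitive attribute stored in clear text")
    return problems


def bcrypt_cost(value: str) -> Optional[int]:
    """Return the cost factor encoded in a bcrypt hash, or None if the value is not one."""
    m = BCRYPT_RE.match(value)
    return int(m.group(1)) if m else None


def check_stored_record(schema: List[Dict[str, Any]], record: Dict[str, Any]) -> List[str]:
    """Runtime guard: every bcrypt-declared attribute present in a record must
    actually hold a bcrypt hash of sufficient cost, never the plaintext."""
    problems = []
    for attr in schema:
        if attr.get("storage") != "bcrypt" or attr["name"] not in record:
            continue
        cost = bcrypt_cost(str(record[attr["name"]]))
        if cost is None:
            problems.append(f"{attr['name']}: value is not a bcrypt hash")
        elif cost < MIN_BCRYPT_COST:
            problems.append(f"{attr['name']}: bcrypt cost {cost} is below the minimum of {MIN_BCRYPT_COST}")
    return problems


def hash_password(plaintext: str, cost: int = MIN_BCRYPT_COST) -> str:
    """Hash with the bcrypt package (assumption: `pip install bcrypt`). The rounds
    parameter is the cost factor, so cost 10 means 2**10 key-expansion iterations."""
    import bcrypt  # imported lazily so the validators above work without it
    return bcrypt.hashpw(plaintext.encode("utf-8"), bcrypt.gensalt(rounds=cost)).decode("ascii")


# Constructed sample in valid bcrypt form with cost 10 (illustrative, not a real credential).
SAMPLE_HASH = "$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy"

if __name__ == "__main__":
    print("good schema:", validate_schema(GOOD_SCHEMA) or "ok")
    print("bad schema:", validate_schema(BAD_SCHEMA))
    print("sample hash cost:", bcrypt_cost(SAMPLE_HASH))
```

The cost lives in the hash itself (the `10` between the second and third `$`), which is what makes the stored-value check possible and also what lets a deployment raise the cost later and re-hash old records on their next successful login.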

Input validation

All submitted field values are validated on both the client and the server side for data integrity, so a request that bypasses the browser cannot write values the schema does not allow.

Scans

Janrain engages an industry-recognized third party to perform an independent, impartial network penetration and application vulnerability test annually. Test reports are available to Janrain clients upon request. The application vulnerability testing is based on OWASP, SANS, CWE and WASC standards.