Since its founding, Janrain has been a leader in authenticating individuals and securing their digital identities in the cloud.
In our early days, we co-founded the OpenID foundation and were key contributors to the code that launched the customer identity
and access management industry. Today, having hosted personal data for our clients for years longer than any of our direct competitors, our
focus on protecting the digital identities we store for our clients remains at the core of what we do.
We understand that our clients' success and, consequently, our own, depends on our commitment to maintaining the security, confidentiality, integrity, and availability of the hosted digital identities of our clients' employees, customers, and third parties whom our clients have authorized to access their online properties or managed devices. That's why our global platform architecture uniquely features field level scoped data access, complete database encryption of data at rest, leading service availability and data reliability, distributed backups, and disaster recovery capabilities second to none. It is why Janrain leads the competition in accredited third party certifications.
The Janrain Identity Cloud® runs on AWS; AWS updates protect the underlying infrastructure. AWS began applying patches for the Spectre and Meltdown vulnerabilities (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754) on 2017-01-03. AWS’s security bulletin can be seen at https://aws.amazon.com/security/security-bulletins/AWS-2018-013/. Janrain monitored AWS’s rollout of operating system patches for all of Janrain’s client databases.
Please be advised that the Janrain Identity Cloud does not use Apache Struts in any part of its architecture. Apache Struts has become a focus for the security industry due to the recently disclosed Equifax customer data breach, but it has never been part of Janrain's architecture.
Janrain is not a Cloudflare client; therefore, Janrain and its services are not impacted by the Cloudflare software bug referred to as "Cloudbleed". For more information on Cloudbleed and its impact, you may refer to this Cloudflare blog post -
This is a courtesy notification that today Yahoo confirmed that in 2013 more than 1 billion of their user accounts were subjected to a data breach. Janrain is not affected by this data breach. Yahoo has alerted all affected users and further details are available from Yahoo at
A recent academic paper revived concerns about OAuth 2.0 implementation vulnerabilities that could cause mobile application accounts to be hijacked. All parties agree that the OAuth 2.0 protocol is secure. In addition, Janrain confirms that our implementation mechanisms ensure that the Janrain Identity Cloud is not subject to this vulnerability. If you have implementation-specific questions, please file a support ticket.
This is a courtesy notification that today Yahoo confirmed that in 2014 more than 500M of their user accounts were subjected to a data breach. Janrain is not affected by this data breach. Yahoo has alerted all affected users and further details are available from Yahoo at
In light of the current HTTPoxy vulnerability, this is a courtesy security notification advising our clients who have deployed Drupal on their online properties to ensure they have applied all Drupal patches. Please note that the threat is to Drupal and not to Janrain. More information can be found at https://httpoxy.org/ and https://www.drupal.org/SA-CORE-2016-003.
Janrain is not affected by the latest ImageMagick vulnerability. ImageMagick policy files have been updated on all nodes to combat this threat. In addition, "magic byte" checking is performed on all uploaded files: every image submitted for processing is checked, whether it is a new upload or an existing image. The industry-recommended remediation was to do one or the other; Janrain is doing both.
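The "magic byte" check described above, as an added illustration that is not Janrain's own code: the file signature is read from the bytes themselves and compared with the type the client claimed, so a renamed text file or a mislabelled image is rejected before it ever reaches the image processor. The signature table, the function names and the sample uploads are constructed for this example.

```python
from typing import Dict, List, Optional, Tuple

# Constructed table of well-known image file signatures (leading magic bytes).
IMAGE_SIGNATURES: Dict[str, List[bytes]] = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}

def detect_image_type(data: bytes) -> Optional[str]:
    """Return the image type implied by the leading bytes, or None when no
    known binary signature matches (text-based inputs always land here)."""
    for kind, signatures in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return kind
    return None

def is_accepted_upload(data: bytes, claimed_type: str) -> bool:
    """Accept only when the bytes carry a known signature AND that signature
    agrees with the type the client claimed (file extension / Content-Type).
    Unknown signatures are rejected rather than passed to the processor."""
    detected = detect_image_type(data)
    return detected is not None and detected == claimed_type.lower()

def screen_uploads(uploads: List[Tuple[str, str, bytes]]) -> List[Tuple[str, bool]]:
    """Apply the check to a batch of (filename, claimed_type, data) items; the
    same routine serves new uploads and a re-scan of already stored images."""
    return [(name, is_accepted_upload(data, claimed)) for name, claimed, data in uploads]

# Constructed sample uploads: a PNG header, a JPEG header, a plain text file
# renamed to .png, and a JPEG whose claimed type (gif) does not match its bytes.
SAMPLE_UPLOADS: List[Tuple[str, str, bytes]] = [
    ("logo.png", "png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("photo.jpg", "jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    ("avatar.png", "png", b"hello, not an image\n"),
    ("mismatch.gif", "gif", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
]

if __name__ == "__main__":
    for name, ok in screen_uploads(SAMPLE_UPLOADS):
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```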
An international group of researchers unveiled an SSL vulnerability referred to as DROWN. At Janrain, we reviewed our architecture and confirmed that we do not support any outdated versions of SSL; therefore, Janrain is not vulnerable to DROWN. For more information about DROWN and to check whether other systems at your company may be at risk, please visit this site.
Since POODLE affected SSLv3 specifically, we decided to reject all incoming traffic using SSLv3. If you currently use SSLv3, you will need to disable it and use only TLS 1.0, 1.1 or 1.2. At this time, our remediation of the POODLE vulnerability has been completed.
Janrain has reviewed the Bash vulnerabilities CVE-2014-6271 and CVE-2014-7169 and, due to the absence of a vulnerable implementation, has determined that there is no risk of exposure in the Janrain SaaS platform.
A minor vulnerability in the popular OpenSSL cryptographic software library used on many websites worldwide has been uncovered. This does not pose a security risk to Janrain clients, as it would only allow access to data if the SSL stream had already been compromised. Janrain has updated all production systems to resolve the exposure from this vulnerability. Our clients do not need to take any action. Learn more about the vulnerability here: http://www.openssl.org/news/secadv_20140605.txt.
All Social Registration and Social Login endpoints have been patched against the Heartbleed vulnerability.
Janrain continuously monitors the state and health of the Janrain CIAM platform across all production environments.
Janrain has automatic monitoring and alerting and on-call staff 24x7x365. Abnormalities trigger alerts to the NOC staff. Detailed key performance indicator metrics are gathered on uptime and availability for every service.
Janrain has experience in successfully staving off distributed attacks and can block numerous sets of dynamic IPs spun up by malicious actors during an attack.
Janrain can block IP addresses from specific countries or regions (geoblocking) from registering and/or logging in, on a per-customer basis. Janrain can block specific lists of IP addresses (e.g., lists of known bad IP addresses and IP addresses associated with black hat activity). Janrain can also whitelist IP addresses that are legitimate but are exceptions to standard rules or were erroneously added to blacklists.
Janrain's ability to withstand DoS attacks was tested by an external third-party penetration testing firm, Online business services.
Bot mitigation strategies include rate limiting to mitigate bot DoS attacks, reCAPTCHA to mitigate bots creating fake user profiles, and both client-side and server-side validation to ensure that all field values are legitimate.
The OSSEC intrusion detection system automatically reviews logs for suspicious activity on a regular basis.
Janrain offers CAPTCHA and SMS-based authentication options that a customer may choose to implement as step-up authentication protection against scripted account creation attacks. Janrain proactively monitors for bots and malicious activity by correlating dozens of custom metrics specific to login and registration, and identifies anomalies specific to each Janrain customer's unique traffic patterns.
Please see Janrain's ISO 27001 AT-101 and clean SOC 2 Type 2 report for a detailed description of the Janrain security program information security management system (ISMS). An overview is presented below.
The ISMS at Janrain is defined by the Janrain ISMS Governance Policy and supporting ISMS Manual which are available to clients upon request.
The information security management committee (ISMC) is responsible for ensuring that Janrain maintains conformity to the ISO 27001:2013 and
ISO 27018:2014 (PII Protection in the cloud) standards through the implementation of policies and procedures defined within the ISMS.
The ISMC consists of the CEO, CFO, CTO, VP Engineering and Operations, VP Legal and Privacy, VP Product and the Information Security Manager. The ISMS also ensures that standards are maintained so that Janrain remains compliant with: Cloud Security Alliance (CSA STAR) Level 2 certification, HIPAA/HITECH compliance, Privacy Shield certification, OIDC RP certification, SOC 2 Type 2 (Security, Availability, Confidentiality) compliance, and TRUSTe certification.
All security policies and procedures are reviewed and approved for use on an annual basis, or more frequently as determined by risk. Risk assessment remediation can result in updates to policies and procedures to ensure they remain effective.
Access is strictly controlled. Access is removed on changes in role and on employee departure. Access reviews are performed quarterly. Access to production systems is controlled by VPN, SSH and multi-factor authentication.
Customer data is always simultaneously written to encrypted databases in multiple data centers (hot/hot backups) in separate availability zones. Point-in-time encrypted backups are taken nightly, stored in multiple databases across availability zones, and are kept current with incremental backups taken every 300s.
Business continuity is tested and policies are reviewed on an annual basis. Due to Janrain's high availability deployment model across all available AZs per region, invoking business continuity would require a regional disaster simultaneously impacting all of the availability zones in a region plus each of their backup utilities. There is no single point of failure. Using the US East AZ as an example, there would have to be 30-60 simultaneous failures over separate data centers to invoke business continuity. Please note that we have also tested and have runbooks to transfer customers from one region to another in the exceptionally unlikely event of an entire region of multiple separate data centers being lost simultaneously.
In addition to industry-standard firewalls for all data entering the internal data network from any external source, Janrain uses security groups, which act as virtual firewalls to control inbound and outbound traffic. Security groups provide the same network-based blocking mechanism that firewalls provide, but are easier to manage. Janrain has also architected a zero-trust VPC model to further protect your data. Zero trust is an alternative security model that addresses the shortcomings of perimeter-centric strategies by removing the assumption of trust. With zero trust there is no default trust for any entity, including users, devices, applications, and packets, regardless of what it is or its location on or relative to the corporate network. Please see Janrain's high-level infrastructure document.
More details can be seen:
All data in transit is encrypted. Janrain leverages encryption to protect data and virtual machine images during transport across and between networks and hypervisor instances. All data in transit uses current SSL/TLS encryption standards (2048/256-bit keys) and TLS 1.1 or greater. Janrain offers full disk encryption for data at rest and further protects data by ensuring that every access point (UI and APIs for each tool, site, application, agency, etc.) is scoped for least privilege, so that only the necessary data fields can be accessed. All multi-availability-zone data replicas and backups (up to 10 separate data centers each) are also encrypted.
Janrain's services provide a consistent abstraction layer on top of access to the data. The underlying data stores are designed for consistency, reliability, data privacy and optimized for performance.
OAuth 2.0 compliant
Each Janrain deployment and associated data is isolated in its own logically discrete production environment. Multitenant security controls, including unique session tokens, configurable session timeout values, and password policies are applied to prevent unauthorized access.
Dashboard access is enforced via roles. 2FA can be configured for client admins. Client admins control data access to their Janrain application.
AWS data center physical access is controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems and other electronic means. Authorized AWS staff utilize multi-factor authentication mechanisms to access data center floors.
Centrally managed anti-virus protection helps prevent harmful software code from affecting our services or customer data.
Janrain validates customer schemas at deployment time to ensure sensitive data elements such as passwords are not stored in the clear.
With cost factor of 10 for password protection.
For data integrity.
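As an added illustration of the deployment-time schema check described above (not Janrain's own code): the first function rejects a schema that declares a sensitive attribute with a plain string type, and the second classifies stored values so that cleartext or under-cost hashes are flagged. The page does not name the hashing algorithm; this example assumes bcrypt-style modular-crypt strings, where the "cost factor of 10" is the two-digit field after the version prefix. The attribute type name "password", the sensitive field names and the sample records are constructed for the example.

```python
import re
from typing import Dict, List

# Assumption: a schema is a list of attribute definitions {"name", "type"}, and a
# dedicated "password" attribute type means the value is stored as a one-way hash.
HASHED_TYPES = {"password"}
SENSITIVE_NAMES = {"password", "passwd", "secret"}

# Assumption: bcrypt-style strings, $2b$<cost>$<22-char salt><31-char hash>.
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
MIN_COST = 10  # the page's "cost factor of 10"

def validate_schema(schema: List[Dict[str, str]]) -> List[str]:
    """Deployment-time check: every sensitive attribute must use a hashed type.
    Returns a list of human-readable problems; an empty list means the schema passes."""
    problems: List[str] = []
    for attr in schema:
        if attr["name"].lower() in SENSITIVE_NAMES and attr["type"] not in HASHED_TYPES:
            problems.append(f"{attr['name']}: type {attr['type']!r} stores the value in the clear")
    return problems

def classify_stored_value(value: str) -> str:
    """Classify one stored credential as 'hashed' (valid format, cost >= MIN_COST),
    'weak_hash' (valid format but cost below MIN_COST) or 'cleartext' (anything else)."""
    match = BCRYPT_RE.match(value)
    if match is None:
        return "cleartext"
    return "hashed" if int(match.group(1)) >= MIN_COST else "weak_hash"

def audit_records(records: List[Dict[str, str]]) -> Dict[str, str]:
    """Map each record id to the classification of its stored password field."""
    return {rec["id"]: classify_stored_value(rec["password"]) for rec in records}

# Constructed samples: a schema that wrongly declares password as a string, and
# three records with a cost-10 hash, a cost-4 hash and a cleartext password.
SAMPLE_SCHEMA = [{"name": "email", "type": "string"}, {"name": "password", "type": "string"}]
SALT, DIGEST = "abcdefghijklmnopqrstuv", "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"  # 22 + 31 chars
SAMPLE_RECORDS = [
    {"id": "u1", "password": "$2b$10$" + SALT + DIGEST},
    {"id": "u2", "password": "$2b$04$" + SALT + DIGEST},
    {"id": "u3", "password": "hunter2"},
]

if __name__ == "__main__":
    print(validate_schema(SAMPLE_SCHEMA))
    print(audit_records(SAMPLE_RECORDS))
```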
Janrain engages an industry-recognized third party to perform an independent, impartial network penetration and application vulnerability test annually. Test reports are available to Janrain clients upon request. The application vulnerability testing is based on OWASP, SANS, CWE and WASC standards.