By Lisa Nicholson | Posted on October 03, 2017
Janrain Information Security Manager, Lisa Nicholson, shares her thoughts on why CSA Level 2 and ISO 27018 certifications are important and talks about the challenges to obtain them.
Security and privacy are (and have always been) top priorities for Janrain, and for obvious reasons. We manage and store over 1.5 billion customer identities for our clients in regions all over the globe. This highly sensitive information is subject to a wide variety of regional data protection regulations. To our clients, their customer profile data is among their most valuable assets; it fuels business intelligence which enables strategic decisions that wouldn’t be possible without it. Their customers have given them their personal data under the assumption that it is safe. They trust our clients who, in turn, trust Janrain. Our clients know that protecting their reputation by protecting their customer data is core to Janrain’s business.
When it comes to security, trust alone is not enough — trust, but verify is a much better concept. We know we run a robust security program but how do we prove that to our clients? Having all our controls verified by independent third parties means that our clients don’t just have to take our word for it. Before Janrain expanded its compliance program past ISO 27001, large enterprise clients used to travel to Janrain to perform onsite audits. While these audits were a great way to showcase that Janrain has its security act together and while they were also a means to strengthen client relationships, having multiple consecutive audits week after week naturally affected operations. This is why Janrain spends the money and effort to obtain and maintain an expanding list of compliance attestations and certifications that we renew regularly via an external audit program.
There has also been a lot of focus recently in the press on the importance of vendor management (such as in this article). The security community has also recognized that it is vital to choose a vendor with a strong security program. In response, under SSAE 18, which took effect May 1, 2017, service organizations that issue SOC 1 and SOC 2 reports must now operate a formal third-party vendor management program, including monitoring of their own subservice organizations. Many of Janrain's clients have robust vendor management programs in place and they appreciate being able to leverage our certifications and compliance attestations; it greatly simplifies things when their own audit time comes around.
This year, Janrain added two new certifications to our compliance portfolio: Cloud Security Alliance (CSA) Level 2 and ISO 27018:2014 (PII Cloud Protection).
As the name suggests, the Janrain Identity Cloud® operates completely in the cloud. Janrain was a pioneer in designing the Janrain Identity Cloud® from the ground up to run in a cloud environment, which is quite different from just transferring an existing on-premises application to a remote server. Because Janrain is architected for the cloud, we can almost instantaneously benefit from the R&D efforts of Amazon Web Services (AWS). When AWS products are extended or enhanced, our clients benefit immediately since our architecture is in sync. For example, when AWS rolled out cross-region read replicas, our clients immediately had the opportunity to take advantage of an expanded global business continuity program. Our "for the cloud" design and architecture allows Janrain (and by extension Janrain's clients) to leverage the full potential of modern cloud environments, particularly with respect to high availability, redundancy, reliability and performance. On top of all that, the cloud model offers striking advantages in cost and economies of scale, so Janrain can offer an identity cloud solution that would be cost prohibitive for companies to develop for themselves. With all these advantages of cloud computing, we were looking for a way to demonstrate to our clients that we are proactive in keeping the Janrain Identity Cloud secure, which made it imperative that Janrain obtain the two certifications created specifically for the cloud: CSA STAR Level 2 Certification and ISO 27018.
Companies today demand assurances that their cloud operations are safe and CISOs of organizations who have not made the leap into the cloud want to be confident that the same controls they have in place on-prem are going to be in place in the cloud.
The Cloud Security Alliance (CSA) is a not-for-profit organization formed to promote the use of best practices for providing security assurance within cloud computing. The CSA is continually gaining in importance as more of the world moves away from on-premises solutions and into the cloud, since it is the industry forerunner in cloud security standards.
There are currently only two levels of CSA STAR certification, even though the chart below makes it look like there are three.
Level 1 is simply a self-assessment that companies do themselves without involving an independent auditor. In my opinion, Level 1 CSA Self-Assessment just doesn’t mean much. Anybody can fill out a self-assessment questionnaire, import what is really just their marketing material into the CSA website, and then claim to “have CSA”. It was clear to me that, in order to provide something meaningful to our clients, Janrain had to obtain Level 2 CSA certification, which meant spending the effort and money to get certified by having an accredited, independent third party do an in-depth audit of all the CSA controls. Our intention was for Janrain’s clients to have real confidence that Janrain had done everything possible to operate securely in the cloud.
We decided to work with compliance experts A-LIGN on getting Level 2 CSA certified. We wanted to get the most stringent cloud-based certification possible, and CSA's Level 3 Continuous Monitoring Certification is still in development and hence does not exist at this time.
The CSA STAR Overview outlines three different ways to obtain third-party-assessment-based Level 2 certification.
We chose to get Level 2 CSA certified via a CSA STAR Attestation based on SOC because we were about to embark on a SOC audit. So, 5 days before our auditor was due on-site, we updated the statement of work with A-LIGN so that we could be audited for CSA Level 2 simultaneously. We knew that our prospects and clients would want CSA STAR Attestation since it provides for rigorous, independent third-party assessments of cloud providers. We just didn't realize quite how rigorous.
A-LIGN allotted an extra week to audit the CSA controls. However, it took four weeks longer than my wildest estimate. I was impressed with the thoroughness with which the A-LIGN auditor examined every detail of the Janrain Identity Cloud. The Janrain audit cycle for ISO 27001:2013, ISO 27018:2014, HIPAA, HITECH, CSA and SOC 2 (Security, Availability, and Confidentiality) crescendoed to 12-18 hour days, 7 days a week for 7 weeks straight, and then tapered off, with additional proof still being provided through July.
I was aware that the CSA controls were exceptionally detailed. But, since Janrain already has a broad base of globally recognized certifications and attestations, I was surprised how many did not overlap with our other compliance controls. Our security and risk management programs were already thoroughly audited, since Janrain has been ISO 27001:2013 certified since 2014. Hence, we were more than prepared for the third-party risk management controls for SOC 2 Type 2 that came into effect this May. We were ready to provide proof of how securely Janrain handles customer data, and also had proof for up-time, integrity, durability and high availability since, in addition to the Security common criteria, Janrain is regularly audited against the Availability and Confidentiality SOC 2 Type 2 Trust Services Principles. We were ready to demonstrate Janrain's secure data storage and data transmission capabilities for HIPAA and HITECH Security Rule compliance, since Janrain's clients appreciate that all data stored at Janrain is treated with the same consideration as if it were protected health information (PHI).
However, when the proof requests for CSA started rolling in from A-LIGN, it was evident that there were very detailed CSA controls that were very pertinent to the Customer Identity and Access Management (CIAM) space and which were unique to the CSA certification. One example was providing evidence that applications and application programming interfaces (APIs) are designed, developed, deployed, and tested in accordance with industry standards. The CSA certification necessitated us educating our auditor on the inner workings of how the Janrain Identity Cloud authenticates identity. I was impressed with the qualifications of our auditor, and the thoroughness of the audit reflected his expertise. While I might not have appreciated the robustness of the audit when, at 2am, I was organizing proof that Janrain's API calls were scoped to only allow access to specific data fields, I am now proud to be able to tell our clients that Janrain has obtained the highest level of CSA STAR Certification possible, and know that the certification is backed by such an in-depth audit.
Thankfully, the work required to demonstrate that Janrain performs all the additional ISO 27018:2014 controls for PII protections in the cloud was very swift. The reason for this was that so many of the ISO 27018 controls directly linked to many GDPR requirements and data subject rights and we had just done a thorough analysis to prove that Janrain as an organization is GDPR-ready. The Janrain Identity Cloud can either be used as a full data-processing GDPR solution or to enable GDPR compliance.
Obtaining ISO 27018:2014 certification reflected the importance that Janrain places on securing PII in the cloud. ISO 27018 is not a stand-alone certification but rather an "add-on" to ISO 27001: its controls are audited as an extension of the ISO 27001 information security management system, so the certificate is issued against that same scope. Some organizations choose, for marketing reasons, to obtain a separate, non-accredited certificate, but I thought that our discerning clients would prefer Janrain's ISO 27018 certification to be accredited by ANAB.
ISO 27018:2014 and CSA STAR Level 2 are the two certifications created specifically to give companies a thorough, independent assessment of the security measures of cloud-based solutions like the Janrain Identity Cloud®. They keep us vendors honest by providing independent validation that we do what we say we are doing to keep our clients' data safe. Trust, but verify.