By Lisa Nicholson | Posted on May 01, 2018
During the last several years managing the security program at Janrain, I have seen society’s expectations of how an individual’s data should be handled change drastically from apathy to outrage. In conjunction, I have seen the importance of information security be internalized by senior management in the wake of well-publicized and damaging breaches where C-levels have seen their peers pilloried and careers ruined. Target, Yahoo, Equifax … the names are household words for all the wrong reasons and the list continues to grow. Protecting identities has become a core business concern, and is no longer a secondary consideration.
How companies view and value customer identity data
As consumer identity and access management (CIAM) has increased in importance, CISOs have joined marketing VPs and line of business owners as frequent sponsors of Janrain projects. Our clients recognize that their customers expect them to be ethical stewards of their data. At Janrain, we approach digital identities with the utmost care and regard for privacy and security. Since our inception, Janrain clients have entrusted us with one of their most valued assets, their customers’ data. Our systems, our processes, and our practices have been engineered to honor their trust.
Consumers are increasingly aware of how much data has been gathered on them and of how data has been stitched together from a wide variety of sources to create an online image of them. Europeans have taken the initiative to improve data transparency by passing the General Data Protection Regulation (GDPR). GDPR recognizes that personal information about an individual belongs to that individual and that businesses using that data need to have the consent of that individual or face the prospect of regulatory action, including potentially significant fines. Canada protects its citizens’ privacy via its PIPEDA regulation. Even though U.S. citizens have not yet clamored for a similar law, the Facebook/Cambridge Analytica issue currently unfolding in the press demonstrates that consumers around the globe, including Americans, expect companies to protect their data and be transparent about what they collect. Consumers hold companies responsible for handling their data in an ethical manner, not just for holding to the letter of the law — especially if that law is lax.
Policies alone are insufficient - why we undergo rigorous audits
It was a timely coincidence that an independent auditor was onsite at Janrain performing the CIAM industry’s first SOC 2 Type 2 Privacy audit and SOC 2 Type 2 Processing Integrity audit at the exact same time that Facebook was being asked about Cambridge Analytica’s use of Facebook customers’ data. Right now, there’s a lot of attention being paid to digital privacy — our online identities, who has access to them, and who knows what. That’s a good thing. It pushes companies that manage consumer data to step up, be transparent and be accountable when it comes to customer privacy and data security. Protecting identities is Janrain’s business, and hence consumer data security and privacy are priorities for Janrain. Our clients trust us to manage and store more than 1.5 billion digital identities around the globe.
Not only was Janrain the pioneer in the CIAM space, Janrain is now the security leader in CIAM. One way this is demonstrated is by the sheer number of compliance attestations and certifications Janrain holds in comparison to its competitors:
There are currently no approved compliance certification criteria for the EU General Data Protection Regulation. To help demonstrate to our clients that Janrain adheres to the privacy principles and practices at the heart of this important European privacy regulation, however, Janrain obtained ISO 27018 (PII protections in the cloud) certification last year and SOC 2 Type 2 Privacy Trust Principle compliance this year.
For several years, Janrain has retained qualified third parties to audit its technical and organizational data protection measures against standards that encompass data protection and privacy controls consistent with GDPR requirements, including, but not limited to those for cybersecurity, data breach notification, personal data access control, data minimization, consent and notice, and cross-border data transfers.
TRUSTe audits Janrain's practices against TRUSTe's privacy standards. A-lign audits Janrain's privacy practices against the following standards relevant to the GDPR: ISO 27001:2013, ISO 27018 (including personal data protections in the cloud) and SOC 2 Type 2 (all five Trust Principles: Security, Availability, Confidentiality, Processing Integrity, and Privacy).
How our audits benefit our clients
By obtaining the SOC 2 compliance for Processing Integrity this year, Janrain went above and beyond to demonstrate that what goes on under the hood at Janrain is exactly what we have told our clients we do. The auditor verified configuration specifications, data locations, input validation, API transactions, transaction processing, data integrity, encryption settings and much more.
The auditor also investigated deletion of data, both our own data and the way in which our clients delete their end users’ data. Our clients’ customers can rest assured that Janrain’s external auditor verified that when a Janrain client deletes their customer data, it is truly deleted. The independent auditor checked that only a record noting a numerical identifier remains, to provide confirmation that the data deletion truly occurred on a specific date. The auditor also verified that when Janrain deletes a client database, it is truly deleted.
Pursuing compliance and adhering to all five SOC 2 Trust Service Principles is an extension of our commitment to our clients and their customers. As recent events have demonstrated, it is insufficient to merely have policies and procedures around data privacy and data security. By using independent, third-party auditors, Janrain demonstrates a strict adherence to our policies and procedures, which auditors have deemed more than sufficient to meet the criteria for Janrain’s industry-leading compliance and certifications. Janrain goes the extra mile to ensure not just the security of customer data, but also data confidentiality, integrity, availability and privacy.
Not only do we share all our audit reports, as well as our vulnerability and penetration testing reports, with our clients, but we also allow our clients to request that the independent audit firm perform a personalized, under-the-hood audit of how Janrain handles their specific applications and data, with a personalized report created just for them. I am not aware of anyone else in the industry that provides this.
Transparency is the cornerstone of data stewardship and Janrain’s transparency is why Janrain clients trust Janrain with their most valued asset, their customers’ data.