
Raising the bar (again) on identity security and privacy

By Lisa Nicholson | Posted on May 01, 2018

Janrain customer identity security audits

During the last several years managing the security program at Janrain, I have seen society’s expectations of how an individual’s data should be handled change drastically from apathy to outrage. In conjunction, I have seen the importance of information security be internalized by senior management in the wake of well-publicized and damaging breaches where C-levels have seen their peers pilloried and careers ruined. Target, Yahoo, Equifax … the names are household words for all the wrong reasons and the list continues to grow. Protecting identities has become a core business concern, and is no longer a secondary consideration.

How companies view and value customer identity data

As consumer identity and access management (CIAM) has increased in importance, CISOs have joined marketing VPs and line of business owners as frequent sponsors of Janrain projects. Our clients recognize that their customers expect them to be ethical stewards of their data. At Janrain, we approach digital identities with the utmost care and regard for privacy and security. Since our inception, Janrain clients have entrusted us with one of their most valued assets, their customers’ data. Our systems, our processes, and our practices have been engineered to honor their trust.

Consumers are increasingly aware of how much data has been gathered on them and of how data has been stitched together from a wide variety of sources to create an online image of them. Europeans have taken the initiative to improve data transparency in passing the General Data Protection Regulation (GDPR). GDPR recognizes that personal information about an individual belongs to that individual and that businesses using that data need to have the consent of that individual or face the prospect of regulatory action, including potentially significant fines. Canada protects its citizens’ privacy via their PIPEDA regulation. Even though U.S. citizens have not yet clamored for a similar law, the Facebook/Cambridge Analytica issue currently unfolding in the press demonstrates that consumers around the globe, including Americans, expect that companies should protect their data and be transparent about what they collect. Consumers hold companies responsible to handle their data in an ethical manner, not just hold to the letter of the law — especially if that law is lax.

Policies alone are insufficient - why we undergo rigorous audits

It was a timely coincidence that an independent auditor was onsite at Janrain performing the CIAM industry’s first SOC 2 Type 2 Privacy audit and SOC 2 Type 2 Processing Integrity audit at the exact same time that Facebook was being asked about Cambridge Analytica’s use of Facebook customers’ data. Right now, there’s a lot of attention being paid to digital privacy — our online identities, who has access to them, and who knows what. That’s a good thing. It pushes companies that manage consumer data to step up, be transparent and be accountable when it comes to customer privacy and data security. Protecting identities is Janrain’s business; hence, consumer data security and privacy are priorities for Janrain.

Not only was Janrain the pioneer in the CIAM space, Janrain is now the security leader in CIAM. One way this is demonstrated is by the sheer number of compliance attestations and certifications Janrain holds in comparison to its competitors:

  • HIPAA — Proves that Janrain protects every piece of client data, including social data, in storage as if it were a person’s medical data being stored.
  • HITECH — Proves that Janrain protects every piece of client data, including social data, in transmission as if it were a person’s medical data being transmitted.
  • Cloud Security Alliance (CSA) Certification — Janrain is the only CSA-certified CIAM vendor, adhering to the controls that cloud businesses collectively decided are necessary requirements to operate securely, responsibly and ethically in cloud environments.
  • ISO 27001:2013 — Proves that Janrain has effective security and risk management programs.
  • ISO 27018:2014 — Proves that Janrain protects people’s data in the cloud.
  • All 5 SOC 2 Type 2 Trust Principles — SOC 2 defines 5 “Trust Principles.” Most tech companies — including those who claim to be “SOC 2 Compliant” — are only evaluated on the Security Trust Principle. We hold ourselves to a higher standard in being compliant with the Security, Availability, Confidentiality, Processing Integrity and Privacy Trust Principles.

There are currently no approved compliance certification criteria for the EU General Data Protection Regulation. To help demonstrate to our clients that Janrain adheres to the privacy principles and practices at the heart of this important European privacy regulation, however, Janrain obtained ISO 27018 (PII protections in the cloud) last year and SOC 2 Type 2 Privacy Trust Principle compliance this year.

For several years, Janrain has retained qualified third parties to audit its technical and organizational data protection measures against standards that encompass data protection and privacy controls consistent with GDPR requirements, including, but not limited to those for cybersecurity, data breach notification, personal data access control, data minimization, consent and notice, and cross-border data transfers.

TRUSTe audits Janrain's practices against TRUSTe's privacy standards. A-lign audits Janrain's privacy practices against the following standards relevant to the GDPR: ISO 27001:2013, ISO 27018 (including personal data protections in the cloud) and SOC 2 Type 2 (all five Trust Principles - Security, Availability, Confidentiality, Processing Integrity, and Privacy).

How our audits benefit our clients

By obtaining SOC 2 compliance for Processing Integrity this year, Janrain went above and beyond to demonstrate that what goes on under the hood at Janrain is exactly what we have told our clients we do. The auditor verified configuration specifications, data locations, input validation, API transactions, transaction processing, data integrity, encryption settings and much more.

The auditor also investigated deletion of data - both our own deletions and the way in which our clients delete their end-user data. Our clients’ customers can rest assured that Janrain’s external auditor verified that when a Janrain client deletes their customer data, it is truly deleted. The independent auditor checked that only a record noting a numerical identifier remains, providing confirmation that the data deletion truly occurred on a specific date. The auditor also verified that when Janrain deletes a client database, it is truly deleted.

Pursuing compliance and adhering to all 5 SOC 2 Trust Service Principles is an extension of our commitment to our clients and their customers. As recent events have demonstrated, it is insufficient to merely have policies and procedures around data privacy and data security. By using independent, third-party auditors, Janrain demonstrates a strict adherence to our policies and procedures, which auditors have deemed more than sufficient to meet the criteria for Janrain’s industry-leading compliance and certifications. Janrain goes the extra mile to ensure not just the security of customer data, but also data confidentiality, integrity, availability and privacy.

Not only do we share all our audit reports, as well as our vulnerability and penetration testing reports, with our clients, but we also allow our clients to request that the independent audit firm perform a personalized, under-the-hood audit of how Janrain handles their specific applications and data, with a personalized report created just for them. I am not aware of anyone else in the industry that provides this.

Transparency is the cornerstone of data stewardship and Janrain’s transparency is why Janrain clients trust Janrain with their most valued asset, their customers’ data.

About the author

Lisa Nicholson

Director of Information Security

Lisa Nicholson is Janrain's Director of Information Security, responsible for cybersecurity as well as governance, risk, and compliance (GRC). She joined the leading Customer Identity and Access Management company in 2014, leveraging her database, network, quality assurance, testing, project management and security experience to return to the information security fold. Most recently, she worked as a QA manager, SQL developer and SQL DBA for various Portland, OR startups.