I recently wrapped up a very busy first year at OneLogin and I am very excited to kick off my second year in a new role; Chief Information Security Officer. This role is a natural progression of my previous role as Director, Risk & Compliance, but with an added emphasis on making sure our Identity Management product strategy aligns with our customers’ information risk management strategy, bolster our security controls both within our service and our internal environment, and working with our customers and prospective users to ensure we are succeeding on these fronts.
It was a very busy year for the company as a whole; 2014 was a transformative year for OneLogin. Our innovative approach to enterprise identity management resonated with customers. We more than doubled in size, our customer and user base increased significantly, and we made a lot of progress strengthening our security posture including:
- Issued a SOC 2 Type 2 based on the 2014 version of the Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy
- Achieve ISO 27001:2013 certification
- Deployed additional security tools including automated source code scanning, intrusion detection systems, and additional access controls to production systems
Hit the ground running
We are kicking off 2015 by completing another initiative we began last year; the issuance of our first SOC 1 Type 2 report. As we continued to expand our customer base, several of our customers needed us to provide a SOC 1 Type 2 report to help them meet their own compliance requirements. Therefore, we committed to issuing a SOC 1 in tandem with our SOC 2 report, and we now have both reports available for customers covering June 1, 2014 to December 31, 2014. Customers can receive copies of these reports by opening up a support ticket or reaching out to their Customer Success Manager.
Another frequent topic in 2014 was our compliance with HIPAA (Health Insurance Portability and Accountability Act) and GLBA (Gramm–Leach–Bliley Act). Since OneLogin does not store electronic protected health information, also known as ePHI, or consumer financial information, we are not subject to compliance with the security requirements of these acts.
However, as we continue to add features and enhancements, there is the possibility that both HIPAA and GLBA might become relevant to our service. We successfully performed a complete mapping of the security requirements for both of these acts to existing OneLogin controls, thereby helping to ensure we are prepared to meet these requirements when needed. These mappings will be included in our SOC 2 report going forward.
More to come
We have several other initiatives targeted for 2015. Hundreds of businesses, including publicly trading companies, trust OneLogin to manage access to their web applications in the cloud and behind their firewall. We work continuously to sustain that trust and I will be busy once again this year advancing an agenda that supports my new role and objectives. More to come next blog!