Enhancing the Centrify Cloud Service via SOC 2, TRUSTe and Pods

As Centrify offers more of its solutions as an on-demand service, it is critical that customers can trust and count on the Centrify Cloud Service as a critical component of their corporate identity and access infrastructure. Centrify has an extensive track record and experience in developing and delivering solutions that are in the critical path of operations in the largest data centers in the world. We have invested a considerable amount of time and resources extending this same trust level to the Centrify Cloud Service so that customers can rest assured that they are receiving a verified, secure, highly available and trustworthy service. In this blog post I want to discuss some of the recent investments we have made to this end.

As a reminder, the Centrify Cloud Service platform delivers secure, enterprise-class mobility with integrated application Single Sign-on (SSO) to improve security and increase workforce productivity in the enterprise. The two major services currently available via the Centrify Cloud Service are Centrify for Mobile and Centrify for SaaS. An architectural diagram of the Centrify Cloud Service is below, and you can visit this page to get an overview of each of the components.

Active Directory-based Security Infrastructure

So what have we been doing lately to make the Centrify Cloud Service more secure, reliable and scalable?

SOC 2 Type II Compliance

The first item I want to highlight is that Centrify has been extensively audited by independent third parties for adherence to international security, privacy and availability standards. The gold standard audit that many cloud service providers look to get is SOC 2 Type II Compliance, and we announced at the end of March 2013 that we passed this audit.

The SOC 2 report on controls at service organizations uses stringent criteria established by the American Institute of Certified Public Accountants (AICPA). These internationally recognized standards replace the SAS 70 report for outsourced services, addressing technological advances and risks, including cloud services. This comprehensive and independent examination thoroughly investigates and reviews expected practices, verifies these practices are in place, and ensures Centrify meets the high standards set by the AICPA to protect customer and third-party data.

So what does this really mean vis-à-vis the Centrify Cloud Service? Companies that outsource services to an external third-party organization extend their attack surface to include this third party, adding to an already large scope for data protection. Questions that naturally get raised include “How does this third party stand against information security standards?” and “How is this third party using your data and ensuring its security?” To address those concerns, SSAE 16 SOC 2 Type II defines multiple criteria based on industry standard best practices, which compliant companies must adhere to by defining controls that meet each criterion. A company that is compliant against Type II has been audited by an independent third-party auditor who verifies the controls. Centrify’s zero exception compliance report provides this peace of mind.

TRUSTe and Safe Harbor

The second thing we have done to strengthen our Cloud Service came as part of our SOC 2 announcement: we also announced that Centrify has been awarded the TRUSTe privacy Trustmark and is Safe Harbor compliant.

Centrify is committed to privacy and transparency. The Centrify Privacy Policy can be viewed here. The TRUSTe mission, as an independent third party, is to accelerate online trust among consumers and organizations globally. Through the process of achieving TRUSTe compliance, our Privacy Policy is scrutinized to ensure it is accurate with respect to our offered services, and our services are scanned for potential privacy threats, ensuring that you are receiving the expected level of privacy for your users. For more information please visit http://www.truste.com/products-and-services/enterprise-privacy/TRUSTed-websites .

Centrify and the Centrify Cloud Service also comply with the U.S. – E.U. Safe Harbor framework and the U.S. – Swiss Safe Harbor framework as set forth by the U.S. Department of Commerce regarding collection, use and retention of personal data from European Union member countries and Switzerland. You can learn more about the Safe Harbor program and view our certification by visiting http://www.export.gov/safeharbor/.


The final item I want to bring up is that we now have the Centrify Cloud Service running in multiple regional data centers. The Centrify Cloud Service is now operating in Europe and Asia-Pacific in addition to our Americas cloud service. There are several benefits to this new capability:

  • Customers can select a Region for our Cloud Service that is closer to their organization to improve response time, reducing any potential for Internet latency.

  • Customer data (which is held securely by the Cloud Service) will be located within the continent where the customer is located, e.g. European customers will be able to use the Centrify Cloud Service in Europe in order to meet EU privacy requirements, as their protected data will only be held in data centers located in Europe. [Additionally, we are starting work to localize the interfaces to our Cloud Service for both the web User Portal and Cloud Manager as well as the MyCentrify mobile interfaces. I will show you some examples of that in future blog posts.]

  • The Centrify Cloud Service is now built on a “podding” architecture which enables Centrify to rapidly scale out the service as required to meet growing demand for the service and ensure compliance with SLAs and end user response time expectations.

So in summary, you can see we are heavily investing in the availability, reliability, scalability, security and privacy of our Cloud Service to ensure that you can depend on Centrify as a trusted partner and provider.