Adobe Commerce is a PaaS platform that relies on a shared responsibilities security model in which Adobe, the customer, and cloud service provider need to maintain the security of the Magento Commerce and customer-specific code and extensions. The Adobe Commerce client responsibilities approach enables customers to design and implement highly flexible solutions while minimizing operational responsibilities and costs. In general, Adobe is responsible for developing and maintaining secure core code, making the platform PCI compliant and updating components (e.g., PHP, Redis).
The customer, in turn, is responsible for maintaining a secure customized application (including the integration of any third-party applications to the customer’s website), ensuring secure application development, obtaining PCI certification if requested by the customer’s payment processor, and reacting and responding to security incidents.
This guide outlines the security responsibilities of each party involved in the MagentoCommerce ecosystem in both narrative and table format.
Adobe Security Responsibilities
Adobe is responsible for the security and availability of the Magento Commerce environment and the core Magento Commerce solution code. In addition, Adobe is responsible for the necessary activities that maintain the security of the Magento Commerce solution, including:
- Applying server-level security and patches for applications supported by Magento Commerce, such as MariaDB and Elastic
- Penetration testing and scanning of the core Magento Commerce code
- Semi-annual reviews/audits of AWS IAM and permissions management
- Semi-annual reviews/audits of OBUI/Teleport users (i.e., Adobe employees and contractors) against authorized user lists2
- Annual testing of and documenting backup and restore functionality
- Configuring server firewalls (i.e., IP tables) and perimeter firewalls (e.g., security groups)
- Connecting and setting up the repository for PaaS
- Defining, testing, implementing, and documenting disaster recovery plans for the areas within its scope of responsibility
- Defining global platform WAF rules
- Hardening the OS
- Implementing and maintaining the integration for New Relic APM and Infrastructure.
- Issuing periodic security and other code updates for the core Magento Commerce code
- Managing customer support and customer support access controls (e.g., Zen Desk)
- Monitoring, logging, and remediating security incidents with respect to the platform infrastructure
- Monitoring platform operations and providing 24/7 support for Magento Commerce customers
- Intitial integration of Fastly, New Relic, and other services
- Provisioning the production and staging environments
- Assessing potential security threats to platform operations and infrastructure
- Running PCI ASV scans and remediating issues in the core Magento Commerce code or platform
- Scaling computing, storage, PaaS, and grid resources, as described in the SLA
- Setting up DNS (platform infrastructure only — Not customer domains)
- Testing the platform for security vulnerabilities
Client Security Responsibilities
The customer is responsible for their specific, customized instance of Magento Commerce the solution, including:
- Adding PaaS configuration files to the repository
- Applying Magento Commerce security and other patchesto their custom Magento Commerce application, extensions, and any custom code immediately following the release
- Creating, deploying, and testing custom Varnish VCLs in Fastly
- Designing, theming, installing, integrating, and securing the customized Magento Commerce application, including all custom extensions and code
- Following security best practices
- Granting and revoking user access to the customer’s instance of the Magento Commerce configuration, application, platform
- Handling security issues related to the customer’s internal network, servers, infrastructure, and any custom applications built on the Magento Commerce platform
- Installing the Magento Commerce CLI tool
- Maintaining the required level of PCI compliance of the customized application and other internal processes, as defined by the PCI-DSS guidelines4
- Monitoring all application activities that might reveal a potential security threat, including penetration testing, vulnerability scans, and logs
- Monitoring and responding to security incidents, including forensics, remediation, and reporting related to the Magento application or customer’s user accounts
- Obtaining a DNS provider as well as configuring and maintaining any customer-specific
- DNS records
- Running performance tests on the customized application
- Securing access to the platform accounts, instance access, and application
- Testing and QA of the custom application
- Maintaing the security of any systems or networks they connect to the environments
Client Responsibilities Spreadsheet
This chart is presented using the RACI model:
R — Responsible
A — Accountable
C —Consulted
I — Informed
Conclusion
The shared responsibility security model of Magento Commerce depends on each party involved in the ecosystem — Adobe, the customer, the cloud service provider, and the content replication provider — to understand their responsibilities and ensure an ongoing commitment to them.
When adhered to properly and consistently, the model delivers nearly unlimited flexibility and customizability for the customer, minimizes their operational responsibilities and costs, and gives them peace of mind that their customized Magento Commerce application is secure.
Reference: Magento Shared Responsibility Guide
