WHITE PAPER

Adobe® Commerce Pro: Cloud Security Overview

Table of Contents

Adobe Security ... 3
About Adobe Commerce Pro: Cloud ... 3
Adobe Commerce Pro: Cloud Key Functionality ... 3
Adobe Commerce Pro: Cloud Solution Architecture ... 5
Data encryption ... 6
Adobe Commerce Pro: Cloud Data Flow Narrative ... 7
Adobe Commerce Pro: Cloud User Authentication ... 8
Administrator Authentication ... 8
Other Adobe Commerce Pro: Cloud Administrator Security Options ... 8
Adobe Commerce Pro: Cloud Hosting and Security ... 9
Conclusion ... 9

Adobe Security

At Adobe, we know the security of your digital experience is important. Security practices are deeply ingrained into our internal software development, operations processes, and tools. These practices are strictly followed by our cross-functional teams to help prevent, detect, and respond to incidents in an expedient manner. We keep up to date with the latest threats and vulnerabilities through our collaborative work with partners, leading researchers, security research institutions, and other industry organizations. We regularly incorporate advanced security techniques into the products and services we offer.

This white paper describes the defense-in-depth approach and security procedures implemented by Adobe to secure Adobe Commerce Pro: Cloud and its associated data.

About Adobe Commerce Pro: Cloud

Adobe Commerce Pro: Cloud is a leading solution for digital commerce that supports B2C, B2B, and B2E use cases in a single platform and gives businesses of all sizes unmatched agility and scalability to go to market in highly differentiated ways. Adobe Commerce Pro: Cloud includes tools and features that enable companies to sell online and provide a personalized and unique shopping experience to customers across all devices and digital touchpoints. As part of Adobe Experience Cloud, Adobe Commerce Pro: Cloud is built on an extensible architecture and integrates with Adobe Sensei, our AI platform, to drive product recommendations and help create personalized shopping experiences through creative, content, and merchandising ingenuity that drives digital transformation.

Adobe Commerce Pro: Cloud Key Functionality

The Adobe Commerce Pro: Cloud solution includes the following ten (10) key functional services:

• Product Catalog — Contains the list of all products available for purchase online from the merchant.

• Search and Navigate — Allows potential customers to search for a specific product or products on the online store using keywords and then navigate to that product based on the search results.

• Merchandising — Enables the merchant to target a selection of products that are presented to the customer as related products, up-sells, and cross-sells, resulting in dynamic, targeted merchandising.

• Cart and Checkout — Allows the merchant to customize the look and feel of the customer’s shopping cart and automatically calculates the order total, along with discount coupons and estimated shipping and tax. Additional options for the checkout process include layout and placing constraints on checkout, such as allowing guest checkout and enforcing a terms and conditions agreement.

• Account Management — Gives merchants the ability to manage customer accounts, including analyzing and understanding purchase history to better discover trends and potential promotions based on customer attributes.

• Pricing — Enables merchants to price products using a number of pricing options that can be used for promotions or to meet the minimum advertised pricing requirements of the manufacturer. Changes to product pricing can be made on schedule or by price rule that is applied at the product level in the shopping cart.

• Offers and Promotions — Presents customers with special offers, promotions, and prices based on their specific attributes or assigned customer group.

• Customer Profile — Includes information about customer activity, such as when the customer last signed in or out of their account, addresses, order statistics, recent orders, shopping cart contents, product reviews, newsletter subscriptions, and more.

• Content Management and Page Builder — Gives merchants the ability to store, update, revise, and delete store and product content in the Adobe content management system (CMS) and push these changes to web pages in the online store.

• Order Management — Defines the order workflow and how to process orders, create invoices, and manage shipments.

Adobe Commerce Pro: Cloud also includes:

• Open GraphQL APIs that expose each of the core commerce services to a wide variety of end-customer applications; and

• REST APIs to allow asynchronous syndication and bulk import/export of data between Adobe Commerce Pro: Cloud and back-office systems of record, such as ERP, CRM, DAM, and pricing solutions.

Figure 1: Adobe Commerce Pro: Cloud Key Functionality (diagram: storefront headless APIs serving Web, Voice, Custom App, CMS, IoT, Social and In Store channels; back office APIs connecting ERP, CRM, DAM and Pricing systems; the Adobe Commerce Pro core with its ten key functional services: Product Catalog, Search & Navigate, Merchandising, Cart & Checkout, Account Management, Pricing, Offers & Promotions, Customer Profile, Content Management and Page Builder, Order Management)

Adobe Commerce Pro: Cloud Solution Architecture

Adobe relies on a content delivery network (CDN) to optimize content flow between users and the Adobe Commerce Pro: Cloud environment. All inbound user traffic is secured using HTTPS, either using a TLS certificate included with the Adobe Commerce Pro: Cloud solution (and hosted on the CDN) or the customer’s own TLS certificate. If the customer chooses the latter option, acquisition and management of this certificate to support HTTPS traffic is the customer’s responsibility.

Outbound communications from Adobe Commerce Pro: Cloud to the user are re-encrypted after they are processed by the CDN. The CDN service supports SHA-256 certificates signed by publicly trusted certificate authorities that have a minimum key size of 2048 bits for RSA. All pages are served using HTTPS, by default.

The following diagram depicts the Adobe Commerce Pro: Cloud solution architecture:

Figure 2: Adobe Commerce Pro: Cloud solution architecture (diagram: the consumer’s browser reaches Fastly (full page cache and DDoS protection), then an elastic load balancer spanning three availability zones in the production environment; each of Instance 1, 2 and 3 has a web layer (Nginx, PHP-FPM) and a cache layer (Redis), fronted by HAProxy and sharing a Gluster FS file system, Elasticsearch and a Galera database cluster (MariaDB); surrounding components are the payment gateway, deployment process, source control, logging and backup storage on the public cloud provider)

Data encryption

Adobe Commerce Pro: Cloud employs strong encryption as defined by PCI DSS 3.2.1 to encrypt documents and assets at rest with AES 256-bit encryption and uses HTTPS TLS v1.2 to protect data in transit.

Adobe Commerce Pro: Cloud Data Flow Narrative

When a user navigates to an online store powered by Adobe Commerce Pro: Cloud, the request is sent to a content delivery network (CDN). The CDN provided with Commerce Pro: Cloud includes a built-in web application firewall (WAF), which can be configured to scan and block malicious requests and/or traffic.[1] If the request is determined to be legitimate, the CDN forwards the request to the Adobe Commerce Pro: Cloud-powered website via HTTPS. In turn, the Adobe back end processes the request and serves the web page via HTTPS to the user.

If the user decides to purchase the product, they add it to their shopping cart and check out. In the checkout process, the user can enter their name, address, phone number, and select their preferred payment option. Adobe Commerce Pro: Cloud includes pre-built integrations for third-party online payment solutions and gateways, including PayPal, Braintree, Klarna, and more. Depending on which payment solution provider the user chooses, they are redirected to that provider’s site, where they can enter their payment information, including credit card number or bank routing information. Once the payment is confirmed, the user is redirected back to the Adobe Commerce Pro: Cloud-powered store and receives a confirmation of their order.

Figure 3: Adobe Commerce Pro: Cloud Data Flow (diagram: the browser exchanges regular HTML with the CDN (Fastly), which passes uncached/uncachable requests over HTTPS to the Adobe Commerce Pro instance; sensitive information (e.g. CC number) goes from the browser directly to the payment gateway (e.g. Braintree) and fraud detection (Signifyd), and only payment confirmation/update messages and non-sensitive payment records return to the instance; the instance uses Redis for cached config data, the database for customers, products, etc., Elasticsearch for searchable data (products, categories, etc.), optional media storage on the public cloud, and external tax rate, shipping and currency rate providers)

[1] Adobe Commerce Pro: Cloud customers may use their own CDN, in which case they are responsible for proper security configuration.

A NOTE ABOUT PCI-COMPLIANCE: Adobe Commerce Pro: Cloud is PCI-compliant and does not store credit card information or process payments within its solution. All payments are processed through third-party payment processors. The customer is responsible for verifying that any custom code or extensions to Adobe Commerce Pro: Cloud either do not process and/or store payment information or that those extensions are certified as PCI-compliant if they must handle PII data.

Adobe Commerce Pro: Cloud User Authentication

Adobe Commerce Pro: Cloud requires authentication with a username and password.

Administrator Authentication

Users access the Adobe Admin to manage the store, including products, orders, shipments, CMS content, design of the storefront, customer information, etc. Adobe users have an associated role with permissions that controls access to features, options, and capabilities.

Access to the Adobe Commerce Pro: Cloud Admin panel requires two-factor authentication (2FA) from all devices. The 2FA extension supports multiple authenticators, including Google Authenticator, Authy, Duo, and U2F keys. This applies to Adobe Admin users only; it is not available for storefront customer accounts. For more information about user authentication and configuring 2FA for Adobe Commerce Pro: Cloud, please see https://devdocs.Adobe.com/guides/v2.4/security/two-factor-authentication.html

Other Adobe Commerce Pro: Cloud Administrator Security Options

Adobe Commerce Pro: Cloud administrators have a range of additional security options that can be implemented for both admin users as well as storefront customers, including:

• Content Security Policies — Mitigate against Cross Site Scripting (XSS) and related attacks, including card skimmers, session hijacking, clickjacking, and more. For more information on Adobe CSPs and how to configure them, please see https://devdocs.Adobe.com/guides/v2.4/extension-dev-guide/security/content-security-policies.html

• Captcha & Google Recaptcha — Visual devices that ensure that a human being rather than a computer or “bot” is interacting with the site. For more information on these devices, please see https://docs.Adobe.com/user-guide/stores/security-captcha.html and https://docs.Adobe.com/user-guide/stores/security-google-recaptcha.html

• Adobe Security Scan Tool — Helps merchants identify potential threats and alerts the Adobe admin of the finding with an automated email notification. For more information on the free Adobe Security Scan tool, please see https://Adobe.com/blog/Adobe-news/secure-your-storefront-enhanced-Adobe-security-scan-tool

More detail about the above-listed and additional security options can be found at https://docs.Adobe.com/user-guide/stores/security.html

© May 2021 Adobe. All rights reserved.

Adobe and the Adobe logo are either registered trademarks or trademarks of Adobe in the United States and/or other countries.

Adobe Commerce Pro: Cloud Hosting and Security

Adobe Commerce Pro: Cloud is hosted in data centers around the world managed by trusted and certified Adobe cloud hosting partners. The specific data center region or location is determined by the customer and is defined in the Adobe sales agreement, which is signed by the customer at the time of purchase.

For more information on Amazon Web Services security, please see https://aws.amazon.com/security

For more information on Microsoft Azure security, please see https://azure.microsoft.com/en-us/services/security-center/

Conclusion

The proactive approach to security and stringent procedures described in this paper help protect the security of Adobe Commerce Pro: Cloud and your confidential data. At Adobe, we take the security of your digital experience very seriously and we continuously monitor the evolving threat landscape to try to stay ahead of malicious activities and help ensure the security of our customers’ data.

For more information on Adobe security, please visit www.adobe.com/security

Information in this document is subject to change without notice. For more information on Adobe solutions and controls, please contact your Adobe sales representative. Further details on the Adobe solution, including SLAs, change approval processes, access control procedures, and disaster recovery processes are available.