Security in the Adobe Experience Cloud
18 Mar 2018 » MSA
I am sure we have all been concerned about security in the last decade or more. However, since 2013, after the revelations of Edward Snowden, we have begun to be really worried about it. It comes to no surprise that Adobe tools need to be secure too. In the end, you are pouring your marketing data there. I am not a security expert, so always get independent advice. However, in this post I will give an introduction to some security considerations concerning the Adobe stack.
Let me start by illustrating the evolution of security in the last 20 years. Back in the 90’s, when I was in university, the following situation happened to me. I was studying telecommunications engineering, so the professors should be tech-savvy. There was a website where you could buy something (I do not remember what) and it was HTTP only. One professor said that it was no big deal if the website did not have HTTPS, as nobody would want to read the unencrypted data flow. Can you imagine this conversation today? Another example: a couple of weeks ago I was with a bank and they told me they are 24/7 being attacked, trying to find a weakness.
I once heard that the minimum level of security should be paranoid. Initially, I more or less understood it, but did not take it too seriously. Now I completely agree with this statement and could not agree more.
Data in SaaS tools
In the SaaS (software as a service) category we have Adobe Analytics, Adobe Target, Adobe Audience Manager and Adobe Advertising Cloud. These tools are completely hosted and managed by Adobe. This means that you, as an Adobe customer, do not need to worry about the security of them. Adobe has a dedicated team to guarantee the security of them. Besides, as SaaS tools, the code is always up-to-date. If you want to have the details about the security, ask your Customer Success Manager about the security controls in place and the audits.
However, most of these tools allow to import or export data. This is where you are in charge of keeping the data safe to avoid data theft.
- Each tool and each service within each tool supports different protocols to send and receive data. There is no consistency, so always choose the most secure option in each case.
- Some tools still allow to use FTP. Never, ever, use it. If you are providing the FTP server, look for secure alternatives, like SFTP or Amazon S3.
- All Adobe FTP servers also support SFTP, which you should use instead.
- In the particular case of AAM, you can encrypt the inbound data with PGP. Remember that PGP also compresses the data, so do not compress it again.
- Do not send any Personal Identifiable Information (PII) or Directly Identifiable Information (DII) to these tools. This should already be in your contract anyway.
- Do not keep the data in the intermediate storage server. As soon as you have consumed it, delete it.
If you have opted for Adobe Campaign Standard or Adobe Campaign Classic with managed services, all the points of the previous section apply. The only exception is the type of data: PII or DII is more than welcome here. In fact, without it, you will probably not be able to use them. On the flip side of the coin, this means you must be even more concerned about security, as the data you are dealing with is more sensitive. Therefore, only use secure protocols when exchanging data.
However, if you are hosting Adobe Campaign Classic (on-premise or hybrid options), all the security controls will be your responsibility, including the data. On the one hand, since the servers are in your premises, the data never leaves your security perimeter. This is definitely a plus. On the other hand, the architecture becomes your responsibility. Adobe Campaign Classic requires multiple servers: some need to be exposed to the Internet to receive incoming connections, some others need to access the open Internet and, finally, others can be buried deep behind firewalls. And just to make matters more complex, these servers must be able to connect between them.
In summary, do not attempt to install Adobe Campaign Classic without the support of an expert and a carefully designed architecture. Because of these complexities, we are seeing more clients migrating from on-premise/hybrid to managed services.
Adobe Experience Manager
This is probably the most complex tool when it comes to security. By definition, the publish instance is open to the world, which means a greater attack surface is available. That does not mean that the author instance should not be protected, though. I will not cover any more details about AEM security, as it will require its own book. Get a good AEM architect to work with your security experts to secure the tool. Do not just rely on security tips you may find in the Internet.
User Access Security
We tend to put our focus mainly on the data or server security. As a consequence, this part of the chain tends to be very well protected and difficult to attack. In fact, less and less brute-force attacks are successful. On the other hand, the user access control does not usually receive the same level of attention, which is a big mistake. Many of the successful attacks we see today are through phishing, which targets the weakest link in the chain: the users.
Here you have some tips on how to increase the security regarding user management:
- Revoke access to users who do need access any more to the Adobe Experience Cloud. This is especially important in the case of people who leave the company.
- Use Single-Sign On if you have a SAML2 solution in place. If you do not have it yet, it might be a good idea to start a project to implement it across the whole company.
- If you do not have Single-Sign On, go for the “Enterprise ID” option and set the most strict password requirements.
- Create user groups with different permissions. Your requirements will determine these groups.
- Assign users to the most restrictive user group, which still allows them to do their job.
- Do not assign users to tools they do not need.
Are there any other security element you would suggest?