Shared responsibility security and operational model

Adobe Commerce on cloud infrastructure is a platform-as-a-service (PaaS) offering that relies on a shared responsibility security and operational model. These responsibilities are shared among Adobe, the merchant, the cloud service provider, and the content delivery network (CDN) provider. Each party bears distinct responsibility for securing and operating the Adobe Commerce application and the merchant-specific code and extensions deployed on cloud infrastructure.

This shared model enables merchants to design and implement a highly flexible, customizable, and scalable solution to meet their business requirements while minimizing operational responsibilities and costs.

In general, Adobe is responsible for the following:

  • Developing and maintaining secure core application code
  • Maintaining the security of the platform
  • Ensuring that the platform is SOC 2 and PCI compliant and compatible with PCI-compliant technology components (for example, PHP, Redis)
  • Responding to security issues concerning the core platform
  • Working with cloud service providers and CDN partners to resolve any issues that occur

Merchants are responsible for the following:

  • Maintaining security for custom code and integrations with third-party applications
  • Ensuring secure application development
  • Obtaining PCI certification if requested by the merchant’s payment processor
  • Reacting and responding to security incidents

Adobe responsibilities

Adobe is responsible for the security and availability of the Adobe Commerce on cloud infrastructure environment and the core solution code. In addition, Adobe is responsible for the necessary activities and mechanisms that maintain the security of the Adobe Commerce on cloud infrastructure solution, including:

  • Applying server-level security and patches for applications supported by Adobe Commerce on cloud infrastructure, such as cloud data storage and search capabilities
  • Conducting penetration testing and scanning of the core Adobe Commerce on cloud infrastructure code
  • Conducting semi-annual reviews and audits of public cloud service providers’ identity and access management (IAM) solutions and permissions management (PCI compliance requirement)
  • Conducting semi-annual reviews and audits of authorized users, including Adobe employees and contractors (PCI compliance requirement)
  • Conducting annual testing and documentation of backup and restore functionality
  • Configuring server and perimeter firewalls
  • Connecting and configuring the Adobe Commerce on cloud infrastructure repository
  • Defining, testing, implementing, and documenting disaster recovery (DR) plans for the areas within Adobe’s scope of responsibility
  • Defining global platform web application firewall (WAF) rules
  • Hardening the operating system (OS)
  • Implementing and maintaining the integration of content delivery network (CDN) and application performance management (APM) solutions with Adobe Commerce on cloud infrastructure
  • Issuing periodic security and other updates for the core Adobe Commerce on cloud infrastructure code (applying patches is the merchant’s responsibility)
  • Managing merchant support and support access controls (for example, Zendesk)
  • Monitoring, logging, and remediating security incidents concerning the Adobe Commerce on cloud infrastructure platform infrastructure
  • Monitoring platform operations and providing 24/7 support for Adobe Commerce on cloud infrastructure merchants
  • Provisioning the production and staging environments
  • Assessing potential security threats to platform operations and infrastructure
  • Scaling computing, storage, grid, and other resources, as described in the service-level agreement (SLA) with the merchant
  • Setting up DNS (Adobe Commerce on cloud infrastructure platform infrastructure only)
  • Testing the platform for security vulnerabilities

Adobe maintains PCI certification for the infrastructure and services used for the Adobe Commerce solution. Merchants are responsible for the compliance of custom code, system and network processes, and the organization.

Adobe also ensures the availability of the merchant’s infrastructure as agreed upon in the applicable SLA.

Merchant responsibilities

The merchant is responsible for following security best practices for their specific, customized instance of the Adobe Commerce on cloud infrastructure solution:

  • Adding the necessary Adobe Commerce on cloud infrastructure configuration files to the repository

  • Applying security and other patches to their custom Adobe Commerce on cloud infrastructure solution immediately following their release by Adobe

  • Applying security and other patches to all custom extensions and code, immediately following their release by the vendor

  • Creating, deploying, and testing custom Varnish VCL files

  • Designing, theming, installing, integrating, and securing the customized Adobe Commerce on cloud infrastructure solution, including all custom extensions and code

  • Granting and revoking user access to the merchant’s instance of the Adobe Commerce on cloud infrastructure configuration, application, and platform

  • Handling security issues related to the merchant’s internal network, servers, infrastructure, and any custom applications built on the Adobe Commerce on cloud infrastructure platform

  • Installing the Adobe Commerce on cloud infrastructure command-line interface (CLI) tool

  • Maintaining the required level of PCI compliance of the customized application and other internal processes, as defined by the PCI-DSS guidelines

    NOTE
    To minimize the areas that must be reviewed, PCI compliance for the merchant is built on the PCI certifications of Adobe Commerce and the cloud hosting provider.

  • Running PCI ASV scans and remediating issues in the core Adobe Commerce on cloud infrastructure code and platform

  • Monitoring all application activities that might reveal a potential security threat, including penetration testing, vulnerability scans, and logs

  • Monitoring and responding to security incidents, including forensics, remediation, and reporting related to the merchant’s Adobe Commerce on cloud infrastructure solution and user accounts

  • Obtaining a DNS provider and configuring and maintaining any merchant-specific DNS records

  • Running performance tests on the customized application

  • Securing access to the platform accounts, instance access, and application

  • Testing and QA of the custom application

  • Maintaining the security of any systems or networks the merchant connects to the Adobe Commerce on cloud infrastructure application

Cloud Service Provider responsibilities

Adobe relies on well-established cloud service providers to host the cloud server infrastructure for Adobe Commerce on cloud infrastructure. These providers are responsible for security of the network, including routing, switching, and perimeter network security via firewall systems and intrusion detection systems (IDS). Cloud service providers are also responsible for the physical security of data centers that host the Adobe Commerce on cloud infrastructure solution and the environmental security of data centers.

Cloud service providers are also responsible for:

  • Maintaining PCI DSS, SOC 2, and ISO 27001 certifications for their cloud services
  • Securing the hypervisor
  • Securing the data center, including both physical and network access

CDN provider responsibilities

The Adobe Commerce on cloud infrastructure solution uses CDN providers to speed page-load time, cache content, and instantly purge outdated content. These providers are also responsible for security issues directly related to or affecting their CDN, and for defining and maintaining CDN WAF rules.

Security responsibilities summary

The following summary table uses the RACI model to show the security responsibilities shared between Adobe, the merchant, and the cloud service provider:

R — Responsible
A — Accountable
C — Consulted
I — Informed

Task
Adobe
Merchant
Cloud service provider
CDN provider
Applying Adobe Commerce on cloud infrastructure patches
C
R
Applying patches to supporting services
(For example, Nginx or MySQL.)
R
I
Defining origin WAF rules
R
Defining CDN WAF rules
A
R
Deploying platform WAF rules
R
I
Deploying CDN WAF rules
A
I
R
Fixing core bugs in Adobe Commerce on cloud infrastructure code
R
I
Releasing Adobe Commerce on cloud infrastructure patches
R
I
Scaling (compute and storage)
R
I
Scaling (PaaS and grid)
R
Ensuring access to source code, including repo.magento.com
R
I
Installing Adobe Commerce on cloud infrastructure CLI tool
R
Adding Adobe Commerce on cloud infrastructure configuration files to repository
C
R
Creating a project for the merchant (onboarding UI)
R
I
Connecting repositories to Adobe Commerce on cloud infrastructure
R
I
Configuring the source repository¹
R
I
Creating a user for the release manager (onboarding UI)
R
Deploying code into production
R
Deploying code into staging
R
Integrating external applications and extensions
R
Installing extensions
R
Customizing Adobe Commerce on cloud infrastructure
R
Testing performance of customized Adobe Commerce on cloud infrastructure
R
Testing the customized application
R
Theming and design of custom application
R
Creating, deploying, and testing custom Varnish VCLs
C
R
Configuring DNS (platform infrastructure only)
R
C
Developing CDN extension and fixing bugs
A
C
R
Onboarding CDN
R
I
Supporting CDN²
R
I
C
Configuring New Relic APM and Infrastructure applications
R
Installing New Relic APM and Infrastructure applications
R
I
Supporting New Relic APM and Infrastructure applications
R
C
Configuring Nginx³
R
R
Obtaining a DNS provider (Pro only)
C
R
Hardening the OS
R
Provisioning the production and staging environments
R
I
Accessing Zendesk for Adobe Commerce on cloud infrastructure
R
C
Resolving merchant security issues
C
R
C
Resolving Adobe Commerce on cloud infrastructure security issues
R
Resolving CDN security issues
A
R
Resolving APM security issues
A
Assisting Adobe with security research (software)
R
C
Assisting Adobe with security research (scans/audits)
R
C
Performing PCI ASV scans
R
Remediating Adobe Commerce on cloud infrastructure PCI scans⁴
R
R
Remediating PaaS PCI scans
R
Managing OS and platform secrets
R
Managing Adobe Commerce on cloud infrastructure encryption keys
R
Scanning customized Adobe Commerce on cloud infrastructure instances
R
Monitoring security logs
R
Managing IAM and permissions for Adobe Commerce on cloud infrastructure
R
Managing support access controls (Teleport)
R
Controlling merchant support and access
R
I
Annual testing and documentation of Adobe DR plan and backup and restore
R
Annual testing and documentation of disaster recovery plan
R

¹ Only if the Adobe Commerce on cloud infrastructure repository is used as the main repository. Use of other external repositories is the sole responsibility of the merchant.

² Adobe provides Level 1 support for issues with CDN providers.

³ The merchant is responsible for any Nginx controls that they configure for their applications.

⁴ For PCI, penetration testing requirements are shared between Adobe and the merchant.

Operational responsibilities summary

The following summary tables clarify the operational responsibilities for Adobe and merchants when developing, deploying, maintaining, and securing Adobe Commerce on cloud infrastructure.

Coding and development

Core Adobe Commerce code

Adobe
Merchant
Publishing updates and patches to Adobe Commerce core
R
Availability and patching of the file system
R
Publishing updates and patches to ECE-Tools
R
Core Adobe Commerce Application Quality
R

Code repository

Adobe
Merchant
Availability of repo.magento.com
R
Availability of Adobe Commerce on Cloud Git server
R
Other merchant-selected Code repositories (GitHub, Bitbucket, hosted Git server)
R

Cloud Docker

Adobe
Merchant
Making Cloud Docker containers available for download
R
Deployment and setup of Cloud Docker (optional)
R
Any other local development setup
R

Commerce Cloud CLI

Adobe
Merchant
Ongoing quality and updating of ECE Tools
R
Installing the latest ECE Tools version
R

Customizations

Adobe
Merchant
Custom Adobe Commerce modules and code
R
Extensions
R
Custom Integrations
R

Deployments

Adobe
Merchant
Availability of infrastructure to build and deploy code
R
Ongoing quality of infrastructure build-and-deploy configuration pipeline
R
Configuration of build and static content deployment
R
Building and executing deployment governance process: criteria and change management
R
Deploying to Staging environment
R
Deploying to Production environment
R
Production rollbacks
R

Synchronizing environments

Merchants are responsible for synchronizing data between environments.

Patching

Adobe
Merchant
Installing updates and patches to ECE-Tools
R
Installing updates and patches to Adobe Commerce core
R

Website availability

Adobe
Merchant
Customized Adobe Commerce application and associated websites
R

Performance

Adobe
Merchant
Core Application tuning and optimization
R
Custom code tuning and optimization
R
Custom Adobe Commerce code
R
Load Testing
R
Performance testing
R

Logs and monitoring

Adobe
Merchant
Rotating Logs
R
Custom Adobe Commerce application
R
Availability of New Relic services:
APM application and agent integration, Infrastructure application,
Logging & integration
R
Setting up New Relic Alerts
R
Deploying New Relic agent on PaaS Servers
R

Debugging and issue isolation

Adobe
Merchant
Debugging and issue isolation
R
R
Timely support of debugging and issue isolation process
R

Application and service configuration

Commerce application

Adobe
Merchant
Application configuration
R
Adding domains to the Adobe Commerce application (Base URLs)
R
Configuring PaaS to use Services versions supported by the deployed Adobe Commerce version

For example, different Commerce versions are compatible with specific versions of PHP, Redis, and so on.
R

Task scheduling with cron jobs

Adobe
Merchant
Availability of default cron jobs
R
Ongoing quality of custom cron jobs
R

Message broker for message queue framework

Adobe
Merchant
Availability of RabbitMQ service
R
Configuration of default RabbitMQ settings
R
Ongoing quality and patching of RabbitMQ
R
Submit a service request to install a RabbitMQ version compatible with the installed Adobe Commerce version
R

PHP service

Adobe
Merchant
Availability of PHP
R
Configuration of default PHP settings
R
Configuration of custom PHP settings
R
Configuration of YAML file to align PHP versions compatible with installed Adobe Commerce version
R

Database services

Adobe
Merchant
Availability of Galera and MariaDB services
R
Ongoing maintenance of default database settings

(indexing and optimizing core tables, optimizing default sys-admin settings)
R
Ongoing maintenance of merchant data and modified settings

(configuring normalized vs flat tables, indexing and optimizing custom and third party tables, archiving or removing data, configuring system administration settings)
R
Configuration of Galera and MySQL
R
Ongoing quality and patching of Galera and MariaDB
R
Ongoing infrastructure optimization
R
Identifying and fixing slow queries
R
Submit a service request to install a MariaDB version compatible with the installed Adobe Commerce version
R
Setting and maintaining merchant-specific data retention policies (Adobe’s data retention policies are defined in the merchant agreement)
R

CDN service

Adobe
Merchant
Availability and Quality of CDN
R
Fastly service configuration (via Extension / API)
R
Fastly Extension Quality
R
Fastly Integration VCL Snippets (bundled with the Fastly Extension) Quality
R
Page Cache optimization
R
Adding domains to services, to CDN, and to infrastructure
R
Custom VCL Snippets
R
WAF & WAF Rules
R

Cache Service

Adobe
Merchant
Availability of Redis service
R
Configuration of default Redis settings
R
Ongoing quality and patching of Redis
R
Submit a service request to install a Redis version compatible with the installed Adobe Commerce version
R

Search service

Adobe
Merchant
Availability of ElasticSearch
R
Configuration of default ElasticSearch settings
R
Submit a service request to install an ElasticSearch version compatible with the installed Adobe Commerce version
R

Email service

Adobe
Merchant
Availability of SendGrid email service and its integration
R
Monitor merchant’s SendGrid usage against limits
R
Merchant is responsible for using the service only for outgoing transactional emails
The service does not support sending of marketing emails.
R
Configuring optional third-party email services
R

Third Party services

Adobe
Merchant
Availability and quality of third party services
R

Commerce Services extensions

Advanced Reporting service

Adobe
Merchant
Availability of the Advanced Reporting Service
R
Configuration of Advanced Reporting complies with Advanced Reporting Terms & Conditions
R

Commerce Intelligence

Adobe
Merchant
Availability of Adobe Commerce Business Intelligence services
R
MBI Data Synchronization processes
R
Detecting MBI synchronization issues
R
Configuring MBI Data Synchronization to Adobe Commerce Cloud Pro, Starter, On Premises, or non-Adobe Commerce
(API, Data quality and formatting, merchant network,
DB connections both inside and outside of Adobe Commerce Cloud DB, over data thresholds)
R
Configuring MBI Data Synchronization to Adobe Commerce Cloud Pro
(Adobe Commerce Cloud database configuration)
R

Product Recommendations

Adobe
Merchant
Availability of Product Recommendations service
R

Network services

Image Optimization

Adobe
Merchant
Availability and Quality of Image Optimization
R
Configuration of Image Optimization
R

SSL Certificates

Adobe
Merchant
SSL Dedicated Certificate - expiration
R
Provisioning SSL Certificates
R
Purchasing and Maintaining EV/Specific SSL cert (other than defaults provided) and provide to Adobe
R

Web Application Firewall (WAF)

Adobe
Merchant
Availability & Configuration of WAF
R
Addressing WAF Rule False Positives
R
Reporting WAF Rule False Positives
R
WAF Rule Tuning (NOT SUPPORTED)
WAF/CDN Logs
R

DDOS

Adobe
Merchant
Proactive IP Blocking
R
Bot Protection
R
DDOS detection - layer 3-4
R
DDOS detection - layer 7
R
DDOS response
R

Adobe
Merchant
Configuring and maintaining PrivateLink connections (if used) with an Adobe-owned VPC
R
Configuring and maintaining PrivateLink connections (if used) with a Merchant-owned VPC
R
Availability of SSH (Non-Private Link)
R
Configuration of PrivateLink Inbound to Adobe Commerce Cloud Service endpoint
R
Acceptance of PrivateLink Inbound to Adobe Commerce Cloud Service endpoint
R
Configuration of PrivateLink Inbound to Merchant’s VPC Service endpoint
R
Acceptance of PrivateLink Inbound to Merchant’s VPC Service endpoint
R
Configuration of PrivateLink integrations (endpoint to account)
R
Configuration of merchant-owned VPC for PrivateLink endpoint

(including any VPN connections)
R

System and infrastructure

App Server

Adobe
Merchant
Availability of Nginx
R
Configuration of Nginx
R
Ongoing quality and patching of Nginx
R

Operating system

Adobe
Merchant
Availability of Operating System
R
Ongoing quality and patching of Operating System
R

Backup, high availability, and failover

Adobe
Merchant
Availability of snapshot and backup process
R
Scheduling backups for Cloud Pro Staging and Production environments
R
Scheduling backups for Cloud Starter and Pro Integration environments
R
Availability of HA / Failover
R

Cloud Servers & Scaling

Adobe
Merchant
Availability of CPU resources, data center, disk space
R
Availability and execution of surge capacity or emergency upsizing
R
Requesting surge capacity
R
Monitoring vCPU usage against the limits
R