The Magento Commerce Cloud architecture is designed to provide a highly secure environment. Each customer is responsible for deployment into their own isolated server environment, separated from other customers. The security-relevant elements of the production environment are described below.
The bulk of the traffic going in and out of the cloud environment comes from the consumer’s browser. Consumer traffic can be better secured by using HTTPS for all pages on the website (using either a shared SSL certificate or, for an additional fee, the customer’s own SSL certificate). Checkout and account pages are always served over HTTPS. The recommended best practice is to serve all pages over HTTPS.
Content Delivery Network (CDN) & DDoS Protection – Fastly
Fastly provides CDN and DDoS protection. The Fastly CDN helps to isolate direct access to the origin servers: public DNS points only to the Fastly network. The Fastly DDoS solution protects against highly disruptive Layer 3 and Layer 4 attacks, as well as more complex Layer 7 attacks. Layer 7 attacks can be blocked using custom rules based on the entire HTTP/HTTPS request, including client and request criteria such as headers, cookies, request path, and client IP, or indicators such as geolocation.
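As an added illustration (not Fastly VCL and not Magento code), the following Python sketch evaluates the kind of Layer 7 blocking rules described above, keyed on client IP, geolocation, request path, headers and cookies, with first-match-wins semantics. The geolocation table, the CIDRs, the country code "XX", the scanner User-Agent pattern and the back-office path /admin are constructed sample values and assumptions, not details from this page.

```python
import ipaddress, re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

GEO_TABLE = {"203.0.113.0/24": "XX", "198.51.100.0/24": "US"}  # constructed stand-in for the CDN's geo lookup

def geo_country(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    return next((cc for net, cc in GEO_TABLE.items() if addr in ipaddress.ip_network(net)), None)

@dataclass
class Request:
    client_ip: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    def cookies(self) -> Dict[str, str]:  # 'a=1; b=2' -> {'a': '1', 'b': '2'}
        pairs = (p.strip().partition("=") for p in self.headers.get("Cookie", "").split(";"))
        return {name: value for name, _, value in pairs if name}

@dataclass
class Rule:  # every criterion that is set must match (AND); unset criteria are ignored
    name: str
    action: str                                              # "block" or "allow"
    client_cidrs: List[str] = field(default_factory=list)    # client IP in any listed network
    countries: List[str] = field(default_factory=list)       # geolocated to any listed country
    path_prefix: Optional[str] = None
    header_regex: Dict[str, str] = field(default_factory=dict)  # header name -> pattern
    cookie_regex: Dict[str, str] = field(default_factory=dict)  # cookie name -> pattern
    def matches(self, req: Request) -> bool:
        cookies = req.cookies()
        return (
            (not self.client_cidrs or any(ipaddress.ip_address(req.client_ip) in ipaddress.ip_network(n)
                                          for n in self.client_cidrs))
            and (not self.countries or geo_country(req.client_ip) in self.countries)
            and (self.path_prefix is None or req.path.startswith(self.path_prefix))
            and all(re.search(p, req.headers.get(h, "")) for h, p in self.header_regex.items())
            and all(re.search(p, cookies.get(c, "")) for c, p in self.cookie_regex.items())
        )

# Constructed rule set (sample CIDRs, country code "XX", assumed /admin path); first match wins.
RULES = [
    Rule("geo-block", "block", countries=["XX"]),
    Rule("scanner-ua", "block", header_regex={"User-Agent": r"(?i)examplescanner"}),
    Rule("cookie-charset", "block", cookie_regex={"store": r"[^A-Za-z0-9_]"}),
    Rule("admin-from-office", "allow", path_prefix="/admin", client_cidrs=["198.51.100.0/24"]),
    Rule("admin-default-deny", "block", path_prefix="/admin"),
]

def evaluate(req: Request) -> Tuple[str, str]:  # (action, rule name); no match allows by default
    hit = next((r for r in RULES if r.matches(req)), None)
    return (hit.action, hit.name) if hit else ("allow", "default")
```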
Web Application Firewall (WAF)
The Fastly Web Application Firewall (WAF) is used to provide additional protection. Fastly’s cloud-based WAF uses third-party rules from commercial and open-source sources, including the OWASP Core Rule Set. In addition, Magento-specific rules are employed. Customers are better protected from key application-layer attacks, including known injection attacks and malicious inputs, cross-site scripting, data exfiltration, HTTP protocol violations, and other OWASP Top 10 threats. Magento updates the WAF rules when new vulnerabilities are detected, allowing Magento to “virtually patch” security issues in advance of software patches.
The Fastly WAF does not provide rate limiting or bot detection, nor does it provide complete malware protection. If desired, customers can license a third-party bot detection service that is compatible with Fastly. Blocking (protection) mode of the Fastly WAF is expected to be enabled during the second half of 2018 and early 2019.
Virtual Private Cloud
The Magento Commerce Cloud Pro production environment is configured as a virtual private cloud (VPC) so that all three production servers are isolated and have limited ability to connect into and out of the cloud environment. Only secure connections to the cloud servers are allowed. Secure protocols such as SFTP or rsync can be used for file transfers. Customers can use SSH tunnels to secure communications with the application. Access to the AWS VPN Service can be provided for an additional fee. All connections to these servers are controlled using AWS Security Groups, a virtual firewall that limits connections to the environment. Customers’ technical staff may access these servers using SSH.
Magento conducts regular penetration tests of the Magento Commerce Cloud system using the out-of-the-box application. Customers are responsible for any penetration testing of their customized application.
Magento Commerce requires payment gateway integrations in which credit card data is passed directly from the consumer’s browser to the payment gateway. Card data is never available in the production environment. Actions on transactions by the eCommerce application are completed using a reference to the transaction from the gateway.
Magento regularly tests the core application code for security vulnerabilities. Patches for defects and security issues are provided to customers. The Magento Product Security Team validates Magento products following OWASP application security guidelines. Several security vulnerability assessment tools and external vendors are used to test and verify compliance. The full code base is scanned with these tools on a periodic basis.
Customers are notified of security patches via direct emails, notifications in the application, and the Magento Security Center (https://magento.com/security). Customers must ensure that these patches are applied to their customized application within 30 days of release, according to the PCI guidelines.
Magento also provides a Security Scan Tool that enables merchants to regularly monitor their sites and receive updates about known security risks, malware, and unauthorized access. Security Scan is a free service and can be run on any version of Magento Commerce.
To encourage security researchers to identify and report vulnerabilities, Magento runs a bug bounty program in addition to its internal testing. Further, customers are provided with the full source code of the application for their own review, if desired.
Amazon Elastic Block Store (EBS) is used for storage. All EBS volumes are encrypted using the AES-256 algorithm, so data is encrypted at rest. The system also encrypts data in transit between the CDN and the origin, and between the origin servers. Customer passwords are stored as hashes. Sensitive credentials, including those for the payment gateway, are encrypted using the SHA-256 algorithm. The Magento application does not support column- or row-level encryption, or encryption of data that is neither at rest nor in transit between servers.
Read-Only File System
The only way to get executable code into the Magento Commerce production environment is through the provisioning process: source code is pushed from the customer’s source repository into a remote repository, which initiates a deployment. Access to that deployment target is controlled, so the customer has complete control over who can access it. All deployments of application code to the production environment are controlled by the customer.
All AWS activities are logged in AWS CloudTrail. Linux, Application Server, and Database logs are all stored on the production servers and in backups. All source code changes are recorded in a Git repository. Deployment history is available in the Magento Commerce Cloud user interface. All support access is logged and support sessions are recorded.
Backups are created every six hours (four times per day) using the AWS EBS Snapshot service. This creates an independent backup on redundant storage. Because the EBS volumes are encrypted, the backups are also encrypted.