
Shared responsibility security and operational model

Adobe Commerce on cloud infrastructure is a platform-as-a-service (PaaS) offering that relies on a shared responsibility security and operational model. These responsibilities are shared between Adobe, the merchant, the cloud service provider, and the content delivery network (CDN) provider. Each party bears distinct responsibility for securing and operating the Adobe Commerce application and the merchant-specific code and extensions deployed on cloud infrastructure.

This shared model enables merchants to design and implement a highly flexible, customizable, and scalable solution to meet their business requirements while minimizing operational responsibilities and costs.

In general, Adobe is responsible for the following:

  • Developing and maintaining secure core application code
  • Maintaining the security of the platform
  • Ensuring that the platform is SOC 2 and PCI compliant and compatible with PCI-compliant technology components (for example, PHP, Redis)
  • Responding to security issues concerning the core platform
  • Working with cloud service providers and CDN partners to resolve any issues that occur

Merchants are responsible for the following:

  • Maintaining security for custom code and integrations with third-party applications
  • Ensuring secure application development
  • Obtaining PCI certification if requested by the merchant’s payment processor
  • Reacting and responding to security incidents

Adobe responsibilities

Adobe is responsible for the security and availability of the Adobe Commerce on cloud infrastructure environment and the core solution code. In addition, Adobe is responsible for the necessary activities and mechanisms that maintain the security of the Adobe Commerce on cloud infrastructure solution, including:

  • Applying server-level security and patches for applications supported by Adobe Commerce on cloud infrastructure, such as cloud data storage and search capabilities
  • Conducting penetration testing and scanning of the core Adobe Commerce on cloud infrastructure code
  • Conducting semi-annual reviews and audits of public cloud service providers’ identity and access management (IAM) solutions and permissions management (PCI compliance requirement)
  • Conducting semi-annual reviews and audits of authorized users, including Adobe employees and contractors (PCI compliance requirement)
  • Conducting annual testing and documentation of backup and restore functionality
  • Configuring server and perimeter firewalls
  • Connecting and configuring the Adobe Commerce on cloud infrastructure repository
  • Defining, testing, implementing, and documenting disaster recovery (DR) plans for the areas within Adobe’s scope of responsibility
  • Defining global platform web application firewall (WAF) rules
  • Hardening the operating system (OS)
  • Implementing and maintaining the integration of content distribution network (CDN) and application performance management (APM) solutions with Adobe Commerce on cloud infrastructure
  • Issuing periodic security and other updates for the core Adobe Commerce on cloud infrastructure code (applying patches is the merchant’s responsibility)
  • Managing merchant support and support access controls (for example, Zendesk)
  • Monitoring, logging, and remediating security incidents concerning the Adobe Commerce on cloud infrastructure platform infrastructure
  • Monitoring platform operations and providing 24/7 support for Adobe Commerce on cloud infrastructure merchants
  • Provisioning the production and staging environments
  • Assessing potential security threats to platform operations and infrastructure
  • Scaling computing, storage, grid, and other resources, as described in the service-level agreement (SLA) with the merchant
  • Setting up DNS (Adobe Commerce on cloud infrastructure platform infrastructure only)
  • Testing the platform for security vulnerabilities

Adobe maintains PCI certification for the infrastructure and services used for the Adobe Commerce solution. Merchants are responsible for the compliance of custom code, system and network processes, and the organization.

Adobe also ensures the availability of the merchant’s infrastructure as agreed upon in the applicable SLA.

Merchant responsibilities

The merchant is responsible for following security best practices for their specific, customized instance of the Adobe Commerce on cloud infrastructure solution:

  • Adding the necessary Adobe Commerce on cloud infrastructure configuration files to the repository
  • Applying security and other patches to their custom Adobe Commerce on cloud infrastructure solution immediately following their release by Adobe
  • Applying security and other patches to all custom extensions and code immediately following their release by the vendor
  • Creating, deploying, and testing custom Varnish VCL files
  • Designing, theming, installing, integrating, and securing the customized Adobe Commerce on cloud infrastructure solution, including all custom extensions and code
  • Granting and revoking user access to the merchant’s instance of the Adobe Commerce on cloud infrastructure configuration, application, and platform
  • Handling security issues related to the merchant’s internal network, servers, infrastructure, and any custom applications built on the Adobe Commerce on cloud infrastructure platform
  • Installing the Adobe Commerce on cloud infrastructure command-line interface (CLI) tool
  • Maintaining the required level of PCI compliance of the customized application and other internal processes, as defined by the PCI DSS guidelines
    NOTE: To minimize the areas that must be reviewed, PCI compliance for the merchant is built on the PCI certifications of Adobe Commerce and the cloud hosting provider.
  • Running PCI ASV scans and remediating issues in the core Adobe Commerce on cloud infrastructure code and platform
  • Monitoring all application activities that might reveal a potential security threat, including penetration testing, vulnerability scans, and logs
  • Monitoring and responding to security incidents, including forensics, remediation, and reporting related to the merchant’s Adobe Commerce on cloud infrastructure solution and user accounts
  • Obtaining a DNS provider and configuring and maintaining any merchant-specific DNS records
  • Running performance tests on the customized application
  • Securing access to the platform accounts, instance access, and application
  • Testing and QA of the custom application
  • Maintaining the security of any systems or networks the merchant connects to the Adobe Commerce on cloud infrastructure application

Cloud Service Provider responsibilities

Adobe relies on well-established cloud service providers to host the cloud server infrastructure for Adobe Commerce on cloud infrastructure. These providers are responsible for security of the network, including routing, switching, and perimeter network security via firewall systems and intrusion detection systems (IDS). Cloud service providers are also responsible for the physical security of the data centers that host the Adobe Commerce on cloud infrastructure solution and for the environmental security of those data centers.

Cloud service providers are also responsible for:

  • Maintaining PCI DSS, SOC 2, and ISO 27001 certifications for their cloud services
  • Securing the hypervisor
  • Securing the data center, including both physical and network access

CDN provider responsibilities

The Adobe Commerce on cloud infrastructure solution uses CDN providers to speed page-load time, cache content, and instantly purge outdated content. These providers are also responsible for security issues directly related to or affecting their CDN, and for defining and maintaining CDN WAF rules.

Security responsibilities summary


The following summary table uses the RACI model to show the security responsibilities shared between Adobe, the merchant, the cloud service provider, and the CDN provider:

R — Responsible
A — Accountable
C — Consulted
I — Informed

Entries in the Assignment column are listed in column order (Adobe, Merchant, Cloud service provider, CDN provider); empty cells are not shown.

| Task | Assignment |
|---|---|
| Applying Adobe Commerce on cloud infrastructure patches | C, R |
| Applying patches to supporting services (for example, Nginx or MySQL) | R, I |
| Defining origin WAF rules | R |
| Defining CDN WAF rules | A, R |
| Deploying platform WAF rules | R, I |
| Deploying CDN WAF rules | A, I, R |
| Fixing core bugs in Adobe Commerce on cloud infrastructure code | R, I |
| Releasing Adobe Commerce on cloud infrastructure patches | R, I |
| Scaling (compute and storage) | R, I |
| Scaling (PaaS and grid) | R |
| Ensuring access to source code, including repo.magento.com | R, I |
| Installing Adobe Commerce on cloud infrastructure CLI tool | R |
| Adding Adobe Commerce on cloud infrastructure configuration files to repository | C, R |
| Creating a project for the merchant (onboarding UI) | R, I |
| Connecting repositories to Adobe Commerce on cloud infrastructure | R, I |
| Configuring the source repository [1] | R, I |
| Creating a user for the release manager (onboarding UI) | R |
| Deploying code into production | R |
| Deploying code into staging | R |
| Integrating external applications and extensions | R |
| Installing extensions | R |
| Customizing Adobe Commerce on cloud infrastructure | R |
| Testing performance of customized Adobe Commerce on cloud infrastructure | R |
| Testing the customized application | R |
| Theming and design of custom application | R |
| Creating, deploying, and testing custom Varnish VCLs | C, R |
| Configuring DNS (platform infrastructure only) | R, C |
| Developing CDN extension and fixing bugs | A, C, R |
| Onboarding CDN | R, I |
| Supporting CDN [2] | R, I, C |
| Configuring New Relic APM and Infrastructure applications | R |
| Installing New Relic APM and Infrastructure applications | R, I |
| Supporting New Relic APM and Infrastructure applications | R, C |
| Configuring Nginx [3] | R, R |
| Obtaining a DNS provider (Pro only) | C, R |
| Hardening the OS | R |
| Provisioning the production and staging environments | R, I |
| Accessing Zendesk for Adobe Commerce on cloud infrastructure | R, C |
| Resolving merchant security issues | C, R, C |
| Resolving Adobe Commerce on cloud infrastructure security issues | R |
| Resolving CDN security issues | A, R |
| Resolving APM security issues | A |
| Assisting Adobe with security research (software) | R, C |
| Assisting Adobe with security research (scans/audits) | R, C |
| Performing PCI ASV scans | R |
| Remediating Adobe Commerce on cloud infrastructure PCI scans [4] | R, R |
| Remediating PaaS PCI scans | R |
| Managing OS and platform secrets | R |
| Managing Adobe Commerce on cloud infrastructure encryption keys | R |
| Scanning customized Adobe Commerce on cloud infrastructure instances | R |
| Monitoring security logs | R |
| Managing IAM and permissions for Adobe Commerce on cloud infrastructure | R |
| Managing support access controls (Teleport) | R |
| Controlling merchant support and access | R, I |
| Annual testing and documentation of Adobe DR plan and backup and restore | R |
| Annual testing and documentation of disaster recovery plan | R |

[1] Only if the Adobe Commerce on cloud infrastructure repository is used as the main repository. Use of other external repositories is the sole responsibility of the merchant.

[2] Adobe provides Level 1 support for issues with CDN providers.

[3] The merchant is responsible for any Nginx controls that they configure for their applications.

[4] For PCI, penetration testing requirements are shared between Adobe and the merchant.

Operational responsibilities summary

The following summary tables clarify the operational responsibilities of Adobe and merchants when developing, deploying, maintaining, and securing Adobe Commerce on cloud infrastructure. In each table, entries are listed in column order (Adobe, then Merchant); empty cells are not shown.

Coding and development

Core Adobe Commerce code

| Task | Adobe / Merchant |
|---|---|
| Publishing updates and patches to Adobe Commerce core | R |
| Availability and patching of the file system | R |
| Publishing updates and patches to ECE-Tools | R |
| Core Adobe Commerce application quality | R |

Code repository

| Task | Adobe / Merchant |
|---|---|
| Availability of repo.magento.com | R |
| Availability of Adobe Commerce on Cloud Git server | R |
| Other merchant-selected code repositories (GitHub, Bitbucket, hosted Git server) | R |

Cloud Docker

| Task | Adobe / Merchant |
|---|---|
| Making Cloud Docker containers available for download | R |
| Deployment and setup of Cloud Docker (optional) | R |
| Any other local development setup | R |

Commerce Cloud CLI

| Task | Adobe / Merchant |
|---|---|
| Ongoing quality and updating of ECE Tools | R |
| Installing the latest ECE Tools version | R |

Customizations

| Task | Adobe / Merchant |
|---|---|
| Custom Adobe Commerce modules and code | R |
| Extensions | R |
| Custom integrations | R |

Deployments

| Task | Adobe / Merchant |
|---|---|
| Availability of infrastructure to build and deploy code | R |
| Ongoing quality of infrastructure build-and-deploy configuration pipeline | R |
| Configuration of build and static content deployment | R |
| Building and executing deployment governance process: criteria and change management | R |
| Deploying to Staging environment | R |
| Deploying to Production environment | R |
| Production rollbacks | R |
Synchronizing environments

Merchants are responsible for synchronizing data between environments.

Patching

| Task | Adobe / Merchant |
|---|---|
| Installing updates and patches to ECE-Tools | R |
| Installing updates and patches to Adobe Commerce core | R |

Website availability

| Task | Adobe / Merchant |
|---|---|
| Customized Adobe Commerce application and associated websites | R |

Performance

| Task | Adobe / Merchant |
|---|---|
| Core application tuning and optimization | R |
| Custom code tuning and optimization | R |
| Custom Adobe Commerce code | R |
| Load testing | R |
| Performance testing | R |

Logs and monitoring

| Task | Adobe / Merchant |
|---|---|
| Rotating logs | R |
| Custom Adobe Commerce application | R |
| Availability of New Relic services: APM application and agent integration, Infrastructure application, Logging and integration | R |
| Setting up New Relic Alerts | R |
| Deploying New Relic agent on PaaS servers | R |

Debugging and issue isolation

| Task | Adobe / Merchant |
|---|---|
| Debugging and issue isolation | R, R |
| Timely support of debugging and issue isolation process | R |
Application and service configuration

Commerce application

| Task | Adobe / Merchant |
|---|---|
| Application configuration | R |
| Adding domains to the Adobe Commerce application (Base URLs) | R |
| Configuring PaaS to use service versions supported by the deployed Adobe Commerce version (for example, different Commerce versions are compatible with specific versions of PHP, Redis, and so on) | R |

Task scheduling with cron jobs

| Task | Adobe / Merchant |
|---|---|
| Availability of default cron jobs | R |
| Ongoing quality of custom cron jobs | R |

Message broker for message queue framework

| Task | Adobe / Merchant |
|---|---|
| Availability of RabbitMQ service | R |
| Configuration of default RabbitMQ settings | R |
| Ongoing quality and patching of RabbitMQ | R |
| Submitting a service request to install a RabbitMQ version compatible with the installed Adobe Commerce version | R |

PHP service

| Task | Adobe / Merchant |
|---|---|
| Availability of PHP | R |
| Configuration of default PHP settings | R |
| Configuration of custom PHP settings | R |
| Configuration of YAML file to align PHP versions compatible with the installed Adobe Commerce version | R |

Database services

| Task | Adobe / Merchant |
|---|---|
| Availability of Galera and MariaDB services | R |
| Ongoing maintenance of default database settings (indexing and optimizing core tables, optimizing default sys-admin settings) | R |
| Ongoing maintenance of merchant data and modified settings (configuring normalized vs. flat tables, indexing and optimizing custom and third-party tables, archiving or removing data, configuring system administration settings) | R |
| Configuration of Galera and MySQL | R |
| Ongoing quality and patching of Galera and MariaDB | R |
| Ongoing infrastructure optimization | R |
| Identifying and fixing slow queries | R |
| Submitting a service request to install a MariaDB version compatible with the installed Adobe Commerce version | R |
| Setting and maintaining merchant-specific data retention policies (Adobe’s data retention policies are defined in the merchant agreement) | R |
CDN service

| Task | Adobe / Merchant |
|---|---|
| Availability and quality of CDN | R |
| Fastly service configuration (via extension / API) | R |
| Fastly extension quality | R |
| Fastly integration VCL snippets (bundled with the Fastly extension) quality | R |
| Page cache optimization | R |
| Adding domains to services, to CDN, and to infrastructure | R |
| Custom VCL snippets | R |
| WAF and WAF rules | R |

Cache service

| Task | Adobe / Merchant |
|---|---|
| Availability of Redis service | R |
| Configuration of default Redis settings | R |
| Ongoing quality and patching of Redis | R |
| Submitting a service request to install a Redis version compatible with the installed Adobe Commerce version | R |

Search service

| Task | Adobe / Merchant |
|---|---|
| Availability of ElasticSearch | R |
| Configuration of default ElasticSearch settings | R |
| Submitting a service request to install an ElasticSearch version compatible with the installed Adobe Commerce version | R |

Email service

| Task | Adobe / Merchant |
|---|---|
| Availability of SendGrid email service and its integration | R |
| Monitoring the merchant’s SendGrid usage against limits | R |
| Using the service only for outgoing transactional emails (the service does not support sending marketing emails) | R |
| Configuring optional third-party email services | R |

Third-party services

| Task | Adobe / Merchant |
|---|---|
| Availability and quality of third-party services | R |
Commerce Services extensions

Advanced Reporting service

| Task | Adobe / Merchant |
|---|---|
| Availability of the Advanced Reporting service | R |
| Configuration of Advanced Reporting complies with Advanced Reporting Terms & Conditions | R |

Commerce Intelligence

| Task | Adobe / Merchant |
|---|---|
| Availability of Adobe Commerce Business Intelligence services | R |
| MBI data synchronization processes | R |
| Detecting MBI synchronization issues | R |
| Configuring MBI data synchronization to Adobe Commerce Cloud Pro, Starter, On Premises, or non-Adobe Commerce (API, data quality and formatting, merchant network, DB connections both inside and outside of the Adobe Commerce Cloud DB, over data thresholds) | R |
| Configuring MBI data synchronization to Adobe Commerce Cloud Pro (Adobe Commerce Cloud database configuration) | R |

Product Recommendations

| Task | Adobe / Merchant |
|---|---|
| Availability of Product Recommendations service | R |
Network services

Image Optimization

| Task | Adobe / Merchant |
|---|---|
| Availability and quality of Image Optimization | R |
| Configuration of Image Optimization | R |

SSL Certificates

| Task | Adobe / Merchant |
|---|---|
| SSL dedicated certificate: expiration | R |
| Provisioning SSL certificates | R |
| Purchasing and maintaining an EV or other specific SSL certificate (other than the defaults provided) and providing it to Adobe | R |

Web Application Firewall (WAF)

| Task | Adobe / Merchant |
|---|---|
| Availability and configuration of WAF | R |
| Addressing WAF rule false positives | R |
| Reporting WAF rule false positives | R |
| WAF rule tuning (NOT SUPPORTED) | |
| WAF/CDN logs | R |

DDOS

| Task | Adobe / Merchant |
|---|---|
| Proactive IP blocking | R |
| Bot protection | R |
| DDOS detection, layer 3-4 | R |
| DDOS detection, layer 7 | R |
| DDOS response | R |

| Task | Adobe / Merchant |
|---|---|
| Configuring and maintaining PrivateLink connections (if used) with an Adobe-owned VPC | R |
| Configuring and maintaining PrivateLink connections (if used) with a merchant-owned VPC | R |
| Availability of SSH (non-PrivateLink) | R |
| Configuration of PrivateLink inbound to Adobe Commerce Cloud service endpoint | R |
| Acceptance of PrivateLink inbound to Adobe Commerce Cloud service endpoint | R |
| Configuration of PrivateLink inbound to merchant’s VPC service endpoint | R |
| Acceptance of PrivateLink inbound to merchant’s VPC service endpoint | R |
| Configuration of PrivateLink integrations (endpoint to account) | R |
| Configuration of merchant-owned VPC for PrivateLink endpoint (including any VPN connections) | R |
System and infrastructure

App server

| Task | Adobe / Merchant |
|---|---|
| Availability of Nginx | R |
| Configuration of Nginx | R |
| Ongoing quality and patching of Nginx | R |

Operating system

| Task | Adobe / Merchant |
|---|---|
| Availability of operating system | R |
| Ongoing quality and patching of operating system | R |

Backup, high availability, and failover

| Task | Adobe / Merchant |
|---|---|
| Availability of snapshot and backup process | R |
| Scheduling backups for Cloud Pro Staging and Production environments | R |
| Scheduling backups for Cloud Starter and Pro Integration environments | R |
| Availability of HA / failover | R |

Cloud servers and scaling

| Task | Adobe / Merchant |
|---|---|
| Availability of CPU resources, data center, disk space | R |
| Availability and execution of surge capacity or emergency upsizing | R |
| Requesting surge capacity | R |
| Monitoring vCPU usage against the limits | R |