Adobe responsibilities

Adobe is responsible for the security and availability of the Adobe Commerce on cloud infrastructure environment and the core solution code. In addition, Adobe is responsible for the necessary activities and mechanisms that maintain the security of the Adobe Commerce on cloud infrastructure solution, including:

  • Applying server-level security and patches for applications supported by Adobe Commerce on cloud infrastructure, such as cloud data storage and search capabilities
  • Conducting penetration testing and scanning of the core Adobe Commerce on cloud infrastructure code
  • Conducting semi-annual reviews and audits of public cloud service providers’ identity and access management (IAM) solutions and permissions management (PCI compliance requirement)
  • Conducting semi-annual reviews and audits of authorized users, including Adobe employees and contractors (PCI compliance requirement)
  • Conducting annual testing and documentation of backup and restore functionality
  • Configuring server and perimeter firewalls
  • Connecting and configuring the Adobe Commerce on cloud infrastructure repository
  • Defining, testing, implementing, and documenting disaster recovery (DR) plans for the areas within Adobe’s scope of responsibility
  • Defining global platform web application firewall (WAF) rules
  • Hardening the operating system (OS)
  • Implementing and maintaining the integration of content distribution network (CDN) and application performance management (APM) solutions with Adobe Commerce on cloud infrastructure
  • Issuing periodic security and other updates for the core Adobe Commerce on cloud infrastructure code (applying patches is the merchant’s responsibility)
  • Managing merchant support and support access controls (for example, Zendesk)
  • Monitoring, logging, and remediating security incidents concerning the Adobe Commerce on cloud infrastructure platform infrastructure
  • Monitoring platform operations and providing 24/7 support for Adobe Commerce on cloud infrastructure merchants
  • Provisioning the production and staging environments
  • Assessing potential security threats to platform operations and infrastructure
  • Scaling computing, storage, grid, and other resources, as described in the service-level agreement (SLA) with the merchant
  • Setting up DNS (Adobe Commerce on cloud infrastructure platform infrastructure only)
  • Testing the platform for security vulnerabilities

Adobe maintains PCI certification for the infrastructure and services used for the Adobe Commerce solution. Merchants are responsible for the compliance of custom code, system and network processes, and the organization.

Adobe also ensures the availability of the merchant’s infrastructure as agreed upon in the applicable SLA.

Merchant responsibilities

The merchant is responsible for following security best practices for their specific, customized instance of the Adobe Commerce on cloud infrastructure solution:

  • Adding the necessary Adobe Commerce on cloud infrastructure configuration files to the repository

  • Applying security and other patches to their custom Adobe Commerce on cloud infrastructure solution immediately following their release by Adobe

  • Applying security and other patches to all custom extensions and code, immediately following their release by the vendor

  • Creating, deploying, and testing custom Varnish VCL files

  • Designing, theming, installing, integrating, and securing the customized Adobe Commerce on cloud infrastructure solution, including all custom extensions and code

  • Granting and revoking user access to the merchant’s instance of the Adobe Commerce on cloud infrastructure configuration, application, and platform

  • Handling security issues related to the merchant’s internal network, servers, infrastructure, and any custom applications built on the Adobe Commerce on cloud infrastructure platform

  • Installing the Adobe Commerce on cloud infrastructure command-line interface (CLI) tool

  • Maintaining the required level of PCI compliance of the customized application and other internal processes, as defined by the PCI-DSS guidelines

    NOTE
    To minimize the areas that must be reviewed, PCI compliance for the merchant is built on the PCI certifications of Adobe Commerce and the cloud hosting provider.

  • Running PCI ASV scans and remediating issues in the core Adobe Commerce on cloud infrastructure code and platform

  • Monitoring all application activities that might reveal a potential security threat, including penetration testing, vulnerability scans, and logs

  • Monitoring and responding to security incidents, including forensics, remediation, and reporting related to the merchant’s Adobe Commerce on cloud infrastructure solution and user accounts

  • Obtaining a DNS provider and configuring and maintaining any merchant-specific DNS records

  • Running performance tests on the customized application

  • Securing access to the platform accounts, instance access, and application

  • Testing and QA of the custom application

  • Maintaining the security of any systems or networks the merchant connects to the Adobe Commerce on cloud infrastructure application

Cloud Service Provider responsibilities

Adobe relies on well-established cloud service providers to host the cloud server infrastructure for Adobe Commerce on cloud infrastructure. These providers are responsible for security of the network, including routing, switching, and perimeter network security via firewall systems and intrusion detection systems (IDS). Cloud service providers are also responsible for the physical security of data centers that host the Adobe Commerce on cloud infrastructure solution and the environmental security of data centers.

Cloud service providers are also responsible for:

  • Maintaining PCI DSS, SOC 2, and ISO 27001 certifications for their cloud services
  • Securing the hypervisor
  • Securing the data center, including both physical and network access

CDN provider responsibilities

The Adobe Commerce on cloud infrastructure solution uses CDN providers to speed page-load time, cache content, and instantly purge outdated content. These providers are also responsible for security issues directly related to or affecting their CDN, and for defining and maintaining CDN WAF rules.

Security responsibilities summary

The following summary table uses the RACI model to show the security responsibilities shared between Adobe, the merchant, and the Cloud service provider:

R — Responsible
A — Accountable
C — Consulted
I — Informed

Task | Adobe | Merchant | Cloud service provider | CDN provider
Applying Adobe Commerce on cloud infrastructure patchesCR
Applying patches to supporting services
(For example, Nginx or MySQL.)
RI
Defining origin WAF rulesR
Defining CDN WAF rulesAR
Deploying platform WAF rulesRI
Deploying CDN WAF rulesAIR
Fixing core bugs in Adobe Commerce on cloud infrastructure codeRI
Releasing Adobe Commerce on cloud infrastructure patchesRI
Scaling (compute and storage)RI
Scaling (PaaS and grid)R
Ensuring access to source code, including repo.magento.comRI
Installing Adobe Commerce on cloud infrastructure CLI toolR
Adding Adobe Commerce on cloud infrastructure configuration files to repositoryCR
Creating a project for the merchant (onboarding UI)RI
Connecting repositories to Adobe Commerce on cloud infrastructureRI
Configuring the source repository¹RI
Creating a user for the release manager (onboarding UI)R
Deploying code into productionR
Deploying code into stagingR
Integrating external applications and extensionsR
Installing extensionsR
Customizing Adobe Commerce on cloud infrastructureR
Testing performance of customized Adobe Commerce on cloud infrastructureR
Testing the customized applicationR
Theming and design of custom applicationR
Creating, deploying, and testing custom Varnish VCLsCR
Configuring DNS (platform infrastructure only)RC
Developing CDN extension and fixing bugsACR
Onboarding CDNRI
Supporting CDN²RIC
Configuring New Relic APM and Infrastructure applicationsR
Installing New Relic APM and Infrastructure applicationsRI
Supporting New Relic APM and Infrastructure applicationsRC
Configuring Nginx³RR
Obtaining a DNS provider (Pro only)CR
Hardening the OSR
Provisioning the production and staging environmentsRI
Accessing Zendesk for Adobe Commerce on cloud infrastructureRC
Resolving merchant security issuesCRC
Resolving Adobe Commerce on cloud infrastructure security issuesR
Resolving CDN security issuesAR
Resolving APM security issuesA
Assisting Adobe with security research (software)RC
Assisting Adobe with security research (scans/audits)RC
Performing PCI ASV scansR
Remediating Adobe Commerce on cloud infrastructure PCI scans⁴RR
Remediating PaaS PCI scansR
Managing OS and platform secretsR
Managing Adobe Commerce on cloud infrastructure encryption keysR
Scanning customized Adobe Commerce on cloud infrastructure instancesR
Monitoring security logsR
Managing IAM and permissions for Adobe Commerce on cloud infrastructureR
Managing support access controls (Teleport)R
Controlling merchant support and accessRI
Annual testing and documentation of Adobe DR plan and backup and restoreR
Annual testing and documentation of disaster recovery planR

¹ Only if the Adobe Commerce on cloud infrastructure repository is used as the main repository. Use of other external repositories is the sole responsibility of the merchant.

² Adobe provides Level 1 support for issues with CDN providers.

³ The merchant is responsible for any Nginx controls that they configure for their applications.

⁴ For PCI, penetration testing requirements are shared between Adobe and the merchant.

Operational responsibilities summary

The following summary tables clarify the operational responsibilities of Adobe and merchants when developing, deploying, maintaining, and securing Adobe Commerce on cloud infrastructure.

Coding and development

Core Adobe Commerce code

Adobe | Merchant
Publishing updates and patches to Adobe Commerce coreR
Availability and patching of the file systemR
Publishing updates and patches to ECE-ToolsR
Core Adobe Commerce Application QualityR

Code repository

Adobe | Merchant
Availability of repo.magento.comR
Availability of Adobe Commerce on Cloud Git serverR
Other merchant-selected Code repositories (GitHub, Bitbucket, hosted Git server)R

Cloud Docker

Adobe | Merchant
Making Cloud Docker containers available for downloadR
Deployment and setup of Cloud Docker (optional)R
Any other local development setupR

Commerce Cloud CLI

Adobe | Merchant
Ongoing quality and updating of ECE ToolsR
Installing the latest ECE Tools versionR

Customizations

Adobe | Merchant
Custom Adobe Commerce modules and codeR
ExtensionsR
Custom IntegrationsR

Deployments

Adobe | Merchant
Availability of infrastructure to build and deploy codeR
Ongoing quality of infrastructure build-and-deploy configuration pipelineR
Configuration of build and static content deploymentR
Building and executing deployment governance process: criteria and change managementR
Deploying to Staging environmentR
Deploying to Production environmentR
Production rollbacksR

Synchronizing environments

Merchants are responsible for synchronizing data between environments.

Patching

Adobe | Merchant
Installing updates and patches to ECE-ToolsR
Installing updates and patches to Adobe Commerce coreR

Website availability

Adobe | Merchant
Customized Adobe Commerce application and associated websitesR

Performance

Adobe | Merchant
Core Application tuning and optimizationR
Custom code tuning and optimizationR
Custom Adobe Commerce codeR
Load TestingR
Performance testingR

Logs and monitoring

Adobe | Merchant
Rotating LogsR
Custom Adobe Commerce applicationR
Availability of New Relic services:
APM application and agent integration, Infrastructure application,
Logging & integration
R
Setting up New Relic AlertsR
Deploying New Relic agent on PaaS ServersR

Debugging and issue isolation

Adobe | Merchant
Debugging and issue isolationRR
Timely support of debugging and issue isolation processR

Application and service configuration

Commerce application

Adobe | Merchant
Application configurationR
Adding domains to the Adobe Commerce application (Base URLs)R
Configuring PaaS to use Services versions supported by the deployed Adobe Commerce version

For example, different Commerce versions are compatible with specific versions of PHP, Redis, and so on.
R

Task scheduling with cron jobs

Adobe | Merchant
Availability of default cron jobsR
Ongoing quality of custom cron jobsR

Message broker for message queue framework

Adobe | Merchant
Availability of RabbitMQ serviceR
Configuration of default RabbitMQ settingsR
Ongoing quality and patching of RabbitMQR
Submit a service request to install a RabbitMQ version compatible with the installed Adobe Commerce versionR

PHP service

Adobe | Merchant
Availability of PHPR
Configuration of default PHP settingsR
Configuration of custom PHP settingsR
Configuration of YAML file to align PHP versions compatible with installed Adobe Commerce versionR

Database services

Adobe | Merchant
Availability of Galera and MariaDB servicesR
Ongoing maintenance of default database settings

(indexing and optimizing core tables, optimizing default sys-admin settings)
R
Ongoing maintenance of merchant data and modified settings

(configuring normalized vs flat tables, indexing and optimizing custom and third party tables, archiving or removing data, configuring system administration settings)
R
Configuration of Galera and MySQLR
Ongoing quality and patching of Galera and MariaDBR
Ongoing infrastructure optimizationR
Identifying and fixing slow queriesR
Submit a service request to install a MariaDB version compatible with the installed Adobe Commerce versionR
Setting and maintaining merchant-specific data retention policies (Adobe’s data retention policies are defined in the merchant agreement)R

CDN service

Adobe | Merchant
Availability and Quality of CDNR
Fastly service configuration (via Extension / API)R
Fastly Extension QualityR
Fastly Integration VCL Snippets (bundled with the Fastly Extension) QualityR
Page Cache optimizationR
Adding domains to services, to CDN, and to infrastructureR
Custom VCL SnippetsR
WAF & WAF RulesR

Cache Service

Adobe | Merchant
Availability of Redis serviceR
Configuration of default Redis settingsR
Ongoing quality and patching of RedisR
Submit a service request to install a Redis version compatible with the installed Adobe Commerce versionR

Search service

Adobe | Merchant
Availability of ElasticsearchR
Configuration of default Elasticsearch settingsR
Submit a service request to install an Elasticsearch version compatible with the installed Adobe Commerce versionR

Email service

Adobe | Merchant
Availability of SendGrid email service and its integrationR
Monitor merchant’s SendGrid usage against limitsR
Merchant is responsible for using the service only for outgoing transactional emails
The service does not support sending of marketing emails.
R
Configuring optional third-party email servicesR

Third Party services

Adobe | Merchant
Availability and quality of third party servicesR

Commerce Services extensions

Advanced Reporting service

Adobe | Merchant
Availability of the Advanced Reporting ServiceR
Configuration of Advanced Reporting complies with Advanced Reporting Terms & ConditionsR

Commerce Intelligence

Adobe | Merchant
Availability of Adobe Commerce Business Intelligence servicesR
MBI Data Synchronization processesR
Detecting MBI synchronization issuesR
Configuring MBI Data Synchronization to Adobe Commerce Cloud Pro, Starter, On Premises, or non-Adobe Commerce
(API, Data quality and formatting, merchant network,
DB connections both inside and outside of Adobe Commerce Cloud DB, over data thresholds)
R
Configuring MBI Data Synchronization to Adobe Commerce Cloud Pro
(Adobe Commerce Cloud database configuration)
R

Product Recommendations

Adobe | Merchant
Availability of Product Recommendations serviceR

Network services

Image Optimization

Adobe | Merchant
Availability and Quality of Image OptimizationR
Configuration of Image OptimizationR

SSL Certificates

Adobe | Merchant
SSL Dedicated Certificate - expirationR
Provisioning SSL CertificatesR
Purchasing and maintaining EV/specific SSL certificates (other than the defaults provided) and providing them to AdobeR

Web Application Firewall (WAF)

Adobe | Merchant
Availability & Configuration of WAFR
Addressing WAF Rule False PositivesR
Reporting WAF Rule False PositivesR
WAF Rule Tuning (NOT SUPPORTED)
WAF/CDN LogsR

DDOS

Adobe | Merchant
Proactive IP BlockingR
Bot ProtectionR
DDOS detection - layer 3-4R
DDOS detection - layer 7R
DDOS responseR
Adobe | Merchant
Configuring and maintaining PrivateLink connections (if used) with an Adobe-owned VPCR
Configuring and maintaining PrivateLink connections (if used) with a Merchant-owned VPCR
Availability of SSH (Non-Private Link)R
Configuration of PrivateLink Inbound to Adobe Commerce Cloud Service endpointR
Acceptance of PrivateLink Inbound to Adobe Commerce Cloud Service endpointR
Configuration of PrivateLink Inbound to Merchant’s VPC Service endpointR
Acceptance of PrivateLink Inbound to Merchant’s VPC Service endpointR
Configuration of PrivateLink integrations (endpoint to account)R
Configuration of merchant-owned VPC for PrivateLink endpoint

(including any VPN connections)
R

System and infrastructure

App Server

Adobe | Merchant
Availability of NginxR
Configuration of NginxR
Ongoing quality and patching of NginxR

Operating system

Adobe | Merchant
Availability of Operating SystemR
Ongoing quality and patching of Operating SystemR

Backup, high availability, and failover

Adobe | Merchant
Availability of snapshot and backup processR
Scheduling backups for Cloud Pro Staging and Production environmentsR
Scheduling backups for Cloud Starter and Pro Integration environmentsR
Availability of HA / FailoverR

Cloud Servers & Scaling

Adobe | Merchant
Availability of CPU resources, data center, disk spaceR
Availability and execution of surge capacity or emergency upsizingR
Requesting surge capacityR
Monitoring vCPU usage against the limitsR
