Data Center Security
Adobe takes security at all its data centers very seriously and maintains standards for security best practices as well as security compliance requirements.
Data Protection, Monitoring, and Availability
Segregating Client Data
Adobe Connect Hosted Multi-Tenant relies on application permissions to isolate one customer from another. The only access to these servers and databases is via secure access using the Adobe Connect application. All other access to the application and data servers is made only by authorized Adobe personnel and is conducted via encrypted channels over secure management connections.
Adobe also separates its corporate testing environments from its production environments to avoid the use of customer data in testing environments.
Data Storage and Backup
Customer content and data are backed up for Adobe Connect on a weekly basis, with daily differentials for disaster recovery purposes. These backups are also replicated to a hot failover site that is geographically removed from the primary data center. Adobe tests backups quarterly. The combination of backup procedures provides quick recovery from short-term backup as well as off-site protection of data.
By default, Adobe stores all Adobe Connect data using high-durability storage services provided by its cloud infrastructure partners. To help provide durability, PUT and COPY operations synchronously store customer data across multiple facilities and redundantly store objects on multiple devices across multiple facilities in a provider region. In addition, providers calculate checksums on all network traffic to detect corruption of data packets when storing or retrieving data.
Only authorized users within the Adobe intranet or remote users who have completed the multi-factor authentication process to create a VPN connection can access administrative tools. In addition, Adobe logs all server connections for auditing.
In order to protect against unauthorized access and modification, Adobe captures network logs, OS-related logs, and intrusion detections. Sufficient storage capacity for logs is identified, periodically reviewed, and, as needed, expanded to help ensure that log storage is not exceeded. Systems generating logs are hardened and access to logs and logging software is restricted to authorized Adobe Digital Marketing Information Security Team personnel.
Adobe deploys dedicated network connections in order to enable secure management of the Adobe Connect. All management connections to the servers occur over encrypted Secure Shell (SSH), Secure Sockets Layer (SSL), or Virtual Private Network (VPN) channels, and remote access always requires two-factor authentication. Unless the connection originates from a list of trusted IP addresses, Adobe does not allow management access from the Internet.
Secure Network Architecture
Adobe requires all certified cloud infrastructure providers to employ network devices, including firewall and other boundary devices, to monitor and control communications at the external boundary of the network and at key internal boundaries within the network. These boundary devices employ rule sets, access control lists (ACL), and configurations to enforce the flow of information to specific information system services. ACLs, or traffic flow policies, exist on each managed interface to manage and enforce the flow of traffic. Adobe works with our cloud infrastructure providers to enforce the most up-to-date ACLs.
Adobe Connect follows a Change Approval Board (CAB) process for any and all changes that could impact customer experience. The CAB process focuses upon enforcing stability and availability while permitting an agile response to emerging issues, and providing internal process transparency and accountability.
The Adobe Connect release schedule is typically one major release every 12 to 18 months, with a minor release following the major release by six months and patches as needed.
While most maintenance does not require downtime, when it does, a typical downtime maintenance window will fall on a Friday evening from 8 pm -midnight Pacific Time. Adobe Connect maintenance windows that include downtime are scheduled on an as-needed basis and are typically used for more involved maintenance (major releases) that will require the part of the system to be unavailable for a period of time. There is no option for delaying or scheduling maintenance on the hosted service. All patches, updates, and hotfixes are tested prior to deployment. Prior to deployment, manager approval is required.
All Adobe-certified cloud service providers are responsible for authorizing, logging, testing, approving, and documenting routine, emergency, and configuration changes to existing infrastructure in accordance with industry norms for similar systems. Providers schedule updates to minimize any customer impact.
In order to automate patch distribution for Adobe Connect components, Adobe uses internal patch and package repositories as well as industry-standard patch and configuration management. Depending on the role of the host and the criticality of pending patches, Adobe distributes patches to hosts at deployment and on a regular patch schedule. If required, Adobe releases and deploys emergency patch releases on short notice.
Adobe cloud infrastructure providers maintain responsibility for patching systems that support the delivery of IaaS services, such as the hypervisor and networking services.
Firewalls and Load Balancers
The firewalls implemented on all Adobe servers, whether in Adobe-owned data centers or at a certified cloud infrastructure provider, deny all Internet connections except those to Port 80 for HTTP and Port 443 for HTTPS. The firewalls also perform Network Address Translation (NAT). NAT masks the true IP address of a server from the client connecting to it. The load balancers proxy incoming HTTP/HTTPS connections and also distribute requests that enable the network to handle momentary load spikes without service disruption.
Adobe implements fully redundant firewalls and load balancers, reducing the possibility that a single device failure can disrupt the flow of traffic.
Non-Routable, Private Addressing
All Adobe servers containing customer data, whether in Adobe-owned data centers or at a certified cloud infrastructure provider, are configured with non-routable IP addresses (RFC 1918). These private addresses, combined with firewalls and NAT, help prevent an individual server on the network from being directly addressed from the Internet, greatly reducing the potential vectors of attack.
Both network intrusion detection and host intrusion detection (NIDS and HIDS) are integrated into our centralized security incident and event management system (SIEM) and are continuously monitored by the Digital Marketing Information Security Team. The security team follows up on intrusion notifications by validating the alert and inspecting the targeted platform for any sign of compromise. Adobe regularly updates all sensors and monitors them for proper operation.
Monitoring tools help detect unusual or unauthorized activities and conditions at ingress and egress communication points. As with its own data centers, Adobe ensures its infrastructure providers offer protection against traditional network security issues, including:
- Distributed Denial of Service (DDoS) attacks • Man-in-the-Middle (MITM) attacks
- IP Spoofing
- Port Scanning
- Packet sniffing by other tenants
Adobe monitors all its servers, routers, switches, load balancers, and other critical network equipment on the Adobe Connect network 24 hours a day, 7 days a week, 365 days a year. The Adobe Network Operations Center (NOC) receives notifications from the various monitoring systems and will immediately attempt to fix an issue or escalate the issue to the appropriate Adobe personnel. Additionally, Adobe contracts with multiple third parties to perform external monitoring.
Choosing Adobe Connect for your on-premise solution means that you are choosing a great tool for guarding sensitive data, making your storage more efficient, and providing top-quality customer service. If you’re looking to choose the right solution for your data-secured system and have more questions popping up, just contact us or fill out the form below. Our On-premise experts will follow up on you as soon as possible, providing all answers you need.