A Look into DXP and Security

At CMS-Connected, we take pride in being a reliable resource for decision-makers who are grappling with selecting a DXP for their organization. There are a lot of choices when selecting a vendor, and it is important to understand your organization’s needs in order to make the best choice. It is also essential to know the level of service and security measures that a platform offers.

The threats of the online world are greater than ever before, and businesses are at risk of having their systems breached. It is crucial for platforms to have solid security measures in place for their customers who are often large enterprise-level clients with vitally important, highly sensitive data. Large-scale security breaches, such as the recent Capital One data breach, which compromised over 100 million people's personal information, are a real threat in today’s digital world. Now, more than ever, it is paramount for security to be taken extremely seriously by vendors and priority given to digital experience platforms features that safeguard their clients’ critical information.

For this analysis, I was keen to speak to three of the top vendors that we work with to ask them three key questions about their security measures. I was able to connect with representatives from Crownpeak, Acquia, and Progress Sitefinity. My aim was to truly get a sense of their platforms’ comparative similarities and differences where it came to their systems’ security features. I also included an additional question personalized to each vendor and received some very insightful responses. Without further ado, here’s the compelling feedback we received.

Crownpeak

Crownpeak prides itself on being a member of the Amazon Web Services (AWS) Partner Network (APN). The leading cloud-based DXP meets all of the requirements of AWS to take advantage of the high-level security features that it includes. Amazon Web Services has high-priority cloud security that uses machine learning to discover, classify, and protect sensitive data.

Crownpeak promises end-to-end cybersecurity that protects organizations, customers, and brand reputation. Since they are used as a platform for some of the world's largest organizations — such as American Express, Toyota,  Healthgrades, and Sony — it means they must have protection at every layer.

Believing that respecting the integrity of an organization’s data is critical for security, Crownpeak uses encryption at every touchpoint.  They also offer workflow security, which is helpful for large organizations with many different teams that require specific user-permissions to control what can be edited by whom and when.

Answering my questions on behalf of Crownpeak is Paul Taylor, Vice President, Solutions Engineering, to fill us in on the security measures the platform has taken to ensure that its customers are protected.

What steps has Crownpeak taken towards enhancing security, and what processes do you currently have in place to protect your customers?  

“All Crownpeak services are delivered using SaaS. To assure the quality of service, performance, and reliability that Crownpeak customers expect, these services are underpinned by a strong program of operational controls, information security practices, high-availability engineering, and risk management.
 
In order for all Crownpeak customers to satisfy their legitimate needs to oversee and validate Crownpeak’s proper operational practices, Crownpeak is pleased to make available to all customers, unredacted, and upon written request, the following independent audit and certification assessments:

• Annual SSAE 16 [Statement on Standards for Attestation Engagements] SOC2 Type 2 [Service Organization Control] (ISAE 3402) [International Standard on Assurance Engagements] operation control audit

• FISMA (Moderate NIST 800-53) [National Institute of Standards and Technology] information security certification (FISMA [The Federal Information Security Management Act] is a stronger and more detailed information security standard than ISO 27001. In addition to being mandatory for any US Federal Government workload, it is also universally adopted as the information security standard for all US financial institutions)

• Annual penetration and vulnerability assessment

Lastly, in order to demonstrate an adequate level of protection for cross-border data transfers under GDPR [General Data Protection Regulation], Crownpeak maintains EU-US and Swiss-US Privacy Shield certifications.”
 
How do you feel Crownpeak’s security measures stack up against the competition?  

“Crownpeak’s approach to information security and operational control is second-to-none. Born from a desire to protect our customers’ end-customers from the concrete of the data center floor, all the way to their fingertips on the keyboard, Crownpeak focuses all areas of the business on ensuring a safe, secure, and scalable experience for all customers.
 
To our knowledge, Crownpeak was the first WCM/CMS provider to submit ourselves for independent SSAE 16 testing, as well as being the first (and to our knowledge, still the only) vendor to hold a FISMA certification.”

Has there been a notable security threat or potential security threat for one of your customers? If so, what did Crownpeak do, and how did Crownpeak's security measures repair or prevent the issue?
 
“Crownpeak continually protects our global customers against many current and future threats in the world of cybersecurity, through a program of security-focused engineering and operations, as well as proactive issue investigation and mitigation.
 
The Heartbleed vulnerability (https://en.wikipedia.org/wiki/Heartbleed) was publicly exposed in April 2014, a vulnerability affecting the OpenSSL cryptography library, which was widely used for many Transport Layer Security (TLS) protocol operations across the globe.
 
At the point of exposure, Crownpeak’s security and IT operations members were able to identify where the issue was exposed, and as a natively SaaS-based (multi-tenant) platform, we're able to make a single change to protect the services of all our customers, in a single action, with a few days of the vulnerability having been exposed.
 
This policy of continued protection exists at the core of our ethos, and is highlighted in our customer promise, allowing any customer or prospect (under mNDA), to vulnerability and penetration test the Crownpeak platform, at any time – coupled with an assertion that any vulnerability identified that falls within the OWASP Top-10, with severity “High” or “Higher,” shall be resolved by Crownpeak, within two releases of the DXM product.

For the record, we release our software twice per month — therefore, every customer benefits from the security patches that result from a test that any customer conducts and finds (on-top of the tests that Crownpeak completes as a result of normal trading practices).”
 
Crownpeak’s Advanced Cybersecurity and Edge Protection service claims to offer additional safeguards against DDoS [Distributed Denial-of-Service] attacks. How successful has it been at detecting and stopping these attacks?
 
“Crownpeak’s Advanced Cybersecurity and Edge Protection service, provides for a Crownpeak-configured Web Application Firewall (WAF), working in parallel with the already-provided Content Distribution Network (CDN), to which all customers subscribe. The addition of the WAF, enables inbound traffic to be unpacked and inspected (at layers 3, 4 & 7) for a number of known vulnerabilities (e.g., Cross-Site-Scripting (XSS), SQL Injection, HTTP Flood, Slow-HTTP, Bot-Blocking, as well as “Shared Bad Actor IP Filtering,” where all customers are protected against a known attacker to any single customer).
 
Whilst we cannot talk about a specific customer, for confidentiality reasons, we do run regular tests, allowing third-parties to attempt to access (and take offline) customer services. One of our previous test runs involved a customer that wanted to be the pinnacle of information security within their vertical. This test involved a continuous penetration test, with over 1M concurrent connections, across 200+ attack vectors, returning 52Gb/s data, maintaining a 100% availability rating. This test led to (for the second time), Crownpeak being invited to stage at Amazon Web Services’ annual user conference to talk about how to build DDoS resilient infrastructure, at scale – see https://youtu.be/w9fSW6qMktA?t=13m20s”

Acquia

Earlier this year, Acquia unveiled new security capabilities, which included a broader set of compliance and security services, allowing for enterprise-level data protection. Acquia knows that cybersecurity of the utmost importance in today's digital world and they are committed to making sure that customer data is secure at every touchpoint. The open-source platform is built around the ever-popular and widely used Drupal, meaning their security capabilities are relied upon by a vast number of people.

Acquia says that the platform has been built to protect its customers and comes equipped “with layered firewalls, multi-factor authentication, vulnerability management, security event monitoring, secure file permissions, and disaster recovery and site backups.”

Answering questions on behalf of Acquia, we are pleased to hear from Tom Wentworth, SVP of Product Marketing. Tom had plenty to say about the security considerations at Acquia.

What steps has Acquia taken towards enhancing security, and what processes do you currently have in place to protect your customers?

“Acquia's platform was built with security in mind. Customers get a secure environment with layered firewalls, multi-factor authentication, vulnerability management, secure event monitoring, secure file permissions, and disaster recovery and site backups. Acquia also has a comprehensive compliance portfolio, which includes a variety of industry-specific audits and certifications performed by independent third parties. For customers on the Acquia Platform, we offer additional layers of security on top of our built-in protection, including Acquia Cloud Edge Protect and Acquia Cloud Edge CDN.”

How do you feel Acquia’s security measures stack up against the competition? 

“Acquia Cloud is known for its unparalleled performance and security, and we are consistently making further investments to provide our customers with the most robust and secure platform. This includes securing our platform by design, offering complementary security products and services, and having a portfolio of independent third-party compliance audits. These continued investments and an exceptional security team are what gives Acquia its reputation for having the most secure platform to host Drupal-based digital experiences.”

Has there been a notable security threat or potential security threat for one of your customers? If so, what did Acquia do, and how did Acquia’s security measures repair or prevent the issue?

“Acquia is trusted by customers who have some of the most stringent security and compliance requirements in the world. This is due to Acquia’s thorough approach to ensuring the security of our customer’s digital experiences, which begins with a shared responsibility model that spans our infrastructure provider, Acquia’s own security team, and the customer. 

Acquia manages, monitors, and secures the environment where our customer applications run, including the operating system and LAMP (Linux, Apache, MySQL, PHP) stack and network layers of Acquia Cloud. Acquia also provides tools and resources that enable our customers to maintain secure Drupal applications. Additionally, Acquia’s world-class support organization, which includes security team members, is available 24/7 for critical issue response to ensure that our customers always have the support they need.”

Acquia offers additional layers of security for customers of the platform, including Acquia Cloud Edge Protect. What level of security do these add-ons offer, and what is the level of security that comes with the platform out-of-the-box?

“Out-of-the-box, the Acquia Cloud Platform provides a secure environment with an array of strong access and authentication controls, as well as different firewall controls for best-in-class security capabilities. Beyond these built-in features, Acquia also has a comprehensive compliance portfolio which validates the security of our platform including SOC 1, SOC 2, PCI [Payment Card Industry Data Security Standard], FERPA [The Family Educational Rights and Privacy Act], ISO 27001, HIPAA [Health Insurance Portability and Accountability Act], and FedRAMP [The Federal Risk and Authorization Management Program] authorizations.

As for add-ons, Acquia has Acquia Cloud Edge and Acquia Cloud Shield. Acquia Cloud Edge provides advanced Layer 3, 4, and 7 DDoS mitigation, offers optional security add-ons to support enterprise security needs and offers a highly customizable CDN spanning 180 global data centers optimized for all content on all devices for fast delivery of digital experiences. Acquia Cloud Shield provides advanced network security and isolation to help maintain maximum control over business-critical data and to meet any regulatory requirements customers may have.”

Progress Sitefinity

Progress Sitefinity takes pride in its security operations and offers proactive monitoring of all system components of the Digital Experience Cloud. With 10,000+ websites, Progress Sitefinity maintains a clear stance on security. It is an integral part of everything they do.

Progress Sitefinity’s customers range from government agencies to businesses of every size — small to enterprise — so their security has to take into account the needs of many. The platform focuses on four main security areas:

• security by design

• cloud operations security

• customer data protection

• standards compliance

Earlier this year, the CMS-Connected team attended ProgressNEXT, where the theme was clearly about accelerating digital innovation. We discussed with members of the progress executive team about scaling and the digital experience itself. I was interested to learn where their digital innovation is right now, in terms of security.

Giving his insight on the topic today, we have Sergei Sokolov, Director of Product Management at Progress Sitefinity, to help us learn more about Progress Sitefinity’s security applications.

What steps has Progress Sitefinity taken towards enhancing security, and what processes do you currently have in place to protect your customers?

"Numerous large organizations, government agencies, financial institutions, and Fortune 500 companies have entrusted Progress Sitefinity over the years with delivering their web presence and engaging digital experiences. Progress puts security on the forefront and heavily invests in our commitment to understand, identify, and prevent security threats for organizations that rely on our solutions for their business continuity and data security.
 
Software security is a complex problem, and Progress has developed a comprehensive approach that leverages the broadly recognized and used OWASP SAMM software assurance model. The model assures we address all aspects of our security strategy to develop, operate, and maintain applications that can be trusted. Progress maintains compliance with external security certifications, as well. Our Sitefinity Digital Experience Cloud (DEC), which offers journey optimization through predictive analytics, is certified by an independent service auditor to comply with all the standards of the Service Organization Control Standards (SOC 2). Because of the comprehensive set of internal procedures and controls to ensure the security, processing integrity, confidentiality and availability of software development infrastructure, our customers can be confident using Sitefinity to run enterprise digital experiences.

Throughout the Sitefinity product development lifecycle, we work to maintain the highest security standards initiating at the requirements stage and moving into architecture, planning, development, and support. Within the development phase, for example, each piece of new code undergoes security reviews by our security team and is analyzed for potential security vulnerabilities by one of the best security platforms, Veracode.  Apart from thorough internal testing, we also work with external security experts to identify and address potential vulnerabilities using the industry-standard CVSS defect scoring model, which is used to determine the level of severity and prioritize resource allocation and communication efforts to appropriately notify any potential customers impacted. 

Last but not least, we regularly update the third-party components to ensure the highest-grade security for our customers.  But it is not just our software that is kept up-to-date with security – our engineering teams, product, and corporate security experts participate in recurring security trainings, such as SANS, Veracode, and Wombat."

How do you feel Progress Sitefinity’s security measures stack up against the competition?

"Make no mistake — we believe that security is a focal point and a responsibility to which all major vendors in our industry are committed. But, Sitefinity takes it a step further by building on top of the standard security features. In fact, Sitefinity was one of the first content management systems to introduce a web security module that enabled administrators to easily configure security response headers to further secure their websites. This out-of-the-box protection guards the site against the most critical security threats identified by Open Web Application Security Project (OWASP) such as cross-site scripting (XSS), malicious code injections, stealing of data, and many others.  The key to the module’s comprehensive safeguard superpowers lies in its innovative use of security HTTP headers, open redirect protection, and cross-site request forgery (CSRF) protection. Sitefinity also provides out-of-the-box HTML Sanitizer, which prevents risky HTML from being loaded, sanitizes user-uploaded images to prevent dangerous input, and also guards against potential XSS attacks.

Sitefinity includes broad options for data encryption. Sitefinity not only encrypts sensitive data via FIPS compliant algorithms, but it also gives our customers the option to encrypt their configuration files to keep them protected. Such configuration data that may include the values of connection strings to external systems, mail servers, or databases can also be stored in external key management services, such as Azure Key Vault or AWS Key Management Service.

When communicating with customers that have projects containing sensitive data – we provide them with the option to communicate with us via encrypted email channels, as opposed to the usual means of filing a support ticket. Thus, they are confident to communicate with us freely when sharing sensitive data related to their projects."

Has there been a notable security threat or potential security threat for one of your customers? If so, what did Progress Sitefinity do, and how did your security measures repair or prevent the issue?

"As one of the most secure CMS solutions on the market, Sitefinity has an incident response plan in place, which includes secure encrypted communication channels and internal/external notification processes. We acknowledge that security vulnerabilities will continue to be identified, but we are committed to providing competent and timely response to our customers should they discover any security potential risks associated with Sitefinity.

Various security vulnerabilities have been reported against Sitefinity by our customers’ security teams, independent security testers, as well as discovered by our internal testing post-production. Each of those is scored, which then determines the timing and the breadth of required patches according to our internal processes. Once a security patch is released, we notify our customers and partners through a product alert channel, along with instructions on what actions to take to ensure continued enterprise-grade security.

One successful example of eradicating a security vulnerability in Sitefinity has been described in this blog post by a security expert, who discovered vulnerabilities while performing penetration testing on a customer website. He contacted our security team and reported the vulnerabilities — once independently confirmed, we mitigated the risks with security patches and resolved the issues."  

Earlier this year, you announced that Progress Sitefinity is now available in the cloud. What were the increased security considerations that came along with this innovation? 

"Once Progress Sitefinity took the natural step to PaaS, which allows IT to minimize operational infrastructure burdens while supporting the innovation and rapid time to market that marketers seek, we had to make sure our customers’ security and confidence extended up in the cloud as well. Sitefinity Cloud offers several approaches to help fortify the base, strengthen gameplay, and keep bad actors out. We partner and are strategically integrated with Microsoft Azure and its processes and expertise to ensure our Cloud offering meets all security best practices, regulations, and standards. Let’s take a closer look at just a few of the key components of the Sitefinity Cloud Azure infrastructure:

• Centralized protection of web applications from common exploits and vulnerabilities including outpost protection, intrusion detection system and the Web Application Firewall

• Single-tenant CMS deployment to minimize risk of data leakage between tenants with additional data security applied through multi-tenancy within our journey optimization, personalization, and analytics capabilities to store different customer datacenters in separate database tables

• Strong encryption of all client data at rest and in transit

• Multiple options for logging and monitoring events, including Azure app monitoring for additional insights for our Cloud customer admins

• Azure Active Directory, one of the most secure identity providers, which we use for all Sitefinity Cloud user accounts 

In terms of prevention for failover in a world where uptime is primary to the success of the business,
Sitefinity Cloud offers 99.9% service level availability.  All data is backed up, and in case of an incident, the database is restored, meaning that the whole site and its configurations are restored on a new instance.
 
Going forward, Progress Sitefinity will continue adopting the latest technologies and best practices to make sure the trust of our customers is more than justified. With 10,000+ web properties built on Sitefinity by 2,700+ global organizations implemented and serviced by 250+ partners worldwide, you can trust that security and data privacy is an integral part of everything we do."        

Ending Notes

Through these interviews, I was able to glean and summarize information on each of the vendors and their security measures.

Crownpeak

• A SaaS that offers routine assessments and audits of their customers’ websites. The first, and one of the only platforms, to hold a FISMA certification and accreditation, making it a top platform of US Federal agencies. Performs two updates a month, ensuring that software is up to date and that all sites have the highest security available to them.

Acquia

• Acquia offers out-of-the-box basic security with optional additional layers to meet the needs of their diverse customers. The platform is constantly looking at how to further their investments in security with the latest technology to ensure the platform is as secure and robust as possible. Acquia also provides third-party audits and 24/7 support for all customers. Ensuring that if an issue does arise, it can be resolved immediately.

Progress Sitefinity

• Each piece of new code in the dev stage goes through a security review before it ever goes live, and all third-party components are regulated for security. Sitefinity was the first platform to develop a web security module to easily configure response headers in the browser. All communication channels are encrypted for secure correspondence.

Security is preeminent in customers’ minds and is equally top-of-mind for digital experience platforms. Between Crownpeak, Acquia, and Progress Sitefinity, they all offer highly-responsive, resilient security capabilities.

All three of the selected platforms are available in the cloud. The cloud has been subjected to criticism saying that it opens up the doors to hackers and other malicious issues. The same has been said for open-source, and while there have been instances of rifts being exposed from cyber intrusions, it is clear that the digital experience industry is working towards making their platforms as safe as possible. While the possibility of the cloud having security gaps is there, platforms are making concerted efforts to protect their customers.