Adobe’s Approach to Managing Data Security Risk
Updated March 2019.
Adobe has invested significant human and financial resources in creating security processes and practices designed to meet industry standards for product and service engineering. Because we take the security of our customers’ digital experience seriously, we have ingrained security practices into our internal software development and operations processes.
Data collected, processed, transmitted and stored by Adobe services is classified through Adobe’s Data Classification and Handling process. Data is then protected in accordance with its designated classification and handling requirements to help ensure security controls are applied appropriately to the data.
The Security Operations Centre (“SOC”) within the Adobe Security Co-ordination Centre (“SCC”) uses commercially available security information and event management (“SIEM”) solutions to consume and analyse various data sources. Local and remote analysis is conducted in a state-of-the-art forensics lab. The SCC uses the information gathered through Adobe’s SIEM solutions to detect potential threats. If any of the criteria thresholds or suspicious event logics are triggered, an alert is generated.
When a reported security incident is detected, the SCC analyses and investigates the event to determine whether it is a confirmed incident or a false positive and, if the incident is confirmed, to evaluate the potential associated risk. Employees continually tune the SIEM tool in an effort to filter out noise, eliminate false positives and help ensure the most critical threats are properly prioritised.
After the potential risk has been determined, the SCC begins incident handling and response, which includes gathering data (e.g., logs and forensic images) to help determine the root cause of the incident as well as the best course of action for mitigation.
After an incident has been resolved, the SCC enters the final phase of the incident response lifecycle, which includes processes and feedback loops, such as a port-mortem analysis. The incident post-mortem analysis is designed to highlight what was done well and what could be improved on, how to better defend Adobe from similar incidents and where Adobe should focus resources going forward. Through this process, the SCC can provide proactive guidance to and drive improvements across the entire Adobe organisation and, when required, to supporting processes.
Adobe proactively monitors the production environment with the goal of identifying and resolving vulnerabilities that could compromise the security of data or availability of our services. Vulnerability assessments are performed against the infrastructure, platform and applications that make up the Adobe technology stack.
Adobe also regularly conducts scans on our hosts and network devices to detect vulnerabilities. In addition, Adobe performs penetration tests periodically. These penetration tests are performed either internally or by skilled, third-party security research firms. Finally, anti-virus and anti-malware software is deployed, where applicable.
For vulnerabilities discovered through internal/external vulnerability scans and penetration tests, vulnerabilities are documented, assessed, prioritised and assigned to a remediation plan if necessary.
How we address data security risk
Adobe maintains a set of developmental and operational procedures that are designed to help maintain our security posture. The Adobe Secure Product Lifecycle (“SPLC”), is a rigorous set of several hundred specific security activities spanning software development practices, processes and tools. The SPLC was designed from the ground up to help keep customer information safe and secure when using Adobe products and services and is integrated into multiple stages of the product lifecycle. Adobe’s SPLC seeks to uphold the standard of due care that is expected by our customers, shareholders, partners, employees and the business itself. Complemented by continuous community engagement, the Adobe SPLC evolves in an effort to stay current as changes occur in technology, security practices and the threat landscape.
The Adobe Service Lifecycle (“SLC”) is a portfolio management framework, implemented to validate product release plans and achieve a unified roadmap and strategic alignment across Adobe’s project, services and release portfolios. Adobe’s SPLC is integrated into this framework to achieve an aligned, unified and customer-centric product security vision across Adobe.
Adobe has developed and maintains over a hundred security, privacy and related policies and standards designed to help management and employees follow processes that govern our security. Policies are updated regularly and are communicated to and easily accessible by, employees.
To help evaluate the security of Adobe’s vendors, we developed a vendor risk assessment programme —
called “Guardrails.” The Guardrails assessment is a set of requirements to which third-party vendors that collect, store, process, transmit or dispose of Adobe Internal, Confidential or Restricted data outside of Adobe-controlled physical offices or data centre locations, must adhere. Typical scenarios include vendors processing and storing Adobe data at their site, cloud services (e.g., SaaS, PaaS, IaaS and XaaS), LAN-to-LAN VPN connections and data centres. The Guardrails Risk Assessment programme evaluates each vendor’s compliance to Adobe’s Vendor Information Security Standard, providing a risk-based review of the vendor’s security practices and enabling Adobe managers to make fact-based decisions concerning whether or not to enter into a relationship with that vendor.
In addition, Adobe requires employees to complete a general security awareness training on an annual basis. Additional engineering and security specific training may also be required. Training content is aligned with Adobe security policies and standards, reviewed and updated annually and refreshed periodically.
Third Party Cybersecurity Risk Management Standards
Adobe maintains an Information Security Management Systems (“ISMS”) in accordance with ISO 27001:2013 which is comprised of information security policies and standards which demonstrate management’s commitment to and support of, information security practices. In unison with the Common Controls Framework by Adobe (“CCF”), Adobe’s ISMS communicates security roles and responsibilities to relevant Adobe personnel and supports a sustainable, continuously improving security program that aligns with Adobe’s security risks, priorities and projects.
Adobe’s control environment using CCF was created with NIST guidelines in mind and provides the foundation for all components of internal controls, including the ability of Adobe to operate and manage logical and physical access, data security, incident response, change management, security operations and monitoring.
The Incident Response process involves the identification, classification, response and resolution of incidents. The resolution process for significant incidents includes a “lessons learnt” step. Existing trends in attacks, incident types and triage and remediation steps from ongoing incident handling activities are documented and incorporated into the Incident Response plan.
While the SCC handles general threats to Adobe cloud services, infrastructure and proprietary corporate information, Adobe’s Product Security Incident Response Team (“PSIRT”) manages the response to Adobe product vulnerabilities disclosed or discovered by third parties, specifically those that come from independent security researchers. The PSIRT encourages private disclosure in a manner that helps minimise risk to customers, Adobe infrastructure and the Adobe brand. The PSIRT provides a communication channel for industry partners, independent researchers, CERTs and other stakeholders to privately disclose potential security vulnerabilities affecting Adobe software, services and infrastructure. The PSIRT investigates these submissions and then works with the affected technology owner to remediate or mitigate any confirmed vulnerabilities.
Beyond this, Adobe subscribes to industry threat feeds and email lists, which provide threat intelligence information from industry peers as well as adjacent industries. Information is received in a structured format that enables easy distribution into our SIEM systems. Adobe has a multi-faceted threat intelligence programme using a combination of automation using industry standard tools and employee reviewers to filter through the intelligence we receive. The information derived from these external and internal sources is used by Adobe’s Incident Response team members to aid in determining any necessary course of action.
Throughout the Incident Response process, Adobe takes steps to help protect its own information, as well as the information of others, that might be affected by the incident. Among other things, the process considers whether incidents could affect external stakeholders and whether external communications may be appropriate on a case-by-case basis. In the event such communications are deemed necessary, the relevant Adobe management and legal teams co-ordinate to develop and execute communication plans as appropriate, in accordance with Adobe’s legal and regulatory obligations.
To learn more about our data security practices, we invite you to look at these related links:
Adobe Secure Engineering Overview
Adobe incident Response Overview
Building a Culture of Security Overview