Adobe’s Approach to Managing Data Security Risk
Updated April 2020
Adobe has invested significant human and financial resources in creating security processes and practices designed to meet industry standards for product and service engineering. Because we take the security of our customers’ digital experience seriously, we have ingrained security practices into our internal software development and operations processes.
Data collected, processed, transmitted and stored by Adobe services is classified through Adobe’s Data Classification and Handling process. Data is then protected in accordance with its designated classification and handling requirements to help ensure security controls are applied appropriately to the data.
How we address data security risk proactively
Adobe maintains a set of developmental and operational procedures that are designed to help maintain our security posture. The Adobe Secure Product Lifecycle (“SPLC”), is a rigorous set of several hundred specific security activities spanning software development practices, processes, and tools. The SPLC was designed from the ground up to help keep customer information safe and secure when using Adobe products and services and is integrated into multiple stages of the product lifecycle. Adobe’s SPLC seeks to uphold the standard of due care that is expected by our customers, shareholders, partners, employees, and the business itself. Complemented by continuous community engagement, the Adobe SPLC evolves in an effort to stay current as changes occur in technology, security practices, and the threat landscape.
The Adobe Service Lifecycle (“SLC”) is a portfolio management framework, implemented to validate product release plans and achieve a unified roadmap and strategic alignment across Adobe’s project, services and release portfolios. Adobe’s SPLC is integrated into this framework to achieve an aligned, unified and customer-centric product security vision across Adobe.
Third Party Cybersecurity Standards, Regulations and Certifications
Adobe maintains an Information Security Management Systems (“ISMS”) in accordance with ISO 27001:2013 which is comprised of information security policies and standards which demonstrate management’s commitment to, and support of, information security practices. In unison with the Common Controls Framework by Adobe (“CCF”), Adobe’s ISMS communicates security roles and responsibilities to relevant Adobe personnel, and supports a sustainable, continuously improving security program that aligns with Adobe’s security risks, priorities, and projects.
The Common Controls Framework (CCF) is the foundational framework and backbone of our company-wide security compliance strategy. The CCF is a comprehensive set of control requirements and security activities that are implemented within our product operations teams as well as in various parts of our infrastructure and application teams. CCF was developed by aggregating, correlating and rationalizing from the vast array of industry information security and privacy standards. Adoption of the CCF has enabled Adobe’s cloud products, services, platforms and operations to achieve compliance with a host of security certifications, standards and regulations such as: SOC 2, ISO 27001, PCI, FedRAMP and others. Adobe’s control environment using CCF provides the foundation for all components of internal controls, including the ability for Adobe to operate and manage logical and physical access, data security, incident response, change management, security operations and monitoring.
As part of our compliance activities, Adobe has developed and maintains over a hundred security, privacy and related policies and standards designed to help management and employees follow processes that govern our security. Policies are updated regularly and are communicated to, and easily accessible by, employees.
In addition, Adobe requires employees to complete a general security awareness training on an annual basis. Additional engineering and security specific training may also be required. Training content is aligned with Adobe security policies and standards, reviewed and updated annually.
Adobe proactively monitors the production environment with the goal of identifying and resolving vulnerabilities that could compromise the security of data or availability of our services. Vulnerability assessments are performed against the infrastructure, platform and applications that make up the Adobe technology stack.
Adobe also regularly conducts scans on our hosts and network devices to detect vulnerabilities. In addition, Adobe performs penetration tests periodically. These penetration tests are performed either by internal teams or by skilled, third-party security research firms.
Vulnerabilities discovered through internal/external vulnerability scans and penetration tests, are documented, assessed, prioritized and assigned to a remediation plan if necessary.
Reactive Security Measures
The Security Operations Center (“SOC”) within the Adobe Security Coordination Center (“SCC”) uses commercially available security information and event management (“SIEM”) solutions to consume and analyze various data sources. Local and remote analysis is conducted in a state-of-the-art forensics lab. The SCC uses the information gathered through Adobe’s SIEM solutions to detect potential threats. If any of the criteria thresholds or suspicious event logics are triggered, an alert is generated.
When a reported security incident is detected, the SCC analyzes and investigates the event to determine whether it is a confirmed incident or a false positive and, if the incident is confirmed, to evaluate the potential associated risk. Employees continually tune the SIEM tool in an effort to filter out noise, eliminate false positives, and help ensure the most critical threats are properly prioritized.
After the potential risk has been determined, the SCC begins incident handling and response, which includes gathering data (e.g., logs and forensic images) to help determine the root cause of the incident as well as the best course of action for mitigation.
After an incident has been resolved, the SCC enters the final phase of the incident response lifecycle, which includes processes and feedback loops, such as a port-mortem analysis. The incident post-mortem analysis is designed to highlight what was done well and what could be improved on, how to better defend Adobe from similar incidents, and where Adobe should focus resources going forward. Through this process, the SCC can provide proactive guidance to and drive improvements across the entire Adobe organization and, when required, to supporting processes.
While the SCC handles general threats to Adobe cloud services, infrastructure, and proprietary corporate information, Adobe’s Product Security Incident Response Team (“PSIRT”) manages the response to Adobe product vulnerabilities disclosed or discovered by third parties, specifically those that come from independent security researchers. PSIRT encourages private disclosure in a manner that helps minimize risk to customers, Adobe infrastructure and the Adobe brand. PSIRT provides a communication channel for industry partners, independent researchers, CERTs and other stakeholders to privately disclose potential security vulnerabilities impacting Adobe software, services and infrastructure. PSIRT investigates these submissions, and then works with the impacted technology owner to remediate or mitigate any confirmed vulnerabilities.
Beyond this, Adobe subscribes to industry threat feeds and email lists, which provide threat intelligence information from industry peers as well as adjacent industries. Information is received in a structured format that enables easy distribution into our SIEM systems. Adobe has a multi-faceted threat intelligence program using a combination of automation using industry standard tools and employee reviewers to filter through the intelligence we receive. The information derived from these external and internal sources is used by Adobe’s Incident Response team members to aid in determining any necessary course of action.
Throughout the Incident Response process, Adobe takes steps to help protect its own information, as well as the information of others, that might be affected by the incident. Among other things, the process considers whether incidents could impact external stakeholders and whether external communications may be appropriate on a case-by-case basis. In the event such communications are deemed necessary, the relevant Adobe management and legal teams coordinate to develop and execute communication plans as appropriate, in accordance with Adobe’s legal and regulatory obligations.
Vendor Management Office
To help evaluate the security of Adobe’s vendors, we developed a Vendor Security Review (VSR) program. The review is a set of requirements to which third-party vendors that collect, store, process, transmit, or dispose of Adobe Internal, Confidential, or Restricted data outside of Adobe-controlled physical offices or data center locations, must adhere. Typical scenarios include vendors processing and storing Adobe data at their site, cloud services (e.g., SaaS, PaaS, IaaS, and XaaS), LAN-to-LAN VPN connections, and data centers. The Vendor Security Review (VSR) program evaluates each vendor’s compliance to Adobe’s Vendor Information Security Standard, providing a risk-based review of the vendor’s security practices and enabling Adobe managers to make fact-based decisions concerning whether or not to enter into a relationship with that vendor.
To learn more about our data security practices, we invite you to look at these related links:
Adobe Secure Engineering Overview
Adobe Operational Security (OpSec) Overview
Adobe incident Response Overview
Building a Culture of Security Overview