This topic describes security-related aspects associated with the Optimizely platform and service delivery.
Information security management
Optimizely’s Digital Experience Platform (DXP) is managed with an Information Security Management System certified to ISO 27001. Best practice architecture and development, secure data centers, global support and CDN/WAF services combine to ensure Optimizely customers are always supported by safe, secure solutions.
Optimizely DXP is deployed on Microsoft Azure security hardened systems. Antimalware is enabled for all Azure services, and each customer’s service is isolated by virtual networks. Availability and performance monitoring is provided, and performance is supported by elastically scaling Web Apps that cater to seasonal traffic peaks and intraday spikes.
All data in transit is encrypted via HTTPS/TLS. The provided Content Delivery Network (CDN) protects origin servers, and together with the built-in Web Application Firewall (WAF) it provides DDoS mitigation and state-of-the-art protection against unusual and malicious traffic. See Introduction to DXP for technical details about the service architecture.
Secure and reliable datacenters
Optimizely DXP runs on secure Microsoft Azure datacenters. Each facility is designed to run 24x7x365 with protection from power failure, physical intrusion and network outages. Entry points are protected by perimeter fencing, cameras and biometric safeguards. Azure datacenters are certified to 90+ compliance standards, including for example ISO 27001, FedRAMP and SSAE 18 SOC 2.
Least privilege access
A limited subset of employees has access to customer applications based on the principle of least privilege. Access is through feature-limited portals over encrypted connections with multi-factor authentication, and all access is logged. The intent of providing access to a subset of employees is to provide effective customer support, troubleshoot potential problems, and detect and respond to security incidents. For more information, see the Data Processing Agreement (DPA).
Secure Development Lifecycle (SDL)
Optimizely solutions are built by established teams focused on building highly scalable, performant and secure systems. Optimizely’s Secure Product Development Lifecycle (SDL) uses an agile methodology based on the Kanban approach, with the primary function to ensure quality and security are a part of every product delivered.
Methodologies and standards include Test-Driven Development, OWASP, NIST and BSIMM, with mandatory coding guidelines and code reviews. Code changes require at least three approvals before integration into the main source code branch. All code is reviewed against best practices, including prevention techniques for SQL and XPath/XSLT injection, cross-site scripting, broken session management and cross-site request forgery, through static and dynamic vulnerability testing.
Transparent service health and continuity
The Optimizely Digital Experience Platform provides up to 99.9% SLA at the website application level. Customers can register to receive incident updates and view information about platform-wide planned maintenance on the service dashboard. Customers are notified directly for incidents regarding their specific applications, and are directly updated during the progress of the incident.
System updates and patching
App Service instances run on Azure and are aligned with Microsoft’s Azure patch release cycle. The Optimizely CMS and Optimizely Commerce code follow a continuous release cycle with new releases on a weekly basis. Releases include both new features and fixes, and customers can upgrade their solutions at a cadence that makes sense for their particular business.
Optimizely provides the following monitoring as part of DXP:
- External monitoring
  External monitoring of web applications where any issues are handled according to the incident management process.
- Real user monitoring
- Application monitoring
  Monitoring of application resource consumption to ensure acceptable service usage, and to improve the platform.
Transport Layer Security (TLS/SSL)
All services are protected with TLS version 1.2 or higher with full support for TLS 1.3. See SSL requirements.
Virtual Private Networks (VPN)
Optimizely supports the use of a VPN for secure connections to internal corporate resources. VPN connections are most commonly used for application-to-application integrations with a customer’s on-premises systems, if needed or appropriate. Supported VPNs are Azure compliant, IPsec IKEv2, and route based.
Web Application Firewall (WAF)
A managed WAF is provided. The WAF examines all HTTP requests to a website, applying rules to filter out illegitimate traffic from legitimate website visitors. See Web Application Firewall.
Distributed Denial of Service mitigation (DDoS)
Advanced DDoS protection is provided to mitigate attacks of all forms and sizes including those that target the UDP and ICMP protocols, SYN/ACK, DNS amplification and Layer 7 attacks. The provided CDN is rated at over 30 Tbps throughput; more than 15x the size of the largest recorded DDoS attack.
Optimizely conducts weekly vulnerability testing against DXP and also performs annual external audits. Microsoft also regularly tests the underlying Azure infrastructure.
Customers can run WVS and penetration tests using tools and third-party services of their choice. Optimizely recommends customers follow documented guidance for testing against Azure-based services. Customers can alternatively contract for WVS and penetration testing through Optimizely Expert Services.
- Security - Optimizely CMS Developer Guide
- Security - Optimizely Commerce Developer Guide
- Optimizely Trust Center
Last updated: Dec 16, 2019