Better in Launch: Security
Launch follows a rigorous security framework to ensure it meets even the highest standards.
by Jon Viray
posted on 06-27-2018
At Adobe, we follow a security-by-design approach to ensure that our products — including Launch, by Adobe — have security inseparably intertwined into each facet of the product lifecycle. This means you can trust that Launch will satisfy the most rigorous security standards.
Launch delivers control to customers through user rights management and self-hosting.
Instead of user roles, like DTM and other tag managers offer, Launch enables administrators to add users to granular rights of specific properties. This subtle nuance gives customers a simpler path to understand which users are enabled for specific tasks per property, such as the right to add extensions vs. create, and test rules vs. publish to production. This structure allows customers to better ensure that the correct users have the correct rights.
Other tag management systems require one (or sometimes more) third-party content delivery networks (CDNs) to host their application. Although this is convenient for customers, this design often increases a company’s risk profile by introducing more variables and relinquishing control over a critical component of architecture to a third-party. Launch, by Adobe, takes a different approach.
Customers can host their Launch libraries using our partnership with Akamai or on their own servers — this is known as self-hosting. With self-hosting, Launch can inherit the security measures already in place in the customer’s environment, which provides both confidence and absolute control.
The core Launch rules engine is known as Turbine, and it’s open-sourced under an Apache 2.0 license. Any company is welcome to inspect this source code to glean a complete understanding of how the core components of Launch operate.
To access the source code, visit this Github repository: https://github.com/Adobe-Marketing-Cloud/reactor-turbine.
Works with any identity type
Regardless of your identity management system, Launch can integrate with it. Launch supports three identity types:
- Adobe ID: This identity type is owned and managed by the end user. Adobe performs the authentication, and the end user manages the identity. Users retain complete control over files and data associated with their ID.
- Enterprise ID: This identity type is created, owned, and managed by an organization. Adobe hosts the Enterprise ID and performs authentication, but the organization maintains the Enterprise ID. End users cannot create an Enterprise ID.
- Federated ID: This identity type is created and owned by an organization and linked to the enterprise directory via federation. The organization manages credentials and processes Single Sign-On via a SAML2 Identity Provider (IdP).
For more information, visit https://helpx.adobe.com/enterprise/using/identity.html.
Common controls framework
The Adobe Common Controls Framework (CCF) is a set of security activities and compliance controls that is implemented within our product operations teams, as well as in various parts of our infrastructure and application teams. In creating the CCF, Adobe analyzed the criteria for the most common security certifications for cloud-based businesses, and rationalized the more than 1,000 requirements down to Adobe-specific controls that map to approximately a dozen industry standards.
Secure product lifecycle
As with other key Adobe product and service organizations, the Adobe Digital Experience organization has created and enforces the Adobe Secure Product Lifecycle (SPLC). A rigorous set of security activities spanning software development practices, processes, and tools, the Adobe’s SPLC is integrated into multiple stages of the product lifecycle, from technical training of every software engineer, to design and development, as well as quality assurance, testing, and deployment. Specific SPLC guidance is recommended per product or service based on an assessment of potential security issues. Complemented by continuous community engagement, the Adobe SPLC evolves to stay current as changes occur in technology, security practices, and the threat landscape.
Made-up of industry experts in building, deploying, and monitoring applications and services with robust security features, Adobe’s Platform Trust and Governance team developed and constantly evolves the Adobe SPLC. This team partners with our engineering teams to help achieve a high level of trust in Adobe products and services.
Evidence of our Secure Product Lifecycle is available via our SOC 2 Reports, which attest to meeting our Time to Resolution requirements around fixing any security issues that are found as part of any of our security reviews or tests in the proactive part of our SPLC. As one of our SPLC activities, we contract annually with trusted third-party penetration test vendors to conduct source-assisted (greybox) penetration tests of Launch. Customers or potential customers may also request a copy of our most recent Penetration Test Statement of Assessment or Remediation Report for Launch. This is available to any customer or potential customer under Standard NDA (included in MSA).
Launch, by Adobe, inherited decades of hardened, robust, and repeatable security practices that accumulate to a product ready to meet the most rigorous security standards.
To learn more, visit Adobe’s security web page at https://www.adobe.com/security.html.
Other content you might enjoy
Better in Launch: Upgrade Process
Better in Launch: Integrations
Better in Launch: Automation
Better in Launch: Performance
Better in Launch: Production Testing
Better in Launch: Team Collaboration
Better in Launch: Publishing
Content for your colleagues
Better in Launch: Integration
Better in Launch: User Interface
Better in Launch: Events, Conditions, and Actions
Topics: Digital Transformation, Analytics
Products: Experience Platform, Experience Cloud