Information security management

Optimizely’s Digital Experience Platform (DXP) is managed by an information security management system certified to ISO 27001. Best practice architecture and development, secure data centers, global support, and CDN or WAF services combine to ensure safe, secure solutions that support Optimizely customers.

Security and privacy are built into the Azure platform, and any feature that Optimizely develops must meet the highest quality standards. This is ensured by various coding guidelines that must be met before the code is considered for inclusion in the platform.

Guidelines include performance considerations, security concerns, and globalization and localization aspects. Optimizely bases much of its platform-related security efforts on the Open Web Application Security Project (OWASP).

The Optimizely platform is tested against:

Injection
Cross-site scripting (XSS)
Broken authentication and session management
Insecure direct object references
Cross-site request forgery (CSRF)
Security misconfiguration
Insecure cryptographic storage
Failure to restrict URL access
Insufficient transport layer protection
Unvalidated redirects and forwards

Optimizely has a continuous release cycle with weekly releases. Releases include features and fixes, and you can upgrade your solution at a cadence that makes sense for your business.

📘
Note
You are responsible for installing appropriate software updates to the Optimizely platform in your solution.

Service architecture

Optimizely DXP is deployed on Microsoft Azure security hardened systems. Availability and performance monitoring are provided, and performance is supported by elastically scaling Web Apps that cater to seasonal traffic peaks and intraday spikes.

Data-in-transit is encrypted through HTTPs/TLS. The provided Content Delivery Network (CDN) protects origin servers, and together with the built-in Web Application Firewall (WAF), it provides DDoS mitigation and state-of-the-art protection against unusual and malicious traffic. See DXP cloud services for technical details about the service architecture.

Optimizely DXP leverages the Microsoft Azure platform. The underlying infrastructure follows Microsoft Azure compliance standards, certifications, and supporting processes.

DXP uses Azure Web Apps to run Optimizely applications and thus aligns with the Microsoft patch release cycle. Microsoft is responsible for patch management. Optimizely works closely with Microsoft for any edge cases involving patching.

Azure Web Apps do not use the traditional version of Microsoft Windows but rather a purpose-built version with a smaller attack surface and reduced vulnerability. Each customer solution uses isolated resources with independent databases and Web Apps.

Secure and reliable datacenters

Optimizely DXP runs on secure Microsoft Azure datacenters. Each facility is designed to run 24x7x365 with protection from power failure, physical intrusion, and network outages. Perimeter fencing, cameras, and biometric safeguards protect entry points. Azure datacenters are certified to 90+ compliance standards, including, for example, ISO 27001, FedRAMP, and SSAE 18 SOC 2.

Least privilege access

A limited subset of employees can access customer applications based on the principle of least privilege. Access is through feature-limited portals, over encrypted connections with multi-factor authentication, and access is logged. Providing access to a subset of employees provides effective customer support, troubleshoots potential problems, and detects and responds to security incidents. See the Data Processing Agreement (DPA).

Secure Development Lifecycle

Optimizely solutions are built by established teams focused on building highly scalable, performant, and secure systems. Optimizely’s Secure Product Development Lifecycle (SDL) uses an agile methodology based on the Kanban approach, with the primary function of ensuring quality and security is a part of every product delivered.

Methodologies and standards include Test Driven Development, OWASP, NIST, and BSIMM, with mandatory coding guidelines and code reviews. Code changes require at least three approvals before integration into the main source code branch.  Code is reviewed concerning best practices, including prevention techniques for SQL and XPath/XSLT injection, cross-site scripting, broken session management, and cross-site request forgery through static and dynamic vulnerability testing.

Transparent service health and continuity

The Optimizely Digital Experience Platform provides up to 99.9% SLA at the website application level. Customers can register to receive incident updates and view information about platform-wide planned maintenance on the service dashboard. Customers are notified directly of incidents regarding their specific applications and are updated on the progress of the incident.

Update and patch the system

App Service instances run on Azure and are aligned with Microsoft’s Azure patch release cycle. The Optimizely Content Management System (CMS) and Optimizely Customized Commerce code follow a continuous release cycle with new releases on a weekly basis. Releases include features and fixes, and customers can upgrade their solutions at a cadence that makes sense for their particular business.

Monitor DXP

Optimizely provides the following monitoring as part of DXP:

External monitoring – External monitoring of web applications, where any issues are handled according to the incident management process.
Real user monitoring – Monitoring end-user experience by inserting a JavaScript on each page to measure end-user actions.
Application monitoring – Monitoring application resource consumption to ensure acceptable service usage and improve the platform.

Secure communication

Transport Layer Security and Secure Sockets Layer

Services are protected with Transport Layer Security (TLS) version 1.2 or higher with full support for TLS 1.3.

Secure Sockets Layer (SSL) is commonly used for encrypted integration and communication with other services through REST and web service APIs. Domains in DXP are protected by SSL by default. SSL termination is at the CDN for editorial or administrative views and on the public website. Optimizely Commerce (PaaS) packages include SSL termination at the CDN for Commerce Manager.

Cipher

The strength of an SSL/TLS connection can be improved by not allowing weaker ciphers. For incoming traffic to a site in the DXP solution, this is done at the CDN.

Virtual Private Network

Virtual Private Network (VPN) can allow a secure connection to an internal corporate resource. Note that communication is one-way to the on-premises system.

Optimizely supports using a VPN for secure connections to internal corporate resources. VPN connections are most commonly used for application-to-application integrations with a customer’s on-premise systems, if needed or appropriate. Supported VPNs are Azure compliant, IPSEC IKE v2, and route-based.

Application environment

Azure Web Apps do not use the traditional version of Microsoft Windows, but rather a purpose-built version with a smaller attack surface and reduced vulnerability. Each customer solution uses isolated resources with independent databases and Web Apps.

Web Application Firewall

A Web Application Firewall (WAF) sits in front of web applications to filter out malicious traffic at the application layer (Layer 7 of the Open Systems Interconnection (OSI) Model, including HTTPS and HTTP traffic). A WAF stops attacks at the network edge, protecting your website from common web threats and specialized attacks before they reach your servers.

WAF is included in the Optimizely DXP; see Web Application Firewall for details.

Distributed Denial of Service mitigation

Distributed Denial of Service (DDoS) attacks are common and complex, and traditional on-premises solutions cannot handle these. Optimizely DXP offers advanced protection at the network edge through its CDN provider, including UDP and ICMP protocols, DNS amplification, Layer 7 and 3/4, SYN/ACK, and SMURF (see information on the Internet for this terminology). The provided CDN is rated at over 30 Tbps throughput, more than 15x the size of the largest recorded DDoS attack.

Microsoft Azure also protects against attacks generated from outside and inside the platform.

Anti-malware

Optimizely, DXP relies on Microsoft's standard approach for Azure anti-malware to provide real-time protection and content scanning.

Local storage

Files saved to the app's local temporary storage are automatically deleted when the app restarts. To improve security and save space, delete any temporary files your app creates after they are no longer needed, instead of relying on automatic deletion. For long-term storage, use Azure Blob Storage.

Service window and patching

DXP uses Azure Web Apps to run Optimizely applications and thus aligns with the Microsoft patch release cycle. Microsoft is responsible for patch management. Optimizely works closely with Microsoft for any edge cases involving patching.

Product updates and upgrades

Optimizely has a continuous release cycle with releases every week. Releases include features and fixes, and you can upgrade your solution at a cadence that makes sense for your business.

📘
Note
You are responsible for installing appropriate software updates to the Optimizely platform in your solution.

Compliance

Optimizely DXP leverages the Microsoft Azure platform. The underlying infrastructure follows Microsoft Azure compliance standards, certifications, and supporting processes.

Vulnerability testing

Optimizely conducts weekly vulnerability testing against DXP and performs annual external audits. Microsoft also regularly tests the underlying Azure infrastructure.

Customers can run WVS and penetration tests using tools and third-party services. You should follow documented guidance for testing against Azure-based services. Customers can alternatively contract for WVS.

Penetration testing

Microsoft and their Red Team regularly provide a penetration test to the underlying infrastructure of DXP. The Optimizely platform is also subject to regular penetration tests by customers and partners.

However, any implementation on the Optimizely platform could unexpectedly introduce a security hole. You need to ensure that your solution is thoroughly tested before going live.

You can conduct your tests using tools or security services.

If you plan to perform your penetration tests, you need to notify Optimizely at least 10 business days before the planned testing.

To notify Optimizely about your test, submit a ticket to Optimizely with your test plan including:

Test type and approach
Contact information for emergency issues
Expected start and end times
Listing of IP addresses and DNS names from where the tests will originate

Outbound IP addresses

While the outbound IP addresses of a DXP environment can stay static for extended periods, there is no guarantee that they will. They can change anytime, and Optimizely cannot monitor this or proactively inform customers of a potential change.

Optimizely strongly discourages using the outbound IP addresses for security purposes because important site functionality may break at any time when the outbound IP addresses change.

Instead, you should use other methods of securing the traffic, like certificate/key-based authentication or a VPN.

For information about CMS 11 security, see Security in the Optimizely Content Management System (CMS) Developer Guide.