Webscale Shared Responsibility Security and Operational Model
The Webscale Managed Platform follows a shared responsibility model. This structure ensures that while Webscale manages the underlying infrastructure, security, and performance at the platform layer, the Merchant and their Systems Integrator (SI) retain control over the application code, custom logic, and business configurations.
1. Executive Summary & Strategic Recommendations
Summary: This section outlines the overarching goal of the shared model: maximizing uptime and security by clearly defining boundaries. Webscale handles the “plumbing” (Infrastructure/PaaS), while the Merchant/SI handles the “storefront” (Application/Code).
Strategic Recommendations:
- Patching: Establish a 48-hour window for applying “Critical” application patches released by the software vendor (Magento/Shopware).
- Automation: Utilize Webscale’s Predictive Auto-scaling to handle traffic surges rather than relying on manual intervention.
- Security: Leverage Webscale CloudEdge for “Edge-side” security (WAAP) to stop threats before they hit the origin server.
2. Security RACI
Summary: Security is a multi-layered approach. Webscale secures the perimeter and the operating system, while the Merchant is responsible for securing the data and the application-level access points.
| Task/Responsibility (from security.xlsx) | Webscale (inferred RACI) | Webscale (with Infra) |
|---|---|---|
| Applying infrastructure patches | C,I | R |
| Applying patches to supporting services (e.g., Nginx or MySQL) | R | R |
| Defining origin WAF rules | R | R |
| Defining CDN WAF rules | A | R |
| Deploying platform WAF rules | R | R |
| Deploying CDN WAF rules | A | R |
| Fixing core bugs in cloud infrastructure code | C | N/A |
| Releasing cloud infrastructure patches | C | N/A |
| Scaling (compute and storage) | R | R |
| Scaling (PaaS and grid) | R | R |
| Ensuring access to source code | R,C | R,C (This is tied to the customer's repo) |
| Installing Webscale cloud infrastructure CLI tool | I | N/A |
| Adding cloud infrastructure configuration files to repository | I | N/A |
| Creating a project for the merchant (onboarding UI) | R | R |
| Connecting repositories to cloud infrastructure | R | R |
| Configuring the source repository | R | R |
| Creating a user for the release manager (onboarding UI) | R | R |
| Deploying code into production | I | R,I |
| Deploying code into staging | I | R,I |
| Remediating cloud infrastructure PCI scans | C,I | R |
| Remediating PaaS PCI scans | R | R |
| Managing OS and platform secrets | R | R |
| Managing cloud infrastructure encryption keys | R | R |
| Scanning customized cloud infrastructure instances | R | R |
| Managing support access controls (Teleport) | R | R |
| Controlling merchant support and access | R | R |
| Annual testing DR plan and backup and restore | R | R |
| Annual testing and documentation of disaster recovery plan | R | R |
3. Coding and Development
Summary: This section defines the ownership of the code lifecycle. Webscale provides the environment, but the integrity, quality, and security of the code residing in that environment are the responsibility of the developer.
| Task/Responsibility | Webscale (inferred RACI) | Webscale (with Infra) |
|---|---|---|
| 1. Publishing updates and patches to core | I | R (This only applies to Webscale systems, not the customer's Magento application) |
| 2. Availability and patching of the file system | R | R |
| 3. Publishing updates and patches to ECE-Tools | I | I |
| 4. Core Application Quality | I | R (This only applies to Webscale systems, not the customer's Magento application) |
| 5. Availability of repo.magento.com | I | C |
| 6. Availability of Cloud Git server | I | C |
| 7. Other merchant-selected Code repositories | I | C,I |
| 8. Making Cloud Docker containers available for download | R | R |
| 9. Deployment and setup of Cloud Docker (optional) | I | I |
| 10. Any other local development setup | I | I |
| 11. Ongoing quality and updating of ECE Tools | I | I |
| 12. Installing the latest ECE Tools version | I | I |
| 13. Custom Magento modules and code | I | I |
| 14. Extensions | I | I |
| 15. Custom Integrations | I | I |
| 16. Configuration of build and static content deployment | I | I |
| 17. Building and executing deployment governance process | I | I |
| 18. Deploying to Staging environment | I | C,I |
| 19. Deploying to Production environment | I | C,I |
| 20. Production rollbacks | R,I | R,I |
| 21. Synchronizing data between environments | R | R |
| 22. Installing updates and patches to ECE-Tools | I | I |
| 23. Installing updates and patches to Magento core | I | I |
| 24. Customized Magento application and associated websites | I | I |
| 25. Core Application tuning and optimization | I | I |
| 26. Custom code tuning and optimization | I | I |
| 27. Custom code | I | N/A |
| 28. Load Testing | R,I | R,I (If purchased with us or they have their own) |
| 29. Performance testing | I | R,I (If purchased with us or they have their own) |
| 30. Rotating Logs | R | R |
| 31. Custom application | I | N/A |
| 32. Availability of New Relic services | A | C,I (Customer has their own New Relic) |
| 33. Setting up New Relic Alerts | R,I | R,I (We will only set up the access keys; the customer will need to set up the alerts) |
| 34. Deploying New Relic agent on PaaS Servers | R | R |
| 35. Debugging and issue isolation | R | R |
| 36. Timely support of debugging and issue isolation process | R | R |
4. Application and Service Configuration
Summary: While Webscale ensures the availability of services like PHP, Redis, MySQL, RabbitMQ, and OpenSearch, the specific configuration and usage of these services to meet business logic requirements are controlled by the SI.
| Task/Responsibility | Webscale (inferred RACI) | Webscale (with Infra) |
|---|---|---|
| 1. Application configuration | R,I | R,I (Webscale - Adding the domain in the control panel) |
| 2. Adding domains to the application (Base URLs) | R,I | R,I (Webscale - Adding the domain in the control panel) |
| 3. Configuring PaaS to use supported Service versions (PHP, Redis) | R | R |
| 4. Availability of default cron jobs | R | R,C (Customers cannot add their own cron jobs) |
| 5. Ongoing quality of custom cron jobs | R | C,I (This is important, as customer-provided crons can and have caused issues by not completing in time or consuming too many resources) |
| 6. Availability of RabbitMQ service | R | R |
| 7. Configuration of default RabbitMQ settings | R | R |
| 8. Ongoing quality and patching of RabbitMQ | R | R |
| 9. Submit a service request to install a compatible RabbitMQ version | A | C,R (If a customer requires it, we install it.) |
| 10. Availability of PHP | R | R |
| 11. Configuration of default PHP settings | R | R |
| 12. Configuration of custom PHP settings | R | R |
| 13. Configuration of YAML file to align PHP versions | R,I | N/A |
| 14. Availability of Galera and MariaDB services | R | R (We also support MySQL) |
| 15. Ongoing maintenance of default database settings | R | R |
| 16. Ongoing maintenance of merchant data and modified settings | I | C |
| 17. Configuration of Galera and MySQL | R | R |
| 18. Ongoing quality and patching of Galera and MariaDB | R | R |
| 19. Ongoing infrastructure optimization | R | R |
| 20. Identifying and fixing slow queries | C,I | C,I (Non-service-impacting issues remain the customer's responsibility) |
| 20a. Identifying and fixing problematic queries | R,C (Only for service-impacting issues) | |
| 21. Submit a service request to install a compatible MariaDB version | A | C,R (If a customer requires it, we install it.) |
| 22. Setting and maintaining merchant-specific data retention policies | I | C |
| 23. Availability and Quality of CDN | R | R |
| 24. Fastly service configuration (via Extension / API) | R,I | I |
| 25. Fastly Extension Quality | I | I |
| 26. Fastly Integration VCL Snippets Quality | R,I | I |
| 27. Page Cache optimization | R | R |
| 28. Adding domains to services, to CDN, and to infrastructure | R | R |
| 29. Custom VCL Snippets | R,I | I |
| 30. WAF & WAF Rules | A | R,C (Customer has the ability to manage as well) |
| 31. Availability of Redis service | R | R |
| 32. Configuration of default Redis settings | R | R |
| 33. Ongoing quality and patching of Redis | R | R |
| 34. Submit a service request to install a compatible Redis version | A | C,R (If a customer requires it, we install it.) |
| 35. Availability of Elasticsearch | R | R |
| 36. Configuration of default Elasticsearch settings | R | R |
| 37. Submit a service request to install a compatible Elasticsearch version | A | C,R (If a customer requires it, we install it.) |
| 38. Availability of SendGrid email service and its integration | R | R |
| 39. Monitor merchant’s SendGrid usage against limits | R | R |
| 40. Merchant responsible for using the service for transactional emails only | R | R |
| 41. Configuring optional third-party email services | I | I |
| 42. Availability and quality of third party services | I | I |
5. Commerce Services Extensions
Summary: Webscale allows for best-of-breed integrations. The responsibility for selecting, integrating, and maintaining these third-party services lies with the Merchant.
| Task/Responsibility | Webscale (inferred RACI) | Webscale (with Infra) |
|---|---|---|
| 1. Availability of the Advanced Reporting Service | I | I (If customer has their own advanced reporting services we will work with them) |
| 2. Configuration of Advanced Reporting complies with Terms & Conditions | I | I (If customer has their own advanced reporting services we will work with them) |
| 3. Availability of Business Intelligence (MBI) services | I | I (If customer has their own advanced reporting services we will work with them) |
| 4. MBI Data Synchronization processes | I | I (If customer has their own advanced reporting services we will work with them) |
| 5. Detecting MBI synchronization issues | I | I (If customer has their own advanced reporting services we will work with them) |
| 6. Configuring MBI Data Synchronization (for various platforms) | I | I (If customer has their own advanced reporting services we will work with them) |
| 7. Availability of Product Recommendations service | I | I (If customer has their own advanced reporting services we will work with them) |
6. Network Services
Summary: This section focuses on the “Edge” of the network. Webscale manages the delivery and acceleration of content, while the Merchant manages the content itself and the domains.
| Task/Responsibility | Webscale (inferred RACI) | Webscale (with Infra) |
|---|---|---|
| 1. Availability and Quality of Image Optimization | R | R |
| 2. Configuration of Image Optimization | R | R |
| 3. SSL Dedicated Certificate - expiration | R | R,I (If customer supplies SSL) |
| 4. Provisioning SSL Certificates | R | R,I (If customer supplies SSL) |
| 5. Purchasing and Maintaining EV/Specific SSL cert and provide to Adobe | R,I | R,I (If customer supplies SSL) |
| 6. Availability & Configuration of WAF | A | R |
| 7. Addressing WAF Rule False Positives | R | R,C (Customer needs to validate) |
| 8. Reporting WAF Rule False Positives | I | C |
| 9. WAF Rule Tuning | R | R,C (Customer needs to validate) |
| 10. WAF/CDN Logs | R | R,C (Customer needs to validate) |
| 11. Proactive IP Blocking | R | R |
| 12. Bot Protection | R | R,I (If customer purchases bot manager) |
| 13. DDoS detection - layer 3-4 | R | R |
| 14. DDoS detection - layer 7 | A | R |
| 15. DDoS response | A | R |
| 16. Configuring and maintaining PrivateLink connections (Adobe-owned VPC) | R,I | R,I (If customer has own VPC and/or peering) |
| 17. Configuring and maintaining PrivateLink connections (Merchant-owned VPC) | R,I | R,I (If customer has own VPC and/or peering) |
| 18. Availability of SSH (Non-PrivateLink) | R | R,I (If customer has own VPC and/or peering) |
| 19. Configuration of PrivateLink Inbound to Cloud Service endpoint | R,I | R,I (If customer has own VPC and/or peering) |
| 20. Acceptance of PrivateLink Inbound to Cloud Service endpoint | R,I | R,I (If customer has own VPC and/or peering) |
| 21. Configuration of PrivateLink Inbound to Merchant’s VPC Service endpoint | R,I | R,I (If customer has own VPC and/or peering) |
| 22. Acceptance of PrivateLink Inbound to Merchant’s VPC Service endpoint | R,I | R,I (If customer has own VPC and/or peering) |
| 23. Configuration of PrivateLink integrations (endpoint to account) | R,I | R,I (If customer has own VPC and/or peering) |
| 24. Configuration of merchant-owned VPC for PrivateLink endpoint | R,I | R,I (If customer has own VPC and/or peering) |
7. System and Infrastructure
Summary: This is the core of the Webscale value proposition. We ensure the servers are up, scaled, and backed up based on standard lifecycle policies.
| Task/Responsibility | Webscale (inferred RACI) | Webscale (with Infra) |
|---|---|---|
| 1. Availability of Nginx | A | R |
| 2. Configuration of Nginx | R | R |
| 3. Ongoing quality and patching of Nginx | A | R |
| 4. Availability of Operating System | A | R |
| 5. Ongoing quality and patching of Operating System | A | R |
| 6. Availability of snapshot and backup process | A | R |
| 7. Scheduling backups for Pro Staging and Production | R | R |
| 8. Scheduling backups for Starter and Pro Integration environments | R | R |
| 9. Availability of HA / Failover | A | R |
| 10. Availability of CPU resources, data center, disk space | A | R |
| 11. Availability and execution of surge capacity or emergency upsizing | A | R |
| 12. Requesting surge capacity | C,I | C,I |
| 13. Monitoring vCPU usage against the limits | R | R |