Ecommerce security for different cloud models – does the difference matter?

In ecommerce, one of the first and most important steps before launching a business is to decide about a platform to build it on. Along with all the capabilities they will get, merchants must question how secure it is and what measures they will need to take to further enhance security.

In order not to maintain on-premises IT infrastructure and to avoid continuously struggling to scale it up to meet growing business needs, retailers tend to consider cloud ecommerce solutions. Their company’s information is stored in highly-optimized data centers. But as far as there are different cloud service models, it is only logical to assume that the way they ensure ecommerce security differs as well. We are here to explore a security aspect for two cloud models – IaaS (Infrastructure-as-a-Service) and SaaS (Software-as-a-Service). We will build our explanation on the examples of Salesforce Commerce Cloud (former Demandware) for SaaS and Magento for IaaS.

SaaS experience

Vendors of SaaS solutions provide companies with ready-to-use applications, so that the latter “rent” an ecommerce platform to create a web store and strongly depend on the vendor to ensure proper safety. 

One of the ecommerce platforms existing in the cloud, Salesforce Commerce Cloud is generous with promises of a superior shopping experience. But as security forms a basis for all the benefits, let’s go over the specifics of this critical aspect in cloud ecommerce and see what Salesforce does for information protection.

Web servers and databases. Having chosen a SaaS cloud ecommerce platform, merchants are not responsible for the security of the web servers and databases. The vendor – Salesforce in our case – takes the full responsibility to provide safe server environment and protect it from unauthorized access.

Access management. Protecting the company data both from external hackers and internal misuse is critical for ecommerce businesses. Here are some figures – around 60% of security breaches were caused by insiders (Research 2016 Cyber Security Intelligence Index by IBM). And three fourths of them involved malicious intent.

To increase internal security, Salesforce adds user roles to differentiate access privileges that employees have and offers separate environments for different functions, for example, for production and testing. Besides, there is password complexity control and two-factor authentication to minimize the risk of having outsiders in the back end of the web store.

Customer information management. The specific of cloud applications – many companies share the same hardware – calls for data isolation for each individual retailer. Salesforce uses a unique organization identifier that associates each system request with a particular company.

Besides, a cloud-based ecommerce business means that merchants have to store all customer information on a data server they don’t fully control. This drops the cost of hardware but raises doubts in the information ownership. In Salesforce Commerce Cloud, only authorized users can import, export, edit and delete information. For security reasons, merchants have a replicated copy of all customer information at their disposal. Upon the contract expiration, they have 30 days to take it out of Salesforce Commerce Cloud and, after that, it is subject to deprovision. Thus, Salesforce doesn’t store the information for long in order not to put it at risk of theft or disclosure.

Security monitoring. Salesforce utilizes network-based intrusion detection mechanisms to regularly monitor the system. This allows for prompt incident detection and response, as well as prevention of fraudulent authentication of accounts.

Security updates. Having identified and addressed a security vulnerability, Salesforce applies the improvements to the whole system. Thus, merchants don’t need to carefully follow security updates to stay protected.

Support. It is only natural that ecommerce players are not experts in information safety. Fortunately, they have Salesforce Security Incident Response Team to deal with arising issues.

IaaS security

Let’s move on to ecommerce platforms deployed according to IaaS cloud model. Here, merchants are responsible to choose a reliable hosting provider and maintain the security of the application itself. By and large, this means that they need to allocate additional staff to maintain the system or outsource this to a support team. It’s time to go through the details with a close look at Magento. This is a bright example of how the team behind the platform does much for security but owners of Magento-based stores still need to put much effort to safeguard their business.

Web servers and databases. Purchasing a Magento Commerce license or starting with a free Open Source version, retailers need to take care of the underlying infrastructure. As a rule, they need an expert assistance of Magento developers to configure web servers and databases, set access permissions to the file system and ensure its overall safety.

Access management. Security measures for the admin panel are the same for IaaS and SaaS cloud ecommerce platforms, and they mostly focus on preventing unauthorized access. We have earlier guided merchants through Magento security and addressed the protection of the admin panel in detail, but let’s summarize that setting a custom admin URL, restricting user permissions, choosing a strong password and adding two-factor authentication help to reduce the risk of criminal intrusion.

Customer information management. Having chosen an IaaS cloud model, companies fully control the customer data. But with great power comes great responsibility. Owning a wealth of sensitive information, merchants must back it up regularly and in due time, before applying major changes to a web store. This will save them from information loss in case of system crashes.

Security audits. Knowing the importance of regular auditing of the system for breaches, Magento offers a free Security Scan Tool. Still, merchants need to set an optimal schedule for security audits and fulfil the task by themselves. Alternatively, they can delegate it to their support team or look for a third-party company to run a full check-up of the system to detect existing issues and prevent potential ones.

Security updates. Though not solving individual security issues, Magento encourages reporting identified system vulnerabilities and further covers them with security patches that are available in the Magento Security Center. This guards against administrator account takeover, data leakage and system crash among other issues. Using Magento, retailers need to check for updates and timely install patches to strengthen security.

Support. As a rule, ecommerce sellers think about business strategies, conversion rates or sales boost. As for the software they use to sell, they tend to delegate its normal operation to a Magento support team. Here, finding experts to take professional care of the security of your web store is crucial.

Different approaches to SaaS and IaaS cloud models is key

Choosing an underlying platform for their business, sellers must clearly see what efforts they need to invest and what help they can expect from a vendor to keep a storefront trouble-free. As we made clear, an approach to ecommerce security must depend on the platform type. Working with an IaaS cloud solution, retailers have to consider environment and system safety, stay current on security updates, conduct regular audits and do their best to protect customer information from theft. In a SaaS cloud model, much of that comes from a vendor. But with that, they store company information in their databases, which makes retailers question its privacy.

Blog post provided by ScienceSoft, which provides consulting and custom software development services


In partnership with