Arc XP Security FAQ
What is Arc XP’s Security Program?
Arc XP is committed to the security of our platform and has invested in application security processes, people, and technologies to meet that commitment. With a dynamic threat landscape, we continuously improve our security approach by following industry-accepted practices and proactively reimagining future security needs.
Arc XP’s security program is validated and assessed through ISO 27001 certification and related ongoing audit processes. It includes developer training, a dedicated application security team, and security-related activities in the software development lifecycle to build a culture of risk-based security awareness and secure development. Continuous coordination between the application security team, development team, and security vendors enables us to deliver features to our customers while minimizing security risk.
As part of a comprehensive security program, Arc XP has instituted a vulnerability assessment and management process that includes these key items:
Developer education
Threat modeling
Code and design reviews
Code scanning
Infrastructure assessment and scanning
Third-party vulnerability assessment and scanning
Measurement and continuous improvement
Arc XP’s platform is built on security best practices including, but not limited to:
Data is encrypted in transit using TLS 1.2+ and at rest using AWS platform-provided encryption and key management.
Platform authentication through security industry leader, Okta.
Access to all product resources and assets is enforced through SSO and MFA.
Authorization performed as close to the protected resource as possible.
AWS VPC and other network security features for logical separation and network segregation.
Regular review of least privilege and attack surface reduction principles.
The security profiles of active instances are controlled by secured and centrally managed AMIs. Instance lifetime is minimized to reduce the risk of persistent attacks.
Internet exposed resources are tightly controlled and placed behind Akamai for best-in-class protection from web-based attacks and DDoS attacks.
AWS platform-provided security services are used to identify and remediate infrastructure issues, detect threats in real time using best-in-class machine learning techniques, and respond to and remediate issues as they are identified.
Do You Pentest Arc XP?
Arc XP is committed to the security of its platform and, as part of that commitment, has instituted a vulnerability assessment and management process that includes the three critical pillars of a successful program:
Developer awareness and education
Third-party vulnerability assessment and scanning
Measurement and continuous improvement
Arc XP has engaged with a third-party vendor to support a hybrid program of deep-dive penetration testing and ongoing continuous scanning for the Arc XP platform.
In Q1 of each year, the Arc XP platform is subjected to a deep-dive penetration test. Vulnerabilities are ranked Low, Medium, High, or Critical. Priorities are set in collaboration with the security vendor based upon potential for the vulnerability to be exploited as well as the severity of impact in the case of an exploit. Each vulnerability priority is associated with an internal SLA that the team adheres to regarding time to classify and time to remediate. As vulnerabilities are remediated, the security vendor executes a retest to validate the remediation and test for quality or security issues around the fix. The development team and security vendor activity are tightly integrated through Arc XP’s issue tracking software to ensure crisp handoffs and clear communication. Vulnerability discovery and remediation trends are tracked on a management dashboard so that the program can be improved and optimized over time.
In each following quarter an additional vulnerability scan is conducted to ensure existing remediations have held up and to catch new vulnerabilities that may result from ongoing development.
This vulnerability assessment and management program is part of a larger application security program that includes developer training, a central application security team, and security-related activities in the SDLC to build a culture of risk-based security awareness and continuous improvement. Coordination between the application security team, development team, and security vendor is continuous throughout the year.
Arc XP is committed to the security of its platform and has invested in application security processes, people, and technologies to meet that commitment and to continuously improve the approach over time.
The penetration testing methodology that Arc XP employs includes automated scanning to provide breadth along with manual testing techniques to provide depth. The scope of coverage includes the OWASP Top 10 as well as business logic testing to find common vulnerabilities as well as vulnerabilities that are unique to the platform.
The penetration testing team uses the following tools during the automated portion of the test as well as to support the manual testing:
Burp Suite Pro, Metasploit Pro, and WebInspect for the application layer
Nessus, Nexpose, and Nmap for the network layer
Additional homegrown and open source scanners, as needed
The penetration test team performs reconnaissance and information gathering first, using tools as well as interviews with the Arc XP team. Based on this reconnaissance they conduct the first round of automated scanning to uncover potential vulnerabilities. These vulnerabilities are validated by manual testing and then handed to the Arc XP team as Jira tickets for additional classification and remediation. Once the automated scanning and validation phase is complete, the penetration test team uses these findings to review hot spots in the application that require additional manual testing. This testing includes UI elements, API endpoints, role-based attacks, and man-in-the-middle proxy-based attacks. As additional vulnerabilities are discovered they are handed to the Arc XP team for classification and remediation.
All of the OWASP Top 10 web application security risks are considered:
Injection flaws, such as SQL injection, command injection, and XML injection
Broken Authentication flaws, including problems with session handling, password issues, and failure to properly protect and encrypt credentials
Sensitive Data Exposure flaws, including protection at rest and in transit
XML External Entity flaws, including the use of a properly configured and up to date XML processor
Broken Access Control flaws, including failure to properly authenticate users or secure assets accessed by privileged users
Security Misconfiguration flaws, including failure to securely configure AWS instances or cloud storage
Cross-Site Scripting flaws, including a check on proper escaping of untrusted input and use of HTTP-Only and Content Security Policy to reduce the impact of Cross-Site Scripting attacks.
Insecure Deserialization flaws, including the use of malicious data to achieve remote code execution or other privilege escalation attacks
Risks involving Components with Known Vulnerabilities, including checking libraries, frameworks, and other components for the latest, secure versions
Logging and Monitoring flaws, including insufficient logging that can lead to repudiation and overly verbose logging that may give attackers information to further their goals
The vulnerability assessment dashboard contains information reviewed by the application security team, the development team, and the management team related to:
Status of penetration testing efforts and re-tests to validate code fixes
Types and categories of vulnerabilities found
Vulnerability priority distribution
Remediation progress
Trend analysis
How Does Arc Handle Data Encryption and Data Protection?
All data is encrypted at rest using AWS platform-provided symmetric encryption algorithms. Encryption keys are managed in a dedicated keystore.
All data is transmitted using HTTPS.
User passwords are stored as cryptographically secure hashes according to industry best practices.
SSO and MFA are enforced for all employee access to product resources and assets.
Akamai WAF and AWS Shield are used to detect and block known incoming attacks.
All EC2 instances and S3 buckets are placed behind an elastic load balancer and/or CloudFront.
Infrastructure code changes are made through CloudFormation and CodePipeline.
Crowdstrike is installed on EC2 instances to detect attacks, prevent malware, and provide threat intelligence.
What is Arc XP’s Cyber-Incident Response Process?
The Arc XP Security Team has an incident management and response process that is activated if we believe the confidentiality, integrity, or availability of an Arc XP resource may have been impacted. If, during the course of an incident, we determine that a breach of security has occurred, leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Content or Customer Data (including Personal Data), then a security breach is declared. Breach response will activate a set of procedures governed by our contractual and regulatory obligations.
Incident Definition
The Arc XP team recognizes four escalating tiers related to incident response:
Alert. An alert is any signal received that the security team will triage for risk.
Investigation. An investigation can be called for a variety of reasons:
There is a suspicious alert received that may indicate an incident and has been deemed important enough to warrant a formal review and documentation. This signal may come from internal security tooling and assessments or external assessment vendors and tooling.
There is a tool or technology that the team wants to review to see if it could improve the security program.
Incident. An incident may be called if during an investigation the team determines that confidentiality, integrity, or availability of an Arc XP resource may have been impacted.
Breach. Our contractual definition of a breach is, “A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Content or Customer Data (including Personal Data).” When a breach is called, this will activate procedures governed by contractual and regulatory obligations.
Platform Breach. A platform breach involves a vulnerability or weakness in the Arc XP platform that led to the compromise. By definition the vulnerability or weakness underlying this type of breach could impact more than one customer and can be fixed through product code or configuration changes. These breaches are the responsibility of the Arc XP team and all breach procedures and policies will be adhered to.
Customer Breach. In the case of a customer breach, the vulnerability or weakness is in customer code or configuration and so the responsibility for the breach lies with the customer. The role of the Arc XP team in the event of a customer breach is to provide notification when detected and provide support to the customer so that they can manage the breach using their own incident response process.
Incident Roles & Responsibilities
Role | Responsibilities |
---|---|
Reporter | |
Incident Manager | |
Engineering Manager | |
Communication Manager | |
Executive Owner | |
Incident Communication Channels
Internal Communication Channels
Slack channel and email alias dedicated to alerts from internal team members
Once an incident is called, a temporary private Slack channel is created for inter-team real-time communication
Internal documentation for all Investigations and Incidents
Alerts for team members for on-call response
External Communication Channels
Arc XP direct communication with customers
Marketing team email blast
Marketing team website update
Incident Response Values
This document cannot cover all cases and since incident response is by its nature a high pressure, stressful process, use the following values for guidance when going off-script.
Category | Values |
---|---|
Detect | We strive to find the problem before our customer does. If a customer brings a problem to us, we always listen. |
Respond | Act quickly but take the time to triage accurately. Don’t hesitate to make decisions to contain risk. Recognize that the actions you take may increase risk, so be thoughtful. Escalate when necessary. Lean on the experience of those around you. Things may get hard, be patient with others and maintain a cool head. |
Eradicate | Be thorough. Follow through. Involve all parties who can reduce risk, including marketing and legal. |
Improve | Be transparent. Document what you do as you do it. Document how to improve and then act on it. Don’t destroy evidence or allow it to be destroyed. Don’t point fingers or assign blame, stay constructive. Work lessons learned into overall long-term strategy. |
How Do You Protect Arc XP Against DDoS attacks?
The Arc XP platform protects our customers against DDoS and other attacks on a regular basis. Being targeted by threat actors is the norm for any site or service exposed on the public Internet. Arc XP makes it easy for you to manage these risks without impact to your customers or to your internal operations team. In effect, we manage your websites’ security operations for you.
Our Delivery team monitors and manages our CDN configurations and WAF rules around the clock. We have developed an Arc XP platform security posture, including rate limits, reputation blocking, and attack blocking to protect our customers' data and services.
We employ multiple caching layers, starting at the edge and continuing through every step of the delivery pipeline, and have never had a customer outage due to a DDoS attack. Our infrastructure is designed to absorb and deflect these types of attacks.
Many customers ask us about other protection products, such as Akamai’s Site Shield. Compared to Site Shield, we provide all of the IP hiding and CDN-layer protections that Site Shield gives you, and also include an actively managed WAF, many layers of infrastructure and application-layer load balancing and caching, and a delivery team that is tasked with monitoring and responding to threats and attacks against your sites.
As described in the Arc XP shared security model, Arc XP is responsible for the security of the platform used to deliver your site and your team is responsible for the security of your sites’ unique code and business logic.
Does Arc XP Support Additional Bot Mitigation?
You do not receive Akamai Botman products out of the box. However, based on your need, you can customize a solution that works for your environment. Botman takes about a month from the desired go-live date to get things up and running (2 weeks for creating a named account + 2 weeks of integration). Cost is to be determined after a discovery call to understand more about your needs.
Arc only provides protection against malicious activity at the edge: incidents involving excessive request usage, vulnerability scanning, or similar activities that are observed across the platform. Arc resells Akamai Bot Manager, which clients can use to target more specific traffic that Arc does not mitigate because its usage may be abusive for some customers but valid for others.
At What Layers has Arc XP Instituted Defense in Depth?
Arc XP’s layered defense includes the following:
CDN at edge to ensure resilience and performance of site delivery and dilute DDoS attacks across many nodes
WAF at edge to monitor and block against known sources and patterns of malicious traffic
Multiple layers of caching prevent traffic from causing undue stress on rendering
Rate limiting, reputation, and fingerprint related blocking to manage active attacks
Machine learning based infrastructure monitoring to detect patterns of malicious behavior and traffic in real time
Application monitoring and defense to detect and block patterns of attack directed against the application and API layers that weren’t blocked in prior layers of defense
EDR on every compute instance to detect and block malicious patterns of access and operation in case an attacker is trying to establish or expand their footprint in our infrastructure
How Does Arc XP Manage Cyber-Security Monitoring?
CloudTrail is used to monitor resource access. CloudWatch, Splunk, and Datadog are used for logging and auditing.
What Security Logs or Events are Available to Us As a Customer of Arc XP?
We make your CDN logs available to you upon request. These logs contain some, but not all, of the events denied by the WAF. These events will show with a 403 or 429 status code in most cases. Keep in mind, however, that Arc XP does mitigate some attacks using alternate codes to increase the effectiveness of the mitigation.
If you are interested in CDN log delivery, submit a ticket to Arc XP Customer Support to set it up. Arc XP can deliver logs to S3, Splunk, Datadog, etc.
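As an added illustration (not Arc XP's code and not Akamai's log schema), the script below shows how a customer could triage delivered CDN logs for WAF-denied requests: it counts 403/429 responses by source and path and flags sources that hit many denials in a short window. The JSON-lines field names, the log lines, and the thresholds are constructed assumptions for this example.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample of CDN log records in a simplified JSON-lines shape.
# Field names are an assumption for this example, not a real delivery schema.
SAMPLE_LOG = """\
{"ts": "2024-05-01T12:00:01Z", "cliIP": "203.0.113.5", "reqPath": "/", "statusCode": 200}
{"ts": "2024-05-01T12:00:02Z", "cliIP": "203.0.113.5", "reqPath": "/admin", "statusCode": 403}
{"ts": "2024-05-01T12:00:02Z", "cliIP": "203.0.113.5", "reqPath": "/config", "statusCode": 403}
{"ts": "2024-05-01T12:00:03Z", "cliIP": "203.0.113.5", "reqPath": "/backup", "statusCode": 403}
{"ts": "2024-05-01T12:00:04Z", "cliIP": "198.51.100.9", "reqPath": "/api/search?q=a", "statusCode": 429}
{"ts": "2024-05-01T12:00:04Z", "cliIP": "198.51.100.9", "reqPath": "/api/search?q=b", "statusCode": 429}
{"ts": "2024-05-01T12:00:05Z", "cliIP": "192.0.2.77", "reqPath": "/article/123", "statusCode": 200}
{"ts": "2024-05-01T12:00:06Z", "cliIP": "192.0.2.77", "reqPath": "/missing", "statusCode": 404}
this line is not JSON and is skipped rather than aborting the run
"""

# Status codes the page says WAF denials show up with "in most cases".
DENY_CODES = {403, 429}


def parse_records(text):
    """Parse JSON-lines CDN records; malformed or incomplete lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
                tzinfo=timezone.utc)
            rec["statusCode"] = int(rec["statusCode"])
        except (ValueError, KeyError, TypeError):  # JSONDecodeError is a ValueError
            continue
        records.append(rec)
    return records


def summarize_denials(records):
    """Count 403/429 denials by status, source IP and requested path.

    The page notes the logs hold only some denied events and that other
    mitigations use alternate codes, so these totals are a lower bound.
    """
    by_status, by_ip, paths = Counter(), Counter(), defaultdict(list)
    for rec in records:
        if rec["statusCode"] not in DENY_CODES:
            continue
        by_status[rec["statusCode"]] += 1
        by_ip[rec["cliIP"]] += 1
        paths[rec["cliIP"]].append(rec["reqPath"])
    return {"by_status": by_status, "by_ip": by_ip, "paths": dict(paths)}


def flag_sources(summary, threshold):
    """Return (ip, denial_count) pairs at or above threshold, most denied first."""
    return [(ip, n) for ip, n in summary["by_ip"].most_common() if n >= threshold]


def burst_sources(records, window_seconds, threshold):
    """Source IPs with at least `threshold` denials inside any `window_seconds` span."""
    times = defaultdict(list)
    for rec in records:
        if rec["statusCode"] in DENY_CODES:
            times[rec["cliIP"]].append(rec["ts"])
    hits = []
    for ip, ts in times.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):  # sliding window over sorted denial times
            while (ts[end] - ts[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                hits.append(ip)
                break
    return hits


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    summary = summarize_denials(recs)
    print("denials by status:", dict(summary["by_status"]))
    print("sources with >= 2 denials:", flag_sources(summary, 2))
    print("bursting sources (3 denials in 1s):", burst_sources(recs, 1, 3))
```

Because the page says some mitigations use alternate status codes, treat a quiet report as "nothing visible in these codes", not as "no attack".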
What Security Dashboards are Available to Us As a Customer of Arc XP?
There are dashboards available in Arc XP PageBuilder which will show edge requests, including WAF denied responses. In general, however, Arc XP is responsible for the security of the platform and these more detailed dashboards are not available to individual customers.
Does Arc XP Assess Its Vendors and Partners?
Vendors must complete a Vendor Risk Assessment with Arc App Security which is then reviewed and approved by the security team. This assessment includes a review of security certifications, audit reports, penetration testing procedures, and documentation of recent breaches if there have been any.
Does Arc XP Secure Its Backups?
Data backups are performed by Arc using backup technologies specific to each data store. Because Arc is a multi-tenant platform, customer data is logically or physically co-located within Arc, so there is no customer-specific backup. Backups are encrypted using AWS technologies and are tested following Arc’s internal DR processes.
What is Arc XP’s Business Continuity and Disaster Recovery Strategy?
In each region Arc XP uses multiple availability zones to allow failover in the case a single data center is impacted.
In the event of a region-wide failure in which an entire AWS region is destroyed or taken offline for an extended period, Arc XP uses the Akamai Cloud Wrapper central cache to consolidate requests to origin for all edge nodes. This approach extends the longevity of content for all edge nodes around the world during an extended outage.
As a result, customer sites will continue to operate with existing content, until we redeploy workflow/publishing services in another region, which could take days as a worst-case scenario.
We evaluate the effectiveness of our Disaster Recovery processes by tracking Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO). RPO and RTO work together in a time sequence, with RPO making sure a business has the right data backup policies in place and RTO ensuring it can recover data backups quickly. Arc XP performs tabletop and simulation exercises yearly to develop and validate these RTO and RPO guidelines.
Arc XP also classifies platform components into Tiers. Our tier system specifies the criticality of platform components and drives our RTO SLAs within a single region. Our RTO ranges from 75 to 240 minutes, based on Tier criticality, and varies by region and data size. Our RPO values range from “point in time” availability for critical tier components to a maximum of 1 hour for less critical components.
What is Arc XP Doing About the Current Threat Landscape?
The security of your technology platforms and websites is our top priority. As a valued customer, we want to reassure you that we are committed to ensuring the security and integrity of the Arc XP platform that you rely on each day.
Arc XP's security program is validated and assessed through ISO 27001 certification and related ongoing processes. This certification provides the framework for our security approach that has been developed based on security best practices, including continuous coordination between the application security team, development team, and security vendors.
We continue to vigilantly monitor the dynamic threat landscape. Be assured that should an impacting incident arise, you will be notified as part of our incident response process. Likewise, should you or your teams see any concerning activity, contact Arc XP Customer Support so we can best support you.
Can We Run a Penetration Test Against Our Site on Arc XP?
Security of an Arc XP powered site is the result of a shared security model between Arc XP and you, our customer. Our team of security experts works tirelessly to ensure the security of the Arc XP platform, and as a customer, you also play an important role in the shared responsibility of keeping your site secure. Custom solutions you build on top of the Arc XP platform have the potential to introduce security vulnerabilities to your site, and identifying and mitigating security issues in these custom solutions is part of your responsibility.
We perform regular security assessments of the Arc XP platform and applications, and it is your responsibility to ensure any of your custom solutions built on top of Arc XP are secure once deployed. You are welcome, and encouraged to perform security testing against your Arc XP site to ensure you are providing the best level of security to your users. Because of the nature of security testing, there are certain guidelines and policy requirements that you must adhere to while performing such assessments against your Arc XP site.
Before conducting a penetration test against your site, read and abide by our Customer Security Testing policy.
Is Arc XP PCI Compliant?
The Arc XP platform may be used by our customers in two ways to process card payments. The Arc-supported scenarios are:
Use of the Arc XP Sales features to process customer payments using an iframe to a third-party payment processor
Custom code (for example, in your Fusion Bundle) using an iframe or redirect to a third-party payment processor
Each of these supported scenarios uses an iframe or redirect to a third-party payment processor. At no point does Arc XP process or store PAN data, as this functionality is always performed by the third-party payment processor. Arc XP is a Security-Impacting System for your PCI compliance scope.
If you choose to use Arc XP Sales features, elements of transaction data are retained in the system, including transaction ID, truncated PAN, and associated customer order information.
If you choose to process credit card data through an iframe or redirect from your custom code to a third-party payment processor without using Arc XP Sales features, Arc XP will not retain any transaction data.
We do not support payment processing on the Arc XP platform outside of these scenarios. If you choose to process credit card data in your code hosted on Arc XP without the use of an iframe or redirect, then you are at risk of failing your next PCI audit.
Does Arc XP Have HR Security Policies?
The Arc XP team leverages the HR policies and security policies of The Washington Post, including acknowledgment of security policies, NDAs, background checks, and security training.
These processes and policies are in scope for Arc XP’s ISO 27001 certification and are audited annually both by Internal Audit and External Audit. The ISO 27001 certification and Statement of Applicability are available upon request.
Does the Arc XP Team Conduct Security Training?
Every member of the Arc XP team is required to complete security awareness training annually. In addition, every member is trained on the details of the ISO 27001 program, including all policies in place, their responsibilities to adhere to these policies, and concrete steps they can take to meet their security requirements and objectives.
Critical application teams undergo additional training in the form of instructor-led brownbag sessions that review key security topics, the threat landscape, and security best practices.
Finally, the team uses threat modeling and architecture and design reviews as opportunities for training and knowledge transfer as an important part of the security engineering process.
What Sensitive Data Does Arc XP Process, Transmit, or Store?
Arc XP gathers the following data, dependent upon the following usage scenarios:
In the case of the edit/author workflows, we support Okta as the IdP for access to Arc XP and collect the following information:
Name
Email
In the case of Identity, Arc XP collects the following information per user:
Username
Hashed password
Optional fields:
Email
First Name
Last Name
Gender
Picture
Birthday
Physical Address
Phone Number
In the case of Subscriptions or Commerce, Arc XP collects the following information per transaction:
Tied to user Identity, with the data as described above
Optional fields on the transaction:
Email
First Name
Last Name
Billing Address
Phone Number
Masked credit card number (first 6, last 4) as per PCI guidelines
Credit card expiration date
Arc XP gathers the following additional information in log data that in some cases can be correlated to user ID:
IP address
Customers may place additional PII in Arc XP, including in author pages or custom fields. Arc XP does not govern or monitor that usage, so it is up to the customer to ensure these customer fields are used in a way that complies with relevant regulatory and compliance requirements.