PaaS Security

Our customers rely on Magnolia’s cloud web content management software to serve thousands of digital experiences every day. This page provides an overview of our certifications and processes to ensure the security of their data and the availability of their services.

Certifications

Magnolia holds the ISO 27001 and SOC 2 certifications, and collaborates with Compass Security on regular security reviews and penetration testing.

ISO 27001 certification

ISO 27001 provides requirements for an information security management system (ISMS) relating to “the security of assets such as financial information, intellectual property, employee details or information entrusted by third parties.” We invest in technology, processes, and people to help us protect these assets against data breaches and security threats from cyber criminals. We obtained our ISO certification to show this commitment to security and privacy.

SOC 2 certification

SOC 2 is a compliance standard for managing customer data. Based on the five pillars of security, availability, processing integrity, confidentiality, and privacy, the SOC 2 certification process assesses whether an organization securely processes sensitive information on its customers' behalf. We completed the certification process because we want to give our customers and users peace of mind by demonstrating that we are able to protect their and their customers' data.

Security assessment

Compass Security Network Computing AG is an IT security company specializing in security reviews and penetration testing. Our platform is tested annually or after each significant architectural change. The pen test result is available in a public statement issued by Compass Security describing the security standard of the Magnolia PaaS.

Application security: user access and identity management

A platform is only as secure as its weakest link, and some experts argue that users are the weakest link. To ensure maximum security and control, Magnolia provides the following user access and security features:

Password management

Magnolia provides a basic module to manage passwords centrally. Alternatively, you can set up Single Sign-On (SSO), offering the most convenience and flexibility to ensure compliance with your password security policies.

Password hashing

If you choose to manage passwords in Magnolia, we use a secure hashing algorithm with high cyclomatic complexity to store passwords, preventing successful brute force and rainbow table attacks.

Single sign-on

Our SSO module enables you to plug in any provider for authentication and authorization, allowing you to enforce custom settings such as password complexity or time to live (TTL).

Multi-factor/two-factor authentication

Magnolia requires multi-factor authentication (MFA)/two-factor authentication (2FA) using any authenticator app that Google supports, for example, Google Authenticator. MFA cannot be disabled.

Authorization

Magnolia keeps all user secrets in one place and will never copy your users' passwords, even if you choose to use Magnolia’s password management for external users and your company’s SSO solution for internal users.

Role-based access

Administrators can create and assign specific roles to users and groups to maintain consistent permissions across the system, limiting what users can do and minimizing the number of individual settings necessary per user.

Session timeout

We chose 30 minutes as our default session timeout to balance security and convenience. Administrators can change this value based on your organization’s needs. When a session times out, users have to re-authenticate to access the application.

Security and privacy

Our priorities are the security and privacy of your and your customers’ data.

Data security

We deploy a dedicated Kubernetes cluster for every customer on the Magnolia PaaS, physically separating your data from the data of other Magnolia customers. The data is encrypted at rest and in transit, and the encryption keys are safely stored in a vault.

Data privacy

Magnolia never processes any personally identifiable information (PII) you commit to the platform, except for IP addresses. All other PII is encrypted and as such not accessible to anyone else but you. It is, therefore, not considered PII from a GDPR perspective (Article 34(3)(a) GDPR).

Data Processing Agreement (DPA)
We will provide you with our DPA upon request.

Data handling
Your data is encrypted and not accessible to Magnolia staff. Data processing is limited to the IP address of incoming requests to deliver the response.

Encryption at rest
All data is encrypted at rest using industry-standard encryption.

Encryption in transit
All data is encrypted in transit using SSL encryption with TLS 1.2 or higher.

Log data retention
We keep log files for six months by default. You can change the data retention settings to satisfy your business’s legal requirements.

Security awareness
Every employee has to complete security training when starting their job. We also ensure continuous education via company-wide training sessions. Employees that require specific training to perform their duties are trained internally or externally via 3rd-party educational institutions.

API security and endpoint protection
Magnolia requires authentication to access its APIs, except for those intended to be accessed publicly.

CORS and XSS
Magnolia provides built-in support for Cross-Origin Resource Sharing (CORS) and protection against Cross-Site Scripting (XSS) attacks.

Business continuity and disaster recovery

Being entrusted with the business-critical assets of our customers, we take business continuity very seriously. We are also ISO 27001 certified.

Our Business Continuity Plan (BCP) covers all relevant topics, including:

  • Ensuring our ability to serve your assets
  • Keeping your resources alive 
  • Recovering from backups
  • Restoring the whole order of business to normalcy


We update our BCP for every change in the systems or our business processes. We also test it annually to ensure a smooth recovery. A copy of our BCP is available upon request.

We take particular interest in the following topics:

Backup and recovery

The Magnolia PaaS is backed up automatically, and using the Point-In-Time Recovery (PITR) technique, we minimize data loss in case of an incident. This provides a huge advantage over previous approaches to backup and recovery. You can restore data from a backup to any point in time, for example, after a human error.

Backup and restore are fully transparent. You can trigger a restore and check the backup logs via our self-service console.

Availability and performance

We ensure that we always have more cloud capacity available to cover our customers’ growth needs and any resource usage spikes that could occur at any time.

We also ensure worldwide coverage to allow you to serve experiences from servers close to your own customers. Our regional coverage includes deployments to mainland China.

Content Delivery Network (CDN)

The Magnolia PaaS includes a pre-configured CDN offering scalability and performance during traffic peaks. The CDN also provides coverage in case of an outage by serving a cached copy of pages, provided that the cache has been populated with content, the content has an expiration time in the future, and the content may be cached by the CDN.

You are free to opt out of the CDN to use your own without impacting the security of the Magnolia PaaS.

Multi-cloud

The Magnolia PaaS supports multi-cloud deployments, allowing you to choose different cloud providers and deployment regions in case one single cloud provider cannot meet all your needs. This option ensures service delivery globally and provides higher availability and greater disaster tolerance in all regions.

It also provides better fault tolerance for those rare cases where not just a single availability zone or single data center but a whole provider is affected.

Using automatic monitoring and scaling, the cloud orchestrator can detect issues with a cloud service and increase resources in the available cloud to compensate for the loss of computing power, allowing you to operate at total capacity. Once the incident is resolved, the Magnolia PaaS automatically rebalances the resources to the original distribution.

Exit management

Most vendors don’t talk about what happens when you decide to terminate your subscription. Instead, we aim for total transparency and provide documentation for exporting your data.

We also guarantee that your data is deleted when your subscription ends, avoiding misuse.

System security

We secure each subsystem of the Magnolia PaaS and regularly review and test all its parts and processes – internally and externally through an independent 3rd-party IT security company. The Magnolia PaaS is also reviewed and audited under rigorous ISO 27001 requirements using external auditors to ensure the audit's independence.

We also encourage you to test your customizations and the code you deploy on the Magnolia PaaS to ensure that those changes don’t compromise the security.

Consequently, the platform undergoes redundant testing by multiple security testers using different approaches, which ensures thorough testing.

We will fully cooperate with you and the testers in case of any findings – no matter how small or theoretical. We aim to provide a fix as soon as possible or within 30 days at the latest, either by direct remediation or by introducing mitigating measures to ensure we can safely quarantine the weak point.

Network security

The Magnolia PaaS uses containerized deployment and Kubernetes orchestration. We deploy a dedicated cluster for every customer on the Magnolia PaaS, ensuring that your environment is separated. You also have a dedicated account with your chosen cloud provider, introducing another encapsulation layer.

Containerized deployment also allows you to maintain fine-grained control, minimizing exposed access points. We also secure access to all exposed endpoints through various measures, but most notably, we provide a web application firewall (WAF), DDoS protection, and transmission protection.

Firewall/WAF

We deploy a web application firewall (WAF) by default unless you opt out of it.

During the first hours or days after deployment, the backend heavily analyzes your traffic and optimizes the configuration rules or suggests improvements. These optimization processes continue to run at lower intensity throughout the platform’s lifetime.

This doesn’t mean that you start without protection. Rather the opposite: we deploy many rules, and the optimization clears those that lead to false positives.

The WAF includes, but is not limited to, rules to protect against the OWASP Top 10 attack vectors such as XSS, SQLi, and PHP. It also detects application-specific threats, for example, CVE, and request anomalies, for example, a missing User-Agent (UA) header and an X-Forwarded-For (XFF) mismatch.

DDoS protection

DDoS protection is available on different levels. Cloud infrastructure providers typically cover level 3 or level 4. Magnolia covers level 7. The WAF and CDN cover these layers and the layers in-between, actively blocking attacks.

A higher degree of DDoS protection, including advanced anomaly detection and threat analysis algorithms, is available as part of Magnolia’s Advanced Security Package.

If a DDoS attack nonetheless causes a traffic spike, the Magnolia PaaS automatically scales up its resources to ensure that the platform can handle the load up to the limit of your contracted resources.

Our Advanced Security Package also protects against the cost of additional traffic generated by a DDoS attack.

Transmission protection

All traffic is protected by encryption, preventing cyber criminals from reading and manipulating any data in transit. This applies to both in-platform and platform-to-end-user traffic.

All communication happens over SSL with TLS 1.2 or higher using industry-standard encryption strength. The only exception applies if you deliberately enforce weaker certificate encryption to support very old browsers.

In addition, our systems monitor all traffic actively. To ensure that no anomalies remain undetected, you have the option to let traffic undergo a behavior analysis that raises an alert and stops any suspicious activity before cyber criminals can get deeper into the system.

Infrastructure and physical security

All our cloud infrastructure providers must present their ISO 27001 certification or undergo a security audit by Magnolia before their selection. We also test all providers annually and verify that they still meet our strict security and reliability requirements.

Physical access to all facilities is restricted and limited to authorized personnel only.

Penetration tests

To provide the most secure environment to our customers, the Magnolia PaaS regularly undergoes security testing, including but not limited to pen testing. The pen tests are executed by an independent 3rd-party security vendor annually or after each significant architectural change.

The test includes the infrastructure environments, the orchestration, and the Magnolia application. The result is available in a public statement upon request.

We also encourage our customers to run their own pen tests to test their customizations. As a result of this policy, the Magnolia PaaS undergoes pen testing once a month or more on average.

Vulnerability reporting and management

In compliance with the requirements of our ISO 27001 certification, the Magnolia PaaS provides an active vulnerability reporting and management solution.

We test all of our software for vulnerabilities at every build. If you encounter a vulnerability, you can report it to security@magnolia-cms.com. We monitor this e-mail account 24/7/365. 

We provide a fix for all reported issues within 30 days, but typically much faster – five business days on average at the time of writing.

All 3rd-party libraries are screened daily for new vulnerabilities. Upon detection, we schedule an immediate update or take mitigating measures until a fix becomes available.

You can also access an account-specific, pre-configured, and customizable security dashboard.

In addition, you can subscribe to receive vulnerability and security notifications, including their severity and any resolution and mitigation measures.