Security is one of the most important concerns in enterprise communications. In 2019, the average cost of a data breach in the US was $8.19 million. Cybercrime imposes heavy costs on businesses and, often, irreparable damage to the brands they represent.
Enterprise solutions like Adobe Experience Manager (AEM) are vulnerable to cyber threats when proper safeguards are lacking and security checkups aren’t performed. When a system like AEM is compromised, user credentials, customer data, marketing assets, and other proprietary and sensitive data can be stolen or used against your business to extremely harmful effect.
A good starting point for shoring up AEM security is to know the OWASP (Open Web Application Security Project) Top Ten Web Application Security Risks. But while that list gives you a high-level awareness of the major risk classes to defend against, you still need to know how each of them shows up in AEM specifically and how to manage it there.
Let’s go over six crucial tasks for increasing Adobe Experience Manager security. Implementing these steps as part of your overall security program will substantially reduce the risk to your company’s data and critical IP.
1. Run AEM in Production Ready Mode.
The first important security step is to run AEM in Production Ready Mode, also known as the nosamplecontent runmode. As the name implies, this runmode removes the sample content and sample users that ship with a fresh AEM installation. It is an installation runmode, fixed at the instance’s first start, so set it then: pass -r author,nosamplecontent (or publish,nosamplecontent) to the quickstart jar, or add nosamplecontent to CQ_RUNMODE in crx-quickstart/bin/start before the first launch.
Production Ready Mode, as opposed to AEM’s default runmode, automatically adheres to most, but not all, of the best practices recommended in Adobe’s security checklist. For example, the HTTPS transport layer will be active in this mode, and WebDAV repository access will only be allowed on author instances. It does not, however, touch the default passwords: the admin account still needs a new password whatever the runmode.
While it doesn’t cover every item on the checklist, running Production Ready Mode is a great starting point for securing AEM. From there, adhering to the rest of the best practices for Adobe Experience Manager security will only serve to protect your systems even more.
2. Prevent unauthorized data access.
Verizon’s 2017 Data Breach Investigations Report found that 81 percent of hacking-related breaches involved weak or stolen passwords. It’s crucial to shore up AEM login protocols to defend against unauthorized data access.
One of the first tasks is to set new, strong passwords upon installation. Be sure to change both the default password of the AEM admin account and the separately configured password of the OSGi Console admin (the Apache Felix Web Console) to unique, strong values. The repository admin account is the key to everything stored in AEM, and the console’s own credentials are what protect /system/console during startup and shutdown, when the repository is not yet (or no longer) available to authenticate users.
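As an added example (not Adobe’s code and not part of the original article), the following shell script checks two of the points above: that CQ_RUNMODE in the start script includes nosamplecontent, and that the factory credentials admin:admin are rejected by the AEM login servlet and by the OSGi web console. AEM_URL, START_SCRIPT and the function names are this script’s own; the login servlet path with j_validate is the standard Sling form-authentication endpoint, and the console lives at /system/console. During normal operation the console authenticates through the repository, so the console probe exercises the repository admin password; the console’s own configured credentials, which only apply while the repository is unavailable, have to be checked in the OSGi configuration itself.

```shell
#!/bin/sh
# Added example, not Adobe's or the article's code: audit the two items above.
#   - Is nosamplecontent among the run modes in crx-quickstart/bin/start?
#   - Are the factory credentials admin:admin still accepted?
# AEM_URL (author base URL, e.g. http://localhost:4502) and START_SCRIPT are
# this script's own variable names (assumptions, not AEM settings).

# Print the run modes assigned to CQ_RUNMODE in a quickstart start script,
# e.g. "author,nosamplecontent". Only the last assignment counts; note that
# -Dsling.run.modes or sling.properties can still override it at launch.
runmode_from_start_script() {
    grep '^[[:space:]]*CQ_RUNMODE=' "$1" | tail -n 1 | cut -d= -f2- | tr -d "'\" "
}

# "yes" if the comma-separated run-mode list contains nosamplecontent.
has_nosamplecontent() {
    case ",$1," in
        *,nosamplecontent,*) echo yes ;;
        *)                   echo no ;;
    esac
}

# Map the HTTP status of a credential probe to a verdict. Both endpoints
# answer 200 when the credentials are accepted.
verdict_for_status() {
    case "$1" in
        200)     echo "VULNERABLE: default credentials accepted" ;;
        401|403) echo "ok: default credentials rejected" ;;
        *)       echo "unknown: HTTP $1" ;;
    esac
}

# Status of a login through the Sling form authentication handler.
# j_validate=true makes it reply 200 on success and 403 on failure instead
# of redirecting, which keeps the probe scriptable.
probe_login() {
    curl -s -o /dev/null -w '%{http_code}' \
        --data-urlencode "j_username=$2" --data-urlencode "j_password=$3" \
        --data-urlencode "j_validate=true" \
        "$1/libs/granite/core/content/login.html/j_security_check"
}

# Status of a Basic-auth request to the OSGi web console.
probe_console() {
    curl -s -o /dev/null -w '%{http_code}' -u "$2:$3" "$1/system/console/bundles.json"
}

audit() {
    url=$1
    script=$2
    if [ -f "$script" ]; then
        modes=$(runmode_from_start_script "$script")
        printf 'run modes in %s: %s (nosamplecontent: %s)\n' \
            "$script" "$modes" "$(has_nosamplecontent "$modes")"
    fi
    printf 'AEM login as admin:admin    -> %s\n' \
        "$(verdict_for_status "$(probe_login "$url" admin admin)")"
    printf 'OSGi console as admin:admin -> %s\n' \
        "$(verdict_for_status "$(probe_console "$url" admin admin)")"
}

# Only talk to a server when pointed at one; the helper functions above can be
# sourced and used on their own.
if [ -n "${AEM_URL:-}" ]; then
    audit "$AEM_URL" "${START_SCRIPT:-crx-quickstart/bin/start}"
fi
```

Run it as `AEM_URL=http://localhost:4502 START_SCRIPT=/opt/aem/crx-quickstart/bin/start sh aem-audit.sh`. A 200 from either probe means the factory password is still in place; anything other than 200, 401 or 403 (a redirect to a dispatcher, for instance) is reported as unknown rather than silently treated as safe.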
In AEM Forms, you’ll also want to prevent unauthorized access to form data. Schedule regular cleanup of the temporary folder, where submitted data is typically staged, and enforce authorization on form data requests in both the pre-process and post-process steps rather than assuming the caller is entitled to the data.
Finally, be aware that AEM supports typical enterprise authentication protocols, including LDAP and SAML SSO, for securely identifying users. AEM also ships its own SSO Authentication Handler, which accepts a user identity already established by a fronting system (a reverse proxy or web access manager) and passed along in a request header, cookie or parameter; it suits organizations whose SSO is neither LDAP nor SAML. Because that handler trusts whatever the header carries, an instance using it must only be reachable through the fronting system, never directly. Whichever identity management protocol you use, ensure that it’s uniformly implemented and properly configured across all user endpoints.
3. Install AEM security hotfixes.
Because new security vulnerabilities surface over time across an enterprise deployment of AEM, Adobe regularly releases AEM hotfixes (and cumulative service packs) that can be downloaded and installed as packages. Install them as soon as they become available.
AEM will keep running without these patches, since day-to-day functionality rarely depends on them, which is exactly why they are easy to postpone. The reason to stay current is that each unapplied fix leaves a known, often publicly documented, weakness in place for an attacker to use.
To download AEM security hotfixes and stay on top of them as they’re released, visit the AEM Releases and Updates page. Test each hotfix in a staging environment that mirrors production before applying it to your production author and publish instances.
4. Use AEM through HTTPS.
For web browser access to AEM, HTTPS should always be used. Both authoring and publishing environments must employ transport layer security at all times, so that credentials, session cookies and content never cross the network in clear text.
AEM 6.3 and later, including 6.5, make this easier with the SSL by Default feature. Be sure to enable SSL by Default, either through the SSL wizard in the Touch UI or, to automate it, by sending the same key material in an HTTP POST to the wizard’s servlet or in a content package. In every case you supply a private key and a certificate; a self-signed pair is fine for development, while anything users reach needs a certificate from a trusted CA. Done this way, every instance you stand up has an HTTPS connector configured from the start.
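As an added example (not Adobe’s code and not from the original article) of the HTTP POST route, the following script generates a key pair with openssl, converts the private key to the DER-encoded PKCS#8 form the SSL wizard expects, posts key and certificate to the wizard’s servlet, and then checks that the login page answers over HTTPS. The servlet path and form field names are the SSL wizard’s own POST parameters; AEM_URL, ADMIN_CREDS, STORE_PASSWORD, AEM_HTTPS_HOST and AEM_HTTPS_PORT are this script’s own variable names. The self-signed certificate is for a lab instance only.

```shell
#!/bin/sh
# Added example, not Adobe's or the article's code: automate SSL by Default
# through the wizard's POST interface. AEM_URL, ADMIN_CREDS, STORE_PASSWORD,
# AEM_HTTPS_HOST and AEM_HTTPS_PORT are this script's own variable names.

# Create a 4096-bit RSA key and a one-year self-signed certificate for HOST
# (lab use only). The wizard wants the key as DER-encoded PKCS#8 and the
# certificate as a .crt, hence the final pkcs8 conversion.
generate_keypair() {
    host=$1
    openssl genrsa -out "$host.key" 4096
    openssl req -new -sha256 -key "$host.key" -subj "/CN=$host" -out "$host.csr"
    openssl x509 -req -days 365 -in "$host.csr" -signkey "$host.key" -out "$host.crt"
    openssl pkcs8 -topk8 -inform PEM -outform DER -nocrypt -in "$host.key" -out "$host.der"
}

# Report how a key file is encoded: "der" if it opens with the ASN.1 SEQUENCE
# byte 0x30, "pem" if it is a PEM text block, "unknown" otherwise. Uploading
# a PEM key by mistake is the usual reason the wizard rejects the key.
key_encoding() {
    first=$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')
    if [ "$first" = "30" ]; then
        echo der
    elif head -c 10 "$1" | grep -q '^-----BEGIN'; then
        echo pem
    else
        echo unknown
    fi
}

# Post key and certificate to the SSL wizard servlet. AEM builds the keystore
# and truststore from them and binds an HTTPS connector on PORT. Refuses to
# upload anything that is not a DER key, so the failure is explained locally.
configure_ssl() {
    url=$1 creds=$2 host=$3 port=$4 key=$5 cert=$6 store_pw=$7
    if [ "$(key_encoding "$key")" != der ]; then
        echo "refusing to upload $key: the wizard needs a DER-encoded PKCS#8 key" >&2
        return 1
    fi
    curl -s -u "$creds" \
        -F "keystorePassword=$store_pw" -F "keystorePasswordConfirm=$store_pw" \
        -F "truststorePassword=$store_pw" -F "truststorePasswordConfirm=$store_pw" \
        -F "privatekey-file=@$key" -F "certificate-file=@$cert" \
        -F "httpsHostname=$host" -F "httpsPort=$port" \
        "$url/libs/granite/security/post/sslSetup.html"
}

# HTTP status of the login page over TLS (-k because the cert is self-signed).
verify_https() {
    curl -sk -o /dev/null -w '%{http_code}' "https://$1:$2/libs/granite/core/content/login.html"
}

if [ -n "${AEM_URL:-}" ]; then
    host=${AEM_HTTPS_HOST:-localhost}
    port=${AEM_HTTPS_PORT:-8443}
    generate_keypair "$host"
    configure_ssl "$AEM_URL" "${ADMIN_CREDS:-admin:admin}" "$host" "$port" \
        "$host.der" "$host.crt" "${STORE_PASSWORD:?set STORE_PASSWORD first}"
    echo "login page over https: HTTP $(verify_https "$host" "$port")"
fi
```

Run as `AEM_URL=http://localhost:4502 ADMIN_CREDS=admin:newpassword STORE_PASSWORD=... sh aem-ssl.sh`; a 200 from the final check confirms the HTTPS connector is up. For production, skip generate_keypair and pass a CA-issued certificate and its DER-converted key to configure_ssl instead.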
5. Prevent access control breaches.
The OWASP Foundation lists Broken Access Control among its Top Ten web application security risks. Missing or inconsistent access control enforcement lets malicious actors reach content and functions they should not, change access rights and permissions, steal sensitive data, and do other kinds of damage.
It’s also crucial to defend against Cross-Site Scripting (XSS), in which attacker-supplied script is injected into pages served to other users and runs in their browsers with their sessions and privileges, which makes it a common way to sidestep access controls. To help with this, OWASP provides the AntiSamy Java library, which sanitizes user-supplied HTML and CSS against a policy file so that only the elements and attributes the policy allows survive. AEM ships such a policy at /libs/cq/xssprotection/config.xml; overlay it under /apps and adapt it to your particular security needs rather than editing it in /libs.
Also, make sure that you only access XSS protection through AEM’s XSSAPI service (org.apache.sling.xss.XSSAPI), obtained from the OSGi service registry or by adapting the Sling request, rather than calling AntiSamy or hand-written escaping directly. Its encodeForHTML, encodeForHTMLAttr, encodeForJSString and filterHTML methods cover the common output contexts; in HTL the default expression contexts already route output through it, so the main thing to avoid is switching that off with context='unsafe'.
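As an added example (not Adobe’s code and not from the original article), the following shell script scans a content package’s markup for the two ways component code bypasses the XSSAPI: HTL expressions with context='unsafe', which switch escaping off, and JSP scriptlet expressions <%= ... %> that write a value without passing it through xssAPI. The directory layout (a package’s jcr_root/apps tree) and the xssAPI variable name are assumptions; the latter is the conventional name for the org.apache.sling.xss.XSSAPI instance obtained in a JSP.

```shell
#!/bin/sh
# Added example, not Adobe's or the article's code: find markup that bypasses
# AEM's XSS protection in a directory of HTL (.html) and JSP (.jsp) files,
# typically a package's jcr_root/apps tree (an assumption about layout).

# HTL expressions that disable escaping with context='unsafe' (quote style
# does not matter). Output is file:line:text. /dev/null is passed along so
# grep always prints the file name, even when only one file matches.
scan_htl_unsafe() {
    find "$1" -type f -name '*.html' \
        -exec grep -n "context=['\"]unsafe['\"]" /dev/null {} + || true
}

# JSP scriptlet expressions that write a value without going through the
# XSSAPI. Only single-line expressions are matched; the filter on "xssAPI"
# assumes the conventional variable name for the XSSAPI instance.
scan_jsp_raw() {
    find "$1" -type f -name '*.jsp' \
        -exec grep -n '<%=' /dev/null {} + | grep -v 'xssAPI' || true
}

# Number of findings over both scans.
count_findings() {
    findings=$(scan_htl_unsafe "$1"; scan_jsp_raw "$1")
    if [ -z "$findings" ]; then
        echo 0
    else
        printf '%s\n' "$findings" | wc -l | tr -d ' '
    fi
}

# Human-readable report; exit status 1 when anything was found, so the scan
# can gate a build.
report() {
    htl=$(scan_htl_unsafe "$1")
    jsp=$(scan_jsp_raw "$1")
    [ -n "$htl" ] && printf 'HTL expressions with context=unsafe:\n%s\n' "$htl"
    [ -n "$jsp" ] && printf 'JSP expressions not passed through xssAPI:\n%s\n' "$jsp"
    n=$(count_findings "$1")
    echo "findings: $n"
    [ "$n" -eq 0 ]
}

# Usage: sh xss-scan.sh path/to/jcr_root/apps
if [ -n "${1:-}" ]; then
    report "$1"
fi
```

Every hit is a place where the value reaching the browser is whatever sits in the repository: either switch the HTL expression back to a proper context (context='html' for rich text, which runs it through the XSSAPI filter), or wrap the JSP expression in the matching xssAPI.encodeFor* or filterHTML call.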
6. Consistently monitor AEM instances and review logs.
Adobe Experience Manager security can be supervised, in part, through the Operations Dashboard. It lets you monitor the health of any AEM instance at a glance, as well as run automated security checks.
It’s essential to use the dashboard’s Security Checks composite health check, the built-in composite over the checks tagged security, and to review it regularly to get ahead of any brewing problems. If you see “warn” or “critical” results, investigate and fix the components in question right away.
You should also familiarize yourself with the Log Message Analyzer. With this, you can review details on errors, giving you deeper insight into what’s required to fix them. You can also add or change logger configurations as necessary to suit your needs. Log levels are cumulative, so a logger set to warn also records errors and one set to info records info, warn and error; lowering the level of the relevant loggers from error to warn or info surfaces the warnings that often precede a real security problem, at the cost of more log volume.
Don’t Let a Security Breach Compromise Your AEM Implementation
Keeping up with the proper cybersecurity protocols for an enterprise solution like AEM is a complex undertaking. By following Adobe’s recommendations for shoring up security, you’ll be on the right track.
But the fact remains that it’s challenging to manage it all on your own, as you can miss necessary steps. Given the mounting rates of cybercrime and vulnerabilities that can sprout up at any time in software systems like AEM, it makes sense to leverage outside help in shoring up your security.
Atypical Digital is your experienced partner in ensuring that every aspect of Adobe Experience Manager security is implemented properly and that your data stays safe.
Beyond helping you upgrade to the latest version of AEM, we will perform a thorough checkup of your current security state. After identifying where you are and where you should ideally be, we’ll take you through every step to make sure your AEM user teams, customers, and brand are protected.
Atypical Digital is an Adobe Experience Manager (AEM) Preferred Partner specializing in helping enterprise brands leverage Adobe’s AEM platform to optimize their platforms for productivity and efficiency, free up IT-related tasks to make teams more productive, and maximize AEM stability and security.
If you’re ready to boost your AEM security to protect your business and brand at large, contact Atypical Digital today!