Adobe is changing the world through digital experiences. We do that in an incredibly creative and innovative environment where we also take our customers’ data security and privacy very seriously. As a large and growing cloud company, achieving these things at the same time takes a sound strategy focused on two key pillars:
- Establish Effective, Enforceable Security Standards
- Implement and Adopt Simple, Scalable Security Services
Establish Effective, Enforceable Security Standards
The Common Controls Framework (CCF) is a comprehensive set of simple control requirements, rationalized from the alphabet soup of several different industry information security and privacy standards. To help ensure that our standards effectively meet our customers’ expectations, we are constantly refining this framework based on industry requirement changes, customer asks, and internal feedback.
In a recent update, Abhi Pandit (Adobe’s Sr. Director of Risk Advisory & Assurance Services) stated that “[Adobe] has made significant investments across the company to harmonize various security functions, compliance and governance processes, and technologies.” The CCF is the backbone of our corporate security policies and standards.
Implement and Adopt Simple, Scalable Security Services
With a common vision for customer data security and privacy set, we can look to our talented engineers to develop and implement the solutions that help meet our objectives. Engineering teams collaborate to develop scalable solutions that implement the CCF requirements in the most efficient and elegant way possible. Other teams leverage those services and help improve them over time.
A common pitfall seen with initiatives like the CCF is that teams may try to implement all of the standards on their own with little or no reliance on cross-functional services. Not only does this undermine the entire purpose of a common standard, it can often result in some undesirable outcomes. Examples include:
- Team resources overwhelmed by compliance initiatives and ability to deliver on product features may be hindered.
- Standalone compliance initiatives only partly address requirements and security may be compromised.
- Exhausted team resources lead to operational failure of compliance responsibilities and security may be compromised.
At Adobe, we make a concerted effort to help product teams use simple, scalable services to help prevent these undesirable outcomes. These services are a combination of internally developed services and reliable third party tools. Teams focus their effort on adopting those security services helping to free up their time to focus more on features that deliver a delightful, more secure user experience.
Practical Example of Implementation
Adobe uses four different types of control “roles” to organize our compliance efforts to meet the CCF standards: Driver, Subscriber, Contributor, and Standalone.
A driver is ultimately responsible for developing a service, including controls, that will mitigate a particular risk associated with a process and address the CCF requirements. For example, a driver implements a robust Identity Management system that can provide automated workflows for logical access control.
A subscriber is responsible to integrate their systems and processes in a way that will take advantage of the driver’s service. Continuing with the example above, a subscriber makes sure the only way to access their system is through the driver’s identity management system. As long as this continues, they share the risk with the driver.
A contributor is like a subscriber, integrated with a driver’s solution, but they may have a more active role in executing the control. A great example is a periodic access review. The driver’s identity management system gives contributors a notification that it’s time to review the access privileges in their respective groups so that they can certify the access is appropriate. They use a tool that makes it easy and effective—much easier and effective than a manual process that leverages a ticket or email.
If a team decided to tackle these problems as a standalone, they would need to set up their own identity management system or manual procedures to handle logical access control. These tend to be more manual and at a higher risk for control failure. The advantage of the CCF framework is these necessary core services and controls are provided and teams do not need to tackle these issues on their own, helping to lessen the overall risk.
The table below outlines a summary of these different roles and how they are currently viewed at Adobe.
Adobe CCF Control Roles
| Role |
Business Objective |
Risk Responsibility |
| Driver |
Implement robust service for all teams to satisfy control requirements. Reduce instances of services to the minimum possible and improve the services over time. |
Mitigate |
| Subscriber |
Adopt robust service provided by Driver |
Transfer/Share |
| Contributor |
Leverage robust service provided by Driver and work with them to meet requirements |
Transfer/Share |
| Standalone |
Implement a process to satisfy control requirements. Reduce instances to the minimum possible. |
Mitigate |
Conclusion
As Adobe grows, it is the hope that the number of compliance procedures should not grow at the same rate. The simple concepts explained in this post make up some of the secret sauce of how to leverage a compliance program to more effectively mitigate information security and privacy risk in a scalable way.
Kenny Scott
Manager, I.T. and Information Security, Risk Advisory and Assurance Services
@AdobeSecurity