Magento 2 is here and as you may be aware, at some point in the near future, you will need to upgrade to it or risk being unsupported. Due to Magento 2 essentially being a redesigned and architected platform, current advice is to rebuild your site from scratch on the new version. There are some partners claiming to offer an easy migration, but you should explore this avenue with your eyes wide open and a deeper pocket for the hidden costs.
When thinking about upgrading or re-platforming from your current Magento solution, as well as replicating or improving the store functions or experience of your current site, some of the key areas you need to consider are the Non-Functional Requirements like Security, GDPR, Cost of Ownership, Management & Operation and Supporting Infrastructure. These may not have been important criteria when you last made these decisions, but some are now enforced by law and carry heavy penalties for your business if not implemented.
By Googling “web security” you’ll find extensive coverage on hacking, in fact eCommerce is by far the most targeted of all online. According to the Trustwave Global Security Report, Magento is the platform of choice for hackers and accounts for 85% of all compromised eCommerce systems, that is a huge!
Open Source is open code to everyone. Anyone can look at the code and identify potential causes of security breaches and any opportunist can identify and exploit the program through hacking and viruses. It can be like giving away the password to your safe.
Open Source is also about community development and the Magento community have extended the capabilities and integrations of the platform significantly. As part of a project, the end customer may not know what is standard Magento and how much is third party extension. The risk of using community code is that it can easily become what's been referred to as “stranded code” where the extension, feature or code is no longer improved, maintained or supported. As well as providing risk for future usability of the code, there is also the potential breach by hackers where it is not covered by a Magento patch.
On 7th November 2017, Magento released 3 patches containing 15 security changes that they state will “help to close cross-site request forgery (CSRF), unauthorised data leak and authenticated Admin user remote code execution vulnerabilities.” Keeping up-to-date with patches on any platform is important, but even more critical when the platform is open source and contains confidential customer information.
Larger organisations will likely have a team of full time staff of infrastructure engineers and developers whose job it is to keep the lights on and make sure the platform is secure and up-to-date. They will monitor the platform full time and have procedures in place to update patches and ensure there are no other risks with other systems connecting to the platform as upgrades are implemented.
Much of the vulnerability around patches comes from organisations that do not apply patches in a timely or regular fashion due to a lack of internal skill sets and the cost of external development staff to deploy them. These organisations are the most vulnerable and will account for the majority of attacks. The scary part which the TrustWare report points out, is that most of these organisations won’t even know they have had a breach of their platform for several months!
Lots of organisations have successfully adopted an open source strategy and deliver significant benefits with it by investing in the skilled staff to manage it and implementing processes to ensure its deployed, managed and extended in a way that won’t compromise their business.
If an organisation is unable to make that commitment for internal staff and processes, they should ensure they have the appropriate external resources to do it for them or have a detailed understanding of how its covered in their SLAs by their solution provider.
The third option, is to adopt a solution based on a platform like OmniCX. In short, we probably provide pretty much like for like with your current Magento platform for site, product, customer or order functionality, but where we differ hugely is around the Non-Functional services of Security, GDPR, Cost of Ownership, Management & Operation and Supporting Infrastructure. OmniCX provide all this as part of our SaaS solution so you get to focus on growing your business.
Tags: Magento security, GDPR security, Magento upgrade