StoreFlow Hosted by XMPie

Summary: This article provides information on the StoreFlow product hosted on Amazon Web Service environment.

Overview

XMPie StoreFlow is a turn-key solution for print service providers managing Web-to-print sites and marketing portals. StoreFlow merges XMPie’s powerful Web-to-print capabilities with flexible pre-press automation to provide a complete, out-of-the-box solution with an end-to-end workflow for receiving, processing and producing orders received online.  

StoreFlow (hosted) is stored on the web and is practically based on Amazon Web Services (AWS) architecture and technology. Amazon Web Services (AWS) is a cloud computing platform that provides a suite of infrastructure services. Some of its services are currently used by XMPie StoreFlow (hosted) solution.

The usage of AWS cloud provides a highly reliable and secured infrastructure for deploying StoreFlow as a web-based application.

Infrastructure

Amazon Web Services (AWS) provide a reliable, secure, and highly performing infrastructure for the most demanding web applications, an infrastructure that matches XMPie StoreFlow solution.

It also delivers a scalable cloud computing platform with high availability and dependability. AWS’s data centers are state of the art, utilizing innovative architectural and engineering approaches.

StoreFlow Cloud Availability

XMPie shall use all reasonable commercial efforts to achieve the target infrastructure availability goal of 99.95% uptime twenty-four hours per day, seven (7) days per week (“Service Commitment”) during the subscription term, except during times of system maintenance, as set forth in the table below.

System Maintenance

System Maintenance refers to any systems software or XMPie applications change or update that has the potential to result in an impact or reduction to the resiliency or functionality of the XMPie service.

System Maintenance types:

Planned Maintenance

Planned maintenance involves any activity where it is anticipated to have interruption to the operational functioning of the XMPie services during US business hours. XMPie will provide subscribers with at least one (1) week posted notification and e-mail notice prior to conducting any planned maintenance with information on the changes and expected downtime, unless the maintenance is performed outside of US business hours (for example, on Sunday).

Emergency Maintenance

Emergency maintenance involves any activity where it may or may not be possible to anticipate an interruption to the operational functioning of the XMPie services during US business hours. XMPie will use all reasonable efforts to provide e-mail notification at least twenty-four (24)hours in advance of any Emergency Maintenance, unless the maintenance is performed outside of US business hours (for example, on Sunday).

Provided the client purchased the Fault Tolerance offering from XMPie, for services or systems provided to the client, the supplier will ensure the resumption of operations affected by a disruption within 48 hours (Recovery Time Objective). The supplier will back up the service or systems related data on a daily basis (RPO).

Security Measures

XMPie maintains a risk-based assessment security program. The framework for XMPie's security program includes administrative, technical, and physical safeguards reasonably designed to protect the confidentiality, integrity, and availability of Customer Data.  

XMPie's security framework covers: Policies and Procedures, Asset Management, Access Management, Cryptography, Physical Security, Operations Security, Communications Security, Business Continuity Security, People Security, Product Security, Cloud and Network Infrastructure Security, Security Compliance, Third-Party Security, Vulnerability Management, as well as Security Monitoring and Incident Response. Security is represented at the highest levels of the company, with XMPie's Vice President/General Manager meeting with executive management regularly to discuss issues and coordinate security initiatives. Information security policies and standards are reviewed and approved by Xerox management at least annually and are made available to all XMPie employees for their reference.

  • Tenant Isolation – Each StoreFlow customer is logically isolated from other customers. Depending on the service purchased, XMPie may achieve logical isolation by using Amazon Virtual Private Cloud (Amazon VPC). AWS has highly scalable, secure, and reliable infrastructure hosting.
    Information about AWS compliance is available here.

  • The physical security for StoreFlow is handled by the service provider (AWS). AWS has very rigorous security controls protecting its data centers.
    More details about the AWS data center's physical security are here.

  • StoreFlow solution supports SSL as a standard security for establishing encrypted connection between a web server and a client browser.

  • Security Group – Firewall - Amazon EC2 provides a complete firewall solution; every Amazon EC2 instance (virtual machine) is protected by security groups. Security groups provide firewall protection for the running instances. The traffic can be restricted by protocol, by service port, as well as by source IP address.

  • XMPie utilizes Crowdstrike Horizon – a Cloud Posture Management (CSPM) system. Crowdstrike Horizon has the following capabilities:

    • Provides discovery and visibility into cloud infrastructure and resources.

    • Proactively detects threats across the application development lifecycle.

    • Misconfiguration management and remediation - Eliminates security risks and accelerates the delivery process.

    • DevSecOps integration - Employs cloud-native, agentless posture management to reduce overhead and eliminate friction and complexity.

    • Continuous compliance monitoring: Assesses the security of cloud accounts and eliminates compliance violations.

    • For more information see Falcon Horizon Cloud Security Posture Management.

  • In addition, CrowdStrike Falcon (EDR) – a lightweight-agent AI-driven endpoint protection platform - offers real-time protection and visibility across the enterprise, preventing attacks on endpoints on or off the network. CrowdStrike Flacon (EDR) provides the following capabilities:

    • Endpoint Protection: CS Falcon offers real-time protection for endpoints, such as workstations, servers, and laptops.

    • Next-Generation Antivirus (NGAV).

    • Endpoint Detection and Response (EDR).

    • Managed Threat Hunting: CrowdStrike's threat hunting services offer proactive detection and response capabilities.

    • Cloud-Native Architecture.

    • For more information see Endpoint Detection And Response (EDR).

  • XMPie uses CIS Microsoft Windows Server Level 1 Hardened Image - a preconfigured image built by the Center for Internet Security (CIS) for use on Amazon Elastic Compute Cloud (Amazon EC2). It is built to offer an image secured to industry-recognized security guidance running on Amazon EC2.

Security by Design

The XMPie Software Development Lifecycle (SDL) process is the method by which XMPie creates secure products and defines the activities that the product teams must perform at different stages of development (requirements, design, implementation, and deployment). XMPie engineers perform numerous security activities for the Services including:

  • Internal security reviews before products are launched

  • Periodic penetration tests performed by independent security teams

  • Architecture reviews

  • Secure Software Development Life Cycle (Secure SDLC) is a software engineering culture to unify software development, deployment, security, and operations:

    • Static Application Security Testing (SAST) - Analyzes source code to identify vulnerabilities in applications before the applications are compiled or deployed.

    • Dynamic Application Security Testing (DAST) - Identifies vulnerabilities and applications in (web) applications while they are running.

    • Software Composition Analysis (SCA) - set of tools and practices that enables identification and management of third-party and open-source components in software applications that helps identify and mitigate security vulnerabilities in these components. SCA also uncovers licensing issues of the components.

XMPie Architecture

Depending on the service offering you choose, XMPie's flexible architecture can be tailored to meet your high availability requirements. Please contact our team to learn more about how we can customize the deployment to suit your needs.

Standard Configuration

Fault Tolerance Configuration

Vulnerability Management

XMPie maintains controls and policies to mitigate the risk from security vulnerabilities in a measurable time frame that balances risk and the business/operational requirements.  

For the XMPie application software, critical software patches are evaluated, tested and applied proactively. For high-risk patches, XMPie will notify customers prior to the application of a patch.

Penetration Testing

XMPie performs application-level penetration tests for major releases or at least once a year. These tests use a combination of manual and automated techniques that complement each other to comprehensively evaluate the security posture of the application against latest threats as well as best practices like OWASP TOP 10 and SANS Top 25. Results of penetration tests are prioritized, triaged and remediated promptly by XMPie’s security team.

Backup and Recovery

StoreFlow environment is fully backed-up by CPM (Cloud Protection Manager by N2W Software).

The CPM is an enterprise-class backup and recovery solution for Amazon EC2 environment. The backup policy routine consists of daily snapshots.

Operational Monitoring

Licensee acknowledges that XMPie may request reasonable information from the licensee for the purpose of facilitating the use of StoreFlow cloud under the hosting service, and that certain applications may be used to retrieve information about StoreFlow cloud 's usage, to maintain compliance with the terms applicable to the use of the hosting service.

XMPie uses Amazon CloudWatch - a monitoring and management service which enables application and infrastructure monitoring.  Amazon CloudWatch provides the following capabilities:

  • Enables to collect and store logs from resources, applications, and services in near real time.

  • Cross-account observability across multiple AWS accounts which helps monitor and troubleshoot applications that span multiple accounts within a region.

  • Alarm and automate actions.

  • For more information see Amazon CloudWatch features.

In addition, depending on the service purchased, XMPie may use Datadog observability service, which enables real-time monitoring and log management. Datadog provides the following capabilities:

  • Determines performance metrics as well as event monitoring for infrastructure and cloud services.

  • Infrastructure monitoring - provides our team with a single view of our infrastructure (including servers, apps, metrics and other services).

  • Application Performance Monitoring (APM) - this includes Processes, Windows Services, XMPie Services, AWS integrations, monitors, synthetic tests, Health checks and more.

  • Alerts based on critical issues.

  • Automatically collects and analyzes logs, latency and error rate.

  • For more information see Datadog Solution Brief.

XMPie can help with your NOC needs. Depending on the services purchased, XMPie can establish a Network Operation Center (NOC) for 24/7 monitoring and rapid action management.

Service Exclusions and Limitations

Unless Managed Services are involved, the following are limitations of the hosted solution:

  • No file system access - for security and service experience reasons, XMPie does not support direct access to the file system. This means no bulk uploads of assets, documents, or hot folder import for uProduce and Free Flow Core (FFC), as well as no hot folder output from uProduce or Free Flow Core.  

  • FTP output is possible but requires FTP server on the client side. There are many caveats in regard to file naming. It requires scripting license in Free Flow Core (FFC). The only automation out of FFC is to supported in Xerox printers using (depreciated by Xerox) FFC Cloud Print tool installed locally in client location. Only FFC automation is via uStore.  

  • No operating system access - for security and service experience reasons, XMPie does not support direct access to the operating system. Meaning, no Remote Desktop Connection (RDC) capabilities provided to the client.  

  • No direct SQL server database access - this means no automation or scripting capabilities, even when upgrading to full SQL license. There is a Professional Service plugin that can provide some access to update a database via flat file. This requires user intervention and cannot be scheduled or automated.  

  • Customers are solely responsible for ensuring the data they host on the site does not trigger malicious content flags. This responsibility is continuous and ongoing, extending beyond the initial configuration of a store/domain. Should their store/domain become flagged as malicious weeks or months after setup, the onus remains on the customer to actively monitor their data and take appropriate remedial action.

    If a customer's domain triggers a malicious content flag, XMPie may need to take temporary measures to mitigate the risk, potentially including taking the store(s) offline. This action would be taken solely to protect the platform and its users and would be communicated to the customer beforehand.

StoreFlow Private Cloud Resource Provisions (AWS Instance)

StoreFlow environment is currently offered in two configurations in US-East (N.Virginia) and EU-West (Ireland) AWS regions:

  • StoreFlow

  • StoreFlow Pro

StoreFlow runs on top of M5 family instance types from AWS. This family includes the M5 instance types and provides a balance of compute, memory and network resources. The main features for M5 instances are:

  • Up to 3.1 GHz Intel Xeon Platinum 8000 series processor (Skylake-SP or Cascade Lake) with new Intel Advanced Vector Extension (AVX-512) instruction set.

  • Provisioned IOPS (SSD) volumes, EBS-optimized for fast I/O performance.

  • Support for Enhanced Networking.

  • Balance of compute, memory, and network resources.

The table below represents the server’s specifications for each of the StoreFlow packages. These are the minimum requirements with the corresponding Amazon EC2 instance types.

Package

AWS Instance

vCPU

RAM (GiB)

StoreFlow Backend Server

M5.xlarge

4

16

StoreFlow Pro Backend Server

M5.2xlarge

8

32

StoreFlow Front End Server

T3.medium

2

8

StoreFlow Pro Front End Server

T3.large

2

8

Notes:

  • XMPie  will alert the customer ahead of time when adding storage is needed. At the time of adding additional storage, XMPie will bill for the incremental additional storage.

  • Subject to the service purchased, XMPie will use the appropriate SQL server that fits the system/service requirements.

  • The information above can vary, and it is true as of the last review date of this document.

 

Last reviewed: February 2024