Expand my Community achievements bar.

Join us January 15th for an AMA with Champion Achaia Walton, who will be talking about her article on Event-Based Reporting and Measuring Content Groups!
SOLVED

Adobe Analytics Security Concerns with 1st Party Cookies/Cname and possible solutions?

Avatar

Level 2

I work for a bank and security is a major concern. We are currently using a cname on Adobe's collection servers (e.g. stats.bank.com) in order to have Adobe serve first party cookies on the bank.com domain. Our security council now says we shouldn't provide Adobe with a new SSL cert for stats.bank.com because it is too risky and if stats.bank.com is compromised and someone attacks our customers then we our liable due to it being our brand and all the cookie data is exposed as well as leaving customers open to malware attacks. So we have the following options:

  1. Bring reporting in-house
  2. Set up a filtering proxy operating as “stats.bank.com” that front-ends the relevant Adobe service
  3. Go back to Adobe's 3rd Party solution 2o7.net namespace
  4. Use a different 3rd party namespace on adobe's servers (e.g. stats.bk.com)

Here are our thoughts:

1) Too expensive

2) We thought it was a good solution but then the cost came up. It seems like it would be very costly to build that type of infrastructure due to the volume of calls.

3) Adobe's 3rd party namespace blocked too much.

4) Seems to maybe be a solution but still concerned about 3rd party being blocked.

I was wondering if anyone has had to deal with these type of security concerns and what the solution was. Also what are the drawbacks of solution #4 in particular?

1 Accepted Solution

Avatar

Correct answer by
Employee Advisor

Hi Michael,

You can use our visitorID service in your implementation. This allows 1st party cookies to be set without a need for an SSL cert from you guys, however the root domain must be the same as the web site in question. For example, if I own the domains examplebankone.com and examplebanktwo.com, the visitorID cookie must be set on their respective domains, not any consolidated cookie domain like stats.examplebank.com. If visitors were tracked in a single report suite from both examplebankone and examplebanktwo, they would count as two separate visitors since the visitorID cookies in question were separate.

If you do not have a global report suite, or everything is on the same root domain, visitorID service is most definitely one of the more viable options for you.

View solution in original post

1 Reply

Avatar

Correct answer by
Employee Advisor

Hi Michael,

You can use our visitorID service in your implementation. This allows 1st party cookies to be set without a need for an SSL cert from you guys, however the root domain must be the same as the web site in question. For example, if I own the domains examplebankone.com and examplebanktwo.com, the visitorID cookie must be set on their respective domains, not any consolidated cookie domain like stats.examplebank.com. If visitors were tracked in a single report suite from both examplebankone and examplebanktwo, they would count as two separate visitors since the visitorID cookies in question were separate.

If you do not have a global report suite, or everything is on the same root domain, visitorID service is most definitely one of the more viable options for you.