Today, Photoshop is an extremely powerful piece of software, but it hasn’t always been this way. If you rewind 34 years, Photoshop didn’t exist at all, and even when the application was initially created, it was a far cry from the hugely powerful application that we know and love today.
As the product has grown, Adobe has in recent years made architectural changes to its cloud architecture and software stack so as to better protect users from the increasing number of vulnerabilities. According to Adobe, the current Cloud stack architecture is built with security considerations at its core and uses industry-standard software security methodologies for both the development and the management of the Creative Cloud.
Availability zones are isolated locations within a region; from a network architecture perspective, however, they reside within a VPC. Physically, each availability zone comprises multiple redundant data centers, so all data is replicated across data centers as well as across multiple servers within each data center. This redundancy ensures that Creative Cloud customer data is safe from disasters such as floods and power failures.
Everything within each VPC is locked down by an AWS security group, represented by orange keys in the chart above. A security group is a further layer of security that lets Adobe control inbound and outbound traffic to the resources in the VPC, acting much like a virtual firewall.
The application code within the VPC runs on Amazon EC2 instances placed in specific subnets (ranges of IP addresses). Public subnets are connected to the internet; private subnets are not, and are reachable only through authenticated connections originating from the public subnet. This prevents an unauthorized user from connecting directly to, for example, the Creative Cloud storage service, and allows Adobe to ensure that only authorized users can perform certain actions, such as storing UGC.
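The public/private tier split described above, as an added Terraform example that is not Adobe's own configuration; the resource names, address ranges and the port 8443 assumed for the private service are constructed for illustration:

```hcl
# Added example, not Adobe's configuration: one VPC with a public and a private
# subnet; the private tier admits traffic only from the public tier's security group.
resource "aws_vpc" "cc" {
  cidr_block = "10.0.0.0/16" # constructed address range
}

resource "aws_subnet" "public" {
  vpc_id                  = aws_vpc.cc.id
  cidr_block              = "10.0.1.0/24"
  map_public_ip_on_launch = true
}

resource "aws_subnet" "private" {
  vpc_id     = aws_vpc.cc.id
  cidr_block = "10.0.2.0/24" # no public IPs; its route table must omit the internet gateway
}

# Public tier: reachable from the internet on HTTPS only, may initiate outbound.
resource "aws_security_group" "public" {
  name   = "cc-public"
  vpc_id = aws_vpc.cc.id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Private tier (e.g. a storage service): ingress is granted to the public tier's
# security group rather than to a CIDR, so direct connections from outside the VPC
# are dropped at the virtual firewall.
resource "aws_security_group" "private" {
  name   = "cc-private"
  vpc_id = aws_vpc.cc.id
  ingress {
    from_port       = 8443
    to_port         = 8443
    protocol        = "tcp"
    security_groups = [aws_security_group.public.id]
  }
}
```

Security groups are stateful, so the private group needs no egress rule for reply traffic to the public tier. The "not connected to the internet" property of the private subnet comes from its route table having no internet gateway route, which this snippet does not define.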
User-generated content (UGC) is stored redundantly in multiple data centers within a region and on multiple devices in each data center. All network traffic undergoes systematic data verification and checksum calculation to prevent corruption and ensure integrity. Finally, stored content is synchronously and automatically replicated to other data center facilities within the customer’s region, so that data integrity is maintained even in the event of data loss in two locations.
UGC created using Creative Cloud can be stored in the US (US-East VA), Europe (EMEA-West IE), or Japan (APAC-West JP) regions. An end-user’s regional data store is determined when the user is created in the Adobe Admin Console and remains consistent throughout the user’s lifetime. In other words, content created by a user account in the US will always be stored in the US data center, regardless of where the user is located when they upload the content.
As mentioned above, Adobe encrypts all UGC stored in Creative Cloud at rest. For an additional layer of control and security, IT administrators can enable a dedicated encryption key for some or all of the domains in the organization. Content is then encrypted using that dedicated key, which can be revoked from the Admin Console if required. Revoking the key renders all content encrypted with it inaccessible to all end-users and prevents both content upload and download until the key is re-enabled.