Re: Marketo Cookie Access

Adam_Hodgden1 · ‎02-22-2016

Has anyone ever experienced this concern with their IT department when creating a CNAME?

Allowing Marketo to host info.company.com would allow Marketo access to cookies defined at *.company.com – this includes customer and employee data. Is it possible to add a level of indirection to prevent the cookie access and add transparency? E.g. Use info.mkto.company.com – this would signal to our more security-conscious customers that these are subdomains controlled by a third party, and also limit Marketo’s access to cookies to only those in the *.mkto.company.com subdomain.

Thanks

Adam

SanfordWhiteman · ‎02-22-2016

Allowing Marketo to host info.company.com would allow Marketo access to cookies defined at *.company.com – this includes customer and employee data.

If they're storing PII in cookies, that's a security risk right there, with or without Marketo! I'd suggest that's what needs to be fixed first, by encrypting the data (if it must be kept on the client) or keeping only a session key on the client.
Unless your PII cookies are marked "http only" (so they cannot be read from JavaScript under any circumstances) the fact that Marketo is hosting info.company.com is irrelevant. As Greg mentioned, running JavaScript on any of your pages, whether that JS is from Google, Marketo, Optimizely, or in-house code, gives the script access to all cookies not marked "http only." In other words, if you are running GA on www.company.com such cookies are already compromised.

Is it possible to add a level of indirection to prevent the cookie access and add transparency? E.g. Use info.mkto.company.com – this would signal to our more security-conscious customers that these are subdomains controlled by a third party, and also limit Marketo’s access to cookies to only those in the *.mkto.company.com subdomain.

Sure, if you don't care about automatically tracking people's click path after they click a link to go from mkto.company.com to www.company.com, you can lock Munchkin to only track on .mkto.company.com.

But:

Most Marketo users would find that to be a severe impediment to getting the expected ROI from the platform.
That move alone will not stop cookies you set at the upper-level .company.com (not .www.company.com) from being sent to Marketo. Your developers would also have to ensure that www.company.com always sets cookies at the .www.company.com level. Then and only then will the domains be separate.

It is possible to keep the domains separate but still track across domains, using code that varies from the simple to the dizzyingly complex depending on your environment. It's something we love to do, but we always establish that there is an unambiguous, compelling need for the setup first (typically that unambiguous need is when someone must have both company.<one TLD> and company.<another TLD> in production).

View solution in original post

Grégoire_Miche2 · ‎02-22-2016

Hi Adam,

IMHO, the security concern may come from the fact that you are putting JS code on you pages as well, in the first place

AFAIK, The CNAME does not tell at what domain level the cookie should be placed. it just tell how the landing pages URL will be set.

If order to change the level at which Marketo cookie will be set, you may want to change the domainlevel parameter. See Effect and usage of the domainlevel munchkin Initialization Parameter

-Greg

SanfordWhiteman · ‎02-22-2016

Allowing Marketo to host info.company.com would allow Marketo access to cookies defined at *.company.com – this includes customer and employee data.

If they're storing PII in cookies, that's a security risk right there, with or without Marketo! I'd suggest that's what needs to be fixed first, by encrypting the data (if it must be kept on the client) or keeping only a session key on the client.
Unless your PII cookies are marked "http only" (so they cannot be read from JavaScript under any circumstances) the fact that Marketo is hosting info.company.com is irrelevant. As Greg mentioned, running JavaScript on any of your pages, whether that JS is from Google, Marketo, Optimizely, or in-house code, gives the script access to all cookies not marked "http only." In other words, if you are running GA on www.company.com such cookies are already compromised.

Is it possible to add a level of indirection to prevent the cookie access and add transparency? E.g. Use info.mkto.company.com – this would signal to our more security-conscious customers that these are subdomains controlled by a third party, and also limit Marketo’s access to cookies to only those in the *.mkto.company.com subdomain.

Sure, if you don't care about automatically tracking people's click path after they click a link to go from mkto.company.com to www.company.com, you can lock Munchkin to only track on .mkto.company.com.

But:

Most Marketo users would find that to be a severe impediment to getting the expected ROI from the platform.
That move alone will not stop cookies you set at the upper-level .company.com (not .www.company.com) from being sent to Marketo. Your developers would also have to ensure that www.company.com always sets cookies at the .www.company.com level. Then and only then will the domains be separate.

It is possible to keep the domains separate but still track across domains, using code that varies from the simple to the dizzyingly complex depending on your environment. It's something we love to do, but we always establish that there is an unambiguous, compelling need for the setup first (typically that unambiguous need is when someone must have both company.<one TLD> and company.<another TLD> in production).

Adam_Hodgden1 · ‎02-23-2016

Thank you Sanford, that's what I needed to know.

SanfordWhiteman · ‎02-23-2016

Cool, if you could mark as Correct Answer that would help later searches.