Enterprise-Grade Website Security

Pantheon is built on a container-based cloud architecture
. Unlike deployment of clusters or virtual private servers, containers allow lightweight partitioning of an operating system into isolated spaces where applications can safely run.

Update Drupal and WordPress core with a single click. Pantheon’s built-in dev, test, and live environments allow developers to push updates to production safely and quickly.

Pantheon’s Global CDN provides industry-leading DDoS protections. By filtering ongoing attacks and isolating traffic streams for each site and environment, Pantheon provides dedicated resources in times of need and prevents impact between customer websites.

Drupal and WordPress core—as well as module and plugin code—are write-protected in Test and Live environments. This feature guards against unauthorized updates that can result in compromise.

Pantheon runs over a million checks a day to proactively monitor network, server, and application resources. Our status page shows a transparent, aggregated report of current and historical uptime across all Pantheon sites.

Keep your site and your visitors secure with fully managed, and dedicated HTTPS certificates. We obtain and manage high-grade encryption with TLS 1.3 for all of your sites and deploy it worldwide with Pantheon's Global CDN.

Pantheon supports SAML integration, enabling additional security features like multi-factor authentication and single sign-on. Customers who enforce SAML authentication can also enforce settings like minimum password strengths or authentication audit logs.

Pantheon’s change management feature allows site owners to manage organization-wide settings and selectively grant or deny developer access to deploy to production. Role-based access lets team members work on what they need to without introducing risk to other sites or infrastructure components.

Automated/manual backups store customer data, sent compressed to cloud storage. Data encrypted in transit/at-rest using 256-bit AES cipher modes. Private keys, backup data on separate servers. Users test restore via dashboard, to existing/new site on Pantheon or elsewhere.

Pantheon ensures process and memory-level isolation using control groups for memory, disk, CPU. Valhalla's encrypted distributed file system employs client-server authentication. Customer files are secured by Linux permissions, while system and customer logs remain isolated.

Pantheon maintains full redundancy for core components: API, edge routing, DNS, and file storage. Automated tools aid recovery. Services tolerate process/server failure. Multi-datacenter presence facilitates restoration. Redundant upstream providers enhance reliability.

Pantheon relies on trusted repos, validates packages, and audits changes on Linux servers. User software runs in isolated containers, preventing direct execution of uploaded files. ClamAV antivirus with updated databases is provided for customer use.

Pantheon’s primary data centers are managed by Google and feature a layered security model. This includes safeguards like custom-designed electronic access cards, alarms, vehicle access barriers, perimeter fencing, metal detectors & biometrics, and laser beam intrusion detection.

Pantheon grants access according to least privilege. Employees can interact with servers via a secure API without actual server access—when they do need it, SSH-key based authentication is used and activity is recorded in a central log.

Pantheon updates container hosts with latest kernel, OS, packages. Seamless migration to new instances, zero downtime. CMS updates and patches are internally tested and deployed via one-click workflow for customers.

Pantheon's agility swiftly addresses vulnerabilities (Heartbleed, Shellshock, Drupalgeddon, GHOST). Fresh layers prevent exposure. Post-incident reviews enhance future responses. Significant disruptions updates can be found at https://status.pantheon.io/ and @pantheonstatus. 

Pantheon uses on-disk storage with hardware RAID, multiple disks. Automated backups offer further protection. Backups, over 99.99% durable, encrypted, stored in multiple datacenters, ensure availability.

Pantheon uses x.509-based authentication, encryption for network security. Edge routers tunnel traffic, prevent bypass. Host intrusion prevention for user-pw services, server layer stops unauthorized access. Centralized security logs retained for a year.