Insights

Sitecore security in Azure

VP, Technology and Solution Delivery
Valtech

April 04, 2017

As Sitecore and Microsoft continue to evolve the Sitecore PaaS offering more and more questions arise about the security of a Sitecore solution in Azure. In this post I cover some of the more common areas of concern and provide links to additional resources.

The basics

Moving to a cloud provider may be new for some organizations and it requires a bit of a rethink in terms of IT governance. I will not take credit, but I have always found this responsibility graph from Microsoft that covers how responsibilities adjust based on the solution type to be immensely helpful. What you should take away from this is security governance, custom end points and identify management policies are still the responsibility of the customer or their technical implementation partner.

(1) Sitecore Security on Azure Blog.png

Use Security Center to monitor the security health of your environment

Available in two tiers – Free and Standard - Security Center provides threat detection, prevention and response capabilities to an Azure environment. We highly recommend the Standard version as it provides advanced threat detection. It is priced at $15 / node / month. There is lots more to read at https://docs.microsoft.com/en-us/azure/security-center/security-center-intro

Enable storage and disk encryption to protect data at rest

You will need to decide if there is sensitive data in your solution or backups that warrant encryption.

https://docs.microsoft.com/en-us/azure/storage/storage-service-encryption

Your identity perimeter is your first line of defence

I think we all know and understand network layer security, but too often we see people go with the “simple” approach for identity management. Don’t use local or custom stores, invest in a unified approach – Azure AD is there for that purpose.

Web apps authentication

For web app deployments, consider using web apps authentication on your content management (CM) and reporting roles. If authentication is not an option, you may also consider IP whitelisting.

For more on web apps authentication see https://docs.microsoft.com/en-us/azure/app-service/app-service-authentication-overview

Web application firewall (WAF)

Web application firewall which is part of Application Gateway provides protection for web apps from common threats like SQL injection and cross site scripting. It relies more probably on the OWASP core rule sets (https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project).

More on Application Gateway and WAF at https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-web-application-firewall-overview.

SQL databases

Create distinct logins for each Sitecore SQL database and ensure they are only accessible from within the Azure subscription. This should have been the default. Consider using Azure AD authentication for databases.

Don’t forget Sitecore hardening

Sitecore’s standard procedures for hardening still apply. The full details are at https://doc.sitecore.net/sitecore_experience_platform/setting_up_and_maintaining/security_hardening.

Application Insights

While not strictly security related, Application Insights is very valuable for watching the environment. For those not familiar with it, Application Insights is an application performance management service for web applications. Sitecore 8.2 in PaaS uses App Insights for logging (instead of the file system).

Meet The Challenges Of Today's Digital Economy

Ready to take that first step and rise to your digital potential? Contact Valtech today.
Talk to Us