April 04, 2017
As Sitecore and Microsoft continue to evolve the Sitecore PaaS offering more and more questions arise about the security of a Sitecore solution in Azure. In this post I cover some of the more common areas of concern and provide links to additional resources.
Moving to a cloud provider may be new for some organizations and it requires a bit of a rethink in terms of IT governance. I will not take credit, but I have always found this responsibility graph from Microsoft that covers how responsibilities adjust based on the solution type to be immensely helpful. What you should take away from this is security governance, custom end points and identify management policies are still the responsibility of the customer or their technical implementation partner.
Available in two tiers – Free and Standard - Security Center provides threat detection, prevention and response capabilities to an Azure environment. We highly recommend the Standard version as it provides advanced threat detection. It is priced at $15 / node / month. There is lots more to read at https://docs.microsoft.com/en-us/azure/security-center/security-center-intro
You will need to decide if there is sensitive data in your solution or backups that warrant encryption.
https://docs.microsoft.com/en-us/azure/storage/storage-service-encryption
I think we all know and understand network layer security, but too often we see people go with the “simple” approach for identity management. Don’t use local or custom stores, invest in a unified approach – Azure AD is there for that purpose.
For web app deployments, consider using web apps authentication on your content management (CM) and reporting roles. If authentication is not an option, you may also consider IP whitelisting.
For more on web apps authentication see https://docs.microsoft.com/en-us/azure/app-service/app-service-authentication-overview
Web application firewall which is part of Application Gateway provides protection for web apps from common threats like SQL injection and cross site scripting. It relies more probably on the OWASP core rule sets (https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project).
More on Application Gateway and WAF at https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-web-application-firewall-overview.
Create distinct logins for each Sitecore SQL database and ensure they are only accessible from within the Azure subscription. This should have been the default. Consider using Azure AD authentication for databases.
Sitecore’s standard procedures for hardening still apply. The full details are at https://doc.sitecore.net/sitecore_experience_platform/setting_up_and_maintaining/security_hardening.
While not strictly security related, Application Insights is very valuable for watching the environment. For those not familiar with it, Application Insights is an application performance management service for web applications. Sitecore 8.2 in PaaS uses App Insights for logging (instead of the file system).
