A secure foundation for your Sitecore Azure deployment right out of the box
We have implemented our Azure Blueprint for Sitecore around the recommended best practices for Azure security published by Microsoft, and provide it in full to all Azure Blueprint customers as an integral part of our offering.
By using Azure Blueprint, the security foundation for your Sitecore project is managed and maintained over time, so your team can focus time and effort on delivering value through your solution.
How Azure Blueprint for Sitecore implements the Microsoft Best Practices is detailed in the following sections.
Azure Network Security Best Practices
Logically segment subnets
Included. By default a segmented VNET is deployed for each location.
Control routing behavior
Included. NSG pinhole rules are defined according to the security recommendation.
Enable Forced Tunneling
Included. Forced tunneling is applied by default when using the Azure Blueprint VPN Gateway module.
Use virtual network appliances
Included. A Web Application Firewall (WAF) is deployed into each DMZ by default. Azure Blueprint supports deploying additional security appliances.
Deploy DMZs for security zoning
Included. Azure Blueprint's VPN module provides secured network connections to on-prem resources.
Avoid exposure to the Internet with dedicated WAN links
Implemented. Azure Blueprint’s VPN module provides secured network connections to on-prem resources.
Optimize uptime and performance
Included. Azure Blueprint by default implements local and global load balancing for scale and redundancy.
HTTP-based Load Balancing
Included. Azure Blueprint is by default configured with Application Gateway for all internet-facing HTTP/HTTPS endpoints.
External Load Balancing
Included. Implemented as part of Azure Web Apps.
Internal Load Balancing
Included. Implemented as part of SQL database and other PaaS services. In addition, Azure Blueprint’s Solr service also implements this.
Use global load balancing
Included. Azure Blueprint by default utilizes Traffic Manager for global load balancing across all deployments.
Disable RDP/SSH Access to Azure Virtual Machines
Included. Azure Blueprint’s VM foundation disables all external access to virtual machines; access is allowed only through a dedicated jumpbox, which is deployed along with the Azure Blueprint foundation. (1)
Enable Azure Security Center
Included. By default Azure Blueprint enables Security Center configured with all relevant policies.
Securely extend your datacenter into Azure
Azure Blueprint is not commonly used as a datacenter extension, but it does comply with the relevant best practices.
Azure Data Security and Encryption Best Practices
Enforce Multi-factor Authentication
Included. Azure Blueprint fully implements Multi-Factor Authentication along with its Single Sign-On implementation.
Use Role Based Access Control (RBAC)
Included. Azure Blueprint deploys security groups by default, and all Azure resources are defined with least privilege security permissions mapped to these groups.
Encrypt Azure Virtual Machines
Included. All VMs in Azure Blueprint are encrypted, with the encryption keys stored in Key Vault’s hardware security module.
Use Hardware Security Modules
Included. Azure Blueprint stores all secrets, certificates and passwords in Key Vault.
Manage with Secure Workstations
Implemented. Azure Blueprint provides a VM jumpbox for secure VM access, as well as P2S VPN access for any administrative access. Additional access measures and policies are fully supported. (1)
Enable SQL data encryption
Included. SQL data encryption and secure storage of the keys are set up by default in Azure Blueprint for Sitecore.
Protect data in transit
Included. By default all data connections in Azure Blueprint are either encrypted, in private networks, or both.
Enforce file-level data encryption
File-level encryption is not implemented in Azure Blueprint by default, but storage and database encryption are.
Azure Identity Management and Access Control Security Best Practices
Centralize your identity management
Included. Azure Blueprint leverages Azure AD for centralized identity management for all service access. This includes access to the VMs (1) as well as access to Sitecore.
Enable Single Sign-On (SSO)
Included. Single Sign-On is implemented by default across Azure Blueprint for Sitecore.
Deploy password management
Included. Password Management policies are implemented and configurable in Azure Blueprint.
Enforce multi-factor authentication (MFA) for users
Included. MFA is enforced for all Azure Blueprint users, from Sitecore users to partner developers to system admins.
Use role-based access control (RBAC)
Included. Azure Blueprint deploys security groups by default, and all Azure resources are defined with least privilege security permissions mapped to these groups.
Control locations where resources are created using Resource Manager
Included. Azure Blueprint for Sitecore deploys a full set of management policies that enforce allowed resource locations. In addition, Azure Blueprint offers separate deployments into the Germany or China national Azure clouds, either as a separate installation or as part of a multinational deployment.
Guide developers to leverage identity capabilities for SaaS apps
N/A
Optimize uptime and performance
Included. Azure Blueprint by default implements local and global load balancing for scale and redundancy.
Actively monitor for suspicious activities
Included. Azure Blueprint implements active security scanning using Security Center, Azure AD threat detection, SQL Advanced Threat Protection, OWASP HTTP request scanning, anti-malware protection and several other scanning and prevention mechanisms.