Azure Blueprint for Sitecore Security Implementation

Azure Network Security Best Practices

Logically segment subnets

Included. By default a segmented VNET is deployed for each location.

Control routing behavior

Included. NSG pinhole rules are defined according to the security recommendation.

Enable Forced Tunneling

Included. Forced tunneling is applied by default when using the Azure Blueprint VPN Gateyway module.

Use virtual network appliances

Included. A Web Application Firewall (WAF) is deployed into each DMZ by default. Azure blueprint supports deploying additional security appliances.

Deploy DMZs for security zoning

Included. Azure Blueprints VPN module provides secured network connections to on-prem resources.

Avoid exposure to the Internet with dedicated WAN links

Implemented. Azure Blueprint’s VPN module provides secured network connections to on-prem resources.

Optimize uptime and performance

Included. Azure Blueprint by default implements local and global load balancing for scale and redundancy.

HTTP-based Load Balancing

Included. Azure Blueprint is by default configured with Application Gateway for all internet facing http/https endpoints.

External Load Balancing

Included. Implemented as part of Azure Webapps.

Internal Load Balancing

Included. Implemented as part of SQL database and other PaaS services. In addition, Azure Blueprint’s Solr service also implements this.

Use global load balancing

Included. Azure Blueprint by default utilizes Traffic Manager for global load balancing across all deployments.

Disable RDP/SSH Access to Azure Virtual Machines

Included. Azure Blueprint’s VM foundation disables all external access to Virtual Machines, and are only allowed through a dedicated Jumpbox, which is deployed along with the Azure Blueprint foundation. (1)

Enable Azure Security Center

Included. By default Azure Blueprint enables Security Center configured with all relevant policies.

Securely extend your datacenter into Azure

Azure Blueprint is commonly not used as a Datacenter extension, but does comply with the relevant best practices.

Azure Data Security and Encryption Best Practices

Enforce Multi-factor Authentication

Included. Azure Blueprint fully implements Multi-Factor Authentication along with its Single-Sign-On implementation.

Use Role Based Access Control (RBAC)

Included. Azure Blueprint deploys security groups by default, and all Azure resources are defined with least privilege security permissions mapped to these groups.

Encrypt Azure Virtual Machines

Included. All VMs in Azure Blueprint are configured with encrypted Virtual Machines with keys stored in Keyvault’s Hardware security module.

Use Hardware Security Modules

Included. Azure Blueprint stores all secrets, certificates and passwords in Keyvault.

Manage with Secure Workstations

Implemented. Azure Blueprint provides a VM jumpbox for secure VM access, as well as P2S VPN access for any administrative access. Additional access measures and policies are fully supported. (1)

Enable SQL data encryption

Included. SQL data encryption and secure storage of keys is default set up in Azure Blueprint for Sitecore.

Protect data in transit

Included. By default all data connections in Azure Blueprint are either encrypted, in private networks, or both.

Enforce file level data encryption

File level encryption is not implemented in Azure Blueprint by default, but storage and database encryption is.

Azure Identity Management and Access Control Security Best Practices

Centralize your identity management

Included. Azure Blueprint leverages Azure AD for centralized identity management for all service access. This includes access to the VMs (1) as well as access to Sitecore.

Enable Single Sign-On (SSO)

Included. Single-Sign-On is implemented by default across Azure Blueprint for Sitecore.

Deploy password management

Included. Password Management policies are implemented and configurable in Azure Blueprint.

Enforce multi-factor authentication (MFA) for users

Included. MFA is implemented across all Azure Blueprint users. This is from Sitecore users to partner developers to system admins.

Use role-based access control (RBAC)

Included. Azure Blueprint deploys security groups by default, and all Azure resources are defined with least privilege security permissions mapped to these groups.

Control locations where resources are created using Resource Manager

Included. Azure Blueprint for Sitecore deploys a full set of management policies which enforces allowed ressource locations. In addition Azure Blueprint offers separate deployments into the Germany or China national Azure cloud, either as a separate installation, or as a part of a multinational deployment.

Guide developers to leverage identity capabilities for SaaS apps

N/A

Optimize uptime and performance

Included. Azure Blueprint by default implements local and global load balancing for scale and redundancy.

Actively monitor for suspicious activities

Included. Azure Blueprint implements active and intelligent security scanning using Security Center, Azure AD Threat detection, SQL Advanced Threat Protection, OWASP http request scanning, Anti-Malware protection and several other scanning/prevention mechanisms.




    Privacy Preferences

    When you visit our website, it may store information through your browser from specific services, usually in the form of cookies. Here you can change your Privacy preferences. It is worth noting that blocking some types of cookies may impact your experience on our website and the services we are able to offer.

    Click to enable/disable Google Analytics tracking code.
    Click to enable/disable Google Fonts.
    Click to enable/disable Google Maps.
    Click to enable/disable video embeds.
    Our website uses cookies, mainly from 3rd party services. Define your Privacy Preferences and/or agree to our use of cookies.