Azure Blueprint for Sitecore
Security Implementation

A secure foundation for your Sitecore Azure deployment right out of the box

We have implemented our Azure Blueprint for Sitecore around the recommended best practices for Azure security published by Microsoft, and provide it in full to all Azure Blueprint customers as an integral part of our offering.

By using Azure Blueprint, the security foundation for your Sitecore project is managed and maintained over time, so your team can focus its time and effort on delivering value through your solution.

How Azure Blueprint for Sitecore implements the Microsoft Best Practices is detailed in the following sections.

Azure Network Security Best Practices

Logically segment subnets

Included. By default, a segmented VNet is deployed for each location.

Control routing behavior

Included. Network Security Group (NSG) pinhole rules are defined according to the security recommendation.

Enable Forced Tunneling

Included. Forced tunneling is applied by default when using the Azure Blueprint VPN Gateway module.

Use virtual network appliances

Included. A Web Application Firewall (WAF) is deployed into each DMZ by default. Azure Blueprint supports deploying additional security appliances.

Deploy DMZs for security zoning

Included. Azure Blueprint’s VPN module provides secured network connections to on-prem resources.

Avoid exposure to the Internet with dedicated WAN links

Implemented. Azure Blueprint’s VPN module provides secured network connections to on-prem resources.

Optimize uptime and performance

Included. Azure Blueprint by default implements local and global load balancing for scale and redundancy.

HTTP-based Load Balancing

Included. Azure Blueprint is by default configured with Application Gateway for all internet-facing HTTP/HTTPS endpoints.

External Load Balancing

Included. Implemented as part of Azure Web Apps.

Internal Load Balancing

Included. Implemented as part of SQL database and other PaaS services. In addition, Azure Blueprint’s Solr service also implements this.

Use global load balancing

Included. Azure Blueprint by default utilizes Traffic Manager for global load balancing across all deployments.

Disable RDP/SSH Access to Azure Virtual Machines

Included. Azure Blueprint’s VM foundation disables all external access to Virtual Machines; access is only allowed through a dedicated jumpbox, which is deployed along with the Azure Blueprint foundation (1).

Enable Azure Security Center

Included. By default, Azure Blueprint enables Security Center configured with all relevant policies.

Securely extend your datacenter into Azure

Azure Blueprint is not commonly used as a datacenter extension, but it does comply with the relevant best practices.

Azure Data Security and Encryption Best Practices

Enforce Multi-factor Authentication

Included. Azure Blueprint fully implements Multi-Factor Authentication along with its Single-Sign-On implementation.

Use Role Based Access Control (RBAC)

Included. Azure Blueprint deploys security groups by default, and all Azure resources are defined with least-privilege security permissions mapped to these groups.

Encrypt Azure Virtual Machines

Included. All VMs in Azure Blueprint are deployed as encrypted Virtual Machines, with keys stored in Key Vault’s hardware security module (HSM).

Use Hardware Security Modules

Included. Azure Blueprint stores all secrets, certificates and passwords in Key Vault.

Manage with Secure Workstations

Implemented. Azure Blueprint provides a VM jumpbox for secure VM access, as well as P2S VPN access for any administrative access. Additional access measures and policies are fully supported (1).

Enable SQL data encryption

Included. SQL data encryption and secure storage of keys are set up by default in Azure Blueprint for Sitecore.

Protect data in transit

Included. By default, all data connections in Azure Blueprint are either encrypted, in private networks, or both.

Enforce file level data encryption

File-level encryption is not implemented in Azure Blueprint by default, but storage and database encryption are.

Azure Identity Management and Access Control Security Best Practices

Centralize your identity management

Included. Azure Blueprint leverages Azure AD for centralized identity management for all service access. This includes access to the VMs (1) as well as access to Sitecore.

Enable Single Sign-On (SSO)

Included. Single-Sign-On is implemented by default across Azure Blueprint for Sitecore.

Deploy password management

Included. Password Management policies are implemented and configurable in Azure Blueprint.

Enforce multi-factor authentication (MFA) for users

Included. MFA is implemented across all Azure Blueprint users, from Sitecore users to partner developers to system administrators.

Use role-based access control (RBAC)

Included. Azure Blueprint deploys security groups by default, and all Azure resources are defined with least-privilege security permissions mapped to these groups.

Control locations where resources are created using Resource Manager

Included. Azure Blueprint for Sitecore deploys a full set of management policies that enforce allowed resource locations. In addition, Azure Blueprint offers separate deployments into the Germany or China national Azure clouds, either as a separate installation or as part of a multinational deployment.

Guide developers to leverage identity capabilities for SaaS apps

N/A

Actively monitor for suspicious activities

Included. Azure Blueprint implements active and intelligent security scanning using Security Center, Azure AD threat detection, SQL Advanced Threat Protection, OWASP HTTP request scanning, anti-malware protection and several other scanning/prevention mechanisms.

Notes

(1) Part of Blueprint Foundation for VMs, which is released with Azure Blueprint for Sitecore in August 2018.