Security testing

Verify that the network traffic generated by the customer’s instance is protected from tenant port scanning and packet sniffing.

Perform a network security penetration test every six months at a minimum and after a significant change has been made to the system. Review the executive summary of the results of the network security penetration tests.

Perform at least one external network security penetration scan annually and provide these findings to Sitecore® for response and remediation.

Perform the application security penetration test at least once annually or after a significant change has been made to the system. Review the executive summary and detailed report. Sitecore Content Hub provides documentation about the software quality assurance and software development lifecycle for the application.

Perform an application security penetration assessment annually and provide findings to Sitecore for response and remediation.

Allows superusers to control if OAuth or other API access is allowed on a per-application, per-user basis, and to restrict the types of content accessed through the API.

Provides superusers with the ability to create time-sensitive access control criteria for third-party applications. Any actions taken by a third-party application are logged. The log contains an identifier to the application and the user context the application was authorized under in addition to the standard log data requirements.

Uses a firewall that does not permit the application to send traffic with a source IP or MAC address other than its own.

Supports PaaS/IaaS volume-level encryption to protect data against snapshot cloning or protect each piece of content.

Has robust data loss prevention mechanisms, including database and file activity monitoring, traffic, and usage baselining and alerting of traffic spikes above a defined threshold or a provider-determined baseline.