Cloud security
Cloud security consists of policies, controls, procedures, and technologies that work together to protect cloud-based systems, data, and infrastructure. You can configure cloud security to meet your business requirements.
Azure Cloud Security
Azure is the cloud with most security compliance certifications. For more information, see Microsoft Azure Trust Center.
Web Application Firewall (WAF)
The Sitecore Content Hub WAF protects against malicious attacks that aim to exploit vulnerabilities such as SQL injection (SQLi) and Cross-site scripting (XSS) using an OWASP ModSecurity Core Rule Set (CRS).
To quickly protect against all vulnerabilities, Content Hub relies on a uniquely designed managed CRS. As the vulnerability landscape changes quickly, we update the managed CRS regularly to provide fast and seamless protection against the latest attack vectors.
DDoS protection
Our unmetered DDoS protection for your web assets (HTTP/HTTPS) is powered by the intelligence harnessed from the Content Hub always-learning global network. DDoS protection works in tandem with our cloud web application WAF, Bot Management, and other L3/4 security services to protect assets from cyber threats.
Demilitarized zone
Content Hub has technical and organizational controls in place, such as:
-
System monitoring using Security Information and Event Management (SIEM) to detect intrusion or data leakage.
-
Authentication mechanisms and role-based access privileges.
The Content Hub IT team has implemented:
-
Centralized directory services (AD, Google, AAD) - only primary ID credentials are used to access Content Hub IT assets whenever possible and need to be enabled and used if the asset supports this option.
-
A federated identity management solution that acts as a gateway for accessing third-party solutions (SSO services).
Intrusion Protection Service (IPS)
Perimeter controls secure the Content Hub network against external attacks. Content Hub may use firewalls and access control lists configured to separate the Content Hub trusted network from the internet or internet-facing environments or establish data and network segmentation.
Traffic segregation
All cloud environments have their own dedicated isolated web, data, and processing components.
Traffic from the outside is only allowed for HTTP/HTTPS traffic towards the web components. These web components live in a separate sub-net where only well-defined traffic is allowed to go to the application tier sub-net.
Security Operation Center (SOC)
The Content Hub Cloud Ops team is responsible for the SOC function and maintains documentation on operating procedures.
Content Hub has a SIEM in place that performs scanning on:
-
File integrity logs
-
Firewall logs
-
User account logs
-
Network scanning logs
-
System error logs
-
Application logs
-
Help desk trouble tickets
Network security testing
Content Hub regularly executes vulnerability assessment tests by performing network security penetration testing on the cloud environments using an industry-standard methodology.