Managed Cloud security overview
The security model for Sitecore Managed Cloud provides control over information and resources. Sitecore customers on Managed Cloud own the data and can apply changes to the Managed Cloud environment. This also means that customers are responsible for the confidentiality, integrity, and availability of Sitecore Managed Cloud resources and data.
The Sitecore Managed Cloud security model
The following tables indicate the roles and responsibilities associated with the various security functions in Sitecore Managed Cloud using the key responsibility roles of the RACI model. In the Production environment and Nonproduction environment columns, the value Sitecore can also refer to a Service provider and the value Customer can also refer to a Partner.
| Production environment | Nonproduction environment | |||
|---|---|---|---|---|
| Sitecore | Customer | Sitecore | Customer | |
| AKS | R, A | I | R, A | I |
| Default Network Controls | R, A | I | R, A | I |
| Define Custom Network Controls Requirements in Azure | R, A | R | R, A | R |
| Implement Custom Network Controls in Azure | R, A | R | R, A | R |
| Sitecore Application Product | R, A | C | R, A | C |
| Sitecore Application Code | R | R, A | R | R, A |
| Identity and Directory Infrastructure including account administration | R | R, A | R | R, A |
| Cloudflare | R, A | R | R, A | R |
| Basic Firewall Requirements | R, A | C | R, A | C |
| Firewall Monitoring and Alerting | R, A | R | R | R, A |
| Notification of security events related to the Azure platform | R, A | C | R, A | C |
| Notification of security events related to the Azure platform (When Sitecore is made aware by MSFT) | R, A | I | R, A | I |
| Define Environment access permissions and security configuration | R, A | R | R,A | R |
| Implement customer defined environment access and security configuration | R, A | R | R, A | R |
| Initial deployment security hardening of Sitecore product | R, A | C | R, A | C |
| Ongoing security hardening of Sitecore application | R | R, A | R | R, A |
| Patching of base images for Sitecore roles and made available in container registry | C | R, A | C | R, A |
| Deployment of Sitecore hotfixes, patches, and upgrades | R | R, A | R | R, A |
| Security monitoring of Azure environment | R, A | R | R, A | R |
| Obtain Public SSL certificates from Trusted Root Authority | C | R, A | C | R, A |
| SSL certificate Deployment | R | A | R | A |
Privacy and data protections laws
In Sitecore Managed Cloud, we process the data that we receive from our customers. In GDPR terminology, we are a Data Processor. Under the CCPA, we are a Service Provider. Accordingly, we have Data Processor Agreements with the relevant clauses in place with our customers to ensure compliance.
For more information, please visit our Trust Center.
Cloud operations procedures
Sitecore’s Cloud operations procedures include formal standards for the following:
- Customer onboarding, including the creation of user accounts.
- Infrastructure resource creation and set up.
- Data creation and set up.
- Disposal standards to securely delete infrastructure resources.
- Data disposal standards.
- Capacity management to identify capacity and availability-related issues.
- Issues and event management.