Managed Cloud PaaS 1.0 roles and responsibilities
This topic describes the roles, responsibilities, and security model for PaaS 1.0 Managed Cloud solutions. Roles and responsibilities are described using the RACI model, where R = Responsible, A = Accountable, C = Consultant, and I = Informed.
Sitecore customers on Managed Cloud own the data and can apply changes to the Managed Cloud environment. This also means that customers are responsible for the confidentiality, integrity, and availability of Managed Cloud resources and data.
The following tables indicate the roles and responsibilities associated with the various security functions in Managed Cloud PaaS 1.0 solutions.
Activation and termination
This table shows the responsibilities for order activation and termination of Sitecore Managed Cloud PaaS 1.0 environments.
| Activity | Customer/Partner | Sitecore |
|---|---|---|
| Request environment and specify characteristics | R, A | I |
| Activate Sitecore Managed Cloud | I | R, A |
| Terminate Sitecore Managed Cloud | I | R, A |
| Retain data for 30 days after termination | I | R, A |
Provisioning of Sitecore environments
This table shows the responsibilities for the provisioning, reset, and deprovisioning of Managed Cloud PaaS 1.0 environments.
| Activity | Customer/Partner | Sitecore |
|---|---|---|
| Create new environment, installation, and initial set up: | C | R, A |
| Delete existing environment | C | R, A |
| Reset existing environment | C | R, A |
Sitecore application design and implementation
This table shows the responsibilities for Sitecore application design and implementation.
| Activity | Customer/Partner | Sitecore |
|---|---|---|
| Set up initial application security | I | R, A |
| Resource sizing (as dictated by custom solution) | R, A | C, I |
| Plan Sitecore software upgrade | R, A | I |
| Design, configuration, or customization of Sitecore solution | R, A | I |
| Optimize application (for example: performance tuning, database optimization, and so on) | R, A | I |
| Application performance tuning (Sitecore products) | R, A | I |
| Perform in-place Sitecore version upgrade (Not recommended) | R, A | I |
| Installation and configuration of Sitecore platform hotfixes and patches | R, A | C |
Infrastructure and server management
This table shows the responsibilities for Sitecore Managed Cloud infrastructure and server management.
| Activity | Customer/Partner | Sitecore |
|---|---|---|
| Perform initial provisioning check | I | R, A |
| Scale infrastructure services (Web App, Solr, Azure SQL, Redis cache, and so on) | A | R |
| Initial Web Application Firewall - deployment and configuration (subject to purchase) | A | R |
| Set up initial security (Azure SQL firewall) | C | R, A |
| Set up network firewalls and post-deployment security (Azure SQL firewall) | R, A | C |
| Set up third-party services (DevOps tools, CDN, databases, and so on) | R, A | C |
| Custom domain setup | R, A | C |
| Initial setup and configuration of backup services (blobs, database) - subject to purchase | I | R, A |
| Customization of backup schedules and services | R | A |
| Consolidation of billing | I | R, A |
| Infrastructure performance optimization | R, A | I |
Monitoring and incident notification
This table shows the responsibilities for Sitecore Managed Cloud monitoring and for notification of incidents.
| Activity | Customer/Partner | Sitecore |
|---|---|---|
| Managed Cloud infrastructure monitoring (CPU/RAM, network and so on) | I | R, A |
| Sitecore Managed Cloud platform consumption monitoring | C, I | R, A |
| Take action on recommendations from infrastructure alert(s) | A | R |
| Sitecore application monitoring | R, A | I |
| Monitoring for application security events and notifications | R, A | C |
| Monitoring for data-related security events and notification | R, A | C |
| Monitoring for infrastructure resource availability | C | R, A |
| Web Application Firewall monitoring and alerts (ongoing) | R, A | I |
| Notification of security events related to the Azure platform | C | R, A |
| Infrastructure incident notification | I | R, A |
| Security incident management for infrastructure | I | R, A |
Security: access and user administration
This table shows the responsibilities for user access and administration in Managed Cloud PaaS 1.0 solutions.
| Activity | Customer/Partner | Sitecore |
|---|---|---|
| Set up Identity and Active Directory infrastructure including account administration | C | R, A |
| Initial setup of Sitecore CMS user access | C | R, A |
| Ongoing administration of Sitecore CMS user access | R, A | C, I |
| Define Sitecore environment access permissions and security configuration | R, A | C, I |
| Implement customer-defined Sitecore environment access and security configuration | A, C | R |
Security: physical
This table shows the responsibilities for the physical components of a PaaS 1.0 Managed Cloud solution.
| Item | Customer/Partner | Sitecore |
|---|---|---|
| Physical data center | I | R, A |
| Physical network | I | R, A |
| Physical hosts | I | R, A |
Security: Sitecore application
This table shows the responsibilities for the security of different aspects of the Sitecore application in a PaaS 1.0 Managed Cloud solution.
| Activity | Customer/Partner | Sitecore |
|---|---|---|
| Base application security | I | R, A |
| Deployment and security hardening | R, A | C |
| Implementation of authentication mechanism | R, A | C |
| Custom code deployment | R, A | C |
| Sitecore application and customer solution change management | R, A | C |
| Configuring application security logging | R, A | I |
| Set up initial security in customized Sitecore application code | R, A | I |
| Azure App service operating system maintenance, including regular security patching and updates (delivered by Microsoft) | C, I | R, A |
Security: Azure platform
This table shows the responsibilities for the security of different aspects of the Azure platform in a PaaS 1.0 Managed Cloud solution.
| Activity | Customer/Partner | Sitecore |
|---|---|---|
| Configure encryption at rest and in motion (part of initial environment provisioning) | C, I | R, A |
| Configure and perform disaster recovery (Available as an add-on purchase) | C, I | R, A |
| Configure host security - hardened OS | I | R, A |
| Operating system (PaaS) | I | R, A |
| Sitecore Cloud operations change management (via ServiceNow) | C, I | R, A |
| Azure DDoS IP Protection initial setup (if purchased by customer) | C, I | R, A |
| Azure DDoS IP Protection post-provisioning (if purchased by customer) | R | A |
| Define basic Web Application Firewall requirements - rule management (Azure Front Door) | R, A | C |
| Initial deployment security hardening of Sitecore product (PaaS) | C | R, A |
| Ongoing security hardening of Sitecore product | R, A | C |
Security: certificates and key management
This table shows the responsibilities for certificates and key management in a PaaS 1.0 Managed Cloud solution.
| Activity | Customer/Partner | Sitecore |
|---|---|---|
| Self-signed certificate for non-production environments | I | R, A |
| Obtain public SSL certificates from Trusted Root Authority | R, A | C |
| SSL certificate deployment | R | A |
| SSL certificate configuration | R, A | C, I |
| Encryption key upload (Azure Key Vault) â initial product deployment | C, I | R, A |
| Encryption key upload (Azure Key Vault) and ongoing management of customer-owned keys and certificates | R, A | C, I |