Managed Cloud PaaS 2.0 roles and responsibilities
This topic describes the roles, responsibilities, and security model for PaaS 2.0 Managed Cloud solutions. Roles and responsibilities are described using the RACI model, where R = Responsible, A = Accountable, C = Consultant, and I = Informed.
Sitecore customers on Managed Cloud own the data and can apply changes to the Managed Cloud environment. This also means that customers are responsible for the confidentiality, integrity, and availability of Sitecore Managed Cloud resources and data.
The following tables indicate the roles and responsibilities associated with the various security functions in Sitecore Managed Cloud PaaS 2.0 solutions.
Activation and termination
This table shows the responsibilities for order activation and termination of Sitecore Managed Cloud Standard PaaS 2.0 environments.
| Activity | Customer/Partner | Sitecore |
|---|---|---|
| Request environment and specify characteristics | R, A | I |
| Activate Sitecore Managed Cloud | I | R, A |
| Terminate Sitecore Managed Cloud | I | R, A |
| Retain data for 30 days after termination | I | R, A |
Provisioning of Sitecore environments
This table shows the responsibilities for the provisioning, resetting, and deprovisioning of Managed Cloud PaaS 2.0 environments.
| Activity | Customer/Partner | Sitecore |
|---|---|---|
Create new environment, installation, and initial set up:
| C | R, A |
| Delete existing environment | C | R, A |
| Reset existing environment | C | R, A |
Sitecore application design and implementation
This table shows the responsibilities for Sitecore application design and implementation.
| Activity | Customer/Partner | Sitecore |
|---|---|---|
| Set up initial application security | I | R, A |
| Resource sizing (as dictated by custom solution) | R, A | C, I |
| Plan Sitecore software upgrade | R, A | I |
| Design, configuration, or customization of Sitecore solution | R, A | I |
| Optimize application (for example: performance tuning, database optimization, and so on) | R, A | I |
| Application performance tuning (Sitecore products) | R, A | I |
| Perform in-place Sitecore version upgrade (Not recommended) | R, A | I |
| Installation and configuration of Sitecore platform hotfixes and patches | R, A | C |
Infrastructure and server management
This table shows the responsibilities for Sitecore Managed Cloud infrastructure and server management.
| Activity | Customer/Partner | Sitecore |
|---|---|---|
| Perform initial provisioning check | I | R, A |
| Scale infrastructure services (Web App, Solr, Azure SQL, Redis cache, and so on) | A | R |
| Initial Azure Front Door with Web Application Firewall - deployment and configuration | A | R |
| Network security groups and initial security setup (Azure SQL firewall) | C | R, A |
| Network firewalls and post-deployment security setup (Azure SQL firewall) | R, A | C |
| Set up third-party services (DevOps tools, CDN, databases, and so on) | R, A | C |
| Custom domain setup | R, A | C |
| Initial setup and configuration of backup services (blobs, database) | I | R, A |
| Customization of backup schedules and services | R | A |
| Consolidation of billing | I | R, A |
| Infrastructure performance optimization | R, A | I |
Monitoring and incident notification
This table shows the responsibilities for Sitecore Managed Cloud monitoring and for notification of incidents.
| Activity | Customer/Partner | Sitecore |
|---|---|---|
| Managed Cloud infrastructure monitoring (CPU/RAM, network and so on) | I | R, A |
| Sitecore Managed Cloud platform consumption usage monitoring | C, I | R, A |
| Take action on recommendations from infrastructure alert(s) | A | R |
| Sitecore application monitoring | R, A | I |
| Monitoring for application security events and notifications | R, A | C |
| Monitoring for data-related security events and notification | R, A | C |
| Monitoring for infrastructure resource availability | C | R, A |
| Web Application Firewall monitoring and alerts (ongoing) | R, A | I |
| Notification of security events related to the Azure platform | C | R, A |
| Infrastructure incident notification | I | R, A |
| Security incident management for infrastructure | I | R, A |
Security: access and user administration
This table shows the responsibilities for user access and administration in Managed Cloud PaaS 2.0 solutions.
| Activity | Customer/Partner | Sitecore |
|---|---|---|
| Set up Identity and Active Directory infrastructure including account administration | C | R, A |
| Initial setup of Sitecore CMS user access | C | R, A |
| Ongoing administration of Sitecore CMS user access | R, A | C, I |
| Define Sitecore environment access permissions and security configuration | R, A | C, I |
| Implement customer-defined Sitecore environment access and security configuration | A, C | R |
Security: physical
This table shows the responsibilities for the physical components of a PaaS 2.0 Managed Cloud solution.
| Item | Customer/Partner | Sitecore |
|---|---|---|
| Physical data center | I | R, A |
| Physical network | I | R, A |
| Physical hosts | I | R, A |
Security: Sitecore application
This table shows the responsibilities for the security of different aspects of the Sitecore application in a PaaS 2.0 Managed Cloud solution.
| Activity | Customer/Partner | Sitecore |
|---|---|---|
| Base application security | I | R, A |
| Deployment and security hardening | R, A | C |
| Implementation of authentication mechanism | R, A | C |
| Custom code deployment | R, A | C |
| Sitecore application and customer solution change management | R, A | C |
| Configuring application security logging | R, A | I |
| Set up initial security in customized Sitecore application code | R, A | I |
| Azure App service operating system maintenance, including regular security patching and updates (delivered by Microsoft) | C, I | R, A |
Security: Azure platform
This table shows the responsibilities for the security of different aspects of the Azure platform in a PaaS 2.0 Managed Cloud solution.
| Activity | Customer/Partner | Sitecore |
|---|---|---|
| Configure encryption at rest and in motion (part of initial environment provisioning) | C, I | R, A |
| Configure infrastructure security logging via Azure Defender for Cloud (Requires additional purchase: Sitecore Managed Cloud - Advanced Hub) | I | R, A |
| Configure and perform disaster recovery (Available as an add-on purchase) | C, I | R, A |
| Configure CD App service for Azure Zone Redundancy (production only) | C, I | R, A |
| Configure host security - hardened OS | I | R, A |
| Configure initial network security – Network security groups | C, I | R, A |
| Configure initial network security – VNET and subnets | C, I | R, A |
| Configure initial network security – private link / private end-point (App service, SQL, Key Vault) | C, I | R, A |
| Configure Azure Bastion service * | C, I | R, A |
| Implementation of Azure S2S VPN (If requested to be included in the provisioning process) | C, I | R, A |
| Ongoing S2S VPN configuration and client-side management | R, A | C, I |
| Operating system (PaaS) | I | R, A |
| Sitecore Cloud operations change management (via ServiceNow) | C, I | R, A |
| Azure DDoS IP Protection initial setup (if purchased by customer) | C, I | R, A |
| Azure DDoS IP Protection post-provisioning (if purchased by customer) | R | A |
| Define basic Web Application Firewall requirements - rule management (Azure Front Door) | R, A | C |
| Implement initial Web Application Firewall configuration and rule management (Front Door) advanced configuration - limited to Advanced Hub only | C | R, A |
| Initial deployment security hardening of Sitecore product (PaaS) | C | R, A |
| Ongoing security hardening of Sitecore application | R, A | C |
* Aspects of PaaS 2.0 administration (such as the Kudu Interface) require access to the Hub-spoke VNETs for Sitecore employees delivering Managed Cloud Standard services. We use the Azure Bastion service to connect to the Bastion Virtual Machine (Private IP/DNS only). PaaS 2.0 does not permit public access to Kudu interfaces.
Security: certificates and key management
This table shows the responsibilities for certificates and key management in a PaaS 2.0 Managed Cloud solution.
| Activity | Customer/Partner | Sitecore |
|---|---|---|
| Self-signed certificate for non-production environments | I | R, A |
| Obtain public SSL certificates from Trusted Root Authority | R, A | C |
| SSL certificate deployment | R | A |
| SSL certificate configuration | R, A | C, I |
| Encryption key upload (Azure Key Vault) – initial product deployment | C, I | R, A |
| Encryption key upload (Azure Key Vault) – ongoing management of customer-owned keys and certificates | R, A | C, I |