Sitecore - On-Premises to Azure PaaS (ASE) Cloud Migration - Part 2

 

Security aspects considered while designing the new Azure PaaS infrastructure

·         Sitecore web applications are hosted inside an Azure App Service Environment (ASE), an Azure App Service feature that provides a fully isolated, dedicated and secure environment to run App Service applications.

·         WAF protection

o   The WAF feature of the Application Gateway provides centralized protection for web applications against common exploits and vulnerabilities.

o   WAF is based on rules from the Open Web Application Security Project (OWASP) core rule sets 3.0 or 2.2.9.

o   The Sitecore Content Delivery server runs behind the WAF, and IP restrictions on the Web App limit access to traffic from the Application Gateway only.

·         With Application Gateway, only IPs from certain countries were allowed (based on a previous DDoS attack). IP restriction will be an ongoing activity, and any malicious IPs will be added to the list as and when they are identified.

·         Key Vault to secure keys and credentials

o   Azure Key Vault is used to secure the keys and secrets with encryption. It uses keys that are protected by HSMs.

·         Restrict access based on least privilege security principles

o   Use RBAC to provide permissions to users, groups, and applications. 

·         Restrict incoming source IP addresses

o   The ASE’s VNET feature helps restrict incoming source IP addresses through network security groups (NSGs). A VNET makes it possible to place Azure resources in a non-internet, routable network that can be access controlled.

·         Use Azure AD authentication to connect to databases instead of SQL Server authentication. This will help in controlling the proliferation of user identities across database servers.

·         Use Azure SQL firewall for access restriction

o   Restrict access so that only allowed IP addresses can access the web application instance.

·         Encrypt data at rest

o   Use the Transparent Data Encryption (TDE) feature, which is enabled by default. It transparently encrypts SQL Server, Azure SQL Database, and Azure SQL Data Warehouse data and log files, and protects against a compromise of direct access to the files or their backups. It thereby enables encryption of data at rest without changing existing applications.

·         Connection strings are stored in App settings, so they are encrypted at rest and in transit.

·         Access is limited via deny-anonymous-access web.config rules

o   For CD servers, anonymous access is denied to:

§  /App_Config

§  /xsl

§  /sitecore modules/Shell

§  /sitecore modules/debug

§  /sitecore

·         App Service will not serve requests for .configs via default request filtering rules

·         Non-HTTPS requests are caught at CDN level & redirected to HTTPS

·         Request Validation is enabled by default.
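
An added example, not from the original post or from Sitecore: a Python check that a web.config denies anonymous access to each of the five CD paths listed above. It assumes the rules are written as `<location>` elements carrying ASP.NET `<authorization>` rules, which the post does not show; the sample config and the names `LOC_TEMPLATE`, `denies_anonymous` and `audit` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Paths the page lists as closed to anonymous users on CD servers.
PROTECTED_PATHS = ["App_Config", "xsl", "sitecore modules/Shell",
                   "sitecore modules/debug", "sitecore"]

# Constructed sample, not the project's web.config. Two deliberate gaps: no rule
# for "sitecore modules/debug", and an allow-all ahead of the deny on "sitecore".
LOC_TEMPLATE = ('<location path="{}"><system.web><authorization>{}'
                '</authorization></system.web></location>')
SAMPLE_WEB_CONFIG = "<configuration>" + "".join(LOC_TEMPLATE.format(p, r) for p, r in [
    ("App_Config", '<deny users="?"/>'),
    ("xsl", '<deny users="?"/>'),
    ("sitecore modules/Shell", '<deny users="*"/>'),
    ("sitecore", '<allow users="*"/><deny users="?"/>'),
]) + "</configuration>"

def norm(path):
    return path.strip("/").lower()  # location paths are relative; compare case-insensitively

def denies_anonymous(location):
    """Walk the rules in order; ASP.NET applies the first one that matches."""
    rules = location.find("system.web/authorization")
    for rule in (rules if rules is not None else []):
        users = {u.strip() for u in rule.get("users", "").split(",")}
        if not users & {"?", "*"}:
            continue                      # rule does not cover anonymous users
        if rule.tag == "allow":
            return False                  # anonymous allowed before any deny
        if rule.tag == "deny" and not rule.get("verbs"):
            return True                   # deny that applies to every HTTP verb
    return False

def audit(web_config_xml, paths=PROTECTED_PATHS):
    """Return {path: reason} for each protected path that is not locked down."""
    root = ET.fromstring(web_config_xml)
    locations = {norm(l.get("path", "")): l for l in root.iter("location")}
    findings = {}
    for path in paths:
        loc = locations.get(norm(path))
        if loc is None:
            findings[path] = "no <location> element"
        elif not denies_anonymous(loc):
            findings[path] = "anonymous users not denied"
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_WEB_CONFIG))
```

The check matches `<location>` paths exactly and does not model inheritance from a parent folder, so a rule on a parent path is reported as missing for its children.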

STRIDE threats and mitigations that are considered as part of the design

               

| # | Risk | Area of concern | Mitigation |
|---|------|-----------------|------------|
| 1 | Spoofing | Authentication | HTTPS connection |
| 2 | Tampering | Integrity | Valid SSL certificates |
| 3 | Repudiation | Non-repudiation | Enable Azure monitoring and diagnostics |
| 4 | Information disclosure | Confidentiality | Encrypt sensitive data |
| 5 | Denial of Service | Availability | Monitor performance metrics for potential DoS and implement connection filters |
| 6 | Elevation of Privilege | Authorization | Uses AD Authentication on content Authoring and custom Authorization for customers |

 

Design for Disaster Recovery

The Azure PaaS environment will be designed with zone redundancy and geo-replication. Therefore, no separate DR environment is required.

Azure SQL (Sitecore databases): Azure SQL Database automatically creates database backups and uses Azure read-access geo-redundant storage (RA-GRS) to provide geo-redundancy. These backups are created automatically, at no additional charge, and are retained for 35 days.

| # | Resource | Backup technology | Secondary environment |
|---|----------|-------------------|-----------------------|
| 1 | App service environment | NA | Created on-demand. |
| 2 | App Service plan | NA | Created on-demand. |
| 3 | Azure SQL Databases | SQL Azure Geo-Replication. | Fully deployed |
| 4 | Azure Storage Account | NA | Created on-demand. |
| 5 | Application Gateway | Gateway created in two different regions; Zone Redundancy | Fully deployed |
| 6 | Azure Key vault | NA | Created on-demand. |
| 7 | Azure Mongo DB Atlas | Completely managed | Completely managed |














Azure Web app Backups

Backups are configured on Sitecore Content Delivery & Content Management web apps. The backups will be stored in a blob storage in different containers.

The backup policy is as below:

·         Backup to happen every day.

·         Retention period of 31 days.

 

Logging

The following logs will be streamed to Azure Event Hub:

| Resource | Log type | Description |
|----------|----------|-------------|
| Web App | AppServiceConsoleLogs | Standard output and standard error |
| Web App | AppServiceHTTPLogs | Web server logs |
| Web App | AppServiceAuditLogs | Login activity via FTP and Kudu |
| Web App | AppServiceFileAuditLogs | File changes via FTP and Kudu |
| Web App | AppServiceAppLogs | Application logs |
| NSG | Network Security Group Event | Entries are logged for which NSG rules are applied |
| NSG | Network Security Group Rule Counter | Contains entries for how many times each NSG rule is applied to deny or allow traffic |
| Application Gateway | Access Logs | View Application Gateway access patterns |
| Application Gateway | Performance Logs | Application Gateway instances performance |
| Application Gateway | Firewall Logs | Requests logged through detection / prevention |
| CDN | Access Logs | View CDN access patterns |


