Episerver’s Digital Experience Cloud service represents the convergence of all Episerver’s technologies and value within one streamlined solution. While many have benefited from the overall value, ease of use, and adaptability to solve for many different digital strategies.
Our Digital Experience Cloud service is based on and includes Episerver’s core security values. Our worldwide support, integrity, continuous improvement, and transparency are a part of all our solutions and most certainly at the forefront for our Digital Experience Cloud Service.
Services are deployed on Microsoft Azure and operate on a security hardened OS, specifically designed to limit the attack surface of the operating system. The service also provides automated elastic scaling to smoothly handle traffic peaks, assuring high performance for seasonal spikes and other unanticipated spikes in traffic.
An anti-malware service is running on all service operating systems to provide drive level protection against malicious file uploads. Each customer’s service is isolated by Virtual Networks. Availability and performance are constantly monitored.
All data-in-transit is encrypted via HTTPs/TLS. The delivery network provides a broader, wider attack base and the Web Application Firewall (WAF) provides state-of-the-art scanning to monitor for unusual or malicious traffic. The global 24/7/365 Episerver Managed Services team continuously manages and monitors the delivery network and WAF to anticipate and mitigate attacks including DDoS style attacks against the DNS and service. Service instances are load balanced and enabled for automated elastic scaling. Episerver also provides multi-domain SSL certificates with the service.
The Digital Experience Cloud Service runs on Azure datacenters. Each facility is designed to run 24x7x365 with protection from power failure, physical intrusion & network outages. The Datacenters comply with industry standards (including ISO 27001) for physical security & availability. Access to all entry points are protected by perimeter fencing, cameras and biometric safeguards including palm readers, iris recognition and fingerprint readers. Uninterruptible power supplies and seismic bracing ensure continuous operation.
All Episerver team members are trained on ITIL best practices for security, privacy and quality. Access to applications and data is strictly limited by the principle of Least Privilege and all access is secured by encrypted network connections and IP Filtering.
Episerver team members only access data for the authorized purposes of archiving, backup, restoration, and collection of anonymized usage statistics to improve the service. Episerver does not access thinly grained data nor PII data.
Microsoft continuously works to ensure Azure is protected through a pro-active process known as Red Teaming; a form of live site penetration testing against the Azure infrastructure. Microsoft simulates real-world breaches and practices security incident response to test and improve the security of Azure.
Note, no end-customer data or applications are targeted during Red Team penetration testing. For more information, please review this Microsoft page.
Episerver & Microsoft follow formal processes to ensure our offerings are developed with security industry best practices. Episerver solutions are built by established teams that are focussed on building highly scalable, performant and secure systems. This is done through a Secure Development Lifecyle approach.
Episerver’s SDL utilizes principles from the Open Web Application Security Project (http://owasp.org) with processes in place to prevent security risks. Episerver’s .NET base runs managed code which also protects code and data from being misused or damaged by other code including potentially malicious programs.
Episerver provides a service dashboard where you can register to receive incident updates and view information about platform-wide planned maintenance regarding the Digital Experience Cloud Service.
Episerver Managed Services and Support communicates incidents regarding customer specific applications and websites. Customers are notified by email regarding issues and are updated during the progress of the incident.
Episerver provides the following monitoring services:
Digital Experience Cloud externally monitors web applications and any issues are handled according to the incident management process. See the Incident Management section in this document.
Digital Experience Cloud includes application monitoring. A customer is required to include the application monitoring software package in their code build for the SLA to be applicable.
Episerver World includes valuable information resources to help secure your Episerver solutions including considerations for Episerver Digital Experience Cloud.
The Digital Experience Cloud Service uses Microsoft Azure to run service instances and thus aligns with the Microsoft patch release cycle. Microsoft is responsible for patch management, learn more about Microsoft's Guest OS patch management schedule and the support lifecycle on their website. Episerver works closely with Microsoft for any edge cases involving patching.
Episerver follows a continuous release cycle with new releases on a weekly basis. Releases include both new features and fixes, and you can upgrade your solution at a cadence that makes sense for your business. Note that you are responsible for installing updates to the Episerver products you deploy in your service.
The service does not use the traditional version of Microsoft Windows, but rather a purpose-built version with a smaller attack surface and reduced potential for vulnerabilities. Each service instance uses isolated resources. With all the security benefits from Microsoft Azure, the scope of risk is reduced to traffic exclusive to web traffic at the network edge - more specifically ports 80 and 443.
TLS/SSL is commonly used for encrypted integration and communication with other services over HTTP (HTTPS). Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL) are cryptographic protocols that secure communications over a network by encrypting data being sent to and from each of the end-points. These protocols are used for securing communications for many different applications including email, voice-over-IP (VoIP), and web-based faxing. Websites also use TLS for encrypting data to and from web browsers interacting with web sites and applications.
All domains in the Episerver Digital Experience Cloud service are protected by TLS/SSL by default.
The service includes a shared TLS/SSL certificate provided by Episerver that will be valid for multiple domains in a multi-site configuration. This means that all domains will be TLS/SSL secured by default. Episerver manages renewals of the shared certificate.
VPN may be used to allow a secure connection to internal corporate resource(s), for example. Communication is one-way to on-premises systems.
Episerver Digital Experience Cloud Service utilizes Microsoft's standard approach for Azure antimalware to provide real-time protection and content scanning.
A WAF sits in front of the service to filter out malicious traffic at the application layer, see Open Systems Interconnection (OSI) Model. In Digital Experience Cloud Service, WAF is always enabled, constantly monitoring the website traffic.
The WAF examines HTTP requests to your website, looking at all requests, and applying rules intended to filter out illegitimate traffic from legitimate website visitors.
A WAF is intended to automatically protects from an extensive list of attack types that is constantly updated including:
A WAF uses rulesets to block common attacks. These rulesets may be updated at any time to keep the WAF up-to-date with evolving trends in attacks. Because the Digital Experience Cloud Service handles significant attack traffic, Episerver identifies new attack styles and adds new WAF rules intended to protect customers against these potential vulnerabilities.
The WAF engine runs the OWASP ModSecurity Core Ruleset by default, intended to protect against the OWASP Top 10 common vulnerabilities.
The Digital Experience Cloud Services uses WAF to stop attacks at the network edge, intended to protect your service from common web threats and specialized attacks.
A DDoS (distributed denial of service attack) is an attempt to overwhelm your service with a load of traffic and cause an outage. The objectives may vary, from interruption with outages or attempts to force entry through a back door or a more vulnerable web property that may be setup to manage outages. Such an attack is typically carried out by multiple systems and usually from a Trojan virus existing on unsuspecting user’s systems. This can make it difficult to distinguish good traffic from bad traffic.
Episerver Digital Experience Cloud Service includes advanced DDoS protection matching the sophistication and scale of such threats, and can be used to mitigate DDoS attacks of all forms and sizes including those that target the UDP and ICMP protocols, as well as SYN/ACK, DNS amplification and Layer 7 attacks.
Episerver’s Digital Experience Cloud Service operating on Microsoft Azure also share the advantage of Microsoft security protection against DDoS attacks.
Episerver’s Digital Experience Cloud Service also mitigates DDoS attacks via its delivery network. Since 99% of DDoS attacks are volumetric and amplification based, the distributed nature of the delivery network helps absorb DDoS attacks. Since most DDoS ‘flood attacks’ use the User Datagram Protocol (UDP), such traffic is simply ignored.
Additionally, our delivery network is monitored 24/7 with both automatic and manual resources in place to reduce the impact of attacks; so, in many cases the customer doesn’t have to worry about it. Episerver’s Digital Experience Cloud Service delivery network provides a highly scalable reverse-proxy architecture with sophisticated DDoS identification and mitigation technology, to keep the service up and running.
Microsoft implements a defence in-depth approach and monitors the Microsoft Azure platform in many ways to detect possible attacks and vulnerabilities. The platform is protected by an active IDS/IPS system, which uses a number of techniques to detect attacks including traffic analysis.
We know that you cannot afford your digital presence not to be available all the time, regardless of traffic spikes. We constantly monitor all services – not just at the server level, but at the actual web delivery level – to be able to spot performance or availability issues and act upon them before they turn into problems.
Types of monitoring used:
Services included to catch and correct issues before they affect website delivery:
Microsoft and their Red Team regularly pen test the underlying infrastructure of the Digital Experience Cloud Service. The Episerver platform is also subject to regular penetration tests conducted by customers and partners.
As implementations on top of the Episerver platform could unexpectedly introduce a security vulnerability, thorough testing of the entire implementation is strongly suggested.
You can either conduct your own tests using tools or security services of your choice, or you can order this service through Episerver Expert Services.
If you plan to perform your own penetration tests, you need to notify Episerver at least 10 business days before the planned testing.
As Digital Experience Cloud Service is provided as-a-service, its critical for the instance of the application implementation to have vulnerability tests and penetration tests performed against the site.
Vulnerability scans protect against attacks on the website. Penetration testing thwarts hacking and attacks on routers, firewalls, and so on.
We analyze the code you deployed to your service instance from a hacker’s perspective and report back with the latest vulnerability findings.
Digital Experience Cloud Service includes a Managed Service process and Deployment Environments as steps in that process to ensure governance and segregation of duties throughout the deployment process thus helping ensure the SLA.