
How to Secure Your CMS With Sitecore 9

Posted: April 12, 2018

Content management systems continue to be a major cybersecurity risk for businesses, providing data thieves and other malicious actors with potential points of intrusion. For instance, a 2017 WP White Security study revealed that more than 70 percent of WordPress installations are vulnerable to costly data breaches.

With the global annual cost of cybercrime expected to hit $6 trillion by 2021, businesses cannot afford to leave themselves open to attack. The fallout from a data breach is just too expensive and damaging to leave anything to chance. Any well-rounded cybersecurity strategy should incorporate safeguards at the CMS level, and with Sitecore's latest release, security officers finally have the tools needed to address their mounting concerns.

Encryption maintains data anonymity

Encryption has always been a pillar of cybersecurity best practice, and the Sitecore team went to great lengths to strengthen this particular feature in the platform's latest iteration. Sitecore 9 offers enhanced encryption for data both at rest and in transit, meaning sensitive information remains unreadable to an attacker even if it is exposed in a data breach.

It's important to keep in mind that over the years, cybersecurity strategies have gravitated from a perimeter focus to damage control. That's not to say that cybersecurity experts have given up on network defenses, but it's wishful thinking to believe any organization can stave off all breach attempts. It's better to assume that the network will be compromised eventually and plan accordingly.

Sophisticated encryption features like those included in Sitecore 9 prevent malicious actors from reading sensitive data even if they manage to intercept it. Expanding the scope of encryption to cover in-transit data adds a further safeguard by protecting data as it moves between platforms. In this case, connections between Sitecore, xConnect and external client portals are encrypted, cutting off access for any third party that might intercept the traffic.

Comply with PII privacy regulations

This level of encryption also protects companies against regulatory compliance risks, such as those presented by the forthcoming General Data Protection Regulation. Any CMS platform is bound to house a great deal of personally identifiable information belonging to customers and site visitors. In Sitecore's case, the vast amount of PII will be located in the xDB, where information is pulled from various sources like Web Form modules.

That data is subject to a number of guidelines regarding its collection, storage and use. Data security and privacy regulations are nothing new - the Payment Card Industry Data Security Standard and the Health Insurance Portability and Accountability Act have been around for years - but GDPR presents several new wrinkles. Perhaps the most problematic new requirement is the so-called "right to be forgotten." Under GDPR, businesses must comply with any request from a European customer or user to have their personal data wiped from existing databases. That is a much bigger task than it may initially appear, and many organizations lack the capacity to completely erase every piece of PII upon request.

Sitecore 9 introduces an elegant solution to this complex problem. Instead of outright deleting the data itself, the platform allows businesses to delete identifiers and values that would tie information to specific individuals. By anonymizing data stored in the xDB, Sitecore users can adhere to GDPR guidelines without going through the laborious process of completely erasing a user or contact from their databases.
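The anonymization approach described above, as an added example rather than Sitecore's own xConnect API or code: a contact record is kept for analytics, but every key that could tie it to an individual (the identifier list, name, e-mail, phone, IP address) is stripped recursively, and a separate check reports any identifying key that survived so the result can be verified before the original is discarded. The field list, the record layout and the sample contact are all constructed for this example.

```python
from typing import Any, List

# Keys treated as direct identifiers. This list is an assumption for the
# example; a real deployment would derive it from its own data classification.
IDENTIFYING_KEYS = frozenset({
    "identifiers", "email", "first_name", "last_name", "phone",
    "ip_address", "street", "postal_code",
})


def _strip(value: Any) -> Any:
    """Return a copy of value with identifying keys removed at every depth.

    Dicts lose any identifying key (and its whole subtree); lists are
    walked element by element; scalars are returned unchanged.
    """
    if isinstance(value, dict):
        return {k: _strip(v) for k, v in value.items() if k not in IDENTIFYING_KEYS}
    if isinstance(value, list):
        return [_strip(v) for v in value]
    return value


def anonymize_contact(contact: dict) -> dict:
    """Anonymize a contact instead of deleting it.

    Behavioural data (interactions, pages visited, campaign responses) is
    retained; only the keys that link the record to a person are removed.
    The original dict is not modified.
    """
    anon = _strip(contact)
    anon["anonymized"] = True  # marker so downstream jobs know PII is gone
    return anon


def find_identifiers(value: Any, path: str = "") -> List[str]:
    """Return the paths of every identifying key still present.

    An empty list means the record is clean; anything else names exactly
    where PII remains, which is what an auditor would want to see.
    """
    found: List[str] = []
    if isinstance(value, dict):
        for k, v in value.items():
            p = f"{path}.{k}" if path else k
            if k in IDENTIFYING_KEYS:
                found.append(p)
            found.extend(find_identifiers(v, p))
    elif isinstance(value, list):
        for i, v in enumerate(value):
            found.extend(find_identifiers(v, f"{path}[{i}]"))
    return found


# Constructed sample contact; all values are made up for this example.
SAMPLE_CONTACT = {
    "contact_id": "c-0001",
    "identifiers": [{"source": "webforms", "value": "jane.doe@example.com"}],
    "first_name": "Jane",
    "last_name": "Doe",
    "email": "jane.doe@example.com",
    "interactions": [
        {"channel": "web", "ip_address": "203.0.113.7",
         "pages": ["/pricing", "/contact"], "duration_s": 142},
        {"channel": "email", "campaign": "spring-2018", "opened": True},
    ],
}

if __name__ == "__main__":
    print("before:", find_identifiers(SAMPLE_CONTACT))
    anon = anonymize_contact(SAMPLE_CONTACT)
    print("after: ", find_identifiers(anon))
    print(anon)
```

The check runs on the anonymized copy rather than trusting the strip step, so a new field added to the record layout later (say, a nested address block) shows up as a named path instead of silently leaking.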

Federated authentication balances access with security

Sitecore 9's new federated authentication controls support greater flexibility and broader user access while still maintaining tight control over critical databases and platforms. Previously, user accounts and permissions were handled locally within Sitecore, limiting the choice of identity services. Companies are no longer tied to a specific identity provider and can integrate whatever identity management solution they prefer with their Sitecore instance.

With Sitecore 9, the Sitecore development team has addressed a number of pressing cybersecurity concerns, enhancing the platform's defensive posture. Not all of these security features are ready to use straight out of the box; some require a fair amount of work to configure properly.

Working with an experienced Sitecore consultant ensures that any Sitecore instance is optimized for security purposes. Arrow Digital is a trusted Sitecore partner with the skills and know-how needed to securely implement Sitecore changes whether you're starting out fresh or migrating over from an older version.