Security

We ensure real-time protection, optimal performance and data integrity.

Episerver’s Digital Experience Cloud service represents the convergence of all Episerver’s technologies and value within one streamlined solution. While many have benefited from the overall value, ease of use, and adaptability to solve for many different digital strategies.

Our Digital Experience Cloud service is based on and includes Episerver’s core security values. Our worldwide support, integrity, continuous improvement, and transparency are a part of all our solutions and most certainly at the forefront for our Digital Experience Cloud Service.

Digital Experience Cloud Architecture

Services are deployed on Microsoft Azure and operate on a security hardened OS, specifically designed to limit the attack surface of the operating system. The service also provides automated elastic scaling to smoothly handle traffic peaks, assuring high performance for seasonal spikes and other unanticipated spikes in traffic.

An anti-malware service is running on all service operating systems to provide drive level protection against malicious file uploads. Each customer’s service is isolated by Virtual Networks. Availability and performance are constantly monitored.

All data-in-transit is encrypted via HTTPs/TLS. The delivery network provides a broader, wider attack base and the Web Application Firewall (WAF) provides state-of-the-art scanning to monitor for unusual or malicious traffic. The global 24/7/365 Episerver Managed Services team continuously manages and monitors the delivery network and WAF to anticipate and mitigate attacks including DDoS style attacks against the DNS and service. Service instances are load balanced and enabled for automated elastic scaling. Episerver also provides multi-domain SSL certificates with the service.

Secure & Reliable Datacenters

The Digital Experience Cloud Service runs on Azure datacenters. Each facility is designed to run 24x7x365 with protection from power failure, physical intrusion & network outages. The Datacenters comply with industry standards (including ISO 27001) for physical security & availability. Access to all entry points are protected by perimeter fencing, cameras and biometric safeguards including palm readers, iris recognition and fingerprint readers. Uninterruptible power supplies and seismic bracing ensure continuous operation.

For more information, please visit Microsoft's website.

Least Privilege Access

All Episerver team members are trained on ITIL best practices for security, privacy and quality. Access to applications and data is strictly limited by the principle of Least Privilege and all access is secured by encrypted network connections and IP Filtering.

Episerver team members only access data for the authorized purposes of archiving, backup, restoration, and collection of anonymized usage statistics to improve the service. Episerver does not access thinly grained data nor PII data.

Proactive Security Hardening

Microsoft continuously works to ensure Azure is protected through a pro-active process known as Red Teaming; a form of live site penetration testing against the Azure infrastructure. Microsoft simulates real-world breaches and practices security incident response to test and improve the security of Azure.

Note, no end-customer data or applications are targeted during Red Team penetration testing. For more information, please review this Microsoft page.

Episerver Secure Development Lifecycle (SDL)

Episerver & Microsoft follow formal processes to ensure our offerings are developed with security industry best practices. Episerver solutions are built by established teams that are focussed on building highly scalable, performant and secure systems. This is done through a Secure Development Lifecyle approach.

Episerver’s SDL utilizes principles from the Open Web Application Security Project (http://owasp.org) with processes in place to prevent security risks. Episerver’s .NET base runs managed code which also protects code and data from being misused or damaged by other code including potentially malicious programs.

Transparency of Service Health and Continuity

Episerver provides a service dashboard where you can register to receive incident updates and view information about platform-wide planned maintenance regarding the Digital Experience Cloud Service.

Episerver Managed Services and Support communicates incidents regarding customer specific applications and websites. Customers are notified by email regarding issues and are updated during the progress of the incident.

Monitoring

Episerver provides the following monitoring services:

External monitoring

Digital Experience Cloud externally monitors web applications and any issues are handled according to the incident management process. See the Incident Management section in this document.

Real User monitoring

Digital Experience Cloud monitors end-user experience by inserting a JavaScript on each page that measures end-user performance. A customer is required to include the application monitoring software package in their code build for the SLA to be applicable.

Application monitoring

Digital Experience Cloud includes application monitoring. A customer is required to include the application monitoring software package in their code build for the SLA to be applicable.

World – Documentation and Resources

Episerver World includes valuable information resources to help secure your Episerver solutions including considerations for Episerver Digital Experience Cloud.

This resource is readily available at world.episerver.com.

System Updates and Patching

The Digital Experience Cloud Service uses Microsoft Azure to run service instances and thus aligns with the Microsoft patch release cycle. Microsoft is responsible for patch management, learn more about Microsoft's Guest OS patch management schedule and the support lifecycle on their website. Episerver works closely with Microsoft for any edge cases involving patching.

Episerver follows a continuous release cycle with new releases on a weekly basis. Releases include both new features and fixes, and you can upgrade your solution at a cadence that makes sense for your business. Note that you are responsible for installing updates to the Episerver products you deploy in your service.

Reduced Risk through Reduced Scope

The service does not use the traditional version of Microsoft Windows, but rather a purpose-built version with a smaller attack surface and reduced potential for vulnerabilities. Each service instance uses isolated resources. With all the security benefits from Microsoft Azure, the scope of risk is reduced to traffic exclusive to web traffic at the network edge - more specifically ports 80 and 443.

Transport Layer Security (TLS/SSL)

TLS/SSL is commonly used for encrypted integration and communication with other services over HTTP (HTTPS). Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL) are cryptographic protocols that secure communications over a network by encrypting data being sent to and from each of the end-points. These protocols are used for securing communications for many different applications including email, voice-over-IP (VoIP), and web-based faxing. Websites also use TLS for encrypting data to and from web browsers interacting with web sites and applications.

All domains in the Episerver Digital Experience Cloud service are protected by TLS/SSL by default.

The service includes a shared TLS/SSL certificate provided by Episerver that will be valid for multiple domains in a multi-site configuration. This means that all domains will be TLS/SSL secured by default. Episerver manages renewals of the shared certificate.

For more information, please visit our service description.

Virtual Private Network (VPN)

VPN may be used to allow a secure connection to internal corporate resource(s), for example. Communication is one-way to on-premises systems.

Antivirus and anti-malware

Episerver Digital Experience Cloud Service utilizes Microsoft's standard approach for Azure antimalware to provide real-time protection and content scanning.

Web Application Firewall (WAF)

A WAF sits in front of the service to filter out malicious traffic at the application layer, see Open Systems Interconnection (OSI) Model. In Digital Experience Cloud Service, WAF is always enabled, constantly monitoring the website traffic. 

The WAF examines HTTP requests to your website, looking at all requests, and applying rules intended to filter out illegitimate traffic from legitimate website visitors. 

How does WAF protect my website?

A WAF is intended to automatically protects from an extensive list of attack types that is constantly updated including:

  • SQL injection, comment spam
  • Cross-site scripting (XSS)
  • Distributed denial of service (DDoS) attacks

A WAF uses rulesets to block common attacks. These rulesets may be updated at any time to keep the WAF up-to-date with evolving trends in attacks. Because the Digital Experience Cloud Service handles significant attack traffic, Episerver identifies new attack styles and adds new WAF rules intended to protect customers against these potential vulnerabilities.

The WAF engine runs the OWASP ModSecurity Core Ruleset by default, intended to protect against the OWASP Top 10 common vulnerabilities.

The Digital Experience Cloud Services uses WAF to stop attacks at the network edge, intended to protect your service from common web threats and specialized attacks.

  • Automatic protection from diverse threats, with strong default rule sets and extensive customization providing Layer 7 protection that is fully integrated with DDoS mitigation
  • Fast processing times with instant global updates
  • No hardware, software, or tuning required

See the Digital Experience Cloud Service WAF topic Security on Episerver World for additional information.

DDoS

A DDoS (distributed denial of service attack) is an attempt to overwhelm your service with a load of traffic and cause an outage. The objectives may vary, from interruption with outages or attempts to force entry through a back door or a more vulnerable web property that may be setup to manage outages. Such an attack is typically carried out by multiple systems and usually from a Trojan virus existing on unsuspecting user’s systems. This can make it difficult to distinguish good traffic from bad traffic.

Episerver Digital Experience Cloud Service includes advanced DDoS protection matching the sophistication and scale of such threats, and can be used to mitigate DDoS attacks of all forms and sizes including those that target the UDP and ICMP protocols, as well as SYN/ACK, DNS amplification and Layer 7 attacks.

Episerver’s Digital Experience Cloud Service operating on Microsoft Azure also share the advantage of Microsoft security protection against DDoS attacks.

Learn more about Microsoft Azure and DDoS here.

Delivery Network (CDN)

Episerver’s Digital Experience Cloud Service also mitigates DDoS attacks via its delivery network. Since 99% of DDoS attacks are volumetric and amplification based, the distributed nature of the delivery network helps absorb DDoS attacks. Since most DDoS ‘flood attacks’ use the User Datagram Protocol (UDP), such traffic is simply ignored.

Additionally, our delivery network is monitored 24/7 with both automatic and manual resources in place to reduce the impact of attacks; so, in many cases the customer doesn’t have to worry about it. Episerver’s Digital Experience Cloud Service delivery network provides a highly scalable reverse-proxy architecture with sophisticated DDoS identification and mitigation technology, to keep the service up and running.

DNS management

  • Customers can manage their own DNS (using a 3rd party) or Episerver can provide this service.
  • Episerver will manage a customer’s DNS records in the Digital Experience Cloud Service’s delivery network.

IDS/IPS management

Microsoft implements a defence in-depth approach and monitors the Microsoft Azure platform in many ways to detect possible attacks and vulnerabilities. The platform is protected by an active IDS/IPS system, which uses a number of techniques to detect attacks including traffic analysis.

Monitoring and Incident Management for Mission Critical Operations

We know that you cannot afford your digital presence not to be available all the time, regardless of traffic spikes. We constantly monitor all services – not just at the server level, but at the actual web delivery level – to be able to spot performance or availability issues and act upon them before they turn into problems.

Types of monitoring used:

  • Synthetic monitoring
  • Operational monitoring
  • Application Performance monitoring (APM)

Services included to catch and correct issues before they affect website delivery:

  • 24x7x365 incident and problem management
  • 24x7x365 Episerver Cloud support following ITIL processes
  • Full-stack service level management

Penetration Testing

Microsoft and their Red Team regularly pen test the underlying infrastructure of the Digital Experience Cloud Service. The Episerver platform is also subject to regular penetration tests conducted by customers and partners.

As implementations on top of the Episerver platform could unexpectedly introduce a security vulnerability, thorough testing of the entire implementation is strongly suggested.

You can either conduct your own tests using tools or security services of your choice, or you can order this service through Episerver Expert Services.

If you plan to perform your own penetration tests, you need to notify Episerver at least 10 business days before the planned testing.
As Digital Experience Cloud Service is provided as-a-service, its critical for the instance of the application implementation to have vulnerability tests and penetration tests performed against the site.

  • Listing of IP addresses and DNS names from where the tests will originate
  • Authentication (our safe methods for operations)
  • Logging support for auditing
  • Isolation of services
  • Facilities
  • Monitoring of products and services / transparency

Web Vulnerability Scanning

Vulnerability scans protect against attacks on the website. Penetration testing thwarts hacking and attacks on routers, firewalls, and so on.

We analyze the code you deployed to your service instance from a hacker’s perspective and report back with the latest vulnerability findings.

  • Tests your service for over 500 vulnerabilities, including OWASP Top 10.
  • Active and passive security tests.
  • Offers integrations with the most popular developer tools.
  • Continuously updated by a top-ranked security team of white hat hackers.

Governance with Managed deployment

Digital Experience Cloud Service includes a Managed Service process and Deployment Environments as steps in that process to ensure governance and segregation of duties throughout the deployment process thus helping ensure the SLA.

Default deployment environments are described in detail within our service description.

  • Trust Center

    Episerver's security values ensure that our customers are always supported by safe, secure solutions.

  • Privacy

    Control, security, and transparency – Episerver’s Data privacy agenda.

  • Compliance

    Integrated security compliance using a trusted infrastructure.

Step
  1. 1
  2. 2

Book your personalized demo today.

Our platform is easy to use and incredibly effective. We’ll show you how it can quickly transform your business.

You have already signed up for a demo. We will contact you shortly.

Book a demo

Almost there!

Please share a little more information so we can present a customized demo.

Thank you for your demo request!

We will contact you shortly to set up a meeting on how Episerver can help your business.