Running Secure Drupal Websites with Acquia and AWS

Webinar Audio Options• Listen to streaming audio via your computer’s audio − WebEx Audio Broadcast pop-up• Trouble listening via your computer’s audio? Please request phone access• Technical support − US & Canada 866-229-3239 − International support 408-435-7088• International phone access numbers: − http://support.webex.com/support/phone -numbers.html

Drupal, the Cloud and SecurityRyan Holland Mike LemireSolutions Architect Director, Information SecurityAmazon Web Services AcquiaJessica IandiorioSr DirectorCloud MarketingAcquia July 25th, 2012

Webinar Audio Options• Listen to streaming audio via your computer’s audio − WebEx Audio Broadcast pop-up• Trouble listening via your computer’s audio? Please request phone access• Technical support − US & Canada 866-229-3239 − International support 408-435-7088• International phone access numbers: − http://support.webex.com/support/phone -numbers.html

Housekeeping• Today’s webinar is being recorded. Slides and recording will be posted in next few days at: − http://acquia.com/resources/recorded_webinars• Submit questions via Q&A Tab in WebEx, we’ll answer as many as we can − Give it a try & tell us where you joining from today

Agenda• Overview of the Cloud Shared Responsibility Model• Amazon Web Services Infrastructure level security• Acquia Cloud platform level security• Developing and Maintaining a Secure Drupal application

The Cloud Shared Responsibility Model

Infrastructure with Amazon Web Services: Security, Availability and Compliance Ryan Holland Solution Architect

AWS Security and Compliance Center (http://aws.amazon.com/security/)Answers to many security & privacy questions  Security whitepaper  Risk and Compliance whitepaperSecurity bulletinsCustomer penetration testingSecurity best practicesMore information on:  AWS Identity & Access Management (AWS IAM)  AWS Multi-Factor Authentication (AWS MFA)

Secure Data CentersMany years experience building large-scaledata centers.Important attributes and features:  Non-descript facilities  Military-grade perimeter control berms  Strictly controlled physical access (perimeter and building)  3 or more levels of two-factor authenticationControlled, need-based access for Amazonand AWS employees.All physical and electronic access is logged.

AWS is Built for “Continuous Availability” Scalable, fault tolerant services All Datacenters (AZs) are always on  No “Disaster Recovery Datacenter”  Managed to the same standards Robust Internet connectivity  Each AZ has redundant, Tier 1 ISP Service Providers  Resilient network infrastructure

Amazon EC2 Regions and Availability Zones US East (Northern Virginia) US West (Northern California) Availability Availability Availability Availability Zone A Zone B Zone A Zone B Availability Availability Zone C Zone D Availability Zone C Amazon EC2 Regions: US East (Northern Virginia) / US West (Northern California, Oregon) / South America (Sao Paulo) / EU (Dublin) / Asia Pacific (Singapore, Tokyo) / US GovCloud

Amazon EC2 Instance Isolation Customer 1 Customer 2 … Customer n Hypervisor Virtual Interfaces Customer 1 Security Groups Customer 2 Security Groups … Customer n Security Groups Firewall Physical Interfaces

Multi-tier Security Architecture Web Tier Application Tier Database Tier EBS VolumePorts 80 and 443 only open to the Internet Engineering staff have ssh access to the App Tier, which acts as Bastion Amazon EC2 Security Group Firewall

Amazon Virtual Private Cloud (VPC) Create a logically isolated environment in Amazon’s highly scalable infrastructure Specify your private IP address range into one or more public or private subnets Control inbound and outbound access to and from individual subnets using stateless Network Access Control Lists Protect your Instances with stateful filters for inbound and outbound traffic using Security Groups Attach an Elastic IP address to any instance in your VPC so it can be reached directly from the Internet Bridge your VPC and your onsite IT infrastructure with an industry standard encrypted VPN connection Use a wizard to easily create your VPC in 4 different topologies

EBS Wiping / Data Destruction Blocks Zeroed Out Upon Provisioning Logical-to-Physical Block Mapping Created during provisioning Destroyed during de-provisioning Failed Hardware Degaussed Sent to the Chipper

SOC 1 / SSAE 16 / ISAE 3402 Statement on Standards for Attestation Engagements (SSAE) 16 format (equivalent to the International Standard on Assurance Engagements [ISAE] 3402) replaces the SAS 70 Type II Covers Access, Change Management and Operations of EC2, S3, VPC, EBS, RDS, DynamoDB, VM Import, and DirectConnect  Control Objective 1: Security Organization  Control Objective 2: Employee User Access  Control Objective 3: Logical Security  Control Objective 4: Secure Data Handling  Control Objective 5: Physical Security and Environmental Protection  Control Objective 6: Change Management  Control Objective 7: Data Integrity, Availability and Redundancy  Control Objective 8: Incident Handling Includes all Regions Audited by an independent accounting firm and updated every 6 months Report available under NDA

ISO 27001 Certification ISO 27001/27002 certification achieved 11/2010 Follows ISO 27002 best practice guidance Covers the AWS Information Security Management System (ISMS) Covers EC2, S3, VPC, EBS, and RDS Includes all Regions ISO certifying agent: Ernst & Young CertifyPoint

PCI DSS Level 1 Service Provider PCI DSS 2.0 compliant Covers core infrastructure & services  EC2, VPC, S3, EBS, RDS, ELB, and IAM Use normally, no special configuration Leverage the work of our QSA AWS will work with merchants and designated Qualified Incident Response Assessors (QIRA)  can support forensic investigations Certified in all regions

FISMA/DIACAP Granted per project by Agency DAA AWS covers controls required for:  FIPS 199 Low & Moderate Impact  DIACAP MAC II Sensitivity Acquia manages application layer controls

Acquia Cloud Platform:Security, Availability and ComplianceMike LemireDirector, SecurityAcquia

Acquia Cloud Documentation CenterAll of the information presented here in much more detailhttps://docs.acquia.com/https://docs.acquia.com/cloud/arch/security

OS Layer Security• Acquia Cloud secure build − Unneeded services and ports disabled − “Least privilege” access − Consistent, centralized user management• Real-time HIDS (Host Intrusion Detection System) monitoring utilizing OSSEC• Option for whole disk encryption

Security Patch Management• Ubuntu 10.04 LTS OS• Major security advisories monitored including US-Cert, Ubuntu, Mitre, Rapid7 and Qualys.• Security and Operatiosn teams evalutate, test and schedule patch deployment.• OS and LAMP-stack security patches quickly deployed using our puppet based management infrastructure• Host based vulnerability testing weekly

Secure Server Management• “Three-factor” authentication required for Acquia’s operations and support teams − PKI, Key passcode, One Time Password (OTP) − Admin access to Acquia Cloud utilizes encrypted channels (ssh, scp, etc.) Via Bastion host(s)• Audited role based access within Acquia

Network Security• Three layers of firewalls: Amazon, AWS provided-Acquia managed hypervisor firewall and host firewall.• Full support for HTTPS/SSL/TLS certificates• DoS attack monitoring and response• DDoS partners: DOS Arrest, Akamai

High Availability• Managed Cloud and Drupal Gardens environments built using redundant servers spread across multiple Availability Zones with automatic failover

Disaster Recovery• Optional hot standby site in alternative Amazon Region• Continuous data replication• Failover based on DNS

Backups• Database, code and files backed up to multiple data centers via Amazon S3 every 1 to 4 hours; weekly snapshots retained for one week; monthly snapshots retained for 3 months• Self help backups – from Acquia Network web interface or scripted.

Change Control• Acquia utilizes Agile development methodology• Change control is included as part of our SSAE16 audits• Production changes require code review and system tests before deployment to production environment

Personnel Security• Security, privacy and ethics training for all employees• Background checks for employees with production access• NIST – aligned internal security policies• Audit trails

Security Resources at Acquia• Extensive expertise to help you architect and plan your Drupal site• 11 members of 40 member Drupal Security team• Professional Services Security Audit

Meeting Compliance Standards• FISMA (moderate) and DIACAP (MAC II Sensitive) compliance packages.• SSAE16 SOC 1 Audited• Future roadmap: ISO 27001/2, Cloud Security Alliance STAR registry• Customer Sites: HIPAA, PCI compliant, Federal agencies

Securing Drupal

Drupal Security Responsibilities So who is responsible for the Drupal layer security? Answer: the site owner who may entrust • Drupal dev team at the company who owns the site • Third party development shop • Acquia if contracted for TAM (Technical Account Manager)

Is Drupal Secure?• Drupal is proven secure. Drupal as a platform is deployed in hundreds of thousands of web sites including some very high profile corporate and government sites• Drupal is continuously probed, scanned and analyzed for security defects

Drupal Security team • 40 members, including 11 Acquians, on Drupal security team • Establish mechanism to report and resolve reported security issues • Publish security advisories • Produce documentation: • Writing secure Drupal code • Securing a Drupal site • More info: http://drupal.org/security-team

Drupal Development Best Practices• Leverage latest Drupal core and stable modules• Follow best practices when custom coding• Pay particular attention to input and output validation• Make use of Drupal core APIsResources:• http://drupal.org/writing-secure-code/• http://groups.drupal.org/best-practices-drupal-security• Cracking Drupal by Greg Knaddison

Leverage Drupal’s Role Based Accesspermissions• Drupal 6 default roles: Anonymous, Authenticated• Drupal 7 default roles: Anonymous, Authenticated, Administer• Create roles and assign permissions with a least privileged mind-set• More info: http://drupal.org/node/22275/

Security – Related Drupal modulesA wealth of contributed modules extend Drupal’s built in security:• Login and session controls modules• Password controls modules• Authentication modules• Logging and audit modules• Anti-spam and protection• Secure communications• Leverage Anti-virus modules to scan file uploads• More:http://drupalscout.com/knowledge-base/contributed-modules- securing-your-drupal-site

Acquia Insight: Your Drupal Security Wizard• Insight analyzes Drupal sites for security, performance, and SEO problems• Included with any Acquia subscription − Compatible with any Drupal site (not just Acquia Cloud sites)• Identifies security and performance configuration errors• Verifies Drupal security patches are installed

Insight: Your Drupal Security Wizard

Architecting Highly Secure Drupal sitesReduce the attack vector• Protect /admin to known IP’s and Networks (.htaccess)• Separate edit and publish sites• Third party services: • Akamai CDN and Security Services • DOS Arrest

Drupal Secure Lifecycle • Update Core and Modules when advised to • Conduct vulnerability scans

Questions• For more information, visit: − http://acquia.com − http://twitter.com/acquia• Contact us: Today’s webinar recording will be posted at: − sales@acquia.com http://acquia.com/resources/recorded_webinars − 888.9.ACQUIA

Acquia is Hiring• Do you love working with Drupal?• If so, Acquia is hiring in North America & Europe: − Engineering & design − Client advisors and consulting − Inside sales Check out openings at http://acquia.com/careers

http://www.scoop.it	526
http://www.acquia.com	83
https://www.acquia.com	78
http://xss.yandex.net	2
http://acquiacomstg.network.acquia-sites.com	1
http://acquialocaldev7.com	1

Running Secure Drupal Websites with Acquia and AWS

by Acquia on Jul 26, 2012

Accessibility

Categories

Upload Details

Usage Rights

6 Embeds 691

Statistics

Running Secure Drupal Websites with Acquia and AWS Presentation Transcript