Running Secure Drupal Websites with Acquia and AWS

Published in: Technology, Business
  • I'm Ryan Holland, a Solution Architect on our partner team at Amazon Web Services. Our team is focused on building up an ecosystem of partners so customers can deploy the same types of solutions on AWS as they use on premise.
  • One of the core tenets of information security is availability, so I think it's important we cover how we approach this at AWS. Our services are built to provide continuous availability. This is accomplished by providing multiple datacenters within a region; we refer to these as Availability Zones. These are always-on datacenters, which allows for active/active deployments across multiple physical datacenters. Each availability zone is designed with fault separation from other availability zones within a region; what we mean by that is they are physically separated, built on different flood plains and utilize different power grids to reduce single points of failure. To provide network diversity and resiliency, each availability zone is redundantly connected to multiple Tier 1 transit providers.
  • Availability zones are contained within a geographical region. It should be pointed out that the drawing on this slide is conceptual and the number of availability zones within a region may vary. The selection of a region can be important for meeting location-dependent privacy and compliance requirements, such as the EU data privacy directive, as data is not replicated across regions. As you can see, today EC2 has expanded to 8 Regions globally, which not only allows data to be placed in specific jurisdictions to meet compliance requirements but also provides a global footprint of infrastructure on which to deploy your applications, which can then minimize latency to customers accessing applications running in EC2. **Add note to slide about conceptual AZs
  • Now I want to go through some of the compliance certifications that AWS has in place. First is the SOC 1, which has replaced the SAS70. AWS publishes a SOC1 audit report every six months. For the SOC1, AWS identifies the controls relating to the operational performance and security of our services, and then an auditor evaluates the design of the control objectives and control activities to ensure they are effective. The auditors also verify the operation of those controls, attesting that the controls are operating as designed. As you can see on this slide, there are 8 control objectives covered in our SOC1 audit; the full report identifies the control activities that support each of these objectives. The scope of this audit covers our access, change management and operations for EC2, S3, VPC (Virtual Private Cloud), EBS (Elastic Block Storage), RDS (a managed relational database service that offers MySQL, Oracle and Microsoft SQL Server), DynamoDB (a fully managed NoSQL database), VM Import and DirectConnect. This report is available to customers who have a signed non-disclosure agreement in place.
  • The last certification I’ll cover is ISO27001. ISO 27001 is a widely-adopted global security certification that sets out requirements and best practices for a systematic approach to managing company and customer information. AWS has achieved ISO 27001 certification of our Information Security Management System (ISMS) covering AWS infrastructure, data centers, and services including Amazon EC2, Amazon S3 and Amazon VPC, EBS and RDS. AWS’s ISO 27001 certification includes all AWS data centers in all regions worldwide. You can get more information about our ISO27001 certification, as well as see frequently asked questions, on the Security and Compliance website I mentioned at the beginning of this presentation.
  • The next certification I want to discuss is PCI. AWS satisfies the requirements under PCI DSS for shared hosting providers. AWS also has been successfully validated against standards applicable to a Level 1 service provider under PCI DSS Version 2.0. Now that doesn’t mean that by using AWS you are automatically PCI compliant; it means merchants and other PCI service providers can use the AWS infrastructure for storing, processing, and transmitting credit card information in the cloud, as long as those customers create PCI compliance for their part of the shared environment. This is another area where our partners, such as SafeNet, can help customers build compliant architecture in AWS, as part of the customer responsibility for PCI will be to ensure that cardholder data is encrypted at rest.
  • To ensure that Drupal meets the highest standards for web application security on an ongoing basis, the Drupal project has a security team of 35 active members. Over the years, this team has continually strengthened Drupal’s core APIs by managing a disciplined process of testing and peer review of code, as well as the distribution of security advisories to the Drupal community. These advisories include, as appropriate, patches to modules, updated versions, or instructions on how to mitigate the security risk (temporary workarounds). The Drupal Security Report details how the Drupal project addresses web application security with their “Top Ten Most Critical Web Application Security Risks” including Injection, Cross-site Scripting (XSS) and others.
  • Transcript of "Running Secure Drupal Websites with Acquia and AWS"

    1. Webinar Audio Options
       • Listen to streaming audio via your computer’s audio
         − WebEx Audio Broadcast pop-up
       • Trouble listening via your computer’s audio? Please request phone access
       • Technical support
         − US & Canada 866-229-3239
         − International support 408-435-7088
       • International phone access numbers:
         − http://support.webex.com/support/phone-numbers.html
    2. Drupal, the Cloud and Security
       • Ryan Holland, Solutions Architect, Amazon Web Services
       • Mike Lemire, Director, Information Security, Acquia
       • Jessica Iandiorio, Sr Director, Cloud Marketing, Acquia
       • July 25th, 2012
    4. Housekeeping
       • Today’s webinar is being recorded. Slides and recording will be posted in the next few days at:
         − http://acquia.com/resources/recorded_webinars
       • Submit questions via Q&A Tab in WebEx, we’ll answer as many as we can
         − Give it a try & tell us where you are joining from today
    5. Agenda
       • Overview of the Cloud Shared Responsibility Model
       • Amazon Web Services Infrastructure level security
       • Acquia Cloud platform level security
       • Developing and Maintaining a Secure Drupal application
    6. The Cloud Shared Responsibility Model
    7. Infrastructure with Amazon Web Services: Security, Availability and Compliance
       • Ryan Holland, Solution Architect
    8. AWS Security and Compliance Center (http://aws.amazon.com/security/)
       • Answers to many security & privacy questions
         − Security whitepaper
         − Risk and Compliance whitepaper
       • Security bulletins
       • Customer penetration testing
       • Security best practices
       • More information on:
         − AWS Identity & Access Management (AWS IAM)
         − AWS Multi-Factor Authentication (AWS MFA)
    9. Secure Data Centers
       • Many years experience building large-scale data centers.
       • Important attributes and features:
         − Non-descript facilities
         − Military-grade perimeter control berms
         − Strictly controlled physical access (perimeter and building)
         − 3 or more levels of two-factor authentication
       • Controlled, need-based access for Amazon and AWS employees.
       • All physical and electronic access is logged.
    10. AWS is Built for “Continuous Availability”
       • Scalable, fault tolerant services
       • All Datacenters (AZs) are always on
         − No “Disaster Recovery Datacenter”
         − Managed to the same standards
       • Robust Internet connectivity
         − Each AZ has redundant, Tier 1 ISP Service Providers
         − Resilient network infrastructure
    11. Amazon EC2 Regions and Availability Zones
       • [Diagram: conceptual layout of Availability Zones within the US East (Northern Virginia) and US West (Northern California) Regions]
       • Amazon EC2 Regions: US East (Northern Virginia) / US West (Northern California, Oregon) / South America (Sao Paulo) / EU (Dublin) / Asia Pacific (Singapore, Tokyo) / US GovCloud
    12. Amazon EC2 Instance Isolation
       • [Diagram layers, in the order shown: Customer 1, Customer 2, … Customer n; Hypervisor; Virtual Interfaces; Customer 1 Security Groups, Customer 2 Security Groups, … Customer n Security Groups; Firewall; Physical Interfaces]
    13. Multi-tier Security Architecture
       • [Diagram: Web Tier, Application Tier, Database Tier, EBS Volume]
       • Ports 80 and 443 only open to the Internet
       • Engineering staff have ssh access to the App Tier, which acts as Bastion
       • Amazon EC2 Security Group Firewall
    14. Amazon Virtual Private Cloud (VPC)
       • Create a logically isolated environment in Amazon’s highly scalable infrastructure
       • Specify your private IP address range into one or more public or private subnets
       • Control inbound and outbound access to and from individual subnets using stateless Network Access Control Lists
       • Protect your Instances with stateful filters for inbound and outbound traffic using Security Groups
       • Attach an Elastic IP address to any instance in your VPC so it can be reached directly from the Internet
       • Bridge your VPC and your onsite IT infrastructure with an industry standard encrypted VPN connection
       • Use a wizard to easily create your VPC in 4 different topologies
    15. EBS Wiping / Data Destruction
       • Blocks Zeroed Out Upon Provisioning
       • Logical-to-Physical Block Mapping
         − Created during provisioning
         − Destroyed during de-provisioning
       • Failed Hardware
         − Degaussed
         − Sent to the Chipper
    16. SOC 1 / SSAE 16 / ISAE 3402
       • Statement on Standards for Attestation Engagements (SSAE) 16 format (equivalent to the International Standard on Assurance Engagements [ISAE] 3402) replaces the SAS 70 Type II
       • Covers Access, Change Management and Operations of EC2, S3, VPC, EBS, RDS, DynamoDB, VM Import, and DirectConnect
         − Control Objective 1: Security Organization
         − Control Objective 2: Employee User Access
         − Control Objective 3: Logical Security
         − Control Objective 4: Secure Data Handling
         − Control Objective 5: Physical Security and Environmental Protection
         − Control Objective 6: Change Management
         − Control Objective 7: Data Integrity, Availability and Redundancy
         − Control Objective 8: Incident Handling
       • Includes all Regions
       • Audited by an independent accounting firm and updated every 6 months
       • Report available under NDA
    17. ISO 27001 Certification
       • ISO 27001/27002 certification achieved 11/2010
       • Follows ISO 27002 best practice guidance
       • Covers the AWS Information Security Management System (ISMS)
       • Covers EC2, S3, VPC, EBS, and RDS
       • Includes all Regions
       • ISO certifying agent: Ernst & Young CertifyPoint
    18. PCI DSS Level 1 Service Provider
       • PCI DSS 2.0 compliant
       • Covers core infrastructure & services
         − EC2, VPC, S3, EBS, RDS, ELB, and IAM
       • Use normally, no special configuration
       • Leverage the work of our QSA
       • AWS will work with merchants and designated Qualified Incident Response Assessors (QIRA)
         − can support forensic investigations
       • Certified in all regions
    19. FISMA/DIACAP
       • Granted per project by Agency DAA
       • AWS covers controls required for:
         − FIPS 199 Low & Moderate Impact
         − DIACAP MAC II Sensitivity
       • Acquia manages application layer controls
    20. Acquia Cloud Platform: Security, Availability and Compliance
       • Mike Lemire, Director, Security, Acquia
    21. Acquia Cloud Documentation Center
       • All of the information presented here in much more detail
         − https://docs.acquia.com/
         − https://docs.acquia.com/cloud/arch/security
    22. OS Layer Security
       • Acquia Cloud secure build
         − Unneeded services and ports disabled
         − “Least privilege” access
         − Consistent, centralized user management
       • Real-time HIDS (Host Intrusion Detection System) monitoring utilizing OSSEC
       • Option for whole disk encryption
    23. Security Patch Management
       • Ubuntu 10.04 LTS OS
       • Major security advisories monitored including US-Cert, Ubuntu, Mitre, Rapid7 and Qualys.
       • Security and Operations teams evaluate, test and schedule patch deployment.
       • OS and LAMP-stack security patches quickly deployed using our puppet based management infrastructure
       • Host based vulnerability testing weekly
    24. Secure Server Management
       • “Three-factor” authentication required for Acquia’s operations and support teams
         − PKI, Key passcode, One Time Password (OTP)
         − Admin access to Acquia Cloud utilizes encrypted channels (ssh, scp, etc.) via Bastion host(s)
       • Audited role based access within Acquia
    25. Network Security
       • Three layers of firewalls: Amazon, AWS provided-Acquia managed hypervisor firewall and host firewall.
       • Full support for HTTPS/SSL/TLS certificates
       • DoS attack monitoring and response
       • DDoS partners: DOS Arrest, Akamai
    26. High Availability
       • Managed Cloud and Drupal Gardens environments built using redundant servers spread across multiple Availability Zones with automatic failover
    27. Disaster Recovery
       • Optional hot standby site in alternative Amazon Region
       • Continuous data replication
       • Failover based on DNS
    28. Backups
       • Database, code and files backed up to multiple data centers via Amazon S3 every 1 to 4 hours; weekly snapshots retained for one week; monthly snapshots retained for 3 months
       • Self help backups – from Acquia Network web interface or scripted.
    29. Change Control
       • Acquia utilizes Agile development methodology
       • Change control is included as part of our SSAE16 audits
       • Production changes require code review and system tests before deployment to production environment
    30. Personnel Security
       • Security, privacy and ethics training for all employees
       • Background checks for employees with production access
       • NIST-aligned internal security policies
       • Audit trails
    31. Security Resources at Acquia
       • Extensive expertise to help you architect and plan your Drupal site
       • 11 members of 40 member Drupal Security team
       • Professional Services Security Audit
    32. Meeting Compliance Standards
       • FISMA (moderate) and DIACAP (MAC II Sensitive) compliance packages.
       • SSAE16 SOC 1 Audited
       • Future roadmap: ISO 27001/2, Cloud Security Alliance STAR registry
       • Customer Sites: HIPAA, PCI compliant, Federal agencies
    33. Securing Drupal
    34. Drupal Security Responsibilities
       • So who is responsible for the Drupal layer security? Answer: the site owner, who may entrust
         − Drupal dev team at the company who owns the site
         − Third party development shop
         − Acquia if contracted for TAM (Technical Account Manager)
    35. Is Drupal Secure?
       • Drupal is proven secure. Drupal as a platform is deployed in hundreds of thousands of web sites including some very high profile corporate and government sites
       • Drupal is continuously probed, scanned and analyzed for security defects
    36. Drupal Security team
       • 40 members, including 11 Acquians, on Drupal security team
       • Establish mechanism to report and resolve reported security issues
       • Publish security advisories
       • Produce documentation:
         − Writing secure Drupal code
         − Securing a Drupal site
       • More info: http://drupal.org/security-team
    37. Drupal Development Best Practices
       • Leverage latest Drupal core and stable modules
       • Follow best practices when custom coding
       • Pay particular attention to input and output validation
       • Make use of Drupal core APIs
       • Resources:
         − http://drupal.org/writing-secure-code/
         − http://groups.drupal.org/best-practices-drupal-security
         − Cracking Drupal by Greg Knaddison
    38. Leverage Drupal’s Role Based Access permissions
       • Drupal 6 default roles: Anonymous, Authenticated
       • Drupal 7 default roles: Anonymous, Authenticated, Administer
       • Create roles and assign permissions with a least privileged mind-set
       • More info: http://drupal.org/node/22275/
    39. Security-Related Drupal modules
       • A wealth of contributed modules extend Drupal’s built in security:
         − Login and session controls modules
         − Password controls modules
         − Authentication modules
         − Logging and audit modules
         − Anti-spam and protection
         − Secure communications
         − Leverage Anti-virus modules to scan file uploads
       • More: http://drupalscout.com/knowledge-base/contributed-modules-securing-your-drupal-site
    40. Acquia Insight: Your Drupal Security Wizard
       • Insight analyzes Drupal sites for security, performance, and SEO problems
       • Included with any Acquia subscription
         − Compatible with any Drupal site (not just Acquia Cloud sites)
       • Identifies security and performance configuration errors
       • Verifies Drupal security patches are installed
    41. Insight: Your Drupal Security Wizard
    42. Architecting Highly Secure Drupal sites
       • Reduce the attack vector
         − Protect /admin to known IPs and Networks (.htaccess)
         − Separate edit and publish sites
         − Third party services:
           Akamai CDN and Security Services
           DOS Arrest
    43. Drupal Secure Lifecycle
       • Update Core and Modules when advised to
       • Conduct vulnerability scans
    44. Questions
       • For more information, visit:
         − http://acquia.com
         − http://twitter.com/acquia
       • Contact us:
         − sales@acquia.com
         − 888.9.ACQUIA
       • Today’s webinar recording will be posted at:
         − http://acquia.com/resources/recorded_webinars
    45. Acquia is Hiring
       • Do you love working with Drupal?
       • If so, Acquia is hiring in North America & Europe:
         − Engineering & design
         − Client advisors and consulting
         − Inside sales
       • Check out openings at http://acquia.com/careers
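
The multi-tier layout on slide 13 (ports 80 and 443 only open to the Internet, ssh reaching the App Tier as bastion, the database behind it) can be checked mechanically against exported security-group rules. The following is an added example, not part of the original deck or of AWS or Acquia tooling; the rule dictionaries follow the shape of the EC2 DescribeSecurityGroups response, while the group IDs, CIDRs, the `Tier` key and the allowed app-to-web ssh hop are assumptions made for illustration.

```python
# Added example: checks security-group rules against the three-tier layout on slide 13.
# Rule dicts follow the shape returned by EC2 DescribeSecurityGroups
# (IpPermissions / IpRanges / UserIdGroupPairs). Group IDs, CIDRs and the
# "Tier" key are constructed for this example.

WEB_PORTS = {80, 443}
SSH_PORT = 22
STAFF_CIDRS = {"203.0.113.0/24"}  # assumed engineering-staff network (documentation range)


def _ports(perm):
    """Port range covered by one permission; protocol "-1" means every port."""
    if perm.get("IpProtocol") == "-1" or "FromPort" not in perm:
        return range(0, 65536)
    return range(perm["FromPort"], perm["ToPort"] + 1)


def _cidr_allowed(tier, cidr, ports, staff_cidrs):
    """CIDR-sourced rules: web takes 80/443 only, app takes ssh from staff only."""
    if tier == "web":
        return set(ports) <= WEB_PORTS
    if tier == "app":
        return cidr in staff_cidrs and set(ports) == {SSH_PORT}
    return False  # the database tier accepts no CIDR-sourced traffic


def _group_allowed(dst_tier, src_tier, ports):
    """Group-sourced rules: web -> app, app -> db, and ssh hops from the bastion (app) to web."""
    if (src_tier, dst_tier) in {("web", "app"), ("app", "db")}:
        return True
    return (src_tier, dst_tier) == ("app", "web") and set(ports) == {SSH_PORT}


def audit(groups, staff_cidrs=STAFF_CIDRS):
    """Return sorted (group_id, source, from_port, to_port) tuples for rules outside the model."""
    tier_of = {g["GroupId"]: g["Tier"] for g in groups}
    findings = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            ports = _ports(perm)
            span = (ports.start, ports.stop - 1)
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if not _cidr_allowed(g["Tier"], cidr, ports, staff_cidrs):
                    findings.append((g["GroupId"], cidr, *span))
            for pair in perm.get("UserIdGroupPairs", []):
                src_tier = tier_of.get(pair["GroupId"])  # None for unknown groups
                if not _group_allowed(g["Tier"], src_tier, ports):
                    findings.append((g["GroupId"], pair["GroupId"], *span))
    return sorted(findings)


def _rule(port, cidr=None, group=None):
    """Build one constructed tcp permission from either a CIDR or a source group."""
    perm = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port}
    if cidr:
        perm["IpRanges"] = [{"CidrIp": cidr}]
    if group:
        perm["UserIdGroupPairs"] = [{"GroupId": group}]
    return perm


# Constructed sample: two rules break the model (ssh open to the world on the
# web tier, and the web tier talking straight to the database).
SAMPLE_GROUPS = [
    {"GroupId": "sg-web0001", "Tier": "web", "IpPermissions": [
        _rule(80, cidr="0.0.0.0/0"), _rule(443, cidr="0.0.0.0/0"),
        _rule(22, cidr="0.0.0.0/0"), _rule(22, group="sg-app0001")]},
    {"GroupId": "sg-app0001", "Tier": "app", "IpPermissions": [
        _rule(8080, group="sg-web0001"), _rule(22, cidr="203.0.113.0/24")]},
    {"GroupId": "sg-db0001", "Tier": "db", "IpPermissions": [
        _rule(3306, group="sg-app0001"), _rule(3306, group="sg-web0001")]},
]

if __name__ == "__main__":
    for gid, source, lo, hi in audit(SAMPLE_GROUPS):
        print(f"{gid}: ports {lo}-{hi} reachable from {source}")
```

Because security groups are stateful (slide 14), only inbound rules need checking here; return traffic is allowed automatically.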