Running Secure Drupal Websites with Acquia and AWS
  • I'm Ryan Holland, a Solution Architect on our partner team at Amazon Web Services. Our team is focused on building up an ecosystem of partners so customers can deploy the same types of solutions on AWS as they use on premise.
  • One of the core tenets of information security is availability, so I think it's important we cover how we approach this at AWS. Our services are built to provide continuous availability; this is accomplished by providing multiple datacenters within a region. We refer to these as Availability Zones; these are always-on datacenters, which allows for active/active deployments across multiple physical datacenters. Each availability zone is designed with fault separation from other availability zones within a region; what we mean by that is they are physically separated, built on different flood plains and utilize different power grids to reduce single points of failure. To provide network diversity and resiliency, each availability zone is redundantly connected to multiple Tier 1 transit providers.
  • Availability zones are contained within a geographical region. It should be pointed out that the drawing on this slide is conceptual and the number of availability zones within a region may vary. The selection of a region can be important for meeting location-dependent privacy and compliance requirements, such as the EU data privacy directive, as data is not replicated across regions. As you can see, today EC2 has expanded to 8 Regions globally, which not only allows data to be placed in specific jurisdictions to meet compliance requirements but also provides a global footprint of infrastructure on which to deploy your applications, which can then minimize latency to customers accessing applications running in EC2. **Add note to slide about conceptual AZs
  • Now I want to go through some of the compliance certifications that AWS has in place. First is the SOC 1, which has replaced the SAS70. AWS publishes a SOC1 audit report every six months. For the SOC1, AWS identifies the controls relating to the operational performance and security of our services and then an auditor evaluates the design of the control objectives and control activities to ensure they are effective. The auditors also verify the operation of those controls, attesting that the controls are operating as designed. As you can see on this slide, there are 8 control objectives covered in our SOC1 audit; the full report identifies the control activities that support each of these objectives. The scope of this audit covers our access, change management and operations for EC2, S3, VPC (Virtual Private Cloud), EBS (Elastic Block Storage), RDS (a managed relational database service that offers MySQL, Oracle and Microsoft SQL Server), DynamoDB (a fully managed NoSQL database), VM Import and DirectConnect. This report is available to customers who have a signed non-disclosure agreement in place.
  • The last certification I’ll cover is ISO27001. ISO 27001 is a widely-adopted global security certification that sets out requirements and best practices for a systematic approach to managing company and customer information. AWS has achieved ISO 27001 certification of our Information Security Management System (ISMS) covering AWS infrastructure, data centers, and services including Amazon EC2, Amazon S3 and Amazon VPC, EBS and RDS. AWS’s ISO 27001 certification includes all AWS data centers in all regions worldwide. You can get more information about our ISO27001 certification as well as see frequently asked questions on the Security and Compliance website I mentioned at the beginning of this presentation.
  • The next certification I want to discuss is PCI. AWS satisfies the requirements under PCI DSS for shared hosting providers. AWS also has been successfully validated against standards applicable to a Level 1 service provider under PCI DSS Version 2.0. Now that doesn’t mean that by using AWS you are automatically PCI compliant; it means merchants and other PCI service providers can use the AWS infrastructure for storing, processing, and transmitting credit card information in the cloud, as long as those customers create PCI compliance for their part of the shared environment. This is another area where our partners, such as SafeNet, can help customers build compliant architecture in AWS, as part of the customer responsibility for PCI will be to ensure that cardholder data is encrypted at rest.
  • To ensure that Drupal meets the highest standards for web application security on an ongoing basis, the Drupal project has a security team of 35 active members. Over the years, this team has continually strengthened Drupal’s core APIs by managing a disciplined process of testing and peer review of code, as well as the distribution of security advisories to the Drupal community. These advisories include, as appropriate, patches to modules, updated versions, or instructions on how to mitigate the security risk (temporary workarounds). The Drupal Security Report details how the Drupal project addresses web application security with their “Top Ten Most Critical Web Application Security Risks” including Injection, Cross-site Scripting (XSS) and others.

Running Secure Drupal Websites with Acquia and AWS Presentation Transcript

  • 1. Webinar Audio Options
      • Listen to streaming audio via your computer’s audio
          − WebEx Audio Broadcast pop-up
      • Trouble listening via your computer’s audio? Please request phone access
      • Technical support
          − US & Canada 866-229-3239
          − International support 408-435-7088
      • International phone access numbers:
          − http://support.webex.com/support/phone-numbers.html
  • 2. Drupal, the Cloud and Security
      • Ryan Holland, Solutions Architect, Amazon Web Services
      • Mike Lemire, Director, Information Security, Acquia
      • Jessica Iandiorio, Sr Director, Cloud Marketing, Acquia
      • July 25th, 2012
  • 4. Housekeeping
      • Today’s webinar is being recorded. Slides and recording will be posted in next few days at:
          − http://acquia.com/resources/recorded_webinars
      • Submit questions via Q&A Tab in WebEx, we’ll answer as many as we can
          − Give it a try & tell us where you joining from today
  • 5. Agenda
      • Overview of the Cloud Shared Responsibility Model
      • Amazon Web Services Infrastructure level security
      • Acquia Cloud platform level security
      • Developing and Maintaining a Secure Drupal application
  • 6. The Cloud Shared Responsibility Model
  • 7. Infrastructure with Amazon Web Services: Security, Availability and Compliance Ryan Holland Solution Architect
  • 8. AWS Security and Compliance Center (http://aws.amazon.com/security/)
      • Answers to many security & privacy questions
          − Security whitepaper
          − Risk and Compliance whitepaper
      • Security bulletins
      • Customer penetration testing
      • Security best practices
      • More information on:
          − AWS Identity & Access Management (AWS IAM)
          − AWS Multi-Factor Authentication (AWS MFA)
  • 9. Secure Data Centers
      • Many years experience building large-scale data centers.
      • Important attributes and features:
          − Non-descript facilities
          − Military-grade perimeter control berms
          − Strictly controlled physical access (perimeter and building)
          − 3 or more levels of two-factor authentication
      • Controlled, need-based access for Amazon and AWS employees.
      • All physical and electronic access is logged.
  • 10. AWS is Built for “Continuous Availability”
      • Scalable, fault tolerant services
      • All Datacenters (AZs) are always on
          − No “Disaster Recovery Datacenter”
          − Managed to the same standards
      • Robust Internet connectivity
          − Each AZ has redundant, Tier 1 ISP Service Providers
          − Resilient network infrastructure
  • 11. Amazon EC2 Regions and Availability Zones
      • [Diagram: two example regions, US East (Northern Virginia) and US West (Northern California), each containing multiple Availability Zones]
      • Amazon EC2 Regions: US East (Northern Virginia) / US West (Northern California, Oregon) / South America (Sao Paulo) / EU (Dublin) / Asia Pacific (Singapore, Tokyo) / US GovCloud
  • 12. Amazon EC2 Instance Isolation
      • [Diagram, layers in the order shown: Customer 1, Customer 2, … Customer n; Hypervisor; Virtual Interfaces; Customer 1 Security Groups, Customer 2 Security Groups, … Customer n Security Groups; Firewall; Physical Interfaces]
  • 13. Multi-tier Security Architecture
      • [Diagram: Web Tier, Application Tier, Database Tier, EBS Volume; Amazon EC2 Security Group Firewall]
      • Ports 80 and 443 only open to the Internet
      • Engineering staff have ssh access to the App Tier, which acts as Bastion
  • 14. Amazon Virtual Private Cloud (VPC)
      • Create a logically isolated environment in Amazon’s highly scalable infrastructure
      • Specify your private IP address range into one or more public or private subnets
      • Control inbound and outbound access to and from individual subnets using stateless Network Access Control Lists
      • Protect your Instances with stateful filters for inbound and outbound traffic using Security Groups
      • Attach an Elastic IP address to any instance in your VPC so it can be reached directly from the Internet
      • Bridge your VPC and your onsite IT infrastructure with an industry standard encrypted VPN connection
      • Use a wizard to easily create your VPC in 4 different topologies
  • 15. EBS Wiping / Data Destruction
      • Blocks Zeroed Out Upon Provisioning
      • Logical-to-Physical Block Mapping
          − Created during provisioning
          − Destroyed during de-provisioning
      • Failed Hardware
          − Degaussed
          − Sent to the Chipper
  • 16. SOC 1 / SSAE 16 / ISAE 3402
      • Statement on Standards for Attestation Engagements (SSAE) 16 format (equivalent to the International Standard on Assurance Engagements [ISAE] 3402) replaces the SAS 70 Type II
      • Covers Access, Change Management and Operations of EC2, S3, VPC, EBS, RDS, DynamoDB, VM Import, and DirectConnect
          − Control Objective 1: Security Organization
          − Control Objective 2: Employee User Access
          − Control Objective 3: Logical Security
          − Control Objective 4: Secure Data Handling
          − Control Objective 5: Physical Security and Environmental Protection
          − Control Objective 6: Change Management
          − Control Objective 7: Data Integrity, Availability and Redundancy
          − Control Objective 8: Incident Handling
      • Includes all Regions
      • Audited by an independent accounting firm and updated every 6 months
      • Report available under NDA
  • 17. ISO 27001 Certification
      • ISO 27001/27002 certification achieved 11/2010
      • Follows ISO 27002 best practice guidance
      • Covers the AWS Information Security Management System (ISMS)
      • Covers EC2, S3, VPC, EBS, and RDS
      • Includes all Regions
      • ISO certifying agent: Ernst & Young CertifyPoint
  • 18. PCI DSS Level 1 Service Provider
      • PCI DSS 2.0 compliant
      • Covers core infrastructure & services
          − EC2, VPC, S3, EBS, RDS, ELB, and IAM
      • Use normally, no special configuration
      • Leverage the work of our QSA
      • AWS will work with merchants and designated Qualified Incident Response Assessors (QIRA)
          − can support forensic investigations
      • Certified in all regions
  • 19. FISMA/DIACAP
      • Granted per project by Agency DAA
      • AWS covers controls required for:
          − FIPS 199 Low & Moderate Impact
          − DIACAP MAC II Sensitivity
      • Acquia manages application layer controls
  • 20. Acquia Cloud Platform: Security, Availability and Compliance
      • Mike Lemire, Director, Security, Acquia
  • 21. Acquia Cloud Documentation Center
      • All of the information presented here in much more detail
          − https://docs.acquia.com/
          − https://docs.acquia.com/cloud/arch/security
  • 22. OS Layer Security
      • Acquia Cloud secure build
          − Unneeded services and ports disabled
          − “Least privilege” access
          − Consistent, centralized user management
      • Real-time HIDS (Host Intrusion Detection System) monitoring utilizing OSSEC
      • Option for whole disk encryption
  • 23. Security Patch Management
      • Ubuntu 10.04 LTS OS
      • Major security advisories monitored including US-CERT, Ubuntu, Mitre, Rapid7 and Qualys.
      • Security and Operations teams evaluate, test and schedule patch deployment.
      • OS and LAMP-stack security patches quickly deployed using our Puppet-based management infrastructure
      • Host based vulnerability testing weekly
  • 24. Secure Server Management
      • “Three-factor” authentication required for Acquia’s operations and support teams
          − PKI, Key passcode, One Time Password (OTP)
          − Admin access to Acquia Cloud utilizes encrypted channels (ssh, scp, etc.) via Bastion host(s)
      • Audited role based access within Acquia
  • 25. Network Security
      • Three layers of firewalls: Amazon, AWS provided-Acquia managed hypervisor firewall and host firewall.
      • Full support for HTTPS/SSL/TLS certificates
      • DoS attack monitoring and response
      • DDoS partners: DOS Arrest, Akamai
  • 26. High Availability
      • Managed Cloud and Drupal Gardens environments built using redundant servers spread across multiple Availability Zones with automatic failover
  • 27. Disaster Recovery
      • Optional hot standby site in alternative Amazon Region
      • Continuous data replication
      • Failover based on DNS
  • 28. Backups
      • Database, code and files backed up to multiple data centers via Amazon S3 every 1 to 4 hours; weekly snapshots retained for one week; monthly snapshots retained for 3 months
      • Self help backups – from Acquia Network web interface or scripted.
  • 29. Change Control
      • Acquia utilizes Agile development methodology
      • Change control is included as part of our SSAE16 audits
      • Production changes require code review and system tests before deployment to production environment
  • 30. Personnel Security
      • Security, privacy and ethics training for all employees
      • Background checks for employees with production access
      • NIST – aligned internal security policies
      • Audit trails
  • 31. Security Resources at Acquia
      • Extensive expertise to help you architect and plan your Drupal site
      • 11 members of 40 member Drupal Security team
      • Professional Services Security Audit
  • 32. Meeting Compliance Standards
      • FISMA (moderate) and DIACAP (MAC II Sensitive) compliance packages.
      • SSAE16 SOC 1 Audited
      • Future roadmap: ISO 27001/2, Cloud Security Alliance STAR registry
      • Customer Sites: HIPAA, PCI compliant, Federal agencies
  • 33. Securing Drupal
  • 34. Drupal Security Responsibilities
      • So who is responsible for the Drupal layer security?
      • Answer: the site owner who may entrust
          − Drupal dev team at the company who owns the site
          − Third party development shop
          − Acquia if contracted for TAM (Technical Account Manager)
  • 35. Is Drupal Secure?
      • Drupal is proven secure. Drupal as a platform is deployed in hundreds of thousands of web sites including some very high profile corporate and government sites
      • Drupal is continuously probed, scanned and analyzed for security defects
  • 36. Drupal Security team
      • 40 members, including 11 Acquians, on Drupal security team
      • Establish mechanism to report and resolve reported security issues
      • Publish security advisories
      • Produce documentation:
          − Writing secure Drupal code
          − Securing a Drupal site
      • More info: http://drupal.org/security-team
  • 37. Drupal Development Best Practices
      • Leverage latest Drupal core and stable modules
      • Follow best practices when custom coding
      • Pay particular attention to input and output validation
      • Make use of Drupal core APIs
      • Resources:
          − http://drupal.org/writing-secure-code/
          − http://groups.drupal.org/best-practices-drupal-security
          − Cracking Drupal by Greg Knaddison
  • 38. Leverage Drupal’s Role Based Access permissions
      • Drupal 6 default roles: Anonymous, Authenticated
      • Drupal 7 default roles: Anonymous, Authenticated, Administer
      • Create roles and assign permissions with a least privileged mind-set
      • More info: http://drupal.org/node/22275/
  • 39. Security – Related Drupal modules
      • A wealth of contributed modules extend Drupal’s built in security:
          − Login and session controls modules
          − Password controls modules
          − Authentication modules
          − Logging and audit modules
          − Anti-spam and protection
          − Secure communications
          − Leverage Anti-virus modules to scan file uploads
      • More: http://drupalscout.com/knowledge-base/contributed-modules-securing-your-drupal-site
  • 40. Acquia Insight: Your Drupal Security Wizard
      • Insight analyzes Drupal sites for security, performance, and SEO problems
      • Included with any Acquia subscription
          − Compatible with any Drupal site (not just Acquia Cloud sites)
      • Identifies security and performance configuration errors
      • Verifies Drupal security patches are installed
  • 41. Insight: Your Drupal Security Wizard
  • 42. Architecting Highly Secure Drupal sites
      • Reduce the attack vector
          − Protect /admin to known IP’s and Networks (.htaccess)
          − Separate edit and publish sites
          − Third party services: Akamai CDN and Security Services, DOS Arrest
  • 43. Drupal Secure Lifecycle
      • Update Core and Modules when advised to
      • Conduct vulnerability scans
  • 44. Questions
      • For more information, visit:
          − http://acquia.com
          − http://twitter.com/acquia
      • Contact us:
          − sales@acquia.com
          − 888.9.ACQUIA
      • Today’s webinar recording will be posted at: http://acquia.com/resources/recorded_webinars
  • 45. Acquia is Hiring
      • Do you love working with Drupal?
      • If so, Acquia is hiring in North America & Europe:
          − Engineering & design
          − Client advisors and consulting
          − Inside sales
      • Check out openings at http://acquia.com/careers
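
The tier layout on slide 13 (ports 80 and 443 the only Internet-facing ports, ssh entering through the App Tier acting as bastion) can be checked mechanically against security group rules. The following is an added example, not code from the presentation, AWS or Acquia; it reads rules in the shape of EC2 DescribeSecurityGroups output, and the group ids, the staff CIDR 203.0.113.0/24, ports 8080 and 3306, and the rule that only the app tier may reach the database tier are assumptions.

```python
import ipaddress

def rule(lo, hi, cidrs=(), groups=(), proto="tcp"):
    """Build one inbound permission in the DescribeSecurityGroups shape."""
    return {"IpProtocol": proto, "FromPort": lo, "ToPort": hi,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "UserIdGroupPairs": [{"GroupId": g} for g in groups]}

# Constructed sample data: group ids, CIDRs and app/db ports are assumptions.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        rule(80, 80, cidrs=["0.0.0.0/0"]),
        rule(443, 443, cidrs=["0.0.0.0/0"]),
        rule(22, 22, cidrs=["0.0.0.0/0"])]},      # misconfigured: ssh open to the Internet
    {"GroupId": "sg-app", "IpPermissions": [
        rule(8080, 8080, groups=["sg-web"]),
        rule(22, 22, cidrs=["203.0.113.0/24"])]}, # staff ssh into the bastion tier
    {"GroupId": "sg-db", "IpPermissions": [
        rule(3306, 3306, groups=["sg-app"]),
        rule(3306, 3306, cidrs=["0.0.0.0/0"]),    # misconfigured: database exposed
        rule(3306, 3306, groups=["sg-web"])]},    # misconfigured: web tier skips app tier
]

def audit(groups, web, app, db, public_ports=(80, 443), staff_cidrs=()):
    """Return (group, port-range, reason) for each rule that breaks the tier layout."""
    staff = [ipaddress.ip_network(c) for c in staff_cidrs]
    findings = []
    for g in groups:
        gid = g["GroupId"]
        for p in g["IpPermissions"]:
            # Protocol "-1" means all traffic and carries no port fields.
            lo, hi = (0, 65535) if p["IpProtocol"] == "-1" else (p["FromPort"], p["ToPort"])
            span = f"{lo}-{hi}"
            for r in p.get("IpRanges", []):
                net = ipaddress.ip_network(r["CidrIp"])
                if gid == web and lo == hi and lo in public_ports:
                    continue  # 80/443 on the web tier may face the Internet
                if gid == app and lo == hi == 22 and any(net.subnet_of(s) for s in staff):
                    continue  # staff ssh to the app tier (bastion)
                reason = "open to the Internet" if net.prefixlen == 0 else "unexpected CIDR source"
                findings.append((gid, span, reason))
            for pair in p.get("UserIdGroupPairs", []):
                src = pair["GroupId"]
                if gid == db and src != app:
                    findings.append((gid, span, f"database tier reachable from {src}"))
                elif lo <= 22 <= hi and gid != app and src != app:
                    findings.append((gid, span, f"ssh from {src} bypasses the bastion"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_GROUPS, "sg-web", "sg-app", "sg-db",
                         staff_cidrs=["203.0.113.0/24"]):
        print(*finding, sep="  ")
```
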