Three Key Steps to Ensure Security Compliance with Drupal in the Cloud


1. Three Key Steps to Ensure Security Compliance with Drupal in the Cloud
Mike Lemire, Director of Information Security, and Jess Iandiorio, Sr. Director, Cloud Product Marketing
January 29, 2012
2. Webinar Audio Options
• Audio will remain quiet until we begin at the top of the hour
• Streaming audio appears automatically in a pop-up window, or click Communicate : Join Audio Broadcast (remember to unmute your computer)
• No streaming audio? Request phone access
• Technical support: US & Canada 866.229.3239; International 408.435.7088
Thank you for joining! The webinar will begin shortly.

3. Audio and Support Information (same content as slide 2)
4. Housekeeping
• Slides and recording: posted in the next 48 hours at http://acquia.com/resources/recorded_webinars
• Submit questions: Q&A tab in WebEx
• Twitter: @acquia, hashtags #acquia #drupal
5. Upcoming Webinars (http://acquia.com/resources/webinars)
• How to Create a Great Community Experience with Drupal
• REI Shares Lessons Learned Helping Build Obama's OpenGov Vision
• Acquia Partner Series: Building a Fault-Tolerant Cloud Infrastructure
• How to Create a Personalized Web Experience Using Drupal
• How to Ensure SQL Queries Don't Slow Your Drupal Website
6. Acquia is Hiring (http://acquia.com/careers)
• Do you love working with Drupal? Acquia is hiring in North America, Europe, and Australia: Engineering, Design, Support, Operations, Client Advisors, Sales and Marketing
8. Agenda
• Understand your compliance requirements
• Develop and manage your Drupal site in compliance
• Leverage Drupal and a secure Drupal platform like Acquia Cloud
9. Understand your compliance requirements
Major regulatory and compliance drivers:
• US and international privacy regulations
• E-commerce regulations
• Health care regulations
10. Privacy Regulations: a broad definition of personal information
Personally identifiable information (PII): a first and last name in combination with any of
• Government ID (SSN, driver's license, passport number)
• Home address
• Financial account numbers
• Health care information
11. Privacy Regulations by Country
Which regulations apply depends on where your users are and where your data is hosted.
Source: http://heatmap.forrestertools.com/ (heat map of national privacy regimes; image not reproduced)
12. Privacy Regulations by Country: selected international privacy laws
Source: http://www.informationshield.com/intprivacylaws.html
• Austria: Data Protection Act 2000, Austrian Federal Law Gazette part I No. 165/1999
• Australia: Privacy Act of 1988
• Belgium: Belgium Data Protection Law and Belgian Data Privacy Commission Privacy Blog
• Bulgaria: The Bulgarian Personal Data Protection Act, adopted on December 21, 2001 and in force since January 1, 2002. More information at the Bulgarian Data Protection Authority
• Canada: The Privacy Act (July 1983); Personal Information Protection and Electronic Documents Act (PIPEDA) of 2000 (Bill C-6)
• European Union: Data Protection Directive 95/46/EC (adopted 1995; member states had to apply it from 1998)
• European Union: Directive on Privacy and Electronic Communications, 2002/58/EC
• France: Data Protection Act of 1978 (revised in 2004)
• Germany: Federal Data Protection Act (as amended in 2001)
• Hungary: Act LXIII of 1992 on the Protection of Personal Data and the Publicity of Data of Public Interest (excerpts in English)
• Ireland: Data Protection (Amendment) Act, Number 6 of 2003
• Japan: Personal Information Protection Law (Act) (official English translation); law summary from Jones Day
• Japan: Law for the Protection of Computer Processed Data Held by Administrative Organs, December 1988
• Netherlands: Dutch Personal Data Protection Act 2000, as amended by Acts dated 5 April 2001 (Bulletin of Acts, Orders and Decrees 180) and 6 December 2001
• Singapore: The E-commerce Code for the Protection of Personal Information and Communications of Consumers of Internet Commerce; other related Singapore laws and e-commerce laws
• Switzerland: The Federal Law on Data Protection of 1992
• Sweden: Personal Data Protection Act (1998:204), October 24, 1998
• United Kingdom: UK Data Protection Act 1998; Privacy and Electronic Communications (EC Directive) Regulations 2003 (official text), and a consumer-oriented site at the Information Commissioner's Office
13. US Privacy Regulations
Source: http://www.informationshield.com/usprivacylaws.html
• Children's Internet Protection Act of 2000 (CIPA)
• Children's Online Privacy Protection Act of 1998 (COPPA)
• Computer Fraud and Abuse Act of 1986 (CFAA); full text at Cornell
• Federal Information Security Management Act (FISMA)
• Federal Trade Commission Act (FTCA)
• Electronic Communications Privacy Act of 1986 (ECPA)
• Electronic Freedom of Information Act of 1996 (E-FOIA), as it relates to the Freedom of Information Act
• Fair Credit Reporting Act of 1970 (FCRA)
• Family Educational Rights and Privacy Act of 1974 (FERPA; also known as the Buckley Amendment)
• Gramm-Leach-Bliley Financial Services Modernization Act of 1999 (GLBA)
• Privacy Protection Act of 1980 (PPA); additional discussion at http://www.epic.org/privacy/ppa/
• Right to Financial Privacy Act of 1978 (RFPA)
• Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act)
14. Ensuring Privacy Compliance in your site
How do I ensure privacy compliance at the Drupal layer?
• Read and understand the privacy regulations applicable to your site
• Design to the most stringent regulation that applies (e.g. the EU directive, MA 201 CMR 17.00); meeting it usually satisfies the rest
General best practices:
• Encrypt personal information in transit and at rest
  − Enable SSL/HTTPS for authentication and for any page that carries PII; credentials or PII sent over plain HTTP are readable on the wire
  − Use Drupal encryption modules to encrypt PII fields in the database, and keep the key outside the database: a dump that contains both the ciphertext and the key is not protected in any useful sense
    • Encrypted Settings Field: http://drupal.org/project/encset
    • Field Encryption: http://drupal.org/project/field_encrypt
• Restrict access to personal information to personnel with a need to know
  − Use Drupal user roles and permissions: http://drupal.org/node/22275
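What "encrypt PII fields in the DB" has to get right, shown as an added example in plain PHP 7.1+ (this is not code from the slides, from Acquia, or from the encset/field_encrypt modules): authenticated encryption (AES-256-GCM), a key that lives outside the database and the web root (read here from a hypothetical PII_FIELD_KEY environment variable), and associated data that binds each ciphertext to its row and field so a value cannot be swapped between records. The function names, the "v1:" storage format and the sample user record are assumptions.

```php
<?php
// Added example: application-layer encryption of one PII field before it is
// written to the database. Not taken from the slides or from the Drupal
// encryption modules they mention; function names and the "v1:" storage
// format are assumptions. Requires PHP >= 7.1 (openssl_* with GCM, random_bytes).

const PII_IV_LEN  = 12;  // 96-bit nonce, the recommended size for GCM
const PII_TAG_LEN = 16;  // 128-bit authentication tag

/**
 * Loads the 32-byte AES key from the environment (assumption: PII_FIELD_KEY
 * holds 64 hex characters). The key is never stored in the database, so a
 * SQL injection or a leaked dump yields ciphertext only.
 */
function pii_field_key() {
  $hex = getenv('PII_FIELD_KEY');
  if ($hex === FALSE || strlen($hex) !== 64 || !ctype_xdigit($hex)) {
    throw new RuntimeException('PII_FIELD_KEY must be set to 64 hex characters (32-byte key).');
  }
  return hex2bin($hex);
}

/**
 * Binds a ciphertext to the row and field it belongs to. Decrypting with a
 * different entity id or field name fails the GCM tag check, so an attacker
 * with database write access cannot move one user's SSN into another's row.
 */
function pii_field_aad($entity_type, $entity_id, $field_name) {
  return $entity_type . ':' . $entity_id . ':' . $field_name;
}

/**
 * Returns an ASCII string safe to store in a TEXT/VARCHAR column:
 * "v1:" . base64(iv || tag || ciphertext). The version prefix lets a future
 * key or algorithm rotation tell old values from new ones.
 */
function pii_field_encrypt($plaintext, $key, $aad) {
  $iv  = random_bytes(PII_IV_LEN);
  $tag = '';
  $ct  = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag, $aad, PII_TAG_LEN);
  if ($ct === FALSE) {
    throw new RuntimeException('Encryption failed: ' . openssl_error_string());
  }
  return 'v1:' . base64_encode($iv . $tag . $ct);
}

/**
 * Returns the plaintext, or NULL if the stored value is malformed, was
 * tampered with, or belongs to a different row/field (tag mismatch).
 * Callers must treat NULL as an integrity failure, not as an empty field.
 */
function pii_field_decrypt($stored, $key, $aad) {
  if (!is_string($stored) || strncmp($stored, 'v1:', 3) !== 0) {
    return NULL;
  }
  $raw = base64_decode(substr($stored, 3), TRUE);
  if ($raw === FALSE || strlen($raw) < PII_IV_LEN + PII_TAG_LEN) {
    return NULL;
  }
  $iv  = substr($raw, 0, PII_IV_LEN);
  $tag = substr($raw, PII_IV_LEN, PII_TAG_LEN);
  $ct  = substr($raw, PII_IV_LEN + PII_TAG_LEN);
  $pt  = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag, $aad);
  return $pt === FALSE ? NULL : $pt;
}

// Usage with a constructed key and a constructed record (a real key comes from
// the deployment environment, never from code or the database).
putenv('PII_FIELD_KEY=' . bin2hex(random_bytes(32)));
$key    = pii_field_key();
$aad    = pii_field_aad('user', 42, 'field_ssn');
$stored = pii_field_encrypt('123-45-6789', $key, $aad);   // this string goes into the DB row
if (pii_field_decrypt($stored, $key, $aad) !== '123-45-6789') {
  throw new LogicException('round trip failed');
}
if (pii_field_decrypt($stored, $key, pii_field_aad('user', 43, 'field_ssn')) !== NULL) {
  throw new LogicException('ciphertext moved to another user was accepted');
}
$raw = base64_decode(substr($stored, 3), TRUE);
$i = PII_IV_LEN + PII_TAG_LEN;                  // first ciphertext byte
$raw[$i] = chr(ord($raw[$i]) ^ 0x01);           // flip one bit
if (pii_field_decrypt('v1:' . base64_encode($raw), $key, $aad) !== NULL) {
  throw new LogicException('tampered ciphertext was accepted');
}
```

Whatever module does this in production, check the same three properties against it: where the key is read from (environment or a file outside the web root, not a Drupal variable in the database), whether the mode authenticates the ciphertext (GCM here; a bare CBC or ECB value can be altered or swapped without detection), and whether anything ties the ciphertext to its row. Encrypted fields also cannot be searched or sorted by the database, which is part of why the slide limits encryption to PII fields rather than whole tables.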
15. Ensuring Privacy Compliance in your site (continued)
• Allow end users to modify or delete their PII
• Monitor for breaches and notify affected users in case of one
• Never sell or transfer PII to other entities without consent
• Publish a privacy policy (example: https://www.acquia.com/about-us/legal/privacy-policy)
• Secure your site with strong authentication for admin users
  − Use SSO: AD, LDAP
  − Enable two-factor authentication for admin users: http://groups.drupal.org/node/235938#comment-768208
  − Restrict /admin to trusted networks using .htaccess
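The "HTTPS for auth" bullet on the previous slide and the "protect /admin to trusted networks" bullet above, done at the application layer as an added Drupal 7 module example (not code from the slides or from Acquia; the module name admin_lockdown and the admin_lockdown_trusted_networks variable are assumptions). It covers two things a plain mod_rewrite rule on REQUEST_URI misses: the ?q=admin form of the path, and the real client address and scheme when a load balancer sits in front of the web servers.

```php
<?php
/**
 * @file
 * admin_lockdown.module (assumed name): Drupal 7 hooks that force HTTPS on
 * authentication and administration paths and allow admin/ only from trusted
 * networks. Added example, not code from the slides or from Acquia; the
 * admin_lockdown_trusted_networks variable is an assumption.
 */

/**
 * Returns TRUE if the IPv4 address $ip lies inside any of the CIDR $ranges.
 * Plain PHP so it can be unit-tested outside Drupal. Needs 64-bit PHP
 * (ip2long() returns negative values on 32-bit builds); IPv6 is rejected.
 */
function admin_lockdown_ip_in_ranges($ip, array $ranges) {
  $addr = ip2long($ip);
  if ($addr === FALSE) {
    return FALSE;  // malformed or IPv6: never trusted by this helper
  }
  foreach ($ranges as $range) {
    list($net, $bits) = array_pad(explode('/', $range, 2), 2, 32);
    $net_long = ip2long($net);
    $bits = (int) $bits;
    if ($net_long === FALSE || $bits < 0 || $bits > 32) {
      continue;  // skip a mistyped range instead of silently widening it
    }
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    if (($net_long & $mask) === ($addr & $mask)) {
      return TRUE;
    }
  }
  return FALSE;
}

/**
 * TRUE if the request arrived over TLS. When TLS terminates at a load
 * balancer the backend sees plain HTTP, so X-Forwarded-Proto is consulted,
 * but only for requests that really come from a configured reverse proxy;
 * otherwise any client could send the header and skip the redirect.
 */
function admin_lockdown_request_is_https() {
  if (!empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off') {
    return TRUE;
  }
  if (variable_get('reverse_proxy', 0)
      && in_array($_SERVER['REMOTE_ADDR'], variable_get('reverse_proxy_addresses', array()), TRUE)
      && isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) {
    return strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https';
  }
  return FALSE;
}

/**
 * Implements hook_init().
 *
 * Runs on every request that reaches the full bootstrap, before the menu
 * router loads the page callback. current_path() is the internal path with
 * aliases resolved, so /admin/config, /?q=admin/config and an alias of
 * either all match; a rewrite rule on REQUEST_URI alone misses the last two.
 */
function admin_lockdown_init() {
  if (drupal_is_cli()) {
    return;  // drush and cron runs have no client address to evaluate
  }
  $path = current_path();

  // 1. Everything under user/ (login, password reset, profile edit) and
  //    admin/ travels over TLS only (slide 14).
  if (preg_match('#^(admin|user)($|/)#', $path) && !admin_lockdown_request_is_https()) {
    // Not drupal_goto(): it honours ?destination= and would send the user
    // elsewhere. A 301 stops browsers from retrying the plaintext URL; a
    // POST body is deliberately not replayed.
    header('Location: https://' . $_SERVER['HTTP_HOST'] . request_uri(), TRUE, 301);
    drupal_exit();
  }

  // 2. admin/ only from trusted networks (slide 15). ip_address() honours
  //    $conf['reverse_proxy'] and $conf['reverse_proxy_addresses'], so behind
  //    a load balancer it returns the X-Forwarded-For client, not the LB.
  if (preg_match('#^admin($|/)#', $path)) {
    $trusted = variable_get('admin_lockdown_trusted_networks', array());
    $client = ip_address();
    if (!admin_lockdown_ip_in_ranges($client, $trusted)) {
      watchdog('admin_lockdown', 'Blocked %path from untrusted address %ip.',
        array('%path' => $path, '%ip' => $client), WATCHDOG_WARNING);
      drupal_access_denied();
      drupal_exit();
    }
  }
}
```

Configure it in settings.php with `$conf['admin_lockdown_trusted_networks'] = array('10.0.0.0/8', '203.0.113.0/24');` (example ranges; an empty list fails closed and locks admin/ for everyone, so set it before enabling the module; drush keeps working because CLI requests are skipped) and, behind a load balancer, `$conf['reverse_proxy'] = TRUE; $conf['reverse_proxy_addresses'] = array(/* balancer addresses */);` so that ip_address() and the X-Forwarded-Proto check trust only the balancer. Two limits to know about: hook_init() does not run for anonymous pages served from Drupal's page cache, so the HTTPS redirect for /user/login should also be enforced at the web server or balancer; and if you use the .htaccess approach from the slide instead, REMOTE_ADDR behind a balancer is the balancer's address, so the rewrite rule must test the forwarded client address (or Apache must be configured to substitute it) and must also catch the ?q=admin query form of the path.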
16. eCommerce Regulations: PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is a global security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.
https://www.pcisecuritystandards.org/index.php
17. eCommerce Regulations: determine your PCI compliance level
Merchant levels are set by each card brand; the Visa thresholds, which most others mirror, are:
• Level 1: over 6 million card transactions annually (a brand can also designate any merchant Level 1, for example after a breach)
• Level 2: 1 million to 6 million card transactions annually
• Level 3: 20,000 to 1 million e-commerce transactions annually
• Level 4: fewer than 20,000 e-commerce transactions annually (and all other merchants with up to 1 million transactions annually)
18. Ensuring PCI Compliance in your site
Merchants at levels 2-4 validate compliance with an annual Self-Assessment Questionnaire (SAQ); Level 1 merchants need an annual on-site assessment (Report on Compliance) instead. The SAQ versions relevant to a web site:
• SAQ A: card-not-present (e-commerce or mail/telephone order) merchants with all cardholder data functions outsourced; the site itself never touches card data
• SAQ B: imprint-only or standalone dial-out terminal merchants with no electronic cardholder data storage; not applicable to an e-commerce site
• SAQ C: merchants with payment application systems connected to the Internet and no cardholder data storage
• SAQ D: all other merchants not covered by SAQ A, B or C, and all service providers a payment brand deems eligible to complete an SAQ
https://www.pcisecuritystandards.org/merchants/self_assessment_form.php#instructions
Aim for SAQ A: the fewer components of your Drupal site that see card data, the smaller the assessment. (Later versions of the standard, PCI DSS 3.0 onward, add SAQ A-EP for e-commerce merchants whose own site controls how card data reaches the processor, for example via JavaScript or direct post, so redirect and hosted-iframe integrations keep the lightest assessment.)
19. Ensuring PCI Compliance in your site
There are many ways to build a Drupal e-commerce site. These solutions are well tested and widely used:
• Ubercart: a full-fledged e-commerce system designed to "just work" out of the box. It offers the standard shopping cart features, integration with several payment and shipping quote services, and the ability to automate your order workflow without writing any code. Additional features can be added by dozens of related contributed modules, and with over 18,000 live sites and hundreds of users and contributors, you're bound to find support for the functionality you need.
• e-Commerce: the most recent version is a trimmed-down e-commerce API that defines the components you'll use to build the e-commerce functionality you need. The pool of contributors and users is relatively small compared to Ubercart, so you should feel comfortable doing some heavy lifting on your own, and possibly Drupal module development, if you go this route.
• Commerce Kickstart (Commerce Guys): Drupal Commerce packed with features that make it more complete, faster to launch, and easier to administer. Like Drupal Commerce itself, it's free and supported by an active developer community.
These solutions do not store card data on your site when used with a hosted or tokenizing payment gateway; capturing card numbers in your own forms puts the site in PCI scope whichever module you use.
Source: http://commerceguys.com/blog/10-tips-e-commerce-drupal
20. Ensuring PCI Compliance in your site
Conduct quarterly external vulnerability scans of your site using a PCI Approved Scanning Vendor (ASV):
https://www.pcisecuritystandards.org/approved_companies_providers/approved_scanning_vendors.php
Mitigate any findings, or document why a finding is a false positive, and keep the passing scan reports as evidence.
* Acquia will soon provide this service
21. Health Care Data: HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) establishes national standards for electronic health care transactions and for the storage of Protected Health Information (PHI).
The HIPAA Privacy Rule provides federal protections for personal health information and gives patients an array of rights with respect to that information. The Privacy Rule permits the disclosure of personal health information needed for patient care and other important purposes.
The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic protected health information (ePHI).
22. HIPAA Security Rule
• Technical safeguards: encrypt PHI in transit and at rest
• Integrity: ensure data within the system has not been changed or erased in an unauthorized manner (the rule's audit-control requirement means logging who read or changed PHI)
• Enable strong authentication
• Use Drupal roles and permissions to enforce role-based access
• Administrative controls: policies and procedures, security training, and full documentation of the system design
23. Leverage a secure Drupal Platform like Acquia Cloud
Cloud Shared Responsibility Model (diagram; image not reproduced)
24. Leverage a secure Drupal Platform like Acquia Cloud
Acquia Cloud provides platform security, enabling you to build compliant Drupal web sites:
• Physical security
• Secure system access controls
• OS and LAMP stack patching
• Antivirus
• SSL and HTTPS
• Network security: 3 layers of firewall
• Host intrusion detection
• OS-layer vulnerability scanning
Under the shared responsibility model, the security of the Drupal code, contributed modules, configuration and data you deploy on top of the platform remains your responsibility.
25. Leverage a secure Drupal Platform like Acquia Cloud
Acquia corporate controls:
• Incident response
• Personnel security
  − Security training including PII and HIPAA
  − Background checks
  − Role-based access
• Safe Harbor certified
• Abides by all applicable privacy regulations
26. Leverage a secure Drupal Platform like Acquia Cloud
Transparent control environment:
• Annual SSAE 16 SOC 1 audits
• FISMA ATO (Moderate)
• Listed in the Cloud Security Alliance Security, Trust and Assurance Registry (STAR): https://cloudsecurityalliance.org/star/registry/
27. Leverage a secure Drupal Platform like Acquia Cloud
Acquia Cloud platform PCI compliance:
• PCI SAQ completed
• Certified vulnerability scans
Compliance roadmap:
• FedRAMP
• ISO 27001 certification
28. Leverage a secure Drupal Platform like Acquia Cloud
Acquia Cloud is built on Amazon AWS, which has:
• Annual SSAE 16 SOC 1 audits
• FISMA ATO (Moderate)
• PCI DSS Level 1 service provider certification
• Cloud Security Alliance STAR listing: https://cloudsecurityalliance.org/star/registry/
• ISO 27001 certification
Roadmap:
• FedRAMP
These attestations cover the underlying infrastructure; they do not by themselves make a site hosted on it compliant.
29. Security Resources at Acquia
• Extensive expertise to help you architect and plan your Drupal site
• 11 members of the 40-member Drupal Security Team
• Professional Services security audit
30. Questions?
• For more information visit: http://www.acquia.com
• Contact us: sales@acquia.com or 888.9.ACQUIA
• Follow us: @acquia
• Comments welcome: Mike.lemire@acquia.com, Jess.iandiorio@acquia.com
Today's webinar recording will be posted to: http://acquia.com/resources/recorded_webinars
