Do you have the answers to your client's security questions? Do you know what questions you should be asking your clients to assess their security risk? During this session we’ll walk through how to have the “security conversation” with your clients, build a team and a process that gives you the confidence to take on larger and more complex projects which bring in additional revenue. Your reputation as an agency (and your client’s business) rely on a safe and secure site. By knowing the common pitfalls you can help navigate the treacherous waters of web security and lead your team to success and happy clients along the way.

1. Welcome to the
Business Track
FFWagency.com @FFWglobal

2. >Full-service digital agency
>World’s largest Drupal agency
>420 employees worldwide
>Portfolio includes Pfizer, NBC, Stanford University,
City of Copenhagen, and General Electric
>FFW Center of Excellence – thousands of hours of
free Drupal training at www.ffwagency.com/event
about FFW

3. ray saltini
director FFW Center of Excellence
@raysaltini, ray.saltini@ffwagency.com
www.ffwagency.com/event
FFWagency.com @FFWglobal
The FFW Center of Excellence was
launched in 2015 to further the
advancement of open source internet
technologies through evangelism, training
and code contributions.
The Center is the primary vehicle for FFW’s engagement with
the Drupal community. Since it’s launch large enterprise
organizations and SMBEs have registered for more than
$200,000 worth of free training around Drupal best practices and
Drupal 8, and FFW developers have logged nearly 1,000 hours
toward code contributions.

4. Simplifying Security: Protecting your
Clients and Your Company
FFWagency.com @FFWglobal
right now
Chris Teitzel
Founder/CEO at Cellar Door Media
Drew Gorton
Director @ Pantheon. Co-Founder, NodeSquirrel, CEO Emeritus,
Gorton Studios. Ex-Developer
Luke Probasco
Drupal General Manager/Director of Marketing at Townsend Security
“having the security conversation”

5. Simplifying Security:
Protecting your Clients and your Company

6. Pantheon.io
Who Dat?
6
Drew Gorton
@dgorton
Luke Probasco
@geetarluke
Chris Teitzel
@technerdteitzel

7. Time For a Quick Game

8. 8www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks

9. 9www.haveibeenpwned.com

10. Because that is where
the money is.
- Willie Sutton

11. Pantheon.io 11
Take Aways
● Breaches aren’t a matter of “if”, but “when”
● Protect more than credit cards - that’s not what hackers
really want anyway

12. Five Common Security Myths

13. I’m too small to be
a target.

14. Private businesses
are not regulated.

15. Encryption is complicated.

16. Security kills performance.

17. My clients aren’t
paying me for security.

18. Pantheon.io 18
Take Aways
● Hackers are targeting small and mid-sized organizations
● Compliance covers all industries
● You need to build security into sites, client’s shouldn’t
have to ask for it
● It’s not that hard

19. Security Fundamentals

20. Pantheon.io 20
What is Security?
CIA Triad
● Confidentiality
● Integrity
● Availability
Security is a Continuum
● More vs. Less
● Not On vs. Off

21. Pantheon.io 21
Personally Identifiable Information (PII)
Information that can be combined with something
else to determine a specific person:
● Name, address, email, date of birth, telephone number,
company, title ...
Some compliance regulations specify what data

22. Don’t build
Death Star
security.
- David Strauss

23. Pantheon.io 23
Defense in Depth
● Each layer takes time, which is
the enemy of hackers
● Involves every portion of the
company
http://www.slideshare.net/warpforge/dont-build-death-star-security-oreilly-software-architecture-conference-2016-nyc

24. Pantheon.io 24
Take Aways
● There is no security “magic bullet”
● Have a “defense in depth” approach
● If you don’t have to collect or store it, don’t

25. Security is Good for Business

26. Pantheon.io 26
Business Wins
● Stand out in your proposals
● Win more RFP’s
○ Larger RFP’s usually require attention
to security
○ Add into proposals even when not
asked for it

27. Pantheon.io 27
Business Wins
● You can be liable for a breach
● Reduce your risk by implementing
proper security
○ Even if the client doesn’t ask for it
○ Even if you have to eat the cost

28. Pantheon.io 28
Business Wins
● Minimize exposure to sensitive
client data
○ Don’t store passwords
○ Don’t hold onto credentials
● May mean telling a client no or that
you cannot do what is asked

29. Pantheon.io 29
Business Wins
● Build a name for yourself
● Security is a growing niche
● Security builds trust and clients
who trust you are clients who
refer you

30. Pantheon.io 30
Business Fails
California Data Breach Report, 2012 - 2015
Recommendation 1: The 20 controls in the Center for Internet
Security’s Critical Security Controls define a minimum level of
information security that all organizations that collect or maintain
personal information should meet. The failure to implement all the
Controls that apply to an organization’s environment constitutes a lack
of reasonable security.

31. Everyone has the right
to the protection of
personal data.
General Data Protection Regulation (GDPR) - EU

32. Pantheon.io 32
Take Aways
● Win more and larger projects
● Security can be one more tool in tool
belt
● Protect your business by protecting
your clients
● Growing niche

33. Questions to Ask Your Clients

34. Pantheon.io 34
Questions to ask your clients
What information is collected?
Who will have logins?
Anything being sold? Any donations?

35. Pantheon.io 35
Trigger Words
● Ecommerce
● Donations
● Integration
● API
● Registered Users
● Paywall
● Forms in general

36. Pantheon.io 36
Take Aways
● PII is more than Credit Cards
● Use Discovery to uncover security concerns
● Dig in deeper on trigger words

37. Creating a Culture of Security

38. Pantheon.io 38
Creating a culture of Security
Every person on the team is responsible
for their part to be secure

39. Pantheon.io 39
Creating a Culture of Security
● Sales/Marketing
○ Use services and vendors that have been vetted for
security (payment gateways, cloud storage etc.)
○ Website responsibility is usually under Marketing
○ When in doubt, don’t post it
○ Get away from FUD, instead use security to empower

40. Pantheon.io 40
Creating a Culture of Security
● Development Team
○ Allow for time spent researching/learning
○ Regular code audits
○ Award and recognize failures caught by the team
○ Involve the development team in every proposal to ensure
the right questions are asked

41. Pantheon.io 41
Creating a Culture of Security
● Practical Tips
○ Use password managment tools
○ Use single sign-on / 2FA for all business critical items
○ Keep internal and guest wifi separate (don’t give out wifi
to everyone who walks in the door)
○ Regular security audits, discussions, memos etc.

42. Pantheon.io 42
Take Aways
● Everyone is responsible for security, not just developers
● Communication is key, encourage it!
● Learn from failures!
● “Your focus on security keeps us all secure”

43. Security Profiles & Case Studies

44. Pantheon.io 44
Security Profiles & Case Studies
Profile:
Small Business
Site: Brochureware, MailChimp, PayPal, no users
Focus on: Hosting platform, Drupal, API Keys

45. Pantheon.io 45
Security Profiles & Case Studies
Profile:
Higher Education
Site: Admissions, student records, donations
Focus on: Encryption, key management, compliance

46. Pantheon.io 46
Security Profiles & Case Studies
Profile:
Enterprise
Site: Corporate site, intranet, sub-sites
Focus on: Hosting, 2FA, encryption, key management, compliance

47. Pantheon.io 47
Take Aways
● Sites large and small have similar security concerns
● Modules and services can help
● Security is a good business investment

48. Evaluating Hosting Platforms

49. https://www.drupal.org/hosting

50. Pantheon.io 50
Traditional Options

51. Pantheon.io 51
Real World Mess

52. Pantheon.io 52
Better Way: Cloud. Consistent, Scalable

53. Pantheon.io 53
Take Aways
● Start with Drupal.org
● No Shared Hosting!
● Ask about Drupalgeddon process, timeframe, results
● Ask about Heartbleed process, timeframe, results

54. Securing Drupal

55. Pantheon.io 55
Secure Configuration
● Secure User 1
○ No simple passwords
○ Don’t share passwords
across sites
○ Doesn’t have to be ‘admin’
● Permissions & Roles
○ Administer * is powerful
○ Administer filters can pwn site
● No PHP (!!!)
● Update module
○ Wednesdays are security
releases
○ Turn it on. Get the
notifications. Do them

56. Pantheon.io 56
Drupal Modules (1 of 2)
■ Password Policy + Password Strength: enforce strong passwords
■ Security Review: tests for easy-to-make configuration mistakes
■ Security Kit: security-hardening options
■ Hacked!: check for altered code
■ Paranoia: identify and block PHP evals
■ Permissions Lock: more granular control over 'Administer
Permissions'

57. Pantheon.io 57
Drupal Modules (2 of 2)
■ Login Security: limit login attempts
■ Automated Logout: force logout after a specified time of inactivity
■ Two Factor Authentication: base module for two-factor
authentication
■ Encrypt: provides an API for performing two-way data encryption
■ Key: gives site administrators the ability to define how and where keys
are stored

58. Migrate to Drupal 8!

59. Pantheon.io 59
Drupal 8 FTW
● Drupal 6 is EOL
○ Great update opportunity
○ Migration is focused first on 6 -> 8 compatibility
○ Fix mistakes in the upgrade - don’t just keep bad practices in place

60. Pantheon.io 60
Drupal 8 FTW
● Drupal 8 is the most secure Drupal
○ Core isn’t an island anymore
○ String sanitization
○ NO PHP IN CORE!
○ Twig - No more bad practices!

61. 90% of site-specific
vulnerabilities are in the
custom theme
- Peter Wolanin
https://dev.acquia.com/blog/drupal-8/10-ways-drupal-8-will-be-more-secure/2015/08/27/6621

62. Pantheon.io 62
Drupal 8 FTW
● Upgrade Cycle is a great opportunity for businesses to sell
● Built in REST API
○ Secure access to data
○ Opportunity for expanded projects

63. Pantheon.io 63
Take Aways
● Drupal 8 is newer, faster, and more secure!
● Upgrade opportunity from Drupal 6 -> 8 to fix issues and add new
business
● Expand projects with API support (be careful what you expose)

64. Bringing It Full Circle

65. Pantheon.io 65
In Conclusion
✓ You and your clients are targets
✓ Business value of security
✓ Build security into your processes, culture, proposals and billing
✓ Use a secure hosting provider
✓ Improve Drupal’s security with Configuration + Modules

66. Rate this Session and Get the
Slides
https://events.drupal.org/neworleans2016/sessions/simplifying-security-protecting-your-clients-and-your-company

67. Pantheon.io
Questions?
67
Drew Gorton
@dgorton
Luke Probasco
@geetarluke
Chris Teitzel
@technerdteitzel

68. Pantheon.io 68