Running Secure Drupal Websites with Acquia and AWS

Post on 08-May-2015


Webinar Audio Options

• Listen to streaming audio via your computer’s audio

− WebEx Audio Broadcast pop-up

• Trouble listening via your computer’s audio? Please request phone access

• Technical support

− US & Canada 866-229-3239

− International support 408-435-7088

• International phone access numbers:

− http://support.webex.com/support/phone-numbers.html

Drupal, the Cloud and Security

July 25th, 2012

Ryan Holland, Solutions Architect, Amazon Web Services

Jessica Iandiorio, Sr Director, Cloud Marketing, Acquia

Mike Lemire, Director, Information Security, Acquia

Housekeeping

• Today’s webinar is being recorded. Slides and recording will be posted in the next few days at:

− http://acquia.com/resources/recorded_webinars

• Submit questions via the Q&A tab in WebEx; we’ll answer as many as we can

− Give it a try and tell us where you are joining from today

Agenda

• Overview of the Cloud Shared Responsibility Model

• Amazon Web Services Infrastructure level security

• Acquia Cloud platform level security

• Developing and Maintaining a Secure Drupal application

The Cloud Shared Responsibility Model

Infrastructure with Amazon Web Services: Security, Availability and Compliance

Ryan Holland, Solution Architect

AWS Security and Compliance Center (http://aws.amazon.com/security/)

Answers to many security & privacy questions

− Security whitepaper

− Risk and Compliance whitepaper

Security bulletins

Customer penetration testing

Security best practices

More information on:

− AWS Identity & Access Management (AWS IAM)

− AWS Multi-Factor Authentication (AWS MFA)

Secure Data Centers

Many years of experience building large-scale data centers.

Important attributes and features:

− Non-descript facilities

− Military-grade perimeter control berms

− Strictly controlled physical access (perimeter and building)

− 3 or more levels of two-factor authentication

Controlled, need-based access for Amazon and AWS employees.

All physical and electronic access is logged.

AWS is Built for “Continuous Availability”

Scalable, fault-tolerant services

All datacenters (AZs) are always on

− No “Disaster Recovery Datacenter”

− Managed to the same standards

Robust Internet connectivity

− Each AZ has redundant, Tier 1 ISP service providers

− Resilient network infrastructure

Amazon EC2 Regions and Availability Zones

[Diagram: the US East (Northern Virginia) and US West (Northern California) regions, each divided into lettered Availability Zones]

Amazon EC2 Regions:

US East (Northern Virginia) / US West (Northern California, Oregon) / South America (Sao Paulo) / EU (Dublin) / Asia Pacific (Singapore, Tokyo) / US GovCloud

Amazon EC2 Instance Isolation

[Diagram: instances of Customer 1, Customer 2 … Customer n, each with its own security groups, connected through virtual interfaces, the firewall and the hypervisor to the physical interfaces]

Multi-tier Security Architecture

[Diagram: Web Tier, Application Tier and Database Tier (with EBS volume), each behind an Amazon EC2 security group firewall]

Ports 80 and 443 only open to the Internet

Engineering staff have ssh access to the App Tier, which acts as Bastion
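A check of security-group rules against the three-tier layout on this slide, as an added example that is not part of the webinar or of AWS or Acquia tooling. The group ids, the `TIER_OF` mapping, the `rule` helper, the app and database ports (8080, 3306) and the sample rules are hypothetical and constructed; the dictionaries follow the `IpPermissions` shape returned by EC2 DescribeSecurityGroups.

```python
import ipaddress

PUBLIC_WEB_PORTS = {80, 443}
# Hypothetical group ids mapped to the slide's tiers (in practice, from tags).
TIER_OF = {"sg-web": "web", "sg-app": "app", "sg-db": "db"}

def rule(lo, hi, cidrs=(), groups=()):
    """Build one constructed entry in the EC2 IpPermissions shape."""
    return {"IpProtocol": "tcp", "FromPort": lo, "ToPort": hi,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "UserIdGroupPairs": [{"GroupId": g} for g in groups]}

# Constructed sample: three deliberate deviations from the slide's layout.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        rule(80, 80, ["0.0.0.0/0"]), rule(443, 443, ["0.0.0.0/0"]),
        rule(22, 22, ["203.0.113.0/24"])]},
    {"GroupId": "sg-app", "IpPermissions": [
        rule(22, 22, ["198.51.100.0/24"]), rule(8080, 8080, groups=["sg-web"])]},
    {"GroupId": "sg-db", "IpPermissions": [
        rule(3306, 3306, ["0.0.0.0/0"], ["sg-app", "sg-web"])]},
]

def audit(groups, tier_of):
    """Return (group, ports, problem) for each rule that breaks the tiering."""
    findings = []
    for group in groups:
        gid, tier = group["GroupId"], tier_of[group["GroupId"]]
        for perm in group["IpPermissions"]:
            lo, hi = ((0, 65535) if perm["IpProtocol"] == "-1"  # all traffic
                      else (perm["FromPort"], perm["ToPort"]))
            ports = str(lo) if lo == hi else f"{lo}-{hi}"
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                world = ipaddress.ip_network(cidr).prefixlen == 0
                public_ok = tier == "web" and lo == hi and lo in PUBLIC_WEB_PORTS
                if world and not public_ok:
                    findings.append((gid, ports, "open to the Internet"))
                elif not world and tier != "app" and lo <= 22 <= hi:
                    findings.append((gid, ports, "SSH bypasses the bastion"))
            for pair in perm.get("UserIdGroupPairs", []):
                source = tier_of.get(pair["GroupId"], "unknown")
                if tier == "db" and source != "app":
                    findings.append((gid, ports, f"database reachable from {source} tier"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_GROUPS, TIER_OF), sep="\n")
```

Rules that reference another security group are judged by the source group's tier, so the database tier passes only when its sole source is the application tier.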

Amazon Virtual Private Cloud (VPC)

Create a logically isolated environment in Amazon’s highly scalable infrastructure

Specify your private IP address range and divide it into one or more public or private subnets

Control inbound and outbound access to and from individual subnets using stateless Network Access Control Lists

Protect your Instances with stateful filters for inbound and outbound traffic using Security Groups

Attach an Elastic IP address to any instance in your VPC so it can be reached directly from the Internet

Bridge your VPC and your onsite IT infrastructure with an industry standard encrypted VPN connection

Use a wizard to easily create your VPC in 4 different topologies

EBS Wiping / Data Destruction

Blocks Zeroed Out Upon Provisioning

Logical-to-Physical Block Mapping

Created during provisioning

Destroyed during de-provisioning

Failed Hardware

Degaussed

Sent to the Chipper

SOC 1 / SSAE 16 / ISAE 3402

Statement on Standards for Attestation Engagements (SSAE) 16 format (equivalent to the International Standard on Assurance Engagements [ISAE] 3402) replaces the SAS 70 Type II

Covers Access, Change Management and Operations of EC2, S3, VPC, EBS, RDS, DynamoDB, VM Import, and DirectConnect

Control Objective 1: Security Organization

Control Objective 2: Employee User Access

Control Objective 3: Logical Security

Control Objective 4: Secure Data Handling

Control Objective 5: Physical Security and Environmental Protection

Control Objective 6: Change Management

Control Objective 7: Data Integrity, Availability and Redundancy

Control Objective 8: Incident Handling

Includes all Regions

Audited by an independent accounting firm and updated every 6 months

Report available under NDA

ISO 27001 Certification

ISO 27001/27002 certification achieved 11/2010

Follows ISO 27002 best practice guidance

Covers the AWS Information Security Management System (ISMS)

Covers EC2, S3, VPC, EBS, and RDS

Includes all Regions

ISO certifying agent: Ernst & Young CertifyPoint

PCI DSS Level 1 Service Provider

PCI DSS 2.0 compliant

Covers core infrastructure & services EC2, VPC, S3, EBS, RDS, ELB, and IAM

Use normally, no special configuration

Leverage the work of our QSA

AWS will work with merchants and designated Qualified Incident Response Assessors (QIRA) and can support forensic investigations

Certified in all regions

FISMA/DIACAP

Granted per project by Agency DAA

AWS covers controls required for:

− FIPS 199 Low & Moderate Impact

− DIACAP MAC II Sensitivity

Acquia manages application layer controls

Mike Lemire, Director, Security, Acquia

Acquia Cloud Platform: Security, Availability and Compliance

Acquia Cloud Documentation Center

All of the information presented here in much more detail

https://docs.acquia.com/

https://docs.acquia.com/cloud/arch/security

OS Layer Security

• Acquia Cloud secure build

− Unneeded services and ports disabled

− “Least privilege” access

− Consistent, centralized user management

• Real-time HIDS (Host Intrusion Detection System) monitoring utilizing OSSEC

• Option for whole disk encryption

Security Patch Management

• Ubuntu 10.04 LTS OS

• Major security advisories monitored, including US-CERT, Ubuntu, MITRE, Rapid7 and Qualys.

• Security and Operations teams evaluate, test and schedule patch deployment.

• OS and LAMP-stack security patches quickly deployed using our Puppet-based management infrastructure

• Host based vulnerability testing weekly

Secure Server Management

• “Three-factor” authentication required for Acquia’s operations and support teams

− PKI, Key passcode, One Time Password (OTP)

− Admin access to Acquia Cloud utilizes encrypted channels (ssh, scp, etc.) via Bastion host(s)

• Audited role based access within Acquia

Network Security

• Three layers of firewalls: Amazon, AWS-provided Acquia-managed hypervisor firewall and host firewall.

• Full support for HTTPS/SSL/TLS certificates

• DoS attack monitoring and response

• DDoS partners: DOSarrest, Akamai

High Availability

• Managed Cloud and Drupal Gardens environments built using redundant servers spread across multiple Availability Zones with automatic failover

Disaster Recovery

• Optional hot standby site in alternative Amazon Region

• Continuous data replication

• Failover based on DNS

Backups

• Database, code and files backed up to multiple data centers via Amazon S3 every 1 to 4 hours; weekly snapshots retained for one week; monthly snapshots retained for 3 months

• Self help backups – from Acquia Network web interface or scripted.

Change Control

• Acquia utilizes Agile development methodology

• Change control is included as part of our SSAE16 audits

• Production changes require code review and system tests before deployment to production environment

Personnel Security

• Security, privacy and ethics training for all employees

• Background checks for employees with production access

• NIST-aligned internal security policies

• Audit trails

Security Resources at Acquia

• Extensive expertise to help you architect and plan your Drupal site

• 11 members of the 40-member Drupal Security team

• Professional Services Security Audit

Meeting Compliance Standards

• FISMA (moderate) and DIACAP (MAC II Sensitive) compliance packages.

• SSAE16 SOC 1 Audited

• Future roadmap: ISO 27001/2, Cloud Security Alliance STAR registry

• Customer Sites: HIPAA, PCI compliant, Federal agencies

Securing Drupal

Drupal Security Responsibilities

So who is responsible for the Drupal layer security? Answer: the site owner, who may entrust it to:

• Drupal dev team at the company who owns the site

• Third party development shop

• Acquia if contracted for TAM (Technical Account Manager)

Is Drupal Secure?

• Drupal is proven secure. Drupal as a platform is deployed in hundreds of thousands of web sites including some very high profile corporate and government sites

• Drupal is continuously probed, scanned and analyzed for security defects

Drupal Security team

• 40 members, including 11 Acquians, on Drupal security team

• Establish mechanism to report and resolve reported security issues

• Publish security advisories

• Produce documentation:

− Writing secure Drupal code

− Securing a Drupal site

• More info: http://drupal.org/security-team

Drupal Development Best Practices

• Leverage the latest Drupal core and stable modules

• Follow best practices when custom coding

• Pay particular attention to input and output validation

• Make use of Drupal core APIs

Resources:

• http://drupal.org/writing-secure-code/

• http://groups.drupal.org/best-practices-drupal-security

• Cracking Drupal by Greg Knaddison

Leverage Drupal’s Role Based Access permissions

• Drupal 6 default roles: Anonymous, Authenticated

• Drupal 7 default roles: Anonymous, Authenticated, Administrator

• Create roles and assign permissions with a least-privilege mindset

• More info: http://drupal.org/node/22275/

Security-Related Drupal Modules

A wealth of contributed modules extend Drupal’s built-in security:

• Login and session controls modules

• Password controls modules

• Authentication modules

• Logging and audit modules

• Anti-spam and protection

• Secure communications

• Leverage Anti-virus modules to scan file uploads

• More: http://drupalscout.com/knowledge-base/contributed-modules-securing-your-drupal-site

Acquia Insight: Your Drupal Security Wizard

• Insight analyzes Drupal sites for security, performance, and SEO problems

• Included with any Acquia subscription

− Compatible with any Drupal site (not just Acquia Cloud sites)

• Identifies security and performance configuration errors

• Verifies Drupal security patches are installed

Insight: Your Drupal Security Wizard

Architecting Highly Secure Drupal sites

Reduce the attack surface

• Restrict /admin to known IPs and networks (.htaccess)

• Separate edit and publish sites

• Third party services:

• Akamai CDN and Security Services

• DOSarrest

Drupal Secure Lifecycle

• Update Core and Modules when advised to

• Conduct vulnerability scans

Questions

• For more information, visit:

− http://acquia.com

− http://twitter.com/acquia

• Contact us:

− sales@acquia.com

− 888.9.ACQUIA

Today’s webinar recording will be posted at:

http://acquia.com/resources/recorded_webinars

Acquia is Hiring

• Do you love working with Drupal?

• If so, Acquia is hiring in North America & Europe:

− Engineering & design

− Client advisors and consulting

− Inside sales

Check out openings at

http://acquia.com/careers