Running Secure Drupal Websites with Acquia and AWS
Transcript of Running Secure Drupal Websites with Acquia and AWS
Webinar Audio Options
• Listen to streaming audio via your computer’s audio
− WebEx Audio Broadcast pop-up
• Trouble listening via your computer’s audio? Please request phone access
• Technical support
− US & Canada 866-229-3239
− International support 408-435-7088
• International phone access numbers:
− http://support.webex.com/support/phone-numbers.html
Drupal, the Cloud and Security
July 25th, 2012
Ryan Holland, Solutions Architect, Amazon Web Services
Jessica Iandiorio, Sr Director, Cloud Marketing, Acquia
Mike Lemire, Director, Information Security, Acquia
Housekeeping
• Today’s webinar is being recorded. Slides and recording will be posted in the next few days at:
− http://acquia.com/resources/recorded_webinars
• Submit questions via the Q&A tab in WebEx; we’ll answer as many as we can
− Give it a try & tell us where you are joining from today
Agenda
• Overview of the Cloud Shared Responsibility Model
• Amazon Web Services Infrastructure level security
• Acquia Cloud platform level security
• Developing and Maintaining a Secure Drupal application
The Cloud Shared Responsibility Model
Infrastructure with Amazon Web Services: Security, Availability and Compliance
Ryan Holland, Solution Architect
AWS Security and Compliance Center (http://aws.amazon.com/security/)
• Answers to many security & privacy questions
− Security whitepaper
− Risk and Compliance whitepaper
• Security bulletins
• Customer penetration testing
• Security best practices
• More information on:
− AWS Identity & Access Management (AWS IAM)
− AWS Multi-Factor Authentication (AWS MFA)
Secure Data Centers
Many years of experience building large-scale data centers.
Important attributes and features:
− Non-descript facilities
− Military-grade perimeter control berms
− Strictly controlled physical access (perimeter and building)
− 3 or more levels of two-factor authentication
Controlled, need-based access for Amazon and AWS employees.
All physical and electronic access is logged.
AWS is Built for “Continuous Availability”
• Scalable, fault tolerant services
• All Datacenters (AZs) are always on
− No “Disaster Recovery Datacenter”
− Managed to the same standards
• Robust Internet connectivity
− Each AZ has redundant, Tier 1 ISP Service Providers
− Resilient network infrastructure
Amazon EC2 Regions and Availability Zones
[Diagram: the US East (Northern Virginia) and US West (Northern California) regions, each containing several Availability Zones]
Amazon EC2 Regions:
US East (Northern Virginia) / US West (Northern California, Oregon) / South America (Sao Paulo) / EU (Dublin) / Asia Pacific (Singapore, Tokyo) / US GovCloud
Amazon EC2 Instance Isolation
[Diagram labels: Physical Interfaces; Firewall; Hypervisor; Virtual Interfaces; Customer 1, Customer 2 … Customer n, each with its own Security Groups]
Multi-tier Security Architecture
[Diagram: Web Tier, Application Tier and Database Tier (with EBS Volume), each behind an Amazon EC2 Security Group firewall]
• Ports 80 and 443 only open to the Internet
• Engineering staff have ssh access to the App Tier, which acts as Bastion
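The tier rules on this slide can be checked mechanically. The following is an added example, not part of the original slides: it audits security-group ingress rules and reports any rule that opens more than ports 80 and 443 on the web tier to the Internet. The `Tier` key, group IDs and CIDRs are constructed, and the rule that the database tier accepts traffic only from app-tier groups is an assumption.

```python
# Added example, not from the original slides. Rule dicts follow the shape of
# EC2 DescribeSecurityGroups output; the "Tier" key, IDs and CIDRs are constructed.
WORLD = {"0.0.0.0/0", "::/0"}
INTERNET_PORTS = {"web": {80, 443}, "app": set(), "db": set()}  # per the slide


def internet_rule_ok(perm, allowed_ports):
    """A world-open rule is acceptable only for TCP ports the tier may expose."""
    if perm["IpProtocol"] != "tcp":
        return False
    return set(range(perm["FromPort"], perm["ToPort"] + 1)) <= allowed_ports


def audit(groups):
    """Return (group_id, reason) findings for rules that break the tier policy."""
    app_ids = {g["GroupId"] for g in groups if g["Tier"] == "app"}
    findings = []
    for g in groups:
        for perm in g["IpPermissions"]:
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if WORLD & set(cidrs) and not internet_rule_ok(perm, INTERNET_PORTS[g["Tier"]]):
                findings.append((g["GroupId"], "internet-open %s %s-%s" % (
                    perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort"))))
            if g["Tier"] == "db":  # assumption: db takes traffic only from app-tier groups
                peers = {p["GroupId"] for p in perm.get("UserIdGroupPairs", [])}
                if cidrs or not peers <= app_ids:
                    findings.append((g["GroupId"], "db reachable from outside app tier"))
    return findings


def rule(port, cidr=None, peer=None):
    """Build one constructed TCP ingress rule for the sample below."""
    perm = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port}
    if cidr:
        perm["IpRanges"] = [{"CidrIp": cidr}]
    if peer:
        perm["UserIdGroupPairs"] = [{"GroupId": peer}]
    return perm


SAMPLE = [  # constructed groups
    {"GroupId": "sg-web", "Tier": "web",
     "IpPermissions": [rule(80, "0.0.0.0/0"), rule(443, "0.0.0.0/0")]},
    {"GroupId": "sg-app", "Tier": "app",   # SSH open to the world: too wide
     "IpPermissions": [rule(22, "0.0.0.0/0"), rule(8080, peer="sg-web")]},
    {"GroupId": "sg-db", "Tier": "db",     # second rule bypasses the app tier
     "IpPermissions": [rule(3306, peer="sg-app"), rule(3306, "198.51.100.0/24")]},
]
```

Calling `audit(SAMPLE)` flags the world-open SSH rule on the app tier and the CIDR-based rule on the database tier; the web tier passes.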
Amazon Virtual Private Cloud (VPC)
Create a logically isolated environment in Amazon’s highly scalable infrastructure
Specify your private IP address range into one or more public or private subnets
Control inbound and outbound access to and from individual subnets using stateless Network Access Control Lists
Protect your Instances with stateful filters for inbound and outbound traffic using Security Groups
Attach an Elastic IP address to any instance in your VPC so it can be reached directly from the Internet
Bridge your VPC and your onsite IT infrastructure with an industry standard encrypted VPN connection
Use a wizard to easily create your VPC in 4 different topologies
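The difference between the stateless Network ACLs and the stateful Security Groups named above matters for return traffic. The following toy packet filter is an added example, not part of the original slides; rule numbers, ports and addresses are constructed. It shows that a Network ACL needs an explicit outbound rule for the client's ephemeral port, while a Security Group lets the reply through because it tracks the connection.

```python
# Added example, not from the original slides: a toy model, not AWS code.
# Rule numbers, ports and addresses are constructed.

def nacl_allows(rules, direction, port):
    """Stateless: the lowest-numbered matching rule decides; no match means deny."""
    for _num, rule_dir, low, high, action in sorted(rules):
        if rule_dir == direction and low <= port <= high:
            return action == "allow"
    return False


class SecurityGroup:
    """Stateful: allow rules only; replies on tracked connections always pass."""

    def __init__(self, ingress_ports):
        self.ingress_ports = set(ingress_ports)
        self.tracked = set()  # (client_ip, client_port, server_port)

    def inbound(self, client_ip, client_port, server_port):
        if server_port in self.ingress_ports:
            self.tracked.add((client_ip, client_port, server_port))
            return True
        return False

    def outbound_reply(self, client_ip, client_port, server_port):
        return (client_ip, client_port, server_port) in self.tracked


def https_round_trip_nacl(rules, client_port):
    """The request must pass 'in' on 443 and the reply must pass 'out' on the client port."""
    return nacl_allows(rules, "in", 443) and nacl_allows(rules, "out", client_port)


def https_round_trip_sg(group, client_ip, client_port):
    """The request must match an ingress rule; the reply rides on the tracked connection."""
    return (group.inbound(client_ip, client_port, 443)
            and group.outbound_reply(client_ip, client_port, 443))


# (rule number, direction, low port, high port, action)
INBOUND_ONLY = [(100, "in", 443, 443, "allow")]
WITH_RETURN = INBOUND_ONLY + [(100, "out", 1024, 65535, "allow")]
```

With `INBOUND_ONLY` the HTTPS round trip fails at the reply; adding the outbound ephemeral-port rule in `WITH_RETURN` fixes it, and `SecurityGroup([443])` needs no such rule.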
EBS Wiping / Data Destruction
Blocks Zeroed Out Upon Provisioning
Logical-to-Physical Block Mapping
Created during provisioning
Destroyed during de-provisioning
Failed Hardware
Degaussed
Sent to the Chipper
SOC 1 / SSAE 16 / ISAE 3402
Statement on Standards for Attestation Engagements (SSAE) 16 format (equivalent to the International Standard on Assurance Engagements [ISAE] 3402) replaces the SAS 70 Type II
Covers Access, Change Management and Operations of EC2, S3, VPC, EBS, RDS, DynamoDB, VM Import, and DirectConnect
Control Objective 1: Security Organization
Control Objective 2: Employee User Access
Control Objective 3: Logical Security
Control Objective 4: Secure Data Handling
Control Objective 5: Physical Security and Environmental Protection
Control Objective 6: Change Management
Control Objective 7: Data Integrity, Availability and Redundancy
Control Objective 8: Incident Handling
Includes all Regions
Audited by an independent accounting firm and updated every 6 months
Report available under NDA
ISO 27001 Certification
ISO 27001/27002 certification achieved 11/2010
Follows ISO 27002 best practice guidance
Covers the AWS Information Security Management System (ISMS)
Covers EC2, S3, VPC, EBS, and RDS
Includes all Regions
ISO certifying agent: Ernst & Young CertifyPoint
PCI DSS Level 1 Service Provider
PCI DSS 2.0 compliant
Covers core infrastructure & services EC2, VPC, S3, EBS, RDS, ELB, and IAM
Use normally, no special configuration
Leverage the work of our QSA
AWS will work with merchants and designated Qualified Incident Response Assessors (QIRA) and can support forensic investigations
Certified in all regions
FISMA/DIACAP
Granted per project by Agency DAA
AWS covers controls required for:
− FIPS 199 Low & Moderate Impact
− DIACAP MAC II Sensitivity
Acquia manages application layer controls
Mike Lemire, Director, Security, Acquia
Acquia Cloud Platform: Security, Availability and Compliance
Acquia Cloud Documentation Center
All of the information presented here in much more detail
https://docs.acquia.com/
https://docs.acquia.com/cloud/arch/security
OS Layer Security
• Acquia Cloud secure build
− Unneeded services and ports disabled
− “Least privilege” access
− Consistent, centralized user management
• Real-time HIDS (Host Intrusion Detection System) monitoring utilizing OSSEC
• Option for whole disk encryption
Security Patch Management
• Ubuntu 10.04 LTS OS
• Major security advisories monitored, including US-CERT, Ubuntu, Mitre, Rapid7 and Qualys.
• Security and Operations teams evaluate, test and schedule patch deployment.
• OS and LAMP-stack security patches quickly deployed using our Puppet-based management infrastructure
• Host based vulnerability testing weekly
Secure Server Management
• “Three-factor” authentication required for Acquia’s operations and support teams
− PKI, Key passcode, One Time Password (OTP)
− Admin access to Acquia Cloud utilizes encrypted channels (ssh, scp, etc.) via bastion host(s)
• Audited role based access within Acquia
Network Security
• Three layers of firewalls: Amazon; the AWS-provided, Acquia-managed hypervisor firewall; and the host firewall.
• Full support for HTTPS/SSL/TLS certificates
• DoS attack monitoring and response
• DDoS partners: DOS Arrest, Akamai
High Availability
• Managed Cloud and Drupal Gardens environments built using redundant servers spread across multiple Availability Zones with automatic failover
Disaster Recovery
• Optional hot standby site in alternative Amazon Region
• Continuous data replication
• Failover based on DNS
Backups
• Database, code and files backed up to multiple data centers via Amazon S3 every 1 to 4 hours; weekly snapshots retained for one week; monthly snapshots retained for 3 months
• Self help backups – from Acquia Network web interface or scripted.
Change Control
• Acquia utilizes Agile development methodology
• Change control is included as part of our SSAE16 audits
• Production changes require code review and system tests before deployment to production environment
Personnel Security
• Security, privacy and ethics training for all employees
• Background checks for employees with production access
• NIST-aligned internal security policies
• Audit trails
Security Resources at Acquia
• Extensive expertise to help you architect and plan your Drupal site
• 11 members of the 40-member Drupal Security team
• Professional Services Security Audit
Meeting Compliance Standards
• FISMA (moderate) and DIACAP (MAC II Sensitive) compliance packages.
• SSAE16 SOC 1 Audited
• Future roadmap: ISO 27001/2, Cloud Security Alliance STAR registry
• Customer Sites: HIPAA, PCI compliant, Federal agencies
Securing Drupal
Drupal Security Responsibilities
So who is responsible for Drupal layer security? Answer: the site owner, who may entrust it to:
• Drupal dev team at the company that owns the site
• Third party development shop
• Acquia, if contracted for TAM (Technical Account Manager)
Is Drupal Secure?
• Drupal is proven secure. Drupal as a platform is deployed in hundreds of thousands of web sites including some very high profile corporate and government sites
• Drupal is continuously probed, scanned and analyzed for security defects
Drupal Security team
• 40 members, including 11 Acquians, on Drupal security team
• Establish mechanism to report and resolve reported security issues
• Publish security advisories
• Produce documentation:
− Writing secure Drupal code
− Securing a Drupal site
• More info: http://drupal.org/security-team
Drupal Development Best Practices
• Leverage latest Drupal core and stable modules
• Follow best practices when custom coding
• Pay particular attention to input and output validation
• Make use of Drupal core APIs
Resources:
• http://drupal.org/writing-secure-code/
• http://groups.drupal.org/best-practices-drupal-security
• Cracking Drupal by Greg Knaddison
Leverage Drupal’s Role Based Access permissions
• Drupal 6 default roles: Anonymous, Authenticated
• Drupal 7 default roles: Anonymous, Authenticated, Administrator
• Create roles and assign permissions with a least-privilege mindset
• More info: http://drupal.org/node/22275/
Security-Related Drupal Modules
A wealth of contributed modules extend Drupal’s built-in security:
• Login and session controls modules
• Password controls modules
• Authentication modules
• Logging and audit modules
• Anti-spam and protection
• Secure communications
• Leverage Anti-virus modules to scan file uploads
• More: http://drupalscout.com/knowledge-base/contributed-modules-securing-your-drupal-site
Acquia Insight: Your Drupal Security Wizard
• Insight analyzes Drupal sites for security, performance, and SEO problems
• Included with any Acquia subscription
− Compatible with any Drupal site (not just Acquia Cloud sites)
• Identifies security and performance configuration errors
• Verifies Drupal security patches are installed
Insight: Your Drupal Security Wizard
Architecting Highly Secure Drupal sites
Reduce the attack vector
• Restrict /admin to known IPs and networks (.htaccess)
• Separate edit and publish sites
• Third party services:
− Akamai CDN and Security Services
− DOS Arrest
Drupal Secure Lifecycle
• Update Core and Modules when advised to
• Conduct vulnerability scans
Questions
• For more information, visit:
− http://acquia.com
− http://twitter.com/acquia
• Contact us:
− [email protected]
− 888.9.ACQUIA
Today’s webinar recording will be posted at:
http://acquia.com/resources/recorded_webinars
Acquia is Hiring
• Do you love working with Drupal?
• If so, Acquia is hiring in North America & Europe:
− Engineering & design
− Client advisors and consulting
− Inside sales
Check out openings at
http://acquia.com/careers