Three Key Steps to Ensure Security Compliance with Drupal in the Cloud
1) Understand your compliance requirements such as privacy regulations, e-commerce regulations, and health care regulations that apply based on users and data location.
2) Develop and manage your Drupal site in compliance by implementing best practices for access controls, encryption, and auditing.
3) Leverage a secure Drupal platform like Acquia Cloud which provides security controls, certifications, and expertise to help ensure compliance.
1. Three Key Steps to Ensure Security Compliance with Drupal in the Cloud
Mike Lemire, Director of Information Security
Jess Iandiorio, Sr. Director, Cloud Product Marketing
January 29, 2012
2. Webinar Audio Options
• Audio will remain quiet until we begin at the top of the hour
• Streaming Audio
− Appears automatically in pop-up window
− Or click Communicate : Join Audio Broadcast
− Remember to unmute your computer
• No Streaming Audio?
− Request phone access
• Technical Support
− US & Canada 866.229.3239
− International Support 408.435.7088
Thank you for joining! The webinar will begin shortly.
3. Audio and Support Information
• Audio will remain quiet until we begin at the top of the hour
• Streaming Audio
− Appears automatically in pop-up window
− Or click Communicate : Join Audio Broadcast
− Remember to unmute your computer
• No Streaming Audio?
− Request phone access
• Technical Support
− US & Canada 866.229.3239
− International Support 408.435.7088
Thank you for joining! We will begin shortly.
4. Housekeeping
• Slides and recording: posted in next 48 hours
• Submit questions: Q&A Tab in WebEx
• Twitter: @acquia
- Hashtags: #acquia #drupal
http://acquia.com/resources/recorded_webinars
5. Upcoming Webinars
• How to Create a Great Community Experience with Drupal
• REI Shares Lessons Learned Helping Build Obama’s OpenGov Vision
• Acquia Partner Series: Building a Fault-Tolerant Cloud Infrastructure
• How to Create a Personalized Web Experience Using Drupal
• How to Ensure SQL Queries Don’t Slow Your Drupal Website
http://acquia.com/resources/webinars
6. Acquia is Hiring
• Do you love working with Drupal?
• Acquia is hiring in North America, Europe, and Australia!
− Engineering
− Design
− Support
− Operations
− Client Advisors
− Sales and Marketing
http://acquia.com/careers
7. Three Key Steps to Ensure Security Compliance with Drupal in the Cloud
Mike Lemire, Director of Information Security
Jess Iandiorio, Sr. Director, Cloud Product Marketing
January 29, 2012
8. Agenda
Three Key Steps to Ensure Security Compliance with Drupal in the Cloud
• Understand your compliance requirements
• Develop and manage your Drupal site in compliance
• Leverage Drupal and a secure Drupal platform like Acquia Cloud
9. Understand your compliance requirements
Major regulatory and compliance drivers:
• US and International Privacy Regulations
• E-commerce Regulations
• Health Care Regulations
10. Privacy Regulations
A broad definition of personal information
Personally identifiable information (PII):
First and Last name in combination with:
• Government ID (SS#, Drivers License, Passport)
• Home address
• Financial account numbers
• Health care information
11. Privacy Regulations by Country
Applicable regulations: Where are your users and where is your data hosted?
Source: http://heatmap.forrestertools.com/
12. Privacy Regulations by Country
http://www.informationshield.com/intprivacylaws.html
Selected International Privacy Laws
• Austria: Data Protection Act 2000, Austrian Federal Law Gazette part I No. 165/1999
• Australia: Privacy Act of 1988
• Belgium: Belgium Data Protection Law and Belgian Data Privacy Commission Privacy Blog
• Bulgaria: The Bulgarian Personal Data Protection Act was adopted on December 21, 2001 and entered into force on January 1, 2002. More information at the Bulgarian Data Protection Authority
• Canada: The Privacy Act - July 1983
Personal Information Protection and Electronic Data Act (PIPEDA) of 2000 (Bill C-6)
• European Union: European Union Data Protection Directive of 1998
• EU Internet Privacy Law of 2002 (DIRECTIVE 2002/58/EC)
• France: Data Protection Act of 1978 (revised in 2004)
• Germany: Federal Data Protection Act of 2001
• Hungary: Act LXIII of 1992 on the Protection of Personal Data and the Publicity of Data of Public Interests (excerpts in English).
• Ireland: Data Protection (Amendment) Act, Number 6 of 2003
• Japan: Personal Information Protection Law (Act) (Official English Translation)
Law Summary from Jonesday Publishing
• Japan: Law for the Protection of Computer Processed Data Held by Administrative Organs, December 1988.
• Netherlands: Dutch Personal Data Protection Act 2000 as amended by Acts dated 5 April 2001, Bulletin of Acts, Orders and Decrees 180, 6 December 2001
• Singapore: The E-commerce Code for the Protection of Personal Information and Communications of Consumers of Internet Commerce. Other related Singapore Laws and E-commerce Laws.
• Switzerland: The Federal Law on Data Protection of 1992
• Sweden: Personal Data Protection Act (1998:204), October 24, 1998
• United Kingdom: UK Data Protection Act 1998
Privacy and Electronic Communications (EC Directive) Regulations 2003 official text, and a consumer oriented site at the Information Commissioner's Office.
13. US Privacy Regulations
http://www.informationshield.com/usprivacylaws.html
• Children's Internet Protection Act of 2001 (CIPA)
• Children's Online Privacy Protection Act of 1998 (COPPA)
• Computer Fraud and Abuse Act of 1986 (CFAA) law summary. Full text at Cornell
• Federal Information Security Management Act (FISMA)
• Federal Trade Commission Act (FTCA)
• Electronic Communications Privacy Act of 1986 (ECPA)
• Electronic Freedom of Information Act of 1996 (E-FOIA) Discussion as it related to the Freedom of Information Act.
• Fair Credit Reporting Act of 1999 (FCRA)
• Family Education Rights and Privacy Act of 1974 (FERPA; also known as the Buckley Amendment)
• Gramm-Leach-Bliley Financial Services Modernization Act of 1999 (GLBA)
• Privacy Protection Act of 1980 (PPA) - Additional discussion at http://www.epic.org/privacy/ppa/.
• Right to Financial Privacy Act of 1978 (RFPA)
• Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act)
14. Ensuring Privacy Compliance in your site
How do I ensure privacy compliance at the Drupal layer?
• Understand and read the privacy regulations applicable to your site
• Meet the most stringent regulations that apply, e.g. EU, MA 201 CMR 17.00
General best practices:
• Encrypt personal information in transit and at rest
− Enable SSL/HTTPS for auth and any PII in transit
− Leverage Drupal encryption modules to encrypt PII fields in the DB
• Encrypted Settings Field http://drupal.org/project/encset
• Field Encryption http://drupal.org/project/field_encrypt
• Control access to personal information: only authorized, need-to-know personnel
− Leverage Drupal user roles and permissions
− http://drupal.org/node/22275
15. Ensuring Privacy Compliance in your site
• Allow end users to modify or delete PII
• Monitor for and notify in case of breach
• Never sell, transfer PII to other entities without consent
• Publish a Privacy Policy
− Example: https://www.acquia.com/about-us/legal/privacy-policy
• Secure your site with strong authentication for admin users
− Leverage SSO: AD, LDAP
− Enable 2-factor auth for admin users: http://groups.drupal.org/node/235938#comment-768208
− Protect /admin to trusted networks using .htaccess
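The two slides above list controls to apply at the Drupal layer: HTTPS for authentication and PII, role-based need-to-know access to PII fields, and restricting /admin to trusted networks. The following Drupal 7 module is an added example of enforcing those controls in code; it is not from the webinar and not Acquia's code. The module name `pii_guard`, the permission name, the field names and the trusted CIDR list are assumptions to adjust per site. The trusted-network check is the same control the slide suggests in .htaccess, expressed here in PHP so it is versioned with the site code; the contributed 2-factor and field-encryption modules the slides link to are separate and not reproduced.

```php
<?php
/**
 * @file
 * pii_guard.module (hypothetical module; added example, not from the webinar).
 * Enforces HTTPS on auth/admin paths, need-to-know access to PII fields, and
 * restricts /admin to trusted source networks. Place in
 * sites/all/modules/pii_guard/ next to a pii_guard.info file.
 */

/**
 * Implements hook_permission().
 * A dedicated permission lets PII fields be granted to specific roles only,
 * instead of to everyone who can edit content.
 */
function pii_guard_permission() {
  return array(
    'view pii fields' => array(
      'title' => t('View personally identifiable information fields'),
      'restrict access' => TRUE, // Flags the permission as sensitive in the UI.
    ),
  );
}

/**
 * Field names that hold PII (assumed names; change to the site's own).
 */
function pii_guard_field_names() {
  return array('field_home_address', 'field_government_id', 'field_account_number');
}

/**
 * Implements hook_field_access().
 * Denies view and edit of PII fields to accounts without the permission.
 * Returning TRUE for other fields means "no objection": other modules decide.
 */
function pii_guard_field_access($op, $field, $entity_type, $entity, $account) {
  if (in_array($field['field_name'], pii_guard_field_names(), TRUE)) {
    return user_access('view pii fields', $account);
  }
  return TRUE;
}

/**
 * Implements hook_init().
 * 1) Redirects login and admin paths to HTTPS so credentials and PII are not
 *    sent in clear text (the slide's "Enable SSL/HTTPS for auth and any PII").
 * 2) Limits /admin to the trusted IPv4 networks in the pii_guard_trusted_cidrs
 *    variable (assumed default shown), logging rejected attempts to watchdog.
 */
function pii_guard_init() {
  $path = current_path();
  $is_auth  = ($path == 'user' || strpos($path, 'user/') === 0);
  $is_admin = (strpos($path, 'admin') === 0);
  if (!$is_auth && !$is_admin) {
    return;
  }
  // Behind a load balancer, configure $conf['reverse_proxy'] so that
  // ip_address() and the HTTPS flag reflect the real client connection.
  if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    $secure_url = 'https://' . $_SERVER['HTTP_HOST'] . request_uri();
    drupal_goto($secure_url, array(), 301);
  }
  if ($is_admin) {
    $trusted = variable_get('pii_guard_trusted_cidrs', array('10.0.0.0/8', '192.0.2.0/24'));
    if (!pii_guard_ip_is_trusted(ip_address(), $trusted)) {
      watchdog('pii_guard', 'Blocked admin request from untrusted address %ip',
        array('%ip' => ip_address()), WATCHDOG_WARNING);
      drupal_access_denied();
      drupal_exit();
    }
  }
}

/**
 * Returns TRUE if $ip (IPv4 dotted quad) lies inside any CIDR in $cidrs.
 * A bare address without "/bits" is treated as a /32.
 */
function pii_guard_ip_is_trusted($ip, array $cidrs) {
  $ip_long = ip2long($ip);
  if ($ip_long === FALSE) {
    return FALSE; // Unparseable or IPv6: not in the trusted list.
  }
  foreach ($cidrs as $cidr) {
    list($net, $bits) = explode('/', $cidr) + array(1 => '32');
    $bits = (int) $bits;
    $mask = ($bits == 0) ? 0 : ((-1 << (32 - $bits)) & 0xFFFFFFFF);
    if ((ip2long($net) & $mask) == ($ip_long & $mask)) {
      return TRUE;
    }
  }
  return FALSE;
}
```

After enabling the module, grant "View personally identifiable information fields" only to the roles that need it at admin/people/permissions, and set the trusted CIDR list in settings.php with `$conf['pii_guard_trusted_cidrs']` rather than in the database so it cannot be changed through the site UI.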
16. eCommerce Regulations – PCI DSS
PCI DSS - The Payment Card Industry Data Security Standard (PCI DSS) is a global security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.
https://www.pcisecuritystandards.org/index.php
17. eCommerce Regulations – PCI DSS
Determine PCI Compliance Level
PCI Compliance Level 1: Over 6 million CC transactions annually
PCI Compliance Level 2: 1-6 million CC transactions annually
PCI Compliance Level 3: 20,000 – 1 million CC transactions annually
PCI Compliance Level 4: less than 20,000 CC transactions annually
18. Ensuring PCI Compliance in your site
PCI Compliance levels 2-4 must complete an annual self-assessment questionnaire called the PCI SAQ
4 versions of the SAQ:
A: Card-not-present (e-commerce or mail/telephone order) merchants, all cardholder data functions outsourced.
B: N/A
C: Merchants with payment application systems connected to the Internet, no cardholder data storage.
D: All other merchants not included in descriptions for SAQ A, B or C and all service providers defined by a payment brand as eligible to complete an SAQ.
https://www.pcisecuritystandards.org/merchants/self_assessment_form.php#instructions
19. Ensuring PCI Compliance in your site
There are many ways to build a Drupal e-commerce site. These solutions are well tested and widely used:
Ubercart - a full fledged e-commerce system designed to "just work" out of the box. It offers the standard shopping cart features, integration with several payment and shipping quote services, and the ability to automate your order workflow without writing any code. Additional features can be added by dozens of related contributed modules, and with over 18,000 live sites and hundreds of users and contributors, you're bound to find support for the functionality you need.
e-Commerce - The most recent version is a trimmed down e-commerce API that defines the components you'll use to build the e-commerce functionality you need. The pool of contributors and users is relatively small compared to Ubercart, so you should feel comfortable doing some heavy lifting on your own and possibly Drupal module development if you go this route.
Commerce Guys - Commerce Kickstart is Drupal Commerce packed with features that make it more complete, faster to launch, and easier to administer. And like Drupal Commerce itself, it's free, supported by an active developer community.
These solutions do not store CC data on your site
Source: http://commerceguys.com/blog/10-tips-e-commerce-drupal
20. Ensuring PCI Compliance in your site
Conduct quarterly vulnerability scans of your site using an approved vulnerability scanner:
Approved Scanners:
https://www.pcisecuritystandards.org/approved_companies_providers/approved_scanning_vendors.php#
Mitigate any findings (or validate false positives)
* Acquia will soon provide this service
21. Health Care Data - HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) establishes national standards for electronic health care transactions and storage of Personal Health Information (PHI).
The HIPAA Privacy Rule provides federal protections for personal health information and gives patients an array of rights with respect to that information. The Privacy Rule permits the disclosure of personal health information needed for patient care and other important purposes.
The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic protected health information.
22. HIPAA Security Rule
• Technical Safeguards – Leverage encryption for PHI in transit and at rest
• Ensure data within the systems has not been changed or erased in an unauthorized manner.
• Enable strong authentication.
• Leverage Drupal roles and permissions to enforce role based access.
• Corporate controls including policies and procedures, security training and full documentation of the system design.
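The second safeguard above, detecting that data has not been changed or erased without authorization, needs an audit trail that records who altered which sensitive field and when. The following Drupal 7 module is an added example of such a trail; it is not from the webinar and not Acquia's code. The module name `pii_audit` and the field names are assumptions. Only a digest of the old and new values is logged, so the watchdog table does not become a second, unprotected copy of the PHI.

```php
<?php
/**
 * @file
 * pii_audit.module (hypothetical module; added example, not from the webinar).
 * Writes a watchdog entry whenever a sensitive field changes on a saved
 * entity, recording the acting user, source address, and value digests.
 */

/**
 * Fields whose changes must be recorded (assumed names; change per site).
 */
function pii_audit_field_names() {
  return array('field_health_record', 'field_government_id');
}

/**
 * Implements hook_entity_update().
 * Node and user saves set $entity->original to the pre-save copy, which lets
 * the hook diff old and new field values; other entity types may not set it.
 */
function pii_audit_entity_update($entity, $type) {
  if (!isset($entity->original)) {
    return;
  }
  list($id) = entity_extract_ids($type, $entity);
  global $user;
  foreach (pii_audit_field_names() as $field_name) {
    $old = pii_audit_field_digest($type, $entity->original, $field_name);
    $new = pii_audit_field_digest($type, $entity, $field_name);
    if ($old !== $new) {
      // Digests, not values: the log must never contain the PHI itself.
      watchdog('pii_audit',
        'Sensitive field %field changed on @type @id by uid @uid from @ip (digest @old -> @new)',
        array(
          '%field' => $field_name,
          '@type' => $type,
          '@id' => $id,
          '@uid' => $user->uid,
          '@ip' => ip_address(),
          '@old' => $old,
          '@new' => $new,
        ),
        WATCHDOG_NOTICE);
    }
  }
}

/**
 * Implements hook_entity_delete().
 * Deletions of entities carrying sensitive fields are logged as well, since
 * the safeguard covers unauthorized erasure, not only modification.
 */
function pii_audit_entity_delete($entity, $type) {
  list($id) = entity_extract_ids($type, $entity);
  foreach (pii_audit_field_names() as $field_name) {
    if (field_get_items($type, $entity, $field_name) !== FALSE) {
      global $user;
      watchdog('pii_audit', 'Entity @type @id holding %field deleted by uid @uid from @ip',
        array('@type' => $type, '@id' => $id, '%field' => $field_name,
              '@uid' => $user->uid, '@ip' => ip_address()),
        WATCHDOG_WARNING);
      return;
    }
  }
}

/**
 * Returns a short SHA-256 digest of a field's items, or 'absent' if the
 * entity has no value for that field.
 */
function pii_audit_field_digest($type, $entity, $field_name) {
  $items = field_get_items($type, $entity, $field_name);
  if ($items === FALSE) {
    return 'absent';
  }
  return substr(hash('sha256', serialize($items)), 0, 16);
}
```

Enable the syslog module alongside the Database logging module so these entries are also shipped off the web server; a log that lives only in the site's own database can be erased by the same compromise it is meant to detect.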
23. Leverage a secure Drupal Platform like Acquia Cloud
Cloud Shared Responsibility Model
24. Leverage a secure Drupal Platform like Acquia Cloud
Acquia Cloud provides platform security enabling you to build compliant Drupal web sites.
• Physical security
• Secure System Access Controls
• OS and LAMP stack patching
• Antivirus
• SSL and HTTPS
• Network Security
− 3 layers of firewall
• Host Intrusion Detection
• OS layer vulnerability scanning
25. Leverage a secure Drupal Platform like Acquia Cloud
Acquia Corporate Controls
• Incident Response
• Personnel Security
− Security training including PII and HIPAA
− Background checks
− Role based access
• Safe Harbor certified
• Abides by all privacy regulations
26. Leverage a secure Drupal Platform like Acquia Cloud
Transparent Control Environment
• Annual SSAE16 SOC 1 audits
• FISMA ATO (Moderate)
• Cloud Security Alliance Security Trust and Assurance Registry listed
https://cloudsecurityalliance.org/star/registry/
27. Leverage a secure Drupal Platform like Acquia Cloud
Acquia Cloud Platform PCI Compliance
• PCI SAIC Completed
• Certified vulnerability scans
Compliance Roadmap:
• FedRAMP
• ISO 27001 certification
28. Leverage a secure Drupal Platform like Acquia Cloud
Acquia Cloud - built on Amazon AWS
• Annual SSAE16 SOC 1 audits
• FISMA ATO (Moderate)
• PCI Level 1 certified
• Cloud Security Alliance Security Trust and Assurance Registry listed
https://cloudsecurityalliance.org/star/registry/
• ISO 27001 certification
Roadmap:
• FedRAMP
29. Security Resources at Acquia
• Extensive expertise to help you architect and plan your Drupal site
• 11 members of 40 member Drupal Security team
• Professional Services Security Audit
30. Questions?
• For more information visit:
http://www.acquia.com
• Contact us: sales@acquia.com or 888.9.ACQUIA
• Follow us: @acquia
• Comments welcome:
• Mike.lemire@acquia.com
• Jess.iandiorio@acquia.com
Today’s webinar recording will be posted to:
http://acquia.com/resources/recorded_webinars