Three Key Steps to Ensure Security Compliance with Drupal in the Cloud

Mike Lemire, Director of Information Security
Jess Iandiorio, Sr. Director, Cloud Product Marketing
January 29, 2012
Webinar Audio Options
• Audio will remain quiet until we begin at the top of the hour
• Streaming Audio
   • Appears automatically in pop-up window
   • Or click Communicate : Join Audio Broadcast
   • Remember to unmute your computer
• No Streaming Audio?
   • Request phone access
• Technical Support
   • US & Canada 866.229.3239
   • International Support 408.435.7088
Thank you for joining! The webinar will begin shortly.
Housekeeping
• Slides and recording: posted in next 48 hours
• Submit questions: Q&A Tab in WebEx
• Twitter: @acquia
  - Hashtags: #acquia #drupal
http://acquia.com/resources/recorded_webinars
Upcoming Webinars
• How to Create a Great Community Experience with Drupal
• REI Shares Lessons Learned Helping Build Obama’s OpenGov Vision
• Acquia Partner Series: Building a Fault-Tolerant Cloud Infrastructu
• How to Create a Personalized Web Experience Using Drupal
• How to Ensure SQL Queries Don’t Slow Your Drupal Website
http://acquia.com/resources/webinars
Acquia is Hiring
• Do you love working with Drupal?
• Acquia is hiring in North America, Europe, and Australia!
   • Engineering
   • Design
   • Support
   • Operations
   • Client Advisors
   • Sales and Marketing
http://acquia.com/careers
Agenda
Three Key Steps to Ensure Security Compliance with Drupal in the Cloud
• Understand your compliance requirements
• Develop and manage your Drupal site in compliance
• Leverage Drupal and a secure Drupal platform like Acquia Cloud
Understand your compliance requirements
Major regulatory and compliance drivers:
• US and International Privacy Regulations
• E-commerce Regulations
• Health Care Regulations
Privacy Regulations
A broad definition of personal information
Personally identifiable information (PII):
First and Last name in combination with:
• Government ID (SS#, Drivers License, Passport)
• Home address
• Financial account numbers
• Health care information
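The definition above is a rule that a site owner can apply mechanically to the records a Drupal site stores: a record counts as PII only when a first and last name appear together with at least one qualifying category. The following is an added example, not code from the deck or from Drupal, that implements that rule as a small classifier over constructed sample records. The field names (ssn, home_address, credit_card, and so on) and the sample values are assumptions made for the illustration; a real site would map them onto its own field names.

```python
"""Classify records against the webinar's working definition of PII.

Added example, not from the Acquia deck: a record is PII when a first and
last name are present together with at least one of a government ID, home
address, financial account number or health care information. The field
names and sample records below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Fields that, together with a full name, make a record PII under the
# deck's definition. Keys are the record field names this example assumes.
QUALIFYING_FIELDS = {
    "ssn": "government ID",
    "drivers_license": "government ID",
    "passport": "government ID",
    "home_address": "home address",
    "bank_account": "financial account number",
    "credit_card": "financial account number",
    "diagnosis": "health care information",
}


@dataclass
class Classification:
    is_pii: bool
    reasons: list = field(default_factory=list)


def _present(value):
    """Treat None, empty and whitespace-only values as absent."""
    return value is not None and str(value).strip() != ""


def classify_record(record):
    """Return a Classification for one record (a dict of field -> value).

    A record is PII only when BOTH a first and last name are present AND at
    least one qualifying field carries a value; each matched category is
    listed in `reasons` so a reviewer can see why the record was flagged.
    """
    has_name = _present(record.get("first_name")) and _present(record.get("last_name"))
    categories = sorted({cat for fld, cat in QUALIFYING_FIELDS.items()
                         if _present(record.get(fld))})
    if not has_name:
        # Qualifying data without a name does not meet this definition, but
        # the categories seen are still reported so the record can be reviewed.
        return Classification(False, ["no full name"] + categories)
    return Classification(bool(categories), categories)


def pii_fields_in(record):
    """Names of the fields that would need encryption at rest if the record is PII."""
    return [fld for fld in QUALIFYING_FIELDS if _present(record.get(fld))]


# Constructed sample records (fictional people, placeholder values).
SAMPLE_RECORDS = [
    {"first_name": "Ada", "last_name": "Example", "email": "ada@example.test"},
    {"first_name": "Ada", "last_name": "Example", "home_address": "1 Sample St"},
    {"first_name": "Ben", "last_name": "Example", "ssn": "000-00-0000", "diagnosis": "sample"},
    {"first_name": "Cy", "last_name": "", "credit_card": "4111111111111111"},
    {"first_name": "Di", "last_name": "Example", "home_address": "   "},
]


def summarize(records=SAMPLE_RECORDS):
    """Count PII records and collect the distinct categories found among them."""
    flagged = [classify_record(r) for r in records]
    return {
        "pii_count": sum(1 for c in flagged if c.is_pii),
        "categories": sorted({cat for c in flagged if c.is_pii for cat in c.reasons}),
    }


if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(r.get("first_name"), classify_record(r))
    print(summarize())
```

Records that carry qualifying data without a full name are not flagged as PII under this definition but are still reported, since a second table may supply the name; the output of pii_fields_in is the list of columns to hand to the field-encryption modules discussed later in the deck.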
Privacy Regulations by Country
Applicable regulations: Where are your users and where is your data hosted?
Source: http://heatmap.forrestertools.com/
Privacy Regulations by Country
http://www.informationshield.com/intprivacylaws.html
Selected International Privacy Laws
• Austria: Data Protection Act 2000, Austrian Federal Law Gazette part I No. 165/1999
• Australia: Privacy Act of 1988
• Belgium: Belgium Data Protection Law and Belgian Data Privacy Commission Privacy Blog
• Bulgaria: The Bulgarian Personal Data Protection Act was adopted on December 21, 2001 and entered into force on January 1, 2002. More information at the Bulgarian Data Protection Authority
• Canada: The Privacy Act - July 1983; Personal Information Protection and Electronic Data Act (PIPEDA) of 2000 (Bill C-6)
• European Union: European Union Data Protection Directive of 1998
• EU Internet Privacy Law of 2002 (DIRECTIVE 2002/58/EC)
• France: Data Protection Act of 1978 (revised in 2004)
• Germany: Federal Data Protection Act of 2001
• Hungary: Act LXIII of 1992 on the Protection of Personal Data and the Publicity of Data of Public Interests (excerpts in English).
• Ireland: Data Protection (Amendment) Act, Number 6 of 2003
• Japan: Personal Information Protection Law (Act) (Official English Translation); Law Summary from Jonesday Publishing
• Japan: Law for the Protection of Computer Processed Data Held by Administrative Organs, December 1988.
• Netherlands: Dutch Personal Data Protection Act 2000 as amended by Acts dated 5 April 2001, Bulletin of Acts, Orders and Decrees 180, 6 December 2001
• Singapore: The E-commerce Code for the Protection of Personal Information and Communications of Consumers of Internet Commerce. Other related Singapore Laws and E-commerce Laws.
• Switzerland: The Federal Law on Data Protection of 1992
• Sweden: Personal Data Protection Act (1998:204), October 24, 1998
• United Kingdom: UK Data Protection Act 1998; Privacy and Electronic Communications (EC Directive) Regulations 2003 official text, and a consumer oriented site at the Information Commissioner's Office.
US Privacy Regulations
http://www.informationshield.com/usprivacylaws.html
• Children's Internet Protection Act of 2001 (CIPA)
• Children's Online Privacy Protection Act of 1998 (COPPA)
• Computer Fraud and Abuse Act of 1986 (CFAA) law summary. Full text at Cornell
• Federal Information Security Management Act (FISMA)
• Federal Trade Commission Act (FTCA)
• Electronic Communications Privacy Act of 1986 (ECPA)
• Electronic Freedom of Information Act of 1996 (E-FOIA) Discussion as it relates to the Freedom of Information Act.
• Fair Credit Reporting Act of 1999 (FCRA)
• Family Education Rights and Privacy Act of 1974 (FERPA; also known as the Buckley Amendment)
• Gramm-Leach-Bliley Financial Services Modernization Act of 1999 (GLBA)
• Privacy Protection Act of 1980 (PPA) - Additional discussion at http://www.epic.org/privacy/ppa/
• Right to Financial Privacy Act of 1978 (RFPA)
• Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act)
Ensuring Privacy Compliance in your site
How do I ensure privacy compliance at the Drupal layer?
• Understand and read the privacy regulations applicable to your site
• Meet the most stringent regulations, i.e. EU, MA 201 CMR 17.00
General best practices:
• Encrypt personal information in transit and at rest
  − Enable SSL/HTTPS for authentication and any PII in transit
  − Leverage Drupal encryption modules to encrypt PII fields in the DB
     • Encrypted Settings Field http://drupal.org/project/encset
     • Field Encryption http://drupal.org/project/field_encrypt
• Restrict access to personal information to authorized, need-to-know personnel
  − Leverage Drupal user roles and permissions
  − http://drupal.org/node/22275
Ensuring Privacy Compliance in your site
• Allow end users to modify or delete PII
• Monitor for and notify in case of breach
• Never sell or transfer PII to other entities without consent
• Publish a Privacy Policy
  − Example: https://www.acquia.com/about-us/legal/privacy-policy
• Secure your site with strong authentication for admin users
  − Leverage SSO: AD, LDAP
  − Enable 2-factor auth for admin users: http://groups.drupal.org/node/235938#comment-768208
  − Restrict /admin to trusted networks using .htaccess
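Restricting /admin to trusted networks sounds like a one-line rule, but a rule that only looks at the URL path misses two things: Drupal reads the path from the q query parameter when clean URLs are off (so /index.php?q=admin/config reaches the admin pages too), and a naive prefix match on "admin" also blocks unrelated paths such as /administration-guide. The following is an added example, not code from the deck, from Drupal or from Acquia, that models the decision such a rule has to make in Python so those edge cases are visible; the trusted ranges, the protected paths and the sample requests are constructed assumptions.

```python
"""Decide whether a request to Drupal's admin paths comes from a trusted network.

Added example, not from the Acquia deck or the Drupal project: it models the
decision a .htaccess rule restricting /admin to trusted networks has to make.
The trusted ranges and sample requests are constructed.
"""
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Constructed trusted ranges (an office network and a documentation-range "VPN").
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "203.0.113.0/24")]

# Drupal paths that should only be reachable from trusted networks. Matching is
# on whole path segments so that e.g. /administration-guide is not caught.
PROTECTED_PREFIXES = ("admin", "user/login")


def drupal_path(request_target):
    """Extract the Drupal path from a request target.

    With clean URLs the path is the URL path; without them Drupal reads it
    from the `q` query parameter (e.g. /index.php?q=admin/config). A rule
    that only inspects the URL path would miss the second form.
    """
    parts = urlsplit(request_target)
    path = parts.path.strip("/")
    if path in ("", "index.php"):
        q = parse_qs(parts.query).get("q", [""])[0]
        path = q.strip("/")
    return path


def is_protected(path):
    """True if the Drupal path starts with one of the protected prefixes, segment-wise."""
    segments = path.split("/")
    for prefix in PROTECTED_PREFIXES:
        p = prefix.split("/")
        if segments[: len(p)] == p:
            return True
    return False


def is_trusted(client_ip):
    """True if client_ip parses and lies inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # unparseable source address is never trusted
    return any(addr in net for net in TRUSTED_NETWORKS)


def admin_access_allowed(request_target, client_ip):
    """True if the request may proceed; protected paths require a trusted source.

    `client_ip` must be the address the web server itself saw (REMOTE_ADDR),
    not a client-supplied header such as X-Forwarded-For, which anyone can set.
    """
    if not is_protected(drupal_path(request_target)):
        return True
    return is_trusted(client_ip)


if __name__ == "__main__":
    for target, ip in (("/admin/config", "10.1.2.3"),
                       ("/admin/config", "198.51.100.7"),
                       ("/index.php?q=admin/config", "198.51.100.7"),
                       ("/administration-guide", "198.51.100.7")):
        print(target, ip, "allow" if admin_access_allowed(target, ip) else "deny")
```

In Apache terms the same decision is a mod_rewrite rule whose conditions test REQUEST_URI and QUERY_STRING for the admin paths and REMOTE_ADDR against the trusted ranges before returning 403. On a hosted platform that sits behind a load balancer, REMOTE_ADDR is the balancer's address, so the source address has to be taken from a header the balancer is known to set, and only from that balancer.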
eCommerce Regulations – PCI DSS
PCI DSS - The Payment Card Industry Data Security Standard (PCI DSS) is a global security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.
https://www.pcisecuritystandards.org/index.php
eCommerce Regulations – PCI DSS
Determine PCI Compliance Level
PCI Compliance Level 1: Over 6 million CC transactions annually
PCI Compliance Level 2: 1-6 million CC transactions annually
PCI Compliance Level 3: 20,000 – 1 million CC transactions annually
PCI Compliance Level 4: Less than 20,000 CC transactions annually
Ensuring PCI Compliance in your site
PCI Compliance levels 2-4 must complete an annual self-assessment questionnaire called the PCI SAQ
4 versions of the SAQ:
A: Card-not-present (e-commerce or mail/telephone order) merchants, all cardholder data functions outsourced.
B: N/A
C: Merchants with payment application systems connected to the Internet, no cardholder data storage.
D: All other merchants not included in descriptions for SAQ A, B or C and all service providers defined by a payment brand as eligible to complete an SAQ.
https://www.pcisecuritystandards.org/merchants/self_assessment_form.php#instructions
Ensuring PCI Compliance in your site
Many ways to build a Drupal e-commerce site. These solutions are well tested and widely used:
Ubercart - a full fledged e-commerce system designed to "just work" out of the box. It offers the standard shopping cart features, integration with several payment and shipping quote services, and the ability to automate your order workflow without writing any code. Additional features can be added by dozens of related contributed modules, and with over 18,000 live sites and hundreds of users and contributors, you're bound to find support for the functionality you need.
e-Commerce - The most recent version is a trimmed down e-commerce API that defines the components you'll use to build the e-commerce functionality you need. The pool of contributors and users is relatively small compared to Ubercart, so you should feel comfortable doing some heavy lifting on your own and possible Drupal module development if you go this route.
Commerce Guys - Commerce Kickstart is Drupal Commerce packed with features that make it more complete, faster to launch, and easier to administer. And like Drupal Commerce itself, it's free, supported by an active developer community.
These solutions do not store CC data on your site.
Source: http://commerceguys.com/blog/10-tips-e-commerce-drupal
Ensuring PCI Compliance in your site
Conduct quarterly vulnerability scans of your site using an approved vulnerability scanner.
Approved Scanners:
https://www.pcisecuritystandards.org/approved_companies_providers/approved_scanning_vendors.php#
Mitigate any findings (or validate false positives).
* Acquia will soon provide this service
Health Care Data - HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) establishes national standards for electronic health care transactions and storage of Personal Health Information (PHI).
The HIPAA Privacy Rule provides federal protections for personal health information and gives patients an array of rights with respect to that information. The Privacy Rule permits the disclosure of personal health information needed for patient care and other important purposes.
The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic protected health information.
HIPAA Security Rule
• Technical Safeguards – Leverage encryption for PHI in transit and at rest
• Ensure data within the systems has not been changed or erased in an unauthorized manner.
• Enable strong authentication.
• Leverage Drupal roles and permissions to enforce role-based access.
• Corporate controls including policies and procedures, security training and full documentation of the system design.
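The second bullet, detecting unauthorized change or erasure, is the one the deck gives no mechanism for. One application-layer way to implement it is a keyed integrity manifest: an HMAC over each stored record plus an HMAC over the set of record identifiers, computed with a key kept outside the database, so that someone who can edit or delete rows cannot recompute the values to cover their tracks. The following is an added example, not code from the deck or from Drupal; the key, record layout and sample PHI-style rows are constructed for the illustration.

```python
"""Detect unauthorized modification or deletion of stored records.

Added example, not from the Acquia deck or Drupal: one way to implement the
HIPAA Security Rule's integrity safeguard at the application layer. A keyed
manifest (HMAC-SHA256) is computed over a snapshot of the records and later
compared with the live data. Records and key are constructed for illustration.
"""
import hashlib
import hmac
import json

# Constructed key; in practice it comes from a key store, never from the DB
# it protects, otherwise whoever can edit rows can also re-sign them.
MANIFEST_KEY = b"constructed-demo-key-not-for-real-use"


def _record_mac(key, record_id, record):
    # Canonical JSON so that field order does not change the digest; the id
    # is bound in so a record cannot be moved to another id unnoticed.
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    msg = str(record_id).encode() + b"\x00" + canonical
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_manifest(records, key=MANIFEST_KEY):
    """records: dict of id -> record (a dict of fields). Returns the manifest."""
    per_record = {str(rid): _record_mac(key, rid, rec) for rid, rec in records.items()}
    # A MAC over the sorted id list detects deleted or inserted rows, which
    # per-record MACs alone cannot reveal.
    id_list = ",".join(sorted(per_record)).encode()
    return {
        "records": per_record,
        "id_set_mac": hmac.new(key, id_list, hashlib.sha256).hexdigest(),
    }


def verify_manifest(records, manifest, key=MANIFEST_KEY):
    """Report modified, deleted and added record ids (all empty when intact)."""
    current = {str(rid): _record_mac(key, rid, rec) for rid, rec in records.items()}
    expected = manifest["records"]
    modified = sorted(rid for rid in expected
                      if rid in current and not hmac.compare_digest(current[rid], expected[rid]))
    deleted = sorted(rid for rid in expected if rid not in current)
    added = sorted(rid for rid in current if rid not in expected)
    id_list = ",".join(sorted(current)).encode()
    id_set_ok = hmac.compare_digest(
        hmac.new(key, id_list, hashlib.sha256).hexdigest(), manifest["id_set_mac"])
    return {
        "intact": not (modified or deleted or added) and id_set_ok,
        "modified": modified,
        "deleted": deleted,
        "added": added,
    }


# Constructed sample PHI-style records (fictional).
SAMPLE_RECORDS = {
    101: {"patient": "A. Sample", "diagnosis": "sample-1"},
    102: {"patient": "B. Sample", "diagnosis": "sample-2"},
    103: {"patient": "C. Sample", "diagnosis": "sample-3"},
}


def demo():
    """Return the verification report for untouched data and for tampered data."""
    manifest = build_manifest(SAMPLE_RECORDS)
    tampered = {rid: dict(rec) for rid, rec in SAMPLE_RECORDS.items()}
    tampered[102]["diagnosis"] = "altered"                              # unauthorized change
    del tampered[103]                                                   # unauthorized erasure
    tampered[104] = {"patient": "D. Sample", "diagnosis": "sample-4"}   # inserted row
    return verify_manifest(SAMPLE_RECORDS, manifest), verify_manifest(tampered, manifest)


if __name__ == "__main__":
    clean, bad = demo()
    print("untouched:", clean)
    print("tampered: ", bad)
```

The manifest only tells you that something changed, not who changed it, so it belongs alongside audit logging of authorized edits: a verification run that reports a difference with no matching audit entry is the signal that warrants incident response. Rebuild the manifest after each authorized change, or the legitimate edits will be reported too.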
Leverage a secure Drupal Platform like Acquia Cloud
Cloud Shared Responsibility Model
Leverage a secure Drupal Platform like Acquia Cloud
Acquia Cloud provides platform security enabling you to build compliant Drupal web sites.
• Physical security
• Secure System Access Controls
• OS and LAMP stack patching
• Antivirus
• SSL and HTTPS
• Network Security
  − 3 layers of firewall
• Host Intrusion Detection
• OS layer vulnerability scanning
Leverage a secure Drupal Platform like Acquia Cloud
Acquia Corporate Controls
• Incident Response
• Personnel Security
  − Security training including PII and HIPAA
  − Background checks
  − Role based access
• Safe Harbor certified
• Abides by all privacy regulations
Leverage a secure Drupal Platform like Acquia Cloud
Transparent Control Environment
• Annual SSAE16 SOC 1 audits
• FISMA ATO (Moderate)
• Cloud Security Alliance Security Trust and Assurance Registry listed
  https://cloudsecurityalliance.org/star/registry/
Leverage a secure Drupal Platform like Acquia Cloud
Acquia Cloud Platform PCI Compliance
• PCI SAIC Completed
• Certified vulnerability scans
Compliance Roadmap:
• FedRAMP
• ISO 27001 certification
Leverage a secure Drupal Platform like Acquia Cloud
Acquia Cloud - built on Amazon AWS
• Annual SSAE16 SOC 1 audits
• FISMA ATO (Moderate)
• PCI Level 1 certified
• Cloud Security Alliance Security Trust and Assurance Registry listed
  https://cloudsecurityalliance.org/star/registry/
• ISO 27001 certification
Roadmap:
• FedRAMP
Security Resources at Acquia
• Extensive expertise to help you architect and plan your Drupal site
• 11 members of the 40-member Drupal Security team
• Professional Services Security Audit
Questions?
• For more information visit: http://www.acquia.com
• Contact us: sales@acquia.com or 888.9.ACQUIA
• Follow us: @acquia
• Comments welcome:
  • Mike.lemire@acquia.com
  • Jess.iandiorio@acquia.com
Today’s webinar recording will be posted to:
http://acquia.com/resources/recorded_webinars

Contenu connexe

Similaire à Three Key Steps to Ensure Security Compliance with Drupal in the Cloud

Jcj corporate blind overview november 19 2012 1-1
Jcj corporate blind  overview november 19 2012 1-1Jcj corporate blind  overview november 19 2012 1-1
Jcj corporate blind overview november 19 2012 1-1
ashk4n
 

Similaire à Three Key Steps to Ensure Security Compliance with Drupal in the Cloud (20)

GDPR- The Buck Stops Here
GDPR-  The Buck Stops HereGDPR-  The Buck Stops Here
GDPR- The Buck Stops Here
 
All You Need To Know About Data Law Changes in 2018
All You Need To Know About Data Law Changes in 2018All You Need To Know About Data Law Changes in 2018
All You Need To Know About Data Law Changes in 2018
 
Jcj corporate blind overview november 19 2012 1-1
Jcj corporate blind  overview november 19 2012 1-1Jcj corporate blind  overview november 19 2012 1-1
Jcj corporate blind overview november 19 2012 1-1
 
Cloud Regulations and Security Standards by Ran Adler
Cloud Regulations and Security Standards by Ran AdlerCloud Regulations and Security Standards by Ran Adler
Cloud Regulations and Security Standards by Ran Adler
 
Protect Sensitive Data on Your IBM i (Social Distance Your IBM i/AS400)
Protect Sensitive Data on Your IBM i (Social Distance Your IBM i/AS400)Protect Sensitive Data on Your IBM i (Social Distance Your IBM i/AS400)
Protect Sensitive Data on Your IBM i (Social Distance Your IBM i/AS400)
 
Privacy and the GDPR: How Cloud computing could be your failing
Privacy and the GDPR: How Cloud computing could be your failingPrivacy and the GDPR: How Cloud computing could be your failing
Privacy and the GDPR: How Cloud computing could be your failing
 
Encryption by Default BoF by Gihan Dias [APRICOT 2015]
Encryption by Default BoF by Gihan Dias [APRICOT 2015]Encryption by Default BoF by Gihan Dias [APRICOT 2015]
Encryption by Default BoF by Gihan Dias [APRICOT 2015]
 
Introdction to Cloud Regulation for Enterprise by 2Bsecure
Introdction to Cloud Regulation for Enterprise by 2BsecureIntrodction to Cloud Regulation for Enterprise by 2Bsecure
Introdction to Cloud Regulation for Enterprise by 2Bsecure
 
GDPR, User Data, Privacy, and Your Apps
GDPR, User Data, Privacy, and Your AppsGDPR, User Data, Privacy, and Your Apps
GDPR, User Data, Privacy, and Your Apps
 
6 Practical Steps F&B Companies Can Take to Achieve Digital Transformation
6 Practical Steps F&B Companies Can Take to Achieve Digital Transformation6 Practical Steps F&B Companies Can Take to Achieve Digital Transformation
6 Practical Steps F&B Companies Can Take to Achieve Digital Transformation
 
Scot Cloud 2016
Scot Cloud 2016Scot Cloud 2016
Scot Cloud 2016
 
Cyber Security Conference 2017
Cyber Security Conference 2017Cyber Security Conference 2017
Cyber Security Conference 2017
 
Countdown to CCPA: 48 Days Until Your IBM i Data Needs to Be Secured
Countdown to CCPA: 48 Days Until Your IBM i Data Needs to Be SecuredCountdown to CCPA: 48 Days Until Your IBM i Data Needs to Be Secured
Countdown to CCPA: 48 Days Until Your IBM i Data Needs to Be Secured
 
eBusiness Club "Demystifying the EU Cookie Law presentation, Geldards
eBusiness Club  "Demystifying the EU Cookie Law presentation, GeldardseBusiness Club  "Demystifying the EU Cookie Law presentation, Geldards
eBusiness Club "Demystifying the EU Cookie Law presentation, Geldards
 
Unlock the potential of data security 2020
Unlock the potential of data security 2020Unlock the potential of data security 2020
Unlock the potential of data security 2020
 
It's More than Cloud - Digital Disruption - your business model is under thre...
It's More than Cloud - Digital Disruption - your business model is under thre...It's More than Cloud - Digital Disruption - your business model is under thre...
It's More than Cloud - Digital Disruption - your business model is under thre...
 
Data Acquisition and Control
Data Acquisition and Control Data Acquisition and Control
Data Acquisition and Control
 
The Notorious 9: Is Your Data Secure in the Cloud?
The Notorious 9: Is Your Data Secure in the Cloud?The Notorious 9: Is Your Data Secure in the Cloud?
The Notorious 9: Is Your Data Secure in the Cloud?
 
Presentation Deck Dec.pdf
Presentation Deck Dec.pdfPresentation Deck Dec.pdf
Presentation Deck Dec.pdf
 
Privacy Regulations and Your Digital Setup
Privacy Regulations and Your Digital SetupPrivacy Regulations and Your Digital Setup
Privacy Regulations and Your Digital Setup
 

Plus de Acquia

Taking Your Multi-Site Management at Scale to the Next Level
Taking Your Multi-Site Management at Scale to the Next LevelTaking Your Multi-Site Management at Scale to the Next Level
Taking Your Multi-Site Management at Scale to the Next Level
Acquia
 

Plus de Acquia (20)

Acquia_Adcetera Webinar_Marketing Automation.pdf
Acquia_Adcetera Webinar_Marketing Automation.pdfAcquia_Adcetera Webinar_Marketing Automation.pdf
Acquia_Adcetera Webinar_Marketing Automation.pdf
 
Acquia Webinar Deck - 9_13 .pdf
Acquia Webinar Deck - 9_13 .pdfAcquia Webinar Deck - 9_13 .pdf
Acquia Webinar Deck - 9_13 .pdf
 
Taking Your Multi-Site Management at Scale to the Next Level
Taking Your Multi-Site Management at Scale to the Next LevelTaking Your Multi-Site Management at Scale to the Next Level
Taking Your Multi-Site Management at Scale to the Next Level
 
CDP for Retail Webinar with Appnovation - Q2 2022.pdf
CDP for Retail Webinar with Appnovation - Q2 2022.pdfCDP for Retail Webinar with Appnovation - Q2 2022.pdf
CDP for Retail Webinar with Appnovation - Q2 2022.pdf
 
May Partner Bootcamp 2022
May Partner Bootcamp 2022May Partner Bootcamp 2022
May Partner Bootcamp 2022
 
April Partner Bootcamp 2022
April Partner Bootcamp 2022April Partner Bootcamp 2022
April Partner Bootcamp 2022
 
How to Unify Brand Experience: A Hootsuite Story
How to Unify Brand Experience: A Hootsuite Story How to Unify Brand Experience: A Hootsuite Story
How to Unify Brand Experience: A Hootsuite Story
 
Using Personas to Guide DAM Results: How Life Time Pumped Up Their UX and CX
Using Personas to Guide DAM Results: How Life Time Pumped Up Their UX and CXUsing Personas to Guide DAM Results: How Life Time Pumped Up Their UX and CX
Using Personas to Guide DAM Results: How Life Time Pumped Up Their UX and CX
 
Improve Code Quality and Time to Market: 100% Cloud-Based Development Workflow
Improve Code Quality and Time to Market: 100% Cloud-Based Development WorkflowImprove Code Quality and Time to Market: 100% Cloud-Based Development Workflow
Improve Code Quality and Time to Market: 100% Cloud-Based Development Workflow
 
September Partner Bootcamp
September Partner BootcampSeptember Partner Bootcamp
September Partner Bootcamp
 
August partner bootcamp
August partner bootcampAugust partner bootcamp
August partner bootcamp
 
July 2021 Partner Bootcamp
July  2021 Partner BootcampJuly  2021 Partner Bootcamp
July 2021 Partner Bootcamp
 
May Partner Bootcamp
May Partner BootcampMay Partner Bootcamp
May Partner Bootcamp
 
DRUPAL 7 END OF LIFE IS NEAR - MIGRATE TO DRUPAL 9 FAST AND EASY
DRUPAL 7 END OF LIFE IS NEAR - MIGRATE TO DRUPAL 9 FAST AND EASYDRUPAL 7 END OF LIFE IS NEAR - MIGRATE TO DRUPAL 9 FAST AND EASY
DRUPAL 7 END OF LIFE IS NEAR - MIGRATE TO DRUPAL 9 FAST AND EASY
 
Work While You Sleep: The CMO’s Guide to a 24/7/365 Lead Machine
Work While You Sleep: The CMO’s Guide to a 24/7/365 Lead MachineWork While You Sleep: The CMO’s Guide to a 24/7/365 Lead Machine
Work While You Sleep: The CMO’s Guide to a 24/7/365 Lead Machine
 
Acquia webinar: Leveraging Drupal to Bury Your Sales Team In B2B Leads
Acquia webinar: Leveraging Drupal to Bury Your Sales Team In B2B LeadsAcquia webinar: Leveraging Drupal to Bury Your Sales Team In B2B Leads
Acquia webinar: Leveraging Drupal to Bury Your Sales Team In B2B Leads
 
April partner bootcamp deck cookieless future
April partner bootcamp deck  cookieless futureApril partner bootcamp deck  cookieless future
April partner bootcamp deck cookieless future
 
How to enhance cx through personalised, automated solutions
How to enhance cx through personalised, automated solutionsHow to enhance cx through personalised, automated solutions
How to enhance cx through personalised, automated solutions
 
DRUPAL MIGRATIONS AND DRUPAL 9 INNOVATION: HOW PAC-12 DELIVERED DIGITALLY FOR...
DRUPAL MIGRATIONS AND DRUPAL 9 INNOVATION: HOW PAC-12 DELIVERED DIGITALLY FOR...DRUPAL MIGRATIONS AND DRUPAL 9 INNOVATION: HOW PAC-12 DELIVERED DIGITALLY FOR...
DRUPAL MIGRATIONS AND DRUPAL 9 INNOVATION: HOW PAC-12 DELIVERED DIGITALLY FOR...
 
Customer Experience (CX): 3 Key Factors Shaping CX Redesign in 2021
Customer Experience (CX): 3 Key Factors Shaping CX Redesign in 2021Customer Experience (CX): 3 Key Factors Shaping CX Redesign in 2021
Customer Experience (CX): 3 Key Factors Shaping CX Redesign in 2021
 

Dernier

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Dernier (20)

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 

Three Key Steps to Ensure Security Compliance with Drupal in the Cloud

  • 1. Three Key Steps to Ensure Security Compliance with Drupal in the Cloud Mike Lemire Jess Iandiorio Director of Information Sr. Director, Cloud Security Product Marketing January 29, 2012
  • 2. Webinar Audio Options • Audio will remain quiet until we begin at the top of the hour • Streaming Audio • Appears automatically in pop-up window • Or click Communicate : Join Audio Broadcast • Remember to unmute your computer • No Streaming Audio? • Request phone access Thank you for joining! • Technical Support The webinar will begin • US & Canada 866.229.3239 shortly. • International Support 408.435.7088
  • 3. Audio and Support Information • Audio will remain quiet until we begin at the top of the hour • Streaming Audio • Appears automatically in pop-up window • Or click Communicate : Join Audio Broadcast • Remember to unmute your computer • No Streaming Audio? • Request phone access • Technical Support • US & Canada 866.229.3239 Thank you for joining! • International Support 408.435.7088 We will begin shortly.
  • 4. Housekeeping • Slides and recording: posted in next 48 hours • Submit questions: Q&A Tab in WebEx • Twitter: @acquia - Hashtags: #acquia #drupal http://acquia.com/resources/recorded_webinars
  • 5. Upcoming Webinars • How to Create a Great Community Experience with Drupal • REI Shares Lessons Learned Helping Build Obama’ s OpenGov Vision • Acquia Partner Series: Building a Fault-Tolerant Cloud Infrastructu • How to Create a Personalized Web Experience Using Drupal • How to Ensure SQL Queries Don’t Slow Your Drupal Website http://acquia.com/resources/webinars
  • 6. Acquia is Hiring • Do you love working with http://acquia.com/careers Drupal? • Acquia is hiring in North America, Europe, and Australia! • Engineering • Design • Support • Operations • Client Advisors • Sales and Marketing
  • 7. Three Key Steps to Ensure Security Compliance with Drupal in the Cloud Mike Lemire Jess Iandiorio Director of Information Sr. Director, Cloud Security Product Marketing January 29, 2012
  • 8. Agenda Three Key Steps to Ensure Security Compliance with Drupal in the Cloud • Understand your compliance requirements • Develop and Manage your Drupal site in compliance • Leverage Drupal and a secure Drupal Platform like Acquia Cloud
  • 9. Understand your compliance requirements Major regulatory and compliance drivers: • US and International Privacy Regulations • E-commerce Regulations • Health Care Regulations
  • 10. Privacy Regulations A broad definition of personal information Personally identifiable information (PII): First and Last name in combination with: • Government ID (SS#, Drivers License, Passport) • Home address • Financial account numbers • Health care information
  • 11. Privacy Regulations by Country Applicable regulations: Where are your users and where is your data hosted? Source: http://heatmap.forrestertools.com/
  • 12. Privacy Regulations by Country http://www.informationshield.com/intprivacylaws.html Selected International Privacy Laws • Austria: Data Protection Act 2000, Austrian Federal Law Gazette part I No. 165/1999 • Australia: Privacy Act of 1988 • Belgium: Belgium Data Protection Law and Belgian Data Privacy Commission Privacy Blog • Bulgaria: The Bulgarian Personal Data Protection Act, was adopted on December 21, 2001 and entered into force on January 1, 2002. More information at the Bugarian Data Protection Authority • Canada: The Privacy Act - July 1983 Personal Information Protection and Electronic Data Act (PIPEDA) of 2000 (Bill C-6) • European Union: European Union Data Protection Directive of 1998 • EU Internet Privacy Law of 2002 (DIRECTIVE 2002/58/EC) • France: Data Protection Act of 1978 (revised in 2004) • Germany: Federal Data Protection Act of 2001 • Hungary: Act LXIII of 1992 on the Protection of Personal Data and the Publicity of Data of Public Interests (excerpts in English). • Ireland: Data Protection (Amendment) Act, Number 6 of 2003 • Japan: Personal Information Protection Law (Act) (Official English Translation) Law Summary from Jonesday Publishing • Japan: Law for the Protection of Computer Processed Data Held by Administrative Organs, December 1988. • Netherlands: Dutch Personal Data Protection Act 2000 as amended by Acts dated 5 April 2001, Bulletin of Acts, Orders and Decrees 180, 6 December 2001 • Singapore - The E-commerce Code for the Protection of Personal Information and Communications of Consumers of Internet Commerce. Other related Singapore Laws and E-commerce Laws . • Switzerland: The Federal Law on Data Protection of 1992 • Sweden: Personal Data Protection Act (1998:204), October 24, 1998 • United Kingdom: UK Data Protection Act 1998 Privacy and Electronic Communications (EC Directive) Regulations 2003 official text, and a consumer oriented site at the Information Commissioner's Office.
• 13. US Privacy Regulations
  http://www.informationshield.com/usprivacylaws.html
  • Children's Internet Protection Act of 2001 (CIPA)
  • Children's Online Privacy Protection Act of 1998 (COPPA)
  • Computer Fraud and Abuse Act of 1986 (CFAA): law summary; full text at Cornell
  • Federal Information Security Management Act (FISMA)
  • Federal Trade Commission Act (FTCA)
  • Electronic Communications Privacy Act of 1986 (ECPA)
  • Electronic Freedom of Information Act of 1996 (E-FOIA): discussion as it relates to the Freedom of Information Act
  • Fair Credit Reporting Act of 1999 (FCRA)
  • Family Education Rights and Privacy Act of 1974 (FERPA; also known as the Buckley Amendment)
  • Gramm-Leach-Bliley Financial Services Modernization Act of 1999 (GLBA)
  • Privacy Protection Act of 1980 (PPA): additional discussion at http://www.epic.org/privacy/ppa/
  • Right to Financial Privacy Act of 1978 (RFPA)
  • Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act)
• 14. Ensuring Privacy Compliance in your site
  How do I ensure privacy compliance at the Drupal layer?
  • Understand and read the privacy regulation applicable to your site
  • Meet the most stringent regulations, i.e. EU, MA 201 CMR 17.00
  General best practices:
  • Encrypt personal information in transit and at rest
    − Enable SSL/HTTPS for auth and any PII in transit
    − Leverage Drupal encryption modules to encrypt PII fields in the DB
      • Encrypted Settings Field http://drupal.org/project/encset
      • Field Encryption http://drupal.org/project/field_encrypt
  • Control access to personal information: authorized, need-to-know personnel only
    − Leverage Drupal user roles and permissions
    − http://drupal.org/node/22275
• 15. Ensuring Privacy Compliance in your site
  • Allow end users to modify or delete PII
  • Monitor for and notify in case of breach
  • Never sell or transfer PII to other entities without consent
  • Publish a Privacy Policy
    − Example: https://www.acquia.com/about-us/legal/privacy-policy
  • Secure your site with strong authentication for admin users
    − Leverage SSO: AD, LDAP
    − Enable 2-factor auth for admin users: http://groups.drupal.org/node/235938#comment-768208
    − Protect /admin to trusted networks using .htaccess
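The two .htaccess controls from slides 14 and 15 (HTTPS for anything carrying credentials or PII, and /admin reachable only from trusted networks), as an added Apache example that is not from the webinar, from Acquia or from Drupal's own .htaccess. It assumes a standard Drupal install at the web root with mod_rewrite enabled, Apache 2.2 or later, and a trusted office network of 203.0.113.0/24, which is a constructed placeholder from the documentation address range; the rules belong inside the `RewriteEngine On` section of Drupal's .htaccess, before Drupal's own rule that rewrites clean URLs to index.php.

```apache
# Added example (not part of the webinar or of Drupal's shipped .htaccess).
# Place inside the mod_rewrite section of Drupal's .htaccess, ahead of the
# "RewriteRule ^ index.php [L]" line, so these checks run first.

RewriteEngine On

# 1. Force HTTPS for every request, so logins and PII never travel in clear.
#    Behind a TLS-terminating load balancer, HTTPS is "off" at Apache, so the
#    X-Forwarded-Proto header is consulted as well.
RewriteCond %{HTTPS} off
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# 2. Only the trusted network may reach the administrative paths.
#    203.0.113.0/24 is a constructed placeholder; substitute your own range.
#    Both the clean URL (/admin/...) and the ?q=admin/... form are checked,
#    because Drupal serves the admin pages either way.
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.[0-9]+$
RewriteCond %{REQUEST_URI} ^/admin(/|$) [OR]
RewriteCond %{QUERY_STRING} (^|&)q=admin(/|%2F|&|$) [NC]
RewriteRule ^ - [F]
```

Two practical notes: the address check only means something when `REMOTE_ADDR` is the real client address, so behind a proxy or load balancer configure the proxy's client-address handling (for example mod_remoteip on Apache 2.4) rather than trusting a forwarded header as-is; and if Drupal lives in a subdirectory, prefix the `REQUEST_URI` pattern with that path. Restricting /admin by network is a second layer next to the strong authentication the slide asks for, not a replacement for it.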
• 16. eCommerce Regulations – PCI DSS
  PCI DSS - The Payment Card Industry Data Security Standard (PCI DSS) is a global security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.
  https://www.pcisecuritystandards.org/index.php
• 17. eCommerce Regulations – PCI DSS
  Determine PCI Compliance Level
  • PCI Compliance Level 1: Over 6 million CC transactions annually
  • PCI Compliance Level 2: 1-6 million CC transactions annually
  • PCI Compliance Level 3: 20,000 – 1 million CC transactions annually
  • PCI Compliance Level 4: less than 20,000 CC transactions annually
• 18. Ensuring PCI Compliance in your site
  PCI Compliance levels 2-4 must complete an annual self-assessment questionnaire called the PCI SAQ.
  4 versions of the SAQ:
  • A: Card-not-present (e-commerce or mail/telephone order) merchants, all cardholder data functions outsourced.
  • B: N/A
  • C: Merchants with payment application systems connected to the Internet, no cardholder data storage.
  • D: All other merchants not included in descriptions for SAQ A, B or C and all service providers defined by a payment brand as eligible to complete an SAQ.
  https://www.pcisecuritystandards.org/merchants/self_assessment_form.php#instructions
• 19. Ensuring PCI Compliance in your site
  Many ways to build a Drupal e-commerce site. These solutions are well tested and widely used:
  • Ubercart - a full fledged e-commerce system designed to "just work" out of the box. It offers the standard shopping cart features, integration with several payment and shipping quote services, and the ability to automate your order workflow without writing any code. Additional features can be added by dozens of related contributed modules, and with over 18,000 live sites and hundreds of users and contributors, you're bound to find support for the functionality you need.
  • e-Commerce - The most recent version is a trimmed down e-commerce API that defines the components you'll use to build the e-commerce functionality you need. The pool of contributors and users is relatively small compared to Ubercart, so you should feel comfortable doing some heavy lifting on your own and possibly Drupal module development if you go this route.
  • Commerce Guys - Commerce Kickstart is Drupal Commerce packed with features that make it more complete, faster to launch, and easier to administer. And like Drupal Commerce itself, it's free, supported by an active developer community.
  These solutions do not store CC data on your site.
  Source: http://commerceguys.com/blog/10-tips-e-commerce-drupal
• 20. Ensuring PCI Compliance in your site
  Conduct quarterly vulnerability scans of your site using an approved vulnerability scanner.
  Approved Scanners: https://www.pcisecuritystandards.org/approved_companies_providers/approved_scanning_vendors.php#
  Mitigate any findings (or validate false positives)
  * Acquia will soon provide this service
• 21. Health Care Data - HIPAA
  The Health Insurance Portability and Accountability Act (HIPAA) establishes national standards for electronic health care transactions and storage of Personal Health Information (PHI).
  The HIPAA Privacy Rule provides federal protections for personal health information and gives patients an array of rights with respect to that information. The Privacy Rule permits the disclosure of personal health information needed for patient care and other important purposes.
  The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic protected health information.
• 22. HIPAA Security Rule
  • Technical Safeguards
    – Leverage encryption for PHI in transit and at rest
    – Ensure data within the systems has not been changed or erased in an unauthorized manner
    – Enable strong authentication
    – Leverage Drupal roles and permissions to enforce role based access
  • Corporate controls including policies and procedures, security training and full documentation of the system design
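Slide 14 asks for PII fields to be encrypted in the database and slide 22 asks that stored PHI cannot be changed or erased without detection. One mechanism covers both: authenticated encryption of the field value, which is what the PHP example below does with AES-256-GCM. This is an added example, not code from the webinar, from Acquia, or from the Encrypted Settings Field or Field Encryption modules; it assumes PHP 7.1 or later with the openssl extension, a 32-byte data key supplied base64-encoded in a hypothetical `PII_FIELD_KEY` environment variable, and the function names `pii_load_key`, `pii_encrypt` and `pii_decrypt`, which are all invented here for illustration.

```php
<?php
// Added example, not code from the webinar, Acquia or the Drupal encryption
// modules on slide 14. A PII/PHI field value is stored under authenticated
// encryption (AES-256-GCM): unreadable at rest, and any unauthorized change
// to the stored bytes is detected on read. Requires PHP >= 7.1 with openssl.

declare(strict_types=1);

const PII_CIPHER  = 'aes-256-gcm';
const PII_FORMAT  = 'v1';   // hypothetical format tag, lets a later key rotate cleanly
const PII_IV_LEN  = 12;     // 96-bit GCM nonce
const PII_TAG_LEN = 16;     // 128-bit authentication tag

/** Load the 32-byte data key from the environment, never from the database it protects. */
function pii_load_key(): string
{
    // Assumption: the hosting platform injects PII_FIELD_KEY (base64) from a secret store.
    $b64 = getenv('PII_FIELD_KEY');
    $key = $b64 === false ? false : base64_decode($b64, true);
    if ($key === false || strlen($key) !== 32) {
        throw new RuntimeException('PII_FIELD_KEY must be a base64-encoded 32-byte key');
    }
    return $key;
}

/**
 * Encrypt one field value. $context (e.g. "user:42:ssn") is bound into the
 * authentication tag as associated data, so a ciphertext copied from one
 * record into another record's column will not decrypt.
 */
function pii_encrypt(string $plaintext, string $context, string $key): string
{
    $iv  = random_bytes(PII_IV_LEN);   // fresh nonce per encryption; never reuse one under the same key
    $tag = '';
    $ct  = openssl_encrypt($plaintext, PII_CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, $context, PII_TAG_LEN);
    if ($ct === false) {
        throw new RuntimeException('encryption failed: ' . openssl_error_string());
    }
    // The nonce and tag are not secret; the key is the only secret.
    return PII_FORMAT . ':' . base64_encode($iv . $tag . $ct);
}

/** Decrypt and verify. Returns null when the value was altered or belongs to a different record. */
function pii_decrypt(string $stored, string $context, string $key): ?string
{
    $parts = explode(':', $stored, 2);
    if (count($parts) !== 2 || $parts[0] !== PII_FORMAT) {
        return null;
    }
    $raw = base64_decode($parts[1], true);
    if ($raw === false || strlen($raw) < PII_IV_LEN + PII_TAG_LEN) {
        return null;
    }
    $iv  = substr($raw, 0, PII_IV_LEN);
    $tag = substr($raw, PII_IV_LEN, PII_TAG_LEN);
    $ct  = substr($raw, PII_IV_LEN + PII_TAG_LEN);
    $pt  = openssl_decrypt($ct, PII_CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, $context);
    return $pt === false ? null : $pt;   // false means the tag did not verify: fail closed
}

// ---- Demonstration with a constructed key and a constructed record ----------
putenv('PII_FIELD_KEY=' . base64_encode(random_bytes(32)));   // demo only; use a real secret store
$key = pii_load_key();

$stored = pii_encrypt('123-45-6789', 'user:42:ssn', $key);     // the value that goes into the DB column
echo "stored:    $stored\n";
echo "read back: " . pii_decrypt($stored, 'user:42:ssn', $key) . "\n";

// Flip one bit of the stored ciphertext, as an unauthorized change to the row would.
$raw = base64_decode(substr($stored, strlen(PII_FORMAT) + 1), true);
$raw[strlen($raw) - 1] = chr(ord($raw[strlen($raw) - 1]) ^ 0x01);
$tampered = PII_FORMAT . ':' . base64_encode($raw);
echo 'tampered:  ' . var_export(pii_decrypt($tampered, 'user:42:ssn', $key), true) . "\n";

// The same ciphertext attached to a different record is rejected as well.
echo 'moved:     ' . var_export(pii_decrypt($stored, 'user:7:ssn', $key), true) . "\n";
```

Running it prints the encrypted column value, the original social security number read back, and null for both the bit-flipped and the moved value, which is the integrity property slide 22 names. What the sketch leaves out is the hard part of doing this in production: key rotation and custody (a KMS or HSM rather than an environment variable), and the fact that an encrypted column cannot be searched or sorted directly, which is why the Drupal modules on slide 14 are typically applied to a small set of sensitive fields rather than to every column. Encryption at rest complements, and does not replace, HTTPS for data in transit.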
• 23. Leverage a secure Drupal Platform like Acquia Cloud
  Cloud Shared Responsibility Model
• 24. Leverage a secure Drupal Platform like Acquia Cloud
  Acquia Cloud provides platform security enabling you to build compliant Drupal web sites.
  • Physical security
  • Secure System Access Controls
  • OS and LAMP stack patching
  • Antivirus
  • SSL and HTTPS
  • Network Security
    − 3 layers of firewall
  • Host Intrusion Detection
  • OS layer vulnerability scanning
• 25. Leverage a secure Drupal Platform like Acquia Cloud
  Acquia Corporate Controls
  • Incident Response
  • Personnel Security
    − Security training including PII and HIPAA
    − Background checks
    − Role based access
  • Safe Harbor certified
  • Abides by all privacy regulations
• 26. Leverage a secure Drupal Platform like Acquia Cloud
  Transparent Control Environment
  • Annual SSAE16 SOC 1 audits
  • FISMA ATO (Moderate)
  • Cloud Security Alliance Security Trust and Assurance Registry listed: https://cloudsecurityalliance.org/star/registry/
• 27. Leverage a secure Drupal Platform like Acquia Cloud
  Acquia Cloud Platform PCI Compliance
  • PCI SAIC Completed
  • Certified vulnerability scans
  Compliance Roadmap:
  • FedRAMP
  • ISO 27001 certification
• 28. Leverage a secure Drupal Platform like Acquia Cloud
  Acquia Cloud - built on Amazon AWS
  • Annual SSAE16 SOC 1 audits
  • FISMA ATO (Moderate)
  • PCI Level 1 certified
  • Cloud Security Alliance Security Trust and Assurance Registry listed: https://cloudsecurityalliance.org/star/registry/
  • ISO 27001 certification
  Roadmap:
  • FedRAMP
• 29. Security Resources at Acquia
  • Extensive expertise to help you architect and plan your Drupal site
  • 11 members of the 40 member Drupal Security team
  • Professional Services Security Audit
• 30. Questions?
  • For more information visit: http://www.acquia.com
  • Contact us: sales@acquia.com or 888.9.ACQUIA
  • Follow us: @acquia
  • Comments welcome:
    • Mike.lemire@acquia.com
    • Jess.iandiorio@acquia.com
  Today's webinar recording will be posted to: http://acquia.com/resources/recorded_webinars