Three Key Steps to Ensure Security Compliance with Drupal in the Cloud

Mike Lemire, Director of Information Security, January 29, 2012

Jess Iandiorio, Sr. Director, Cloud Product Marketing


Page 1: Three Key Steps to Ensure Security Compliance with Drupal in the Cloud

Three Key Steps to Ensure Security Compliance with Drupal in the Cloud

Mike Lemire, Director of Information Security, January 29, 2012

Jess Iandiorio, Sr. Director, Cloud Product Marketing

Page 2

Webinar Audio Options

• Audio will remain quiet until we begin at the top of the hour

• Streaming Audio
  − Appears automatically in pop-up window
  − Or click Communicate : Join Audio Broadcast
  − Remember to unmute your computer

• No Streaming Audio?
  − Request phone access

• Technical Support
  − US & Canada 866.229.3239
  − International Support 408.435.7088

Thank you for joining! The webinar will begin shortly.

Page 3

Audio and Support Information

• Audio will remain quiet until we begin at the top of the hour

• Streaming Audio
  − Appears automatically in pop-up window
  − Or click Communicate : Join Audio Broadcast
  − Remember to unmute your computer

• No Streaming Audio?
  − Request phone access

• Technical Support
  − US & Canada 866.229.3239
  − International Support 408.435.7088

Thank you for joining! We will begin shortly.

Page 4

Housekeeping

• Slides and recording: posted in next 48 hours

• Submit questions: Q&A Tab in WebEx

• Twitter: @acquia

  − Hashtags: #acquia #drupal

http://acquia.com/resources/recorded_webinars

Page 5

Upcoming Webinars

• How to Create a Great Community Experience with Drupal

• REI Shares Lessons Learned Helping Build Obama’s OpenGov Vision

• Acquia Partner Series: Building a Fault-Tolerant Cloud Infrastructure for Drupal

• How to Create a Personalized Web Experience Using Drupal

• How to Ensure SQL Queries Don’t Slow Your Drupal Website

http://acquia.com/resources/webinars

Page 6

Acquia is Hiring

• Do you love working with Drupal?

• Acquia is hiring in North America, Europe, and Australia!
  − Engineering
  − Design
  − Support
  − Operations
  − Client Advisors
  − Sales and Marketing

http://acquia.com/careers

Page 7

Three Key Steps to Ensure Security Compliance with Drupal in the Cloud

Mike Lemire, Director of Information Security, January 29, 2012

Jess Iandiorio, Sr. Director, Cloud Product Marketing

Page 8

Agenda

Three Key Steps to Ensure Security Compliance with Drupal in the Cloud

• Understand your compliance requirements

• Develop and Manage your Drupal site in compliance

• Leverage Drupal and a secure Drupal Platform like Acquia Cloud

Page 9

Understand your compliance requirements

Major regulatory and compliance drivers:

• US and International Privacy Regulations

• E-commerce Regulations

• Health Care Regulations

Page 10

A broad definition of personal information

Personally identifiable information (PII):

First and Last name in combination with:

• Government ID (SS#, Driver's License, Passport)

• Home address

• Financial account numbers

• Health care information

Privacy Regulations

Page 11

Applicable regulations: Where are your users and where is your data hosted?

Privacy Regulations by Country

Source: http://heatmap.forrestertools.com/

Page 12

http://www.informationshield.com/intprivacylaws.html

Selected International Privacy Laws

• Austria: Data Protection Act 2000, Austrian Federal Law Gazette part I No. 165/1999

• Australia: Privacy Act of 1988

• Belgium: Belgium Data Protection Law and Belgian Data Privacy Commission Privacy Blog

• Bulgaria: The Bulgarian Personal Data Protection Act was adopted on December 21, 2001 and entered into force on January 1, 2002. More information at the Bulgarian Data Protection Authority.

• Canada: The Privacy Act - July 1983 Personal Information Protection and Electronic Data Act (PIPEDA) of 2000 (Bill C-6)

• European Union: European Union Data Protection Directive of 1998

• EU Internet Privacy Law of 2002 (DIRECTIVE 2002/58/EC) 

• France: Data Protection Act of 1978 (revised in 2004)

• Germany: Federal Data Protection Act of 2001

• Hungary: Act LXIII of 1992 on the Protection of Personal Data and the Publicity of Data of Public Interests (excerpts in English).

• Ireland: Data Protection (Amendment) Act, Number 6 of 2003

• Japan: Personal Information Protection Law (Act) (Official English Translation); Law Summary from Jones Day Publishing

• Japan: Law for the Protection of Computer Processed Data Held by Administrative Organs, December 1988.

• Netherlands: Dutch Personal Data Protection Act 2000 as amended by Acts dated 5 April 2001, Bulletin of Acts, Orders and Decrees 180, 6 December 2001

• Singapore: The E-commerce Code for the Protection of Personal Information and Communications of Consumers of Internet Commerce. Other related Singapore Laws and E-commerce Laws.

• Switzerland: The Federal Law on Data Protection of 1992

• Sweden: Personal Data Protection Act (1998:204), October 24, 1998

• United Kingdom: UK Data Protection Act 1998 Privacy and Electronic Communications (EC Directive) Regulations 2003 official text, and a consumer oriented site at the Information Commissioner's Office.

Privacy Regulations by Country

Page 13

http://www.informationshield.com/usprivacylaws.html

• Children's Internet Protection Act of 2001 (CIPA)

• Children's Online Privacy Protection Act of 1998 (COPPA)

• Computer Fraud and Abuse Act of 1986 (CFAA) law summary. Full text at Cornell

• Federal Information Security Management Act (FISMA)

• Federal Trade Commission Act (FTCA)

• Electronic Communications Privacy Act of 1986 (ECPA)

• Electronic Freedom of Information Act of 1996 (E-FOIA) Discussion as it related to the Freedom of Information Act.

• Fair Credit Reporting Act of 1999 (FCRA)

• Family Education Rights and Privacy Act of 1974 (FERPA; also known as the Buckley Amendment)

• Gramm-Leach-Bliley Financial Services Modernization Act of 1999 (GLBA)

• Privacy Protection Act of 1980 (PPA) - Additional discussion at http://www.epic.org/privacy/ppa/.

• Right to Financial Privacy Act of 1978 (RFPA)

• Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act)

US Privacy Regulations

Page 14

How do I ensure privacy compliance at the Drupal layer?

• Understand and read the privacy regulation applicable to your site

• Meet the most stringent applicable regulations, e.g. EU, MA 201 CMR 17.00

General best practices:

• Encrypt personal information in transit and at rest
  − Enable SSL/HTTPS for auth and any PII in transit
  − Leverage Drupal encryption modules to encrypt PII fields in the DB
    • Encrypted Settings Field http://drupal.org/project/encset
    • Field Encryption http://drupal.org/project/field_encrypt

• Restrict access to personal information to authorized, need-to-know personnel
  − Leverage Drupal user roles and permissions
  − http://drupal.org/node/22275

Ensuring Privacy Compliance in your site

Page 15

• Allow end users to modify or delete PII

• Monitor for and notify in case of breach

• Never sell or transfer PII to other entities without consent

• Publish a Privacy Policy
  − Example: https://www.acquia.com/about-us/legal/privacy-policy

• Secure your site with strong authentication for admin users
  − Leverage SSO: AD, LDAP
  − Enable 2-factor auth for admin users: http://groups.drupal.org/node/235938#comment-768208
  − Protect /admin to trusted networks using .htaccess

Ensuring Privacy Compliance in your site
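As an added example (not from the slides or from Acquia), the two .htaccess rules behind the bullets above: forcing HTTPS on the login and admin paths (slide 14) and limiting /admin to trusted networks (slide 15). It assumes a Drupal site served by Apache with mod_rewrite and clean URLs; the IP ranges are constructed placeholders, and the X-Forwarded-* headers are only meaningful when a trusted load balancer sets them.

```apache
# Added example, not from the slides: two mod_rewrite rules for a Drupal
# .htaccess. Drupal serves clean URLs through index.php, so /admin is not a
# real directory and <Directory>/<Files> blocks do not apply; match the
# request path with RewriteCond instead. Put these lines ahead of Drupal's
# own "RewriteRule ^ index.php [L]" so they are evaluated first.
RewriteEngine On

# 1. Force HTTPS for the login and admin paths (the slide's "SSL/HTTPS for
#    auth"). Behind a load balancer that terminates TLS, HTTPS is "off" on
#    the web node, so also accept the proxy's X-Forwarded-Proto header; trust
#    it only if the proxy sets or overwrites it on every request, because a
#    client can send the header itself.
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP:X-Forwarded-Proto} !=https
RewriteCond %{REQUEST_URI} ^/(admin|user)(/|$)
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# 2. Restrict /admin to trusted networks. Both the clean-URL form and the
#    ?q= fallback (clean URLs disabled) are matched. The ranges below are
#    constructed placeholders from the documentation blocks 203.0.113.0/24
#    and 198.51.100.0/24; replace them with your office/VPN ranges. Behind a
#    proxy REMOTE_ADDR is the proxy's address, so the client IP has to come
#    from a header the proxy is trusted to set (e.g. X-Forwarded-For).
RewriteCond %{REQUEST_URI} ^/admin(/|$) [OR]
RewriteCond %{QUERY_STRING} (^|&)q=admin(/|&|$)
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.[0-9]+$
RewriteCond %{REMOTE_ADDR} !^198\.51\.100\.[0-9]+$
RewriteRule ^ - [F,L]
```

After deploying, verify from an untrusted address that /admin returns 403 and that a plain-HTTP request to /user/login is redirected to HTTPS before any credentials are sent.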

Page 16

eCommerce Regulations – PCI DSS

PCI DSS - The Payment Card Industry Data Security Standard (PCI DSS) is a global security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.

https://www.pcisecuritystandards.org/index.php

Page 17

Determine PCI Compliance Level

PCI Compliance Level 1: Over 6 million CC transactions annually

PCI Compliance Level 2: 1-6 million CC transactions annually

PCI Compliance Level 3: 20,000 – 1 million CC transactions annually

PCI Compliance Level 4: less than 20,000 CC transactions annually

eCommerce Regulations – PCI DSS

Page 18

PCI Compliance levels 2-4 must complete an annual self-assessment questionnaire called the PCI SAQ

4 versions of the SAQ:

A: Card-not-present (e-commerce or mail/telephone order) merchants, all cardholder data functions outsourced. 

B: N/A

C: Merchants with payment application systems connected to the Internet, no cardholder data storage.

D: All other merchants not included in descriptions for SAQ A, B or C and all service providers defined by a payment brand as eligible to complete an SAQ. 

https://www.pcisecuritystandards.org/merchants/self_assessment_form.php#instructions

Ensuring PCI Compliance in your site

Page 19

There are many ways to build a Drupal e-commerce site. These solutions are well tested and widely used:

Ubercart - a full fledged e-commerce system designed to "just work" out of the box. It offers the standard shopping cart features, integration with several payment and shipping quote services, and the ability to automate your order workflow without writing any code. Additional features can be added by dozens of related contributed modules, and with over 18,000 live sites and hundreds of users and contributors, you're bound to find support for the functionality you need.

e-Commerce - The most recent version is a trimmed down e-commerce API that defines the components you'll use to build the e-commerce functionality you need. The pool of contributors and users is relatively small compared to Ubercart, so you should feel comfortable doing some heavy lifting on your own and possibly Drupal module development if you go this route.

Commerce Guys - Commerce Kickstart is Drupal Commerce packed with features that make it more complete, faster to launch, and easier to administer. And like Drupal Commerce itself, it's free, supported by an active developer community.

These solutions do not store CC data on your site

Source: http://commerceguys.com/blog/10-tips-e-commerce-drupal

Ensuring PCI Compliance in your site

Page 20

Conduct quarterly vulnerability scans of your site using an approved vulnerability scanner:

Approved Scanners:

https://www.pcisecuritystandards.org/approved_companies_providers/approved_scanning_vendors.php#

Mitigate any findings (or validate false positives)

* Acquia will soon provide this service

Ensuring PCI Compliance in your site

Page 21

The Health Insurance Portability and Accountability Act (HIPAA) establishes national standards for electronic health care transactions and storage of Personal Health Information (PHI). 

The HIPAA Privacy Rule provides federal protections for personal health information and gives patients an array of rights with respect to that information. The Privacy Rule permits the disclosure of personal health information needed for patient care and other important purposes. 

The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic protected health information. 

Health Care Data - HIPAA

Page 22

HIPAA Security Rule

• Technical Safeguards – Leverage encryption for PHI in transit and at rest

• Ensure data within the systems has not been changed or erased in an unauthorized manner.

• Enable strong authentication.

• Leverage Drupal roles and permissions to enforce role based access.

• Corporate controls including policies and procedures, security training and full documentation of the system design.

Page 23

Leverage a secure Drupal Platform like Acquia Cloud

Cloud Shared Responsibility Model

Page 24

Acquia Cloud provides platform security enabling you to build compliant Drupal web sites.

• Physical security

• Secure System Access Controls

• OS and LAMP stack patching

• Antivirus

• SSL and HTTPS

• Network Security
  − 3 layers of firewall

• Host Intrusion Detection

• OS layer vulnerability scanning

Leverage a secure Drupal Platform like Acquia Cloud

Page 25

Acquia Corporate Controls

• Incident Response

• Personnel Security
  − Security training including PII and HIPAA
  − Background checks
  − Role based access

• Safe Harbor certified

• Abides by all privacy regulations

Leverage a secure Drupal Platform like Acquia Cloud

Page 26

Transparent Control Environment

• Annual SSAE16 SOC 1 audits

• FISMA ATO (Moderate)

• Cloud Security Alliance Security Trust and Assurance Registry listed https://cloudsecurityalliance.org/star/registry/

Leverage a secure Drupal Platform like Acquia Cloud

Page 27

Acquia Cloud Platform PCI Compliance

• PCI SAIC Completed

• Certified vulnerability scans

Leverage a secure Drupal Platform like Acquia Cloud

Compliance Roadmap:

• FedRAMP

• ISO 27001 certification

Page 28

Acquia Cloud - built on Amazon AWS

• Annual SSAE16 SOC 1 audits

• FISMA ATO (Moderate)

• PCI Level 1 certified

• Cloud Security Alliance Security Trust and Assurance Registry listed https://cloudsecurityalliance.org/star/registry/

• ISO 27001 certification

Roadmap:

• FedRAMP

Leverage a secure Drupal Platform like Acquia Cloud

Page 29

• Extensive expertise to help you architect and plan your Drupal site

• 11 of the 40 members of the Drupal Security Team

• Professional Services Security Audit

Security Resources at Acquia

Page 30

• For more information visit: http://www.acquia.com

• Contact us: [email protected] or 888.9.ACQUIA

• Follow us: @acquia

• Comments welcome:

[email protected]

[email protected]

Today’s webinar recording will be posted to: http://acquia.com/resources/recorded_webinars

Questions?