Three Key Steps to Ensure Security Compliance with Drupal in the Cloud
Mike Lemire, Director of Information Security
Jess Iandiorio, Sr. Director, Cloud Product Marketing
January 29, 2012
Housekeeping
• Slides and recording: posted in next 48 hours
• Submit questions: Q&A Tab in WebEx
• Twitter: @acquia
− Hashtags: #acquia #drupal
http://acquia.com/resources/recorded_webinars
Upcoming Webinars
• How to Create a Great Community Experience with Drupal
• REI Shares Lessons Learned Helping Build Obama’s OpenGov Vision
• Acquia Partner Series: Building a Fault-Tolerant Cloud Infrastructure for Drupal
• How to Create a Personalized Web Experience Using Drupal
• How to Ensure SQL Queries Don’t Slow Your Drupal Website
http://acquia.com/resources/webinars
Acquia is Hiring
• Do you love working with Drupal?
• Acquia is hiring in North America, Europe, and Australia!
• Engineering
• Design
• Support
• Operations
• Client Advisors
• Sales and Marketing
http://acquia.com/careers
Agenda
Three Key Steps to Ensure Security Compliance with Drupal in the Cloud
• Understand your compliance requirements
• Develop and Manage your Drupal site in compliance
• Leverage Drupal and a secure Drupal Platform like Acquia Cloud
Understand your compliance requirements
Major regulatory and compliance drivers:
• US and International Privacy Regulations
• E-commerce Regulations
• Health Care Regulations
A broad definition of personal information
Personally identifiable information (PII):
First and Last name in combination with:
• Government ID (SS#, Drivers License, Passport)
• Home address
• Financial account numbers
• Health care information
Privacy Regulations
Applicable regulations: Where are your users and where is your data hosted?
Privacy Regulations by Country
Source: http://heatmap.forrestertools.com/
http://www.informationshield.com/intprivacylaws.html
Selected International Privacy Laws
• Austria: Data Protection Act 2000, Austrian Federal Law Gazette part I No. 165/1999
• Australia: Privacy Act of 1988
• Belgium: Belgium Data Protection Law and Belgian Data Privacy Commission Privacy Blog
• Bulgaria: The Bulgarian Personal Data Protection Act was adopted on December 21, 2001 and entered into force on January 1, 2002. More information at the Bulgarian Data Protection Authority
• Canada: The Privacy Act - July 1983 Personal Information Protection and Electronic Data Act (PIPEDA) of 2000 (Bill C-6)
• European Union: European Union Data Protection Directive of 1998
• EU Internet Privacy Law of 2002 (DIRECTIVE 2002/58/EC)
• France: Data Protection Act of 1978 (revised in 2004)
• Germany: Federal Data Protection Act of 2001
• Hungary: Act LXIII of 1992 on the Protection of Personal Data and the Publicity of Data of Public Interests (excerpts in English).
• Ireland: Data Protection (Amendment) Act, Number 6 of 2003
• Japan: Personal Information Protection Law (Act) (Official English Translation); Law Summary from Jonesday Publishing
• Japan: Law for the Protection of Computer Processed Data Held by Administrative Organs, December 1988.
• Netherlands: Dutch Personal Data Protection Act 2000 as amended by Acts dated 5 April 2001, Bulletin of Acts, Orders and Decrees 180, 6 December 2001
• Singapore - The E-commerce Code for the Protection of Personal Information and Communications of Consumers of Internet Commerce. Other related Singapore Laws and E-commerce Laws .
• Switzerland: The Federal Law on Data Protection of 1992
• Sweden: Personal Data Protection Act (1998:204), October 24, 1998
• United Kingdom: UK Data Protection Act 1998 Privacy and Electronic Communications (EC Directive) Regulations 2003 official text, and a consumer oriented site at the Information Commissioner's Office.
Privacy Regulations by Country
http://www.informationshield.com/usprivacylaws.html
• Children's Internet Protection Act of 2001 (CIPA)
• Children's Online Privacy Protection Act of 1998 (COPPA)
• Computer Fraud and Abuse Act of 1986 (CFAA) law summary. Full text at Cornell
• Federal Information Security Management Act (FISMA)
• Federal Trade Commission Act (FTCA)
• Electronic Communications Privacy Act of 1986 (ECPA)
• Electronic Freedom of Information Act of 1996 (E-FOIA) Discussion as it related to the Freedom of Information Act.
• Fair Credit Reporting Act of 1999 (FCRA)
• Family Education Rights and Privacy Act of 1974 (FERPA; also known as the Buckley Amendment)
• Gramm-Leach-Bliley Financial Services Modernization Act of 1999 (GLBA)
• Privacy Protection Act of 1980 (PPA) - Additional discussion at http://www.epic.org/privacy/ppa/.
• Right to Financial Privacy Act of 1978 (RFPA)
• Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act)
US Privacy Regulations
How do I ensure privacy compliance at the Drupal layer?
• Understand and read the privacy regulation applicable to your site
• Meet the most stringent regulations, i.e. EU, MA 201 CMR 17.00
General best practices:
• Encrypt personal information in transit and at rest
− Enable SSL/HTTPS for auth and any PII in transit
− Leverage Drupal encryption modules to encrypt PII fields in the DB
• Encrypted Settings Field http://drupal.org/project/encset
• Field Encryption http://drupal.org/project/field_encrypt
• Control access to personal information to authorized need to know personnel
− Leverage Drupal user roles and permissions
− http://drupal.org/node/22275
Ensuring Privacy Compliance in your site
• Allow end users to modify or delete PII
• Monitor for and notify in case of breach
• Never sell, transfer PII to other entities without consent
• Publish a Privacy Policy
− Example: https://www.acquia.com/about-us/legal/privacy-policy
• Secure your site with strong authentication for admin users
− Leverage SSO: AD, LDAP
− Enable 2-factor auth for admin users: http://groups.drupal.org/node/235938#comment-768208
− Protect /admin to trusted networks using .htaccess
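One way to implement the last point, as an added example that is not from the slides or from Acquia: an Apache .htaccess fragment for a Drupal 7 docroot that answers 403 on /admin and /user/login unless the client comes from an allowed network. The IP ranges are placeholders (RFC 5737 documentation addresses) to replace with your own trusted networks, and the rules assume mod_rewrite is enabled, as Drupal's shipped .htaccess already requires.

```apache
# Added example (not from the slides): restrict Drupal admin paths by source IP.
# Place these directives in the Drupal docroot .htaccess, inside the existing
# <IfModule mod_rewrite.c> block and BEFORE Drupal's "RewriteRule ^ index.php"
# front-controller rule; otherwise the request is rewritten first and never matched.
RewriteEngine On

# Match the admin area and the login form with clean URLs (/admin/...) ...
RewriteCond %{REQUEST_URI} ^/(admin|user/login)(/|$) [NC,OR]
# ... or without clean URLs (index.php?q=admin/...).
RewriteCond %{QUERY_STRING} (^|&)q=(admin|user/login)(/|$|&) [NC]

# Allow-list of trusted networks (placeholder addresses from the RFC 5737
# documentation ranges; replace with your office, VPN or bastion addresses).
# Each condition below is ANDed with the (OR-combined) path match above.
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.[0-9]+$
RewriteCond %{REMOTE_ADDR} !^198\.51\.100\.42$

# An admin request from an untrusted address reaches this point:
# answer 403 Forbidden and stop processing further rules.
RewriteRule ^ - [F,L]
```

Behind a load balancer or CDN, REMOTE_ADDR is the proxy's address, so the allow-list must be evaluated against the forwarded client address (for example with mod_remoteip in Apache 2.4, or at the proxy itself). Note also that anonymous users can reach the login form at /user as well as /user/login, so include that path if the site has no end-user accounts.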
eCommerce Regulations – PCI DSS
PCI DSS - The Payment Card Industry Data Security Standard (PCI DSS) is a global security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.
https://www.pcisecuritystandards.org/index.php
Determine PCI Compliance Level
PCI Compliance Level 1: Over 6 million CC transactions annually
PCI Compliance Level 2: 1-6 million CC transactions annually
PCI Compliance Level 3: 20,000 – 1 million CC transactions annually
PCI Compliance Level 4: less than 20,000 CC transactions annually
eCommerce Regulations – PCI DSS
PCI Compliance levels 2-4 must complete an annual self-assessment questionnaire called the PCI SAQ
4 versions of the SAQ:
A: Card-not-present (e-commerce or mail/telephone order) merchants, all cardholder data functions outsourced.
B: N/A
C: Merchants with payment application systems connected to the Internet, no cardholder data storage.
D: All other merchants not included in descriptions for SAQ A, B or C and all service providers defined by a payment brand as eligible to complete an SAQ.
https://www.pcisecuritystandards.org/merchants/self_assessment_form.php#instructions
Ensuring PCI Compliance in your site
Many ways to build a Drupal e-commerce site. These solutions are well tested and widely used:
Ubercart - a full fledged e-commerce system designed to "just work" out of the box. It offers the standard shopping cart features, integration with several payment and shipping quote services, and the ability to automate your order workflow without writing any code. Additional features can be added by dozens of related contributed modules, and with over 18,000 live sites and hundreds of users and contributors, you're bound to find support for the functionality you need.
e-Commerce - The most recent version is a trimmed down e-commerce API that defines the components you'll use to build the e-commerce functionality you need. The pool of contributors and users is relatively small compared to Ubercart, so you should feel comfortable doing some heavy lifting on your own and possible Drupal module development if you go this route.
Commerce Guys - Commerce Kickstart is Drupal Commerce packed with features that make it more complete, faster to launch, and easier to administer. And like Drupal Commerce itself, it's free, supported by an active developer community.
These solutions do not store CC data on your site
Source: http://commerceguys.com/blog/10-tips-e-commerce-drupal
Conduct quarterly vulnerability scans of your site using an approved vulnerability scanner:
Approved Scanners:
https://www.pcisecuritystandards.org/approved_companies_providers/approved_scanning_vendors.php#
Mitigate any findings (or validate false positives)
* Acquia will soon provide this service
The Health Insurance Portability and Accountability Act (HIPAA) establishes national standards for electronic health care transactions and storage of Personal Health Information (PHI).
The HIPAA Privacy Rule provides federal protections for personal health information and gives patients an array of rights with respect to that information. The Privacy Rule permits the disclosure of personal health information needed for patient care and other important purposes.
The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic protected health information.
Health Care Data - HIPAA
HIPAA Security Rule
• Technical Safeguards – Leverage encryption for PHI in transit and at rest
• Ensure data within the systems has not been changed or erased in an unauthorized manner.
• Enable strong authentication.
• Leverage Drupal roles and permissions to enforce role based access.
• Corporate controls including policies and procedures, security training and full documentation of the system design.
Leverage a secure Drupal Platform like Acquia Cloud
Cloud Shared Responsibility Model
Acquia Cloud provides platform security enabling you to build compliant Drupal web sites.
• Physical security
• Secure System Access Controls
• OS and LAMP stack patching
• Antivirus
• SSL and HTTPS
• Network Security − 3 layers of firewall
• Host Intrusion Detection
• OS layer vulnerability scanning
Acquia Corporate Controls
• Incident Response
• Personnel Security
− Security training including PII and HIPAA
− Background checks
− Role based access
• Safe Harbor certified
• Abides by all privacy regulations
Transparent Control Environment
• Annual SSAE16 SOC 1 audits
• FISMA ATO (Moderate)
• Cloud Security Alliance Security Trust and Assurance Registry listed https://cloudsecurityalliance.org/star/registry/
Acquia Cloud Platform PCI Compliance
• PCI SAIC Completed
• Certified vulnerability scans
Compliance Roadmap:
• FedRAMP
• ISO 27001 certification
Acquia Cloud - built on Amazon AWS
• Annual SSAE16 SOC 1 audits
• FISMA ATO (Moderate)
• PCI Level 1 certified
• Cloud Security Alliance Security Trust and Assurance Registry listed https://cloudsecurityalliance.org/star/registry/
• ISO 27001 certification
Roadmap:
• FedRAMP
• Extensive expertise to help you architect and plan your Drupal site
• 11 members of the 40-member Drupal Security team
• Professional Services Security Audit
Security Resources at Acquia
• For more information visit: http://www.acquia.com
• Contact us: [email protected] or 888.9.ACQUIA
• Follow us: @acquia
• Comments welcome:
Today’s webinar recording will be posted to: http://acquia.com/resources/recorded_webinars
Questions?