1 of 17

Securing Data �in Drupal

2 of 17

Reasons to secure data

  • Recent high-profile breaches have shown that data security is more important than ever
  • Breaches have a significant and measurable impact on customers’ trust and spending habits
  • Risk management, along with meeting compliance, are the two main drivers for securing sensitive data
  • Financial cost of a data breach can be catastrophic
  • Many regulations say that if you have properly secured data, you are not financially responsible for a breach

3 of 17

What is considered sensitive data?

  • Credit card number
  • Passport number
  • Medical records
  • Student records
  • Social Security number
  • Email address
  • Phone number
  • Birth date

4 of 17

Regulatory compliance

  • PCI Data Security Standard (PCI DSS) for Merchants and Acquirers
  • HIPAA Data Security and HITECH ACT of 2009 for medical providers
  • GLBA / FFIEC for the financial industry
  • FISMA for US Government agencies
  • Federal Trade Commission (FTC) enforcement
  • State and proposed Federal Privacy Notification laws

5 of 17

What regulations have in common

Secure private information of individuals where name is combined with:

  • Credit card
  • Social security number
  • Drivers license
  • Other information (varies by state)

6 of 17

How to secure data

  • Apply security updates to Drupal core and contributed modules and themes
  • Set user permissions correctly
  • Avoid cross-site scripting and SQL injection vulnerabilities in custom code
  • Use https for all administrative access to site
  • Protect server access and use proper file permissions
  • Employ data encryption and keep keys safe

7 of 17

The importance of key management

  • Hackers don’t break encryption; they find your keys
  • There are standards and best practices for key management (NIST)
  • Compliance regulations (PCI, HIPAA, FISMA, etc.) require proper key management
  • Best practice is to store keys on a different server than the server the data is on
  • Even better: perform the encryption and decryption on another server, so the key is never transmitted

8 of 17

Key management vs. key storage

  • Key storage device only provides storage of the encryption key - you need to create the key elsewhere
  • Key management is responsible for managing keys through entire key lifecycle
  • Key generation
  • Pre-activation
  • Activation
  • Expiration
  • Post activation
  • Escrow
  • Destruction

9 of 17

General resources

  • Cracking Drupal (book by Greg Knaddison)�http://crackingdrupal.com/
  • Securing Your Site (page on Drupal.org)�https://www.drupal.org/security/secure-configuration
  • Security Review (contributed module)�https://www.drupal.org/project/security_review
  • PCI Compliance white paper�http://www.drupalpcicompliance.org

10 of 17

Encrypting data in Drupal

  • No native way to encrypt
  • Contributed modules provide encryption and decryption functionality
    • Encrypted Settings Field
    • AES Encryption
    • Encrypt

11 of 17

Encrypted Settings Field module

  • Adds a new field type
  • Won’t encrypt any other field types
  • Encryption methods
    • Mcrypt
    • Base64 (not really encryption)
  • Key is stored in settings.php or database
  • Limit on length of key
  • Not actively maintained

12 of 17

AES Encryption module

  • Provides API for developers and contributed modules
  • Encryption methods
    • Mcrypt
    • PHP Secure Library (phpseclib)
  • Key provider options
    • Database
    • File

13 of 17

Encrypt module

  • Provides API for developers and contributed modules to employ
  • Extensible via ctools plugins
  • Greg Knaddison, member of the Drupal Security Team, is a maintainer

14 of 17

Encrypt module

  • Included encryption methods
    • Basic (no extensions or libraries required)
    • PHP Secure Communications (phpseclib)
    • Mcrypt AES 256
  • Included key providers
    • Drupal Private Key (from database)
    • Variable in settings.php file
    • File, preferably outside of the web root

15 of 17

Townsend Security Key Connection

  • Contributed module that uses Encrypt’s plug-in system to add a new key provider and encryption method
  • Allows the key to be retrieved from an external server, where it can be managed properly
  • Allows encryption to be done on an external server

16 of 17

Townsend Security resources

  • Meeting Data Privacy Compliance Within the Drupal CMS�(http://townsendsecurity.com/sites/default/files/Drupal-Compliance.pdf)
  • What Data Needs to Be Encrypted in Drupal?�(http://info.townsendsecurity.com/white-paper-what-�data-needs-encrypted-drupal)
  • Drupal Developer Program�(http://townsendsecurity.com/drupal-developer)

17 of 17

Live Demos