Drupal-based defense-in-depth strategy protects data
- By Todd Akers
- Aug 28, 2014
In medieval times, an intricate combination of towers, drawbridges, city walls, moats and harbors protected castles from all fronts. This intricate system provided an effective and layered defense from potential threats.
As the federal government seeks ways to contain and manage massive influxes of data, IT managers are taking pages out of the medieval defense rulebook by adopting “defense-in-depth” strategies that use complex, multi-layered approaches to information security. With defense-in-depth, federal IT managers use holistic strategies to analyze and identify potential threat vectors, including internal and external threats. In the process, they can secure their defenses as if they were leading the king’s protection forces.
Federal IT managers are practicing defense-in-depth while using open source software like Drupal for web development and content management. In fact, hundreds of federal sites – all of which demand a high level of security – are powered by Drupal.
Drupal offers a firm foundation for the strategy specifically because it is open source software that enjoys the support of a global community. Tens of thousands of users regularly review and scan the code, which strengthens the core APIs and mitigates common vulnerability classes before they reach production sites. Further, the software is backed by a dedicated Drupal Security Team of experienced web security practitioners who receive private reports, assess and evaluate them, and coordinate the fix and the public advisory.
With Drupal as the foundation, agencies’ IT managers can integrate a wide range of tactics that will help them build a well-fortified defense-in-depth approach. And while the following tactics are Drupal-specific, most can be applied to virtually any content management system (CMS).
Carefully manage and audit roles and permissions. A recent report from Forrester Research indicated that insider threats are a leading cause of data breaches. Edward Snowden comes to mind, but there have been insiders behind breaches in both the public and private sectors, such as the disgruntled ex-employee who still has network access and creates havoc by compromising critical information. Given this, the first question that should be asked when considering a defense-in-depth strategy is, “Who should I trust?”
It’s a great question, especially when it comes to a CMS, because CMS administrative rights may not be managed as carefully as those of other government systems, or may simply be harder to manage. Many CMSes are handled by contractors, who tend to come and go over time. Given that turnover, CMS permissions need to be reviewed continually, and accounts disabled promptly, to ensure that only appropriate users still have access. This is a significant logistical challenge, but it’s a factor that federal IT managers will not want to overlook.
Follow the principle of least privilege. Administrators should grant users the minimum access their function requires. For example, content contributors may only be able to reach the tools that let them create content and edit their own work, while editors might have more leeway and be granted the ability to create, publish and revise anyone’s content. Developers, meanwhile, may have no rights over the content at all, but the ability to add or remove modules, make architectural changes and so forth. Full control over the site should be confined to as few accounts as possible, and every administrative action on those accounts should be logged and audited, so that an administrator only does what he is supposed to do. In Drupal the built-in first user account (user 1) bypasses permission checks entirely, so it should be reserved for emergencies rather than day-to-day work, and permissions such as “administer permissions” or “administer users” should be treated as equivalent to full administrator access, because anyone holding them can grant themselves the rest.
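The role audit the two preceding paragraphs call for is easy to automate. The following is an added example, not code from the article or from the Drupal project: it takes rows shaped like Drupal 7’s role_permission table (role id, permission name, owning module), compares each role’s grants against an intended access matrix for the contributor/editor/developer split described above, and also reports which roles hold admin-equivalent permissions, which answers the “who should I trust?” question. The role names, the matrix and the sample rows are constructed for illustration; the permission strings themselves are real Drupal 7 core permission names.

```python
"""Least-privilege audit of Drupal 7 role permissions (added example)."""
from collections import defaultdict

# Permissions that amount to full control of a Drupal 7 site: a role holding any
# of these should be trusted exactly as much as the administrator role.
ADMIN_EQUIVALENT = {
    "administer permissions",        # can grant itself anything else
    "administer users",              # can take over any account, including admins
    "administer modules",            # can enable arbitrary code
    "administer site configuration",
    "bypass node access",
}

# Intended access matrix (assumption for this example). None means the role is
# deliberately unrestricted and is audited by headcount, not by permission list.
ALLOWED = {
    "anonymous user": {"access content"},
    "authenticated user": {"access content"},
    "contributor": {"access content", "create article content",
                    "edit own article content"},
    "editor": {"access content", "create article content", "edit own article content",
               "edit any article content", "delete any article content"},
    "developer": {"access content", "administer modules",
                  "administer site configuration"},
    "administrator": None,
}

# Constructed sample: role ids and role_permission rows (rid, permission, module).
ROLE_NAMES = {1: "anonymous user", 2: "authenticated user", 3: "administrator",
              4: "contributor", 5: "editor", 6: "developer"}
SAMPLE_ROWS = [
    (1, "access content", "node"),
    (2, "access content", "node"),
    (3, "administer permissions", "user"),
    (4, "access content", "node"),
    (4, "create article content", "node"),
    (4, "edit own article content", "node"),
    (4, "edit any article content", "node"),   # drift: contributor can edit others' work
    (5, "access content", "node"),
    (5, "create article content", "node"),
    (5, "edit any article content", "node"),
    (5, "administer users", "user"),            # drift: admin-equivalent grant on an editor
    (6, "administer modules", "system"),
    (6, "administer site configuration", "system"),
]


def permissions_by_role(rows, role_names=ROLE_NAMES):
    """Group permission names by role name; unknown rids are reported as 'rid N'."""
    grants = defaultdict(set)
    for rid, perm, _module in rows:
        grants[role_names.get(rid, "rid %d" % rid)].add(perm)
    return grants


def audit(rows, role_names=ROLE_NAMES, allowed=ALLOWED):
    """Return sorted (role, permission, reason) tuples for grants outside the matrix."""
    findings = []
    for role, perms in permissions_by_role(rows, role_names).items():
        if role in allowed and allowed[role] is None:
            continue                       # unrestricted by design; audit its membership instead
        allowed_perms = allowed.get(role, set())   # roles not in the matrix may hold nothing
        for perm in sorted(perms):
            if perm in allowed_perms:
                continue
            reason = ("admin-equivalent permission not in the intended matrix"
                      if perm in ADMIN_EQUIVALENT
                      else "permission not in the intended matrix")
            findings.append((role, perm, reason))
    return sorted(findings)


def admin_equivalent_roles(rows, role_names=ROLE_NAMES):
    """Every role that must be trusted like an administrator, whether intended or not."""
    return {role for role, perms in permissions_by_role(rows, role_names).items()
            if perms & ADMIN_EQUIVALENT}


if __name__ == "__main__":
    for role, perm, reason in audit(SAMPLE_ROWS):
        print("%-12s %-32s %s" % (role, perm, reason))
    print("roles with admin-equivalent power:", sorted(admin_equivalent_roles(SAMPLE_ROWS)))
```

Run against a real site, the rows would come from a dump of the role_permission table (or from the Drush role commands), and the "authenticated user" grants deserve a second look because every other role in Drupal 7 inherits them.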
Be careful with contributed modules. Add-on modules may not be as secure as Drupal core. Created and contributed by the wider community to extend Drupal’s functionality, they are not typically held to the security standards of core, and they undergo less widespread testing and review.
Fortunately, the Drupal community is continually on watch for potential module security issues and reacts quickly when one is discovered. In addition to developing patches, the Security Team publishes security advisories with details of the threat, affected versions and the fix. This information is shared via a number of channels, including the Drupal.org website, community forums, social media and mailing lists, so that details on security issues reach administrators in a timely and accessible manner. One caveat: advisories are issued for stable releases of contributed projects, so a site running development snapshots of a module cannot count on an advisory and must track that module’s issue queue itself.
While it’s nice to have the community on top of potential module issues, administrators should continue to take their own precautions. That means regular internal audits of which modules are enabled and who has permission to manage them, removing modules that are no longer needed, and rigorous testing of the ones that remain.
Test updates before putting them into production. Before making an update live, apply it to a staging copy of the site and verify that the site still works properly. Administrators can do this with their own test procedures, or they can draw on community tools such as the Site Audit module, which reports on a site’s configuration and health.
Stay informed of security releases and CMS updates. Like a watchman on a castle wall, administrators must remain vigilant. That means keeping up to date with the latest security releases and updates for every piece of software they run, core and contributed modules alike. Drupal’s Update manager module checks Drupal.org automatically for new releases of the projects a site has installed and can e-mail administrators when one is available; subscribing to the security advisory mailing list on Drupal.org closes the remaining gap.
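Drupal’s Update manager performs the check described in the two sections above (contributed modules and security releases) inside the site. The following is an added example, not the article’s or Drupal’s own code: it reproduces the core of that check in plain Python so it can run offline, for instance as a gate in a deployment script. It parses a feed in the shape of Drupal.org’s release-history XML, and decides whether the installed version of a project is behind a release marked “Security update”. The feed below is a constructed sample for a hypothetical project called “example_module”; its version numbers and release types are invented for illustration and do not correspond to any real advisory.

```python
"""Compare an installed Drupal 7 project version against a release-history feed (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a release-history feed. Hypothetical project,
# hypothetical versions; nothing here refers to a real release or advisory.
SAMPLE_FEED = """<project xmlns:dc="http://purl.org/dc/elements/1.1/">
  <title>Example module</title>
  <short_name>example_module</short_name>
  <api_version>7.x</api_version>
  <recommended_major>1</recommended_major>
  <project_status>published</project_status>
  <releases>
    <release>
      <version>7.x-1.3</version>
      <status>published</status>
      <terms><term><name>Release type</name><value>Bug fixes</value></term></terms>
    </release>
    <release>
      <version>7.x-1.2</version>
      <status>published</status>
      <terms><term><name>Release type</name><value>Security update</value></term></terms>
    </release>
    <release>
      <version>7.x-1.1</version>
      <status>published</status>
      <terms><term><name>Release type</name><value>New features</value></term></terms>
    </release>
    <release>
      <version>7.x-1.x-dev</version>
      <status>published</status>
      <terms><term><name>Release type</name><value>Bug fixes</value></term></terms>
    </release>
  </releases>
</project>
"""

# Matches contrib versions such as "7.x-1.2" and core versions such as "7.28".
# Development snapshots ("7.x-1.x-dev") deliberately do not match.
VERSION_RE = re.compile(r"^(?:\d+\.x-)?(\d+)\.(\d+)$")


def version_key(version):
    """(major, patch) for a stable version string, or None for a dev snapshot."""
    m = VERSION_RE.match(version or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def parse_releases(xml_text):
    """Published, stable releases from the feed, oldest first, with their release types."""
    root = ET.fromstring(xml_text)
    releases = []
    for rel in root.iter("release"):
        if rel.findtext("status") != "published":
            continue
        version = rel.findtext("version")
        key = version_key(version)
        if key is None:
            continue  # dev snapshots carry no security status of their own
        types = {t.findtext("value") for t in rel.iter("term")
                 if t.findtext("name") == "Release type"}
        releases.append({"version": version, "key": key, "types": types})
    return sorted(releases, key=lambda r: r["key"])


def check_project(xml_text, installed):
    """Classify the installed version against the feed.

    status is one of: current, update-available, security-update-required, dev-snapshot.
    missing_security lists every newer release the feed marks as a security update.
    """
    installed_key = version_key(installed)
    if installed_key is None:
        # A -dev snapshot cannot be compared and is not covered by advisories: treat as a finding.
        return {"installed": installed, "latest": None, "status": "dev-snapshot",
                "missing_security": []}
    releases = parse_releases(xml_text)
    newer = [r for r in releases if r["key"] > installed_key]
    missing = [r["version"] for r in newer if "Security update" in r["types"]]
    if missing:
        status = "security-update-required"
    elif newer:
        status = "update-available"
    else:
        status = "current"
    return {"installed": installed, "latest": releases[-1]["version"] if releases else None,
            "status": status, "missing_security": missing}


if __name__ == "__main__":
    for v in ("7.x-1.1", "7.x-1.2", "7.x-1.3", "7.x-1.x-dev"):
        print(check_project(SAMPLE_FEED, v))
```

In a deployment pipeline the feed would be fetched per project from Drupal.org and the installed version read from each module’s .info file; any result other than “current” or “update-available” should block the release until the update has been tested in staging.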
Federal IT administrators are the lords of the data they are charged with managing. As such, they must oversee every aspect of that maintenance. That includes protecting the confidentiality, integrity and availability of the data at all times. As in medieval times, the best way to ensure security is in place is through a concerted, fully formed defense-in-depth strategy.