Drupal-based defense-in-depth strategy protects data

With open-source Drupal as the foundation of a defense-in-depth strategy, agency IT managers can analyze and identify potential threat vectors, including internal and external threats.

In medieval times, an intricate combination of towers, drawbridges, city walls, moats and harbors protected castles from all fronts. This intricate system provided an effective and layered defense from potential threats.

As the federal government seeks ways to contain and manage massive influxes of data, IT managers are taking pages out of the medieval defense rulebook by adopting “defense-in-depth” strategies that use complex, multi-layered approaches to information security. With defense-in-depth, federal IT managers use holistic strategies to analyze and identify potential threat vectors, including internal and external threats. In the process, they can secure their defenses as if they were leading the king’s protection forces.

Federal IT managers are practicing defense-in-depth while using open source software like Drupal for web development and content management. In fact, hundreds of federal sites – all of which demand a high level of security – are powered by Drupal.

Drupal offers a firm foundation for the strategy, specifically because it uses open source software that enjoys the support of a global community. This includes tens of thousands of users who regularly engage in peer reviews and vulnerability scanning, resulting in increased reliability and strengthening of core APIs and mitigation of common vulnerabilities. Further, the software is backed by a global team of some of the world’s leading web security experts who are always on-call and available to assess, evaluate and address issues.

With Drupal as the foundation, agencies’ IT managers can integrate a wide range of tactics that will help them build a well-fortified defense-in-depth approach. And while the following tactics are Drupal-specific, most can be applied to virtually any content management system (CMS).

Carefully manage and audit roles and permissions. A recent report from Forrester Research indicated that insider threats are a leading cause of data breaches. Edward Snowden comes to mind, but there have been insiders behind breaches in both the public and private sectors, such as the disgruntled ex-employee who still has network access and creates havoc by compromising critical information. Given this, the first question that should be asked when considering a defense-in-depth strategy is, “Who should I trust?”

It’s a great question, especially when it comes to a CMS. That’s because CMS administrative rights may not be managed as carefully as those of other government systems, or may simply be harder to manage. Many CMSes are handled by contractors, who tend to come and go over time. Given that type of turnover, CMS permissions may need to be continually monitored or changed to ensure that only appropriate users have access to the system. This can be a significant logistical challenge, but it’s an important factor that federal IT managers will not want to overlook.

Follow the principle of least privilege. Administrators should provide the minimal amount of access to users based on their functional requirements. For example, content contributors may only be able to access the tools that allow them to create and publish content, while editors might have more leeway and be granted the ability to create, publish and revise. Developers, meanwhile, may not have access rights to any of the content, but the ability to add or delete modules, make architectural changes and so forth. A single administrator could be granted full control over the site, but only with certain restrictions. In such cases, administrative actions should also be audited, ensuring that the administrator only does what he is supposed to do.

Be careful with web modules. Add-on web modules may not be as secure as the Drupal core. Created and contributed by the overall community to extend the functionality of Drupal core, modules are not typically held to the high security standards of Drupal core, and they may undergo less widespread testing and review.

Fortunately, the Drupal community is continually on watch for potential module security issues and is quick to react when any might be discovered. In addition to developing patches, the community also shares information through security advisories, details on threats, suggested fixes and more. This information is shared via a number of channels, including the Drupal.org website, community forums, social media and mailing lists, ensuring details on security issues are disseminated in a timely and accessible manner.

While it’s nice to have the community on top of potential web module issues, administrators should continue to take their own precautions. This includes regular internal audits of who has permission to manage specific modules, and rigorous testing.
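The least-privilege split described above (contributors, editors, developers, one audited administrator) and the permission audits recommended here can be turned into a repeatable check. The script below is an added example, not code from the article or from the Drupal project; it audits the `is_admin` flag and `permissions` list that Drupal writes to its exported `user.role.<id>.yml` files, with the role names, the approved matrix and the sample grants all constructed for the illustration (a real run would load the exported YAML instead of the inline dict).

```python
"""Least-privilege audit of exported Drupal role configuration (added example).
Input mirrors the ``is_admin`` and ``permissions`` fields of Drupal's exported
``user.role.<id>.yml`` files; role names and grants are constructed samples."""

# Constructed sample: the relevant fields of five exported user.role.*.yml files.
EXPORTED_ROLES = {
    "content_contributor": {"is_admin": False, "permissions": [
        "access content", "create article content", "edit own article content"]},
    "editor": {"is_admin": False, "permissions": [
        "access content", "create article content", "edit any article content",
        "revert article revisions", "administer users"]},  # excess: user admin
    "developer": {"is_admin": False, "permissions": [
        "access administration pages", "administer modules",
        "administer site configuration"]},
    "administrator": {"is_admin": True, "permissions": []},
    "legacy_contractor": {"is_admin": True, "permissions": []},  # stale role
}

# Approved matrix: the article's contributor / editor / developer split. The
# single administrator is covered by the is_admin check, not by a grant list.
APPROVED = {
    "content_contributor": {"access content", "create article content",
                            "edit own article content"},
    "editor": {"access content", "create article content",
               "edit any article content", "revert article revisions"},
    "developer": {"access administration pages", "administer modules",
                  "administer site configuration"},
    "administrator": set(),
}

# Permissions that hand over control of the whole site: an excess grant of one
# of these is rated high, any other excess grant medium.
HIGH_RISK = {"administer modules", "administer permissions",
             "administer users", "administer site configuration"}


def audit_roles(roles, approved, admin_role="administrator"):
    """Return (role, permission, severity, reason) for every deviation found."""
    findings = []
    for role_id, cfg in sorted(roles.items()):
        # is_admin bypasses every permission check, so only one role may carry it.
        if cfg.get("is_admin") and role_id != admin_role:
            findings.append((role_id, "is_admin", "high", "unexpected full-control role"))
        if role_id not in approved:
            findings.append((role_id, "*", "high", "role missing from approved matrix"))
            continue
        for perm in sorted(set(cfg["permissions"]) - approved[role_id]):
            severity = "high" if perm in HIGH_RISK else "medium"
            findings.append((role_id, perm, severity, "not required for this role"))
    return findings
```

On the constructed sample the audit reports the editor's stray `administer users` grant and the stale `legacy_contractor` role that still carries `is_admin`, which is exactly the contractor-turnover case the text warns about.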

Test web updates before putting them into production. Before making an update live, test it to make sure it’s running properly. Users can do this via their own methods, or they can rely on third-party testing solutions, such as Drupal’s Site Audit module.

Stay informed of security releases and CMS updates. Like a watchman on a castle wall, administrators must remain vigilant. That means keeping up to date with the latest security releases and updates for any software they might be using. A great way to stay informed is through Drupal.org, where users can automatically check for and download updates.

Federal IT administrators are the lords of the data they are charged with managing. As such, they must oversee every aspect of that maintenance. That includes protecting the confidentiality, integrity and availability of the data at all times. As in medieval times, the best way to ensure security is in place is through a concerted, fully formed defense-in-depth strategy.
