By: Harshit
September 18 2018

Tips on your Drupal Website's Data Security Strategy

Nobody wants a data breach: it means financial loss, damage to the brand, loss of customer information and customer trust, and missed business opportunities. Drupal as a CMS is backed by a dedicated security team that publishes advisories and fixes, and it is trusted in enterprise deployments with strict security requirements. The catch is that none of this helps unless you pay attention to security from the very beginning of a project and keep it in line throughout. Data is the most valuable asset a business owns these days.

Image containing file cabinets to represent datasets.

No Data is Trivial 

Drupal developers are sometimes unaware of which data matters most. It is not only credit card numbers or a place of birth, and developers often fail to prioritise protection for the less obvious data types. Personally Identifiable Information (PII), and the credentials that guard it, include:

  • IP addresses (treated as personal data under GDPR)
  • Home address
  • Social Security numbers
  • Email addresses
  • Passwords (credentials rather than PII, but the most sought-after target of all)

Even seemingly trivial information can have an outsized impact once it is combined with other data, and attackers are very good at aggregating it.

Don't make excuses: do the thinking for your clients

Even if clients are not particularly concerned about security, it is the vendor's responsibility to keep them informed about where their data lives and which protective measures must not be compromised. Drupal is typically deployed for content-heavy sites, and it handles structured business data well too. But business data is a target, and a single unpatched vulnerability can invite many attacks; one successful attack can take a business offline for an unpredictable length of time.

Possible scenarios and the best you can do:

My clients don't require encryption

Clients may have reasons for not asking for encryption: they may not know it is an option, they may not appreciate the damage a site that stores data in the clear can do, or something else entirely. Educate them about encryption and how it guards their business data, and explain why it pays off in a competitive, tightly regulated market where a breach is expensive.

The business might be too small  

The business might seem too small to attract attackers, or operate in a very limited geography, but that should not stop you from insisting on security measures for your clients. Most attacks on Drupal sites are automated scans for known vulnerabilities, and they do not check how big the target is. Provide a roadmap that keeps security in step as the business scales as well.

The client's budgetary allowance is low

You may find this relatable, but instead of simply obeying the budget, make the security recommendations the client may have missed in the SOW. Even if they exceed the budget a little, taking precautions up front is far cheaper than cleaning up after a breach.


About Encryption in Drupal

Drupal plays a crucial role in protecting the data it holds. A wide range of contributed and custom modules extend Drupal's capabilities, including protection of data and defence against attacks. Drupal core does not natively encrypt stored data (it hashes passwords, but fields, files and configuration are stored in the clear), so developers need contributed modules to protect private data at rest. The following modules will get you started on the right foot.

Encrypt

The Encrypt module provides an API for symmetric encryption within Drupal. Other modules build on it to encrypt and decrypt their data in a standardised way, with the cipher and key selected through an encryption profile. Encrypt has no user-facing features of its own beyond the administration interface for managing those profiles.

Real AES

Real AES is an encryption-method plugin for the Encrypt module and the one usually recommended when deploying it. At the time of writing it was reported in use on 5,377 sites with 44,380 downloads. It provides authenticated encryption, AES-128 in CBC mode with an HMAC over the ciphertext, so a ciphertext that has been altered in the database is detected and rejected instead of being decrypted to corrupted data.
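To make the "AES with an HMAC" point concrete, here is an added example of the encrypt-then-MAC construction, written for this article and not code from the Real AES module. Python's standard library has no AES, so the block cipher is replaced by an HMAC-SHA256 counter-mode keystream (an assumption made only so the example runs anywhere, and not a cipher to use in production); everything the authentication layer adds is shown as it should be done: independent subkeys, a tag over IV and ciphertext, constant-time comparison, and a decrypt that refuses tampered input.

```python
"""Encrypt-then-MAC demonstration (added example; not the Real AES module's code).

Real AES wraps an AES-CBC ciphertext in an HMAC so tampered data is rejected
before decryption.  Python's standard library has no AES, so this demo stands
in a counter-mode keystream derived with HMAC-SHA256 for the block cipher; the
part the article is about (independent keys, MAC over IV and ciphertext,
constant-time verification, fail-closed decrypt) is unchanged.
"""
import hashlib
import hmac
import os
import struct
from typing import Tuple

IV_LEN = 16    # per-message random IV/nonce
MAC_LEN = 32   # HMAC-SHA256 tag


class AuthenticationError(Exception):
    """Raised when the tag does not verify; no plaintext is ever returned."""


def derive_keys(master_key: bytes) -> Tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from one master key.

    Reusing a single key for both jobs is a classic mistake; HMAC with distinct
    labels yields two unrelated subkeys (HKDF-style expansion).
    """
    enc_key = hmac.new(master_key, b"encryption", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"authentication", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream_xor(enc_key: bytes, iv: bytes, data: bytes) -> bytes:
    """XOR data with keystream blocks HMAC(enc_key, iv || counter).

    Stand-in for AES so the example runs on a bare interpreter; it is not a
    vetted cipher and must not be used in production.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = struct.pack(">Q", offset // 32)
        block = hmac.new(enc_key, iv + counter, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt(master_key: bytes, plaintext: bytes) -> bytes:
    """Return iv || ciphertext || tag; the tag covers both iv and ciphertext."""
    enc_key, mac_key = derive_keys(master_key)
    iv = os.urandom(IV_LEN)
    ciphertext = _keystream_xor(enc_key, iv, plaintext)
    tag = hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()
    return iv + ciphertext + tag


def decrypt(master_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; any mismatch fails closed."""
    if len(blob) < IV_LEN + MAC_LEN:
        raise AuthenticationError("ciphertext too short")
    enc_key, mac_key = derive_keys(master_key)
    iv, ciphertext, tag = blob[:IV_LEN], blob[IV_LEN:-MAC_LEN], blob[-MAC_LEN:]
    expected = hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        raise AuthenticationError("MAC mismatch: modified data or wrong key")
    return _keystream_xor(enc_key, iv, ciphertext)


def tamper_is_detected(master_key: bytes, plaintext: bytes) -> bool:
    """Flip one bit of the ciphertext.  Without a MAC the flipped bit would
    silently decrypt to a corrupted field value; with one, decryption refuses."""
    blob = bytearray(encrypt(master_key, plaintext))
    blob[IV_LEN] ^= 0x01            # first byte of the ciphertext
    try:
        decrypt(master_key, bytes(blob))
    except AuthenticationError:
        return True
    return False


if __name__ == "__main__":
    key = os.urandom(32)
    sealed = encrypt(key, b"4111 1111 1111 1111")   # constructed sample field value
    print(decrypt(key, sealed))
    print("tamper detected:", tamper_is_detected(key, b"4111 1111 1111 1111"))
```

The order matters: the tag is checked before any decryption happens, and with `hmac.compare_digest` rather than `==`, so an attacker who can edit a row in the database learns nothing from timing and cannot make the application act on a modified value.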

Encrypted Files

Encrypted Files lets Drupal encrypt files that users upload and decrypt them on download, so the unencrypted versions are never written to disk. This protects file contents if the storage behind the site, whether a local disk or a cloud bucket, is exposed.


The Essentials 

Here are a few essential security tips, also discussed in a DrupalCon session in New Orleans in 2016:

1. Keep Backing up Frequently

Backups will stand by you if something catastrophic happens to your site: you need to be able to roll back to the latest functioning version. Automate daily, weekly or monthly backups according to how quickly the data on your website changes, and make sure you have a disaster recovery plan in place, either with your vendor or with your in-house technical team. Test a restore periodically; a backup that has never been restored is not a backup.

Many hosting solutions provide single-click restoration, and we can consult you on that. Acquia Cloud and Pantheon provide automated daily backups of your site's database, files and code, plus single-click restoration if something goes wrong. You can also use the Backup and Migrate module in Drupal to back up your data. Keep at least one copy away from the web server itself: an attacker who has taken over the server can delete or encrypt backups stored beside the site.

2. Use Version Control

Use a source code management tool like Git so that in the event of a breach you can see which files in your codebase have been altered and revert the repository if needed. Git shows you which files changed, where they changed, and how. This only works if the deployed tree is a clean checkout: compare it against the repository (git status lists both modified and untracked files) and treat anything that is not in the repository, such as a PHP file dropped into a writable directory, as suspect.

3. Use Secure Passwords & Two Factor Authentication (2FA)

Credentials are now an asset in their own right. Use a password manager such as 1Password or LastPass to generate and store a unique password for every site; the manager fills the credentials in the moment you log in, which is far easier to handle than a breach. Never reuse a password across sites, because a password leaked from one service is tried against every other. Add two-factor authentication on top so that a stolen password alone is not enough to get in.
Drupal provides contributed modules such as Two-factor Authentication (TFA) and Multi Factor Auth for this; check them out.


4. Re-evaluate Permissions 

You may know that Drupal lets you define multiple roles for different purposes, such as anonymous users, authenticated users, editors and administrators. Re-evaluate the permissions granted to each role regularly and apply least privilege: an anonymous user should only be able to view published content, an editor should only be able to create and edit content, and the permissions Drupal marks "restrict access" (administering users, permissions or modules, for example) should stay with the administrator role. Remember that a logged-in user always holds the Authenticated user role's permissions in addition to any role assigned explicitly, so a permission granted to Authenticated user is granted to everyone who can log in.
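As an added example that is not part of the original post, the audit below reads exported role configuration (the user.role.*.yml files that `drush config:export` writes) and flags the misconfigurations described above: restricted permissions on a non-admin role, anonymous users holding more than a viewing baseline, and permissions anonymous has but authenticated users lack. The four sample exports are constructed; the RESTRICTED set follows permissions Drupal core marks "restrict access" and the anonymous baseline is an assumed policy, so adjust both to your site.

```python
"""Least-privilege audit over exported Drupal role configuration (added
example, not part of the original post).  Input is the text of the
user.role.*.yml files a config export produces; the samples are constructed.
RESTRICTED mirrors permissions core flags "restrict access"; ANON_BASELINE is
what anonymous visitors may hold.  Both are assumed policy to adjust per site.
"""
import re
from typing import Dict, List, Set

RESTRICTED = {
    "administer permissions", "administer users", "bypass node access",
    "administer modules", "administer site configuration",
    "administer software updates", "administer themes",
}
ANON_BASELINE = {"access content", "search content"}

SAMPLE_ROLES = [
"""langcode: en
status: true
dependencies: {}
id: anonymous
label: 'Anonymous user'
weight: 0
is_admin: null
permissions:
  - 'access content'
  - 'access user profiles'
  - 'search content'
""",
"""id: authenticated
label: 'Authenticated user'
is_admin: null
permissions:
  - 'access content'
  - 'post comments'
  - 'search content'
""",
"""id: editor
label: Editor
is_admin: null
permissions:
  - 'access content'
  - 'administer users'
  - 'create article content'
  - 'edit any article content'
""",
"""id: administrator
label: Administrator
is_admin: true
permissions: {  }
""",
]

PERM_LINE = re.compile(r"""^\s+-\s+['"]?(.+?)['"]?\s*$""")
KEY_LINE = re.compile(r"^(\w+):\s*(.*)$")


def parse_role_yaml(text: str) -> Dict:
    """Minimal reader for user.role.*.yml: id, is_admin and the permission list."""
    role = {"id": None, "is_admin": False, "permissions": set()}
    in_perms = False
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if in_perms:
            m = PERM_LINE.match(line)
            if m:
                role["permissions"].add(m.group(1))
                continue
            in_perms = False                 # list ended, back to top-level keys
        m = KEY_LINE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "permissions":
            in_perms = not value.startswith("{")   # 'permissions: {  }' means none
        elif key == "id":
            role["id"] = value.strip("'\"")
        elif key == "is_admin":
            role["is_admin"] = value.lower() == "true"
    return role


def audit(role_texts: List[str]) -> List[str]:
    """Return findings; an empty list means the roles pass this policy."""
    roles = [parse_role_yaml(t) for t in role_texts]
    by_id = {r["id"]: r["permissions"] for r in roles}
    findings = []
    for r in roles:
        if r["is_admin"]:
            continue                         # is_admin roles get everything by design
        for perm in sorted(r["permissions"] & RESTRICTED):
            findings.append(f"{r['id']}: holds restricted permission '{perm}'")
    anonymous = by_id.get("anonymous", set())
    for perm in sorted(anonymous - ANON_BASELINE):
        findings.append(f"anonymous: unexpected permission '{perm}'")
    for perm in sorted(anonymous - by_id.get("authenticated", set())):
        findings.append(f"authenticated lacks '{perm}' that anonymous has")
    return findings


def effective_permissions(role_texts: List[str], user_roles: List[str]) -> Set[str]:
    """Drupal unions the permissions of every role a user holds, and every
    logged-in user implicitly holds 'authenticated' as well."""
    by_id = {r["id"]: r["permissions"] for r in map(parse_role_yaml, role_texts)}
    perms: Set[str] = set()
    for role_id in set(user_roles) | {"authenticated"}:
        perms |= by_id.get(role_id, set())
    return perms


if __name__ == "__main__":
    for finding in audit(SAMPLE_ROLES):
        print(finding)
    print(sorted(effective_permissions(SAMPLE_ROLES, ["editor"])))
```

Run it against the config/sync directory of a real export and treat every finding as a question for the client: the editor role above holds "administer users", which lets an editor create an administrator account, and that is exactly the kind of grant that slips in "temporarily" and never gets revoked.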

5. Encryption

Nowadays most compliance regulations call for encryption of sensitive data, and some require end-to-end encryption. The Drupal modules mentioned above help you get encryption right without much hassle; Encrypt, Encrypt User and Field Encrypt have made encrypting sensitive fields easier than ever.

6. Key Management

Your API keys and encryption keys should not sit on the same server as the data they protect. Attackers rarely break the encryption itself; they locate the key and use it to read the sensitive data. If the key is stored in the Drupal database or under the web root next to the ciphertext, a single SQL injection or arbitrary file read defeats the encryption entirely. So keep your Drupal installation and the keys it uses on separate systems.

For external key management, use a dedicated key manager. Drupal modules such as Key and Key Connection make this hassle-free: the application holds only a reference to the key, while the key itself lives in a file outside the web root, an environment variable, or an external key service.
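The checks a site should run before trusting a key file are easy to automate. This is an added example written for this post, not the Key module's code: it refuses a key that resolves inside the web root, is a symlink, is readable by group or others, is owned by a different user, or is too short, and it prefers a key injected through the environment so that nothing sits on disk beside the site. The environment variable name DRUPAL_FIELD_KEY, the 32-byte minimum and the temporary layout built by demo() are assumptions.

```python
"""Checks on where an encryption key is stored (added example; not the Key
module's code).  The article's point: the key must not live inside the web
root beside the data it protects, and nothing but the web process owner may
read it.  demo() builds a throwaway layout so the checks run offline; the
env var name DRUPAL_FIELD_KEY and the 32-byte minimum are assumptions.
"""
import os
import stat
import tempfile
from pathlib import Path
from typing import List, Optional

MIN_KEY_BYTES = 32
LOOSE_MODE_BITS = stat.S_IRWXG | stat.S_IRWXO      # any group/other access


def key_path_is_outside(key_path, web_root) -> bool:
    """True unless the key resolves to the web root or somewhere under it."""
    key, root = Path(key_path).resolve(), Path(web_root).resolve()
    return key != root and root not in key.parents


def check_key_file(key_path, web_root) -> List[str]:
    """Return the problems with this key file's location and permissions (empty = OK)."""
    problems = []
    path = Path(key_path)
    if not key_path_is_outside(path, web_root):
        problems.append("inside web root")
    try:
        st = path.lstat()                    # lstat: a symlink is itself a finding
    except FileNotFoundError:
        return problems + ["missing"]
    if stat.S_ISLNK(st.st_mode):
        problems.append("symlink")
    if st.st_mode & LOOSE_MODE_BITS:
        problems.append("group/other permissions %s" % oct(st.st_mode & 0o777))
    if st.st_uid != os.geteuid():
        problems.append("not owned by the running user")
    if stat.S_ISREG(st.st_mode) and st.st_size < MIN_KEY_BYTES:
        problems.append("too short")
    return problems


def load_key(web_root, key_file: Optional[str] = None,
             env_var: Optional[str] = "DRUPAL_FIELD_KEY") -> bytes:
    """Prefer a key injected through the environment (nothing on disk next to
    the site); otherwise load a file that passes check_key_file()."""
    raw = os.environ.get(env_var) if env_var else None
    if raw:
        key = bytes.fromhex(raw)             # assumed hex encoding in the variable
        if len(key) < MIN_KEY_BYTES:
            raise ValueError("key in %s too short" % env_var)
        return key
    if key_file is None:
        raise FileNotFoundError("no key source configured")
    problems = check_key_file(key_file, web_root)
    if problems:
        raise PermissionError("refusing key %s: %s" % (key_file, ", ".join(problems)))
    return Path(key_file).read_bytes()


def demo() -> dict:
    """Constructed layout: <tmp>/web is the docroot, <tmp>/keys is outside it."""
    base = Path(tempfile.mkdtemp())
    web_root = base / "web"
    (web_root / "sites" / "default").mkdir(parents=True)
    keys = base / "keys"
    keys.mkdir(mode=0o700)
    key = os.urandom(32)

    def write(path: Path, data: bytes, mode: int) -> Path:
        path.write_bytes(data)
        path.chmod(mode)
        return path

    good = write(keys / "field.key", key, 0o600)
    loose = write(keys / "loose.key", key, 0o644)
    inside = write(web_root / "sites" / "default" / "field.key", key, 0o600)
    short = write(keys / "short.key", key[:8], 0o600)
    return {
        "good": check_key_file(good, web_root),
        "loose": check_key_file(loose, web_root),
        "inside": check_key_file(inside, web_root),
        "short": check_key_file(short, web_root),
        "loaded_ok": load_key(web_root, key_file=str(good), env_var=None) == key,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The "inside web root" check is the one that catches the most common mistake: a key dropped into sites/default/files, where the same path traversal or misconfigured directory listing that exposes the uploads exposes the key too.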

Conclusion 

These steps in data protection will help you in the long run to avoid losing your own or your customers' data. Drupal is a strong platform to build on, and we can help you make it secure however complex the threats from outside become. Reach us at [email protected] and we can discuss your next move.