Date:
15 May 2023
Author:
Salsa Digital Security Team

Defense in depth and the hosting layer

A secure hosting environment is crucial for the stability, performance and overall security of your Drupal applications. A well-managed hosting environment protects your applications and data against various threats and vulnerabilities, ensuring that your websites are always available to users and safeguarding your organisation’s reputation.

This whitepaper focuses on the hosting layer in Salsa's Defense in Depth Drupal 7 Security Hosting Framework, providing insights into the security risks and challenges associated with hosting Drupal applications. We present a comprehensive list of best practices and recommendations for securing your hosting environment, and discuss the benefits and outcomes of implementing these security measures.

This whitepaper is intended for system administrators, IT managers and decision-makers responsible for securing Drupal applications in their organisations. The guidance and recommendations provided in this whitepaper will be particularly useful for those managing hosting environments for Drupal 7 applications, as well as other versions of Drupal.

Security risks and challenges

There are 10 main security risks and challenges at the hosting layer:

  1. Insecure server configuration
  2. Vulnerable software and services
  3. Insufficient access control
  4. Inadequate monitoring and logging
  5. Weak authentication and authorisation
  6. Limited data backup and recovery plans
  7. Insecure network and firewall configuration
  8. Mismanagement of security patches and updates
  9. Insufficient security awareness and training
  10. Limited incident response and remediation plans

1. Insecure server configuration

One of the most common security risks associated with hosting environments is improper server configuration. Inadequate settings may expose sensitive data, allow unauthorised access and create vulnerabilities that can be exploited by attackers.

2. Vulnerable software and services

Outdated or insecure software and services running on the hosting environment can expose your Drupal application to a wide range of security threats. Ensuring that all software and services are up-to-date and appropriately configured is crucial for mitigating risks.

3. Insufficient access control

Lack of robust access control mechanisms may allow unauthorised users to gain access to critical resources or perform actions they shouldn't be allowed to perform. Properly implementing and maintaining access control is essential for safeguarding your hosting environment.

4. Inadequate monitoring and logging

Without proper monitoring and logging, it becomes difficult to detect and respond to security incidents in a timely manner. Detailed logs can help you identify unauthorised activities, suspicious behaviour and potential vulnerabilities.

5. Weak authentication and authorisation

Weak authentication and authorisation practices make it easier for attackers to gain unauthorised access to your hosting environment. Implementing strong authentication mechanisms and enforcing strict authorisation policies are essential for maintaining security.

6. Limited data backup and recovery plans

A lack of robust data backup and recovery plans can lead to catastrophic data loss in the event of a security breach or system failure. Regularly backing up data and having a well-defined recovery plan in place is vital for business continuity.

7. Insecure network and firewall configuration

Poor network and firewall configurations can expose your Drupal application to various threats, such as denial-of-service (DoS) attacks and unauthorised access attempts. Properly configuring network security settings and firewalls is essential for protecting your hosting environment.

8. Mismanagement of security patches and updates

Neglecting to apply security patches and updates in a timely manner can leave your hosting environment exposed to known vulnerabilities. Regularly updating all components, including operating systems, software and services, is crucial for maintaining security.

9. Insufficient security awareness and training

A lack of security awareness and training among staff members can lead to human errors that compromise the security of your hosting environment. Providing regular security training and raising awareness of security best practices can help mitigate risks associated with human error.

10. Limited incident response and remediation plans

The absence of well-defined incident response and remediation plans can prolong the impact of security breaches and make it more difficult to recover from incidents. Establishing a comprehensive incident response plan is critical for minimising the impact of security events and ensuring a swift recovery.

Top 10 best practices and recommendations

Below we’ve put together our top 10 best practices/recommendations for securing the hosting layer.

  1. Secure server configuration
  2. Keep software and services updated
  3. Implement robust access control
  4. Set up comprehensive monitoring and logging
  5. Strengthen authentication and authorisation
  6. Establish data backup and recovery plans
  7. Harden Drupal installation
  8. Perform regular security audits
  9. Implement incident response and recovery plans
  10. Educate and train staff

1. Secure server configuration

Secure server configuration involves setting up the server to minimise vulnerabilities and enhance the overall security of your Drupal hosting environment.

Security benefits: It addresses security by eliminating potential weaknesses in your server settings that could be exploited by attackers.

Actionable steps:

  1. Disable unnecessary services and features.
  2. Use the latest versions of server software and services.
  3. Configure file and directory permissions to limit access.
  4. Enable server-level encryption, such as TLS/SSL, for secure data transmission.
  5. Regularly review server configurations and update them as needed.
  6. Encourage the use of known good server configuration by providing minimal, pre-configured Docker images for developers.

2. Keep software and services updated

Keeping software and services updated involves regularly updating all components in your hosting environment to ensure they are protected against known vulnerabilities.

Security benefits: It addresses security by minimising the attack surface available to potential adversaries.

Actionable steps:

  1. Monitor for software and service updates and security patches.
  2. Establish a schedule for applying updates and patches.
  3. Verify the integrity of updates before installation.
  4. Test updates in a staging environment before deploying them to production.
  5. Monitor for any issues arising from the updates and address them promptly.

3. Implement robust access control

Robust access control ensures that only authorised users have access to specific resources and that they can perform only the actions they’re allowed to do.

Security benefits: It addresses security by preventing unauthorised access to sensitive data and critical resources.

Actionable steps:

  1. Create user roles with the least-privilege principle in mind.
  2. Limit the number of users with administrative access.
  3. Use strong authentication methods, such as multifactor authentication.
  4. Regularly review and update access control policies.
  5. Monitor and log user activities for suspicious behaviour.
  6. Ensure that accounts are deactivated during the employee off-boarding process.

4. Set up comprehensive monitoring and logging

Comprehensive monitoring and logging involves collecting detailed logs and monitoring the hosting environment for potential threats.

Security benefits: It addresses security by enabling early detection and response to security incidents.

Actionable steps:

  1. Enable detailed logging for servers, applications and services.
  2. Set up monitoring tools to detect anomalies and suspicious activities.
  3. Regularly review logs for signs of unauthorised access or potential vulnerabilities.
  4. Establish log retention policies and securely store logs for future analysis.
  5. Integrate monitoring and logging tools with incident response processes.
  6. Aggregate logs and metrics in a way that allows them to be visualised as a “single pane of glass” to make it easier to spot anomalies.

5. Strengthen authentication and authorisation

Strengthening authentication and authorisation involves implementing strong mechanisms for verifying user identities and enforcing access control policies.

Security benefits: It addresses security by making it more difficult for attackers to gain unauthorised access.

Actionable steps:

  1. Use strong, unique passwords for all user accounts.
  2. Enforce multifactor authentication (MFA) for sensitive operations and administrative access.
  3. Regularly review and update authorisation policies.
  4. Monitor for and address failed login attempts and account lockouts.
  5. Provide security awareness training on password management and secure authentication practices.

6. Establish data backup and recovery plans

Data backup and recovery plans involve regularly backing up data and having well-defined procedures in place for restoring data in the event of a security breach or system failure.

Security benefits: It addresses security by ensuring business continuity and minimising the impact of data loss.

Actionable steps:

  1. Identify critical data and systems that require regular backups.
  2. Establish a backup schedule and automate the backup process.
  3. Store backups
  4. Encrypt backups to protect sensitive data.
  5. Test backup and recovery procedures regularly to ensure their effectiveness.

7. Harden Drupal installation

Hardening Drupal installation involves taking steps to improve the security of your Drupal site, such as applying security best practices and eliminating potential vulnerabilities.

Security benefits: It addresses security by minimising the attack surface and reducing the chances of successful exploitation.

Actionable steps:

  1. Install, enable and configure the Drupal Security Kit moduleExternal Link .
  2. Regularly review and apply Drupal security best practices.
  3. Regularly review the Drupal status report and address any potential security or configuration issues that Drupal has flagged.
  4. Remove unused modules and themes.
  5. Use only modules and themes from Drupal.org that are covered under the security advisory policy.
  6. Regularly audit your Drupal installation for potential vulnerabilities and address them promptly.
  7. Ensure that a strong, unique hash salt is configured for the production environment.

8. Perform regular security audits

Regular security audits involve systematically examining your hosting environment and Drupal installation for vulnerabilities and security issues.

Security benefits: It addresses security by identifying potential weaknesses and addressing them before they can be exploited.

Actionable steps:

  1. Schedule periodic security audits.
  2. Use automated tools, such as vulnerability scanners, to identify potential issues.
  3. Regularly scan container images in use for known vulnerabilities.
  4. Review the audit results and prioritise remediation efforts.
  5. Implement and verify the effectiveness of remediation measures.
  6. Maintain records of security audits for future reference and compliance purposes.

9. Implement incident response and recovery plans

Incident response and recovery plans involve having well-defined procedures for identifying, containing and recovering from security incidents.

Security benefits: It addresses security by minimising the impact of security incidents and ensuring a timely return to normal operations.

Actionable steps:

  1. Develop an incident response plan that covers identification, containment, eradication, recovery and lessons learned.
  2. Establish a dedicated incident response team.
  3. Train the team in incident response procedures and best practices.
  4. Regularly review and update the incident response plan.
  5. Conduct tabletop exercises to test and improve the incident response process.
  6. Automate incident response where possible so that security incidents are addressed or partially remediated as quickly as possible.

10. Educate and train staff

Educating and training staff involves providing them with the necessary knowledge and skills to identify and respond to security threats effectively.

Security benefits: It addresses security by reducing the likelihood of successful attacks due to human error and improving the organisation's overall security posture.

Actionable steps:

  1. Implement a security awareness training program.
  2. Cover topics such as phishing, social engineering and secure authentication practices.
  3. Train staff on the use of security tools and incident response procedures.
  4. Regularly update training materials to include the latest threats and best practices.
  5. Assess the effectiveness of the training program and adjust it as needed to improve its impact.

Benefits and outcomes

There are many benefits of using defense in depth strategies to secure Drupal at the hosting layer. These include:

  1. Enhanced security posture
  2. Compliance with industry standards
  3. Improved performance and reliability
  4. Greater confidence from customers and partners
  5. Reduced risk of data breach and downtime
  6. Streamlined incident response and recovery
  7. Empowered and informed staff

1. Enhanced security posture

By implementing the recommended best practices, your Drupal hosting environment will benefit from a more robust security posture, reducing the likelihood of successful attacks and minimising their impact.

2. Compliance with industry standards

Following these recommendations will also help you maintain compliance with industry standards and regulations, such as Australian Privacy Principles (Australia), PCI Data Security StandardsExternal Link (global), GDPRExternal Link (Europe), and HIPAAExternal Link (US), minimising potential fines and reputational damage.

3. Improved performance and reliability

Many of the security best practices outlined, such as regular updates and performance monitoring, also contribute to improved performance and reliability of your Drupal site, enhancing user experience.

4. Greater confidence from customers and partners

A secure hosting environment can instil greater confidence in your customers and partners, as they know that their data and transactions are being handled securely and professionally.

5. Reduced risk of data breach and downtime

Implementing these best practices will help minimise the risk of data breaches, downtime and other security incidents that can damage your organisation's reputation and result in financial loss.

6. Streamlined incident response and recovery

With well-defined incident response and recovery plans in place, your organisation will be better prepared to handle security incidents quickly and effectively, minimising their impact and ensuring a swift return to normal operations.

7. Empowered and informed staff

Properly trained and educated staff will be more adept at recognising and responding to security threats, making them an essential component of your organisation's overall security strategy.

Conclusion

By implementing the top 10 best practices and recommendations outlined in this whitepaper, your organisation will benefit from a more secure and resilient Drupal hosting environment, mitigating risks and protecting your valuable data and assets.

It's important to remember that security is an ongoing process that requires constant attention and dedication. Regularly reviewing and updating your security measures in line with industry best practices will ensure that your Drupal hosting environment remains secure and compliant.

Securing your Drupal hosting environment is just one part of a comprehensive security strategy. Remember to consider all aspects of security across the various layers of your organisation, from infrastructure to people and processes, to maintain a robust security posture.

Lastly, don't hesitate to seek external support and collaborate with others in the Drupal community, industry peers and security professionals to share knowledge, insights and best practices. This collaborative approach can help you stay informed about the latest threats and security solutions, ensuring your organisation remains resilient in the face of an ever-evolving threat landscape.

National Institute of Standards and Technology (NIST) Cybersecurity Framework and the hosting layer

NIST is a US-based agency that provides critical measurement solutions to promote equitable standards such as the NIST Cybersecurity FrameworkExternal Link (NIST CSF). NIST CSF is recognised globally as one of the leading standards for organisational cybersecurity management.

The NIST CSF may be applied to hosting services to enhance cybersecurity practices and protect both the hosting infrastructure and the data and services hosted within it. Here are some of the NIST CSF activities that can apply to this layer:

Identify:

  1. Asset inventory: Maintain a comprehensive inventory of the hardware and software assets across data centres or cloud environments.

  2. Data classification: Identify and classify data hosted on infrastructure to understand the sensitivity and criticality of information.

Protect:

  1. Access controls: Implement strong access controls, including authentication and authorisation mechanisms, to prevent unauthorised access to hosted resources.

  2. Data encryption: Encrypt data in transit and at rest to protect sensitive information from unauthorised access.

  3. Security patch management: Regularly update and patch all software and systems to address known vulnerabilities.

  4. Security awareness training: Train staff to recognise and respond to security threats effectively.

Detect:

  1. Intrusion detection: Deploy intrusion detection systems (IDS) and security information and event management (SIEM) solutions to detect and respond to suspicious activities and security incidents.

  2. Anomaly detection: Implement anomaly detection mechanisms to identify deviations from normal system behaviour that may indicate a security breach.

Respond:

  1. Incident response plan: Develop and maintain an incident response plan that outlines procedures for responding to security incidents promptly and effectively.

  2. Communication: Establish communication protocols for notifying customers and relevant authorities in the event of a security incident that affects hosted services.

Recover:

  1. Backup and recovery: Regularly backup hosted data and systems to ensure quick recovery in case of data loss or system compromise.

  2. Disaster recovery: Develop and test disaster recovery plans to ensure business continuity in the event of a major disruption or cyberattack.

  3. Continuity planning: Implement business continuity plans to maintain critical hosting services during disruptions.

More about NIST

Resources and further reading

Other resources

  • Drupal hosting providers: Research Drupal hosting providers to find the one that best meets your security and performance requirements. Consider providers that specialise in Drupal hosting and offer security-focused features and support, such as Salsa Hosting.

  • Security conferences and webinars: Attend security conferences and webinars to stay informed about the latest trends, best practices and tools in the cybersecurity industry.

  • Drupal community and forums: Participate in the Drupal community and forumsExternal Link to share knowledge, experiences and learn from other Drupal developers and administrators.

  • Security blogs and newsletters: Subscribe to security blogs and newsletters from industry experts and organisations to stay up-to-date on the latest cybersecurity news and trends.

  • Industry certifications and training: Consider pursuing industry certifications and training programs to strengthen your skills and knowledge in the areas of hosting, infrastructure, and cybersecurity best practices.