Drupal defense in depth — a comprehensive guide for securing Drupal, even after End-of-Life
Drupal is an open source content management system (CMS). Like most open source CMSs, and open source software in general, the responsibility lies with the site owner to patch and/or upgrade the software.
When a Drupal version becomes End-of-Life, the software is no longer supported. This brings many risks and challenges, the biggest of which is security.
For example, Drupal 7 and 9 will be End-of-Life on 1 November 2023. This means no more security updates will be developed. If a site remains on these versions after that date, the chance of a successful attack increases considerably, potentially risking costly reputational damage to the brand.
The solution is to upgrade Drupal 7 and 9 to the latest version of Drupal before they become End-of-Life. However, it’s not an easy pathway. Drupal 7, in particular, is not compatible with the newer versions of Drupal. New architecture paradigms were introduced, making an in-place ‘upgrade’ very difficult. Essentially, ‘upgrading’ from Drupal 7 involves a complete rebuild, from scratch.
This is cost and time prohibitive.
To amplify this problem, many larger organisations have tens, if not hundreds, of sites on Drupal 7. Upgrading them all to the supported version of Drupal would be a significant undertaking.
This leaves organisations with a tough decision: leave the sites on Drupal 7 ‘as-is’, or use their best efforts to add some form of compensating security controls around them.
To address this problem, we’ve developed a complete, fully managed Drupal hosting stack that offers several layers of security protection. It’s a multi-layered approach we’ve designed and called ‘Salsa’s Defense in Depth Drupal 7 Security Hosting Framework’.
The 7 layers are:
- Layer 1 — infrastructure
- Layer 2 — container hosting
- Layer 3 — Drupal application
- Layer 4 — edge protection
- Layer 5 — content delivery
- Layer 6 — people
- Layer 7 — process
Layer 1 — infrastructure
Definition: Infrastructure refers to the physical and virtual resources supporting the overall system, including hardware, networking components and software. The expectation is that the infrastructure layer would be operated by a cloud provider.
Security importance: A secure infrastructure ensures the foundation of the entire system remains robust, preventing unauthorised access and safeguarding critical data.
Risks and consequences: If infrastructure security is neglected, the entire system becomes vulnerable to attacks, data breaches and unauthorised access, leading to potential downtime, data loss and reputational damage.
Benefits and outcomes: When infrastructure is properly secured, it provides a stable and safe environment for applications, reduces the risk of attacks and ensures the availability and performance of the system.
Security controls and initiatives: Hosting companies can protect the infrastructure layer by:
- Ensuring the infrastructure provider is certified with relevant security standards
- Ensuring administrative and programmatic interfaces are protected using strong authentication and authorisation mechanisms with a principle of least privilege
- Implementing network segmentation and firewalls
- Encrypting data at rest and in transit
- Using auditing tools to find vulnerabilities and misconfigurations
- Applying regular security patches
- Conducting frequent penetration testing
- Ensuring redundancy and backup systems are in place
Layer 2 — container hosting
Definition: Traditionally a single host, or static set of host servers, would be used to deliver an application. However, it’s now more common to deliver an application with a container orchestrator, such as Kubernetes. This container orchestrator also requires an ecosystem of tools to provide services such as logging, monitoring, secret management, etc.
Security importance: Ensuring the security of the container orchestrator prevents unauthorised access to hosted applications and data.
Risks and consequences: An insecure container orchestrator can lead to unauthorised access, data theft and defacement or manipulation of the hosted applications.
Benefits and outcomes: A secure container orchestrator provides a trusted environment for the application, ensuring data integrity and reducing the risk of attacks.
Security controls and initiatives: Hosting companies can protect the container orchestration layer by:
- Using only official and security-hardened base images for the worker nodes
- Regularly rotating the worker nodes as new base images with security patches become available
- Ensuring the ecosystem of tools is patched regularly
- Implementing network segmentation between workloads
- Employing intrusion detection and prevention systems (IDPS)
- Protecting administrative interfaces with the use of a VPN
- Using role-based access control (RBAC) with strong authentication, including multi-factor authentication (MFA)
- Signing code and container images, and validating the signatures before deployment, so that only code from trusted sources is run
- Using a security information and event management (SIEM) system to aggregate disparate sources of security information, correlate events and provide anomaly detection
Layer 3 — Drupal application
Definition: The Drupal application layer refers to the software and code that powers the website, including the core Drupal software, modules and themes.
Security importance: A secure Drupal application prevents vulnerabilities in the code from being exploited, reducing the risk of attacks and ensuring the proper functioning of the website.
Risks and consequences: An insecure Drupal application can lead to a range of issues, including unauthorised access, data breaches and site defacement.
Benefits and outcomes: Properly securing the Drupal application maintains website integrity, prevents unauthorised access and ensures a better user experience.
Security controls and initiatives: Hosting companies can protect the Drupal application layer by encouraging their customers to:
- Regularly update the core, modules and themes
- Use only modules with Drupal security advisory coverage
- Use a mitigation strategy for any End-of-Life Drupal deployments, for example having a static representation of the site
- Use secure coding practices and conduct code reviews
- Implement least-privilege access for user accounts
- Ensure proper configuration and disable unused features
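The Layer 3 controls above are things a hosting team can check mechanically from a code snapshot. The following Python script is an added example, not code from the original article or from Salsa's hosting framework. It checks whether the core major version is one the article lists as End-of-Life on 1 November 2023 (Drupal 7 and 9) and checks two hardening points in a Drupal 7 settings.php: `$update_free_access` must stay `FALSE` and `$drupal_hash_salt` must not be empty. The file excerpts are constructed samples shaped like the real `includes/bootstrap.inc` and `sites/default/settings.php`; the EOL table holds only the dates the article states.

```python
"""Offline audit of a Drupal 7 code snapshot against the Layer 3 controls.

Added example (not the article's or Salsa's code). It reads two files a
hosting team already has on disk, checks whether the core major version is
one the article lists as End-of-Life on 1 November 2023 (Drupal 7 and 9), and
checks two Drupal 7 settings.php hardening points: $update_free_access must
stay FALSE and $drupal_hash_salt must not be empty. The file excerpts below
are constructed samples in the shape of the real files.
"""
import re
from datetime import date

# End-of-Life dates by major version, taken from the article.
EOL_DATES = {7: date(2023, 11, 1), 9: date(2023, 11, 1)}

# Constructed excerpt shaped like Drupal 7's includes/bootstrap.inc.
SAMPLE_BOOTSTRAP_INC = """<?php
define('VERSION', '7.98');
"""

# Constructed excerpt shaped like a weakly configured sites/default/settings.php.
SAMPLE_SETTINGS_PHP = """<?php
$databases = array();
$update_free_access = TRUE;
$drupal_hash_salt = '';
"""


def core_version(bootstrap_src):
    """Return the VERSION constant from bootstrap.inc, or None if absent."""
    m = re.search(r"define\('VERSION',\s*'([^']+)'\)", bootstrap_src)
    return m.group(1) if m else None


def is_end_of_life(version, today_iso):
    """True when the major version has an EOL date on or before today."""
    major = int(version.split(".")[0])
    eol = EOL_DATES.get(major)
    return eol is not None and date.fromisoformat(today_iso) >= eol


def php_bool(settings_src, name):
    """Read a PHP boolean assignment like `$name = TRUE;` (None if missing)."""
    m = re.search(r"\$" + re.escape(name) + r"\s*=\s*(TRUE|FALSE)\s*;", settings_src, re.I)
    return None if m is None else m.group(1).upper() == "TRUE"


def php_string(settings_src, name):
    """Read a single-quoted PHP string assignment like `$name = 'x';`."""
    m = re.search(r"\$" + re.escape(name) + r"\s*=\s*'([^']*)'\s*;", settings_src)
    return None if m is None else m.group(1)


def audit(bootstrap_src, settings_src, today_iso):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    findings = []
    version = core_version(bootstrap_src)
    if version is None:
        findings.append("core version not found in bootstrap.inc")
    elif is_end_of_life(version, today_iso):
        findings.append(f"core {version} is End-of-Life: apply a mitigation "
                        "such as a static representation of the site")
    if php_bool(settings_src, "update_free_access") is True:
        findings.append("$update_free_access is TRUE: update.php runs without "
                        "an administrator login; set it to FALSE")
    if not php_string(settings_src, "drupal_hash_salt"):
        findings.append("$drupal_hash_salt is empty: set a long random value")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_BOOTSTRAP_INC, SAMPLE_SETTINGS_PHP, date.today().isoformat()):
        print("FINDING:", line)
```

Run it against a site by replacing the two sample strings with the contents of the real files; a non-empty findings list is the signal that the deployment needs one of the mitigations listed in this layer.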
Layer 4 — edge protection
Definition: Edge protection is achieved through a web application firewall (WAF), which is a security solution that filters, monitors and blocks HTTP traffic to and from a web application, helping protect it from malicious attacks.
Security importance: A WAF helps detect and block potential attacks before they can exploit vulnerabilities in the web application.
Risks and consequences: Without a WAF, a web application may be more susceptible to attacks, leading to downtime, data breaches and loss of user trust.
Benefits and outcomes: Implementing a WAF protects web applications from attacks, reduces the risk of exploitation and helps maintain site performance and availability.
Security controls and initiatives: Hosting companies can protect the edge protection layer by:
- Deploying a properly configured WAF
- Regularly updating and tuning WAF rules
- Monitoring WAF logs for potential threats
- Integrating WAF with other security solutions
Layer 5 — content delivery
Definition: Content delivery is achieved through a Content Delivery Network (CDN), which is a system of distributed servers that work together to provide fast delivery of internet content, enhancing performance, security and reliability.
Security importance: CDNs offer significant security benefits, such as DDoS protection and traffic filtering, making it harder for attackers to target the origin site directly.
Risks and consequences: Without a CDN, a web application may be more vulnerable to DDoS attacks, slow performance, and downtime, which can lead to a negative user experience and potential loss of revenue.
Benefits and outcomes: Using a CDN not only enhances the performance and reliability of a web application, but also provides additional security benefits by offloading traffic, protecting against DDoS attacks, and hiding the origin server's IP address.
Security controls and initiatives: Hosting companies can protect the CDN layer by:
- Implementing a reputable CDN service
- Configuring CDN security features, such as DDoS protection, geo-blocking and rate limiting
- Serving content statically from the CDN wherever possible and making exceptions only where needed
- Regularly reviewing CDN security settings
- Monitoring CDN logs for security events
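Layers 4 and 5 both end with "monitor the logs", and the CDN layer adds rate limiting and static-first delivery. The following Python script is an added example, not code from the original article or from Salsa's framework, showing what that monitoring looks like once the edge logs are in hand: it tallies WAF blocks per client and rule, applies the same sliding-window decision a rate-limiting rule makes, and lists the dynamic Drupal paths that reached the origin as cache misses (the "exceptions" to static delivery that deserve review). The log lines and their field names are constructed for this example and do not follow any particular vendor's schema.

```python
"""Added example for Layers 4 and 5: turning WAF/CDN logs into signals.

The JSON lines below are constructed samples (field names are assumptions,
not a vendor schema). Blocked requests carry cache "NONE" because they never
reached the origin; allowed requests carry the CDN's HIT/MISS result.
"""
import json
from collections import Counter, defaultdict, deque
from datetime import datetime

SAMPLE_LOG = """\
{"ts":"2023-11-02T10:00:00Z","client":"203.0.113.5","method":"GET","path":"/","status":200,"cache":"HIT","waf_action":"allow","rule_id":null}
{"ts":"2023-11-02T10:00:01Z","client":"203.0.113.5","method":"GET","path":"/sites/default/files/logo.png","status":200,"cache":"HIT","waf_action":"allow","rule_id":null}
{"ts":"2023-11-02T10:00:02Z","client":"198.51.100.9","method":"POST","path":"/user/login","status":200,"cache":"MISS","waf_action":"allow","rule_id":null}
{"ts":"2023-11-02T10:00:03Z","client":"198.51.100.9","method":"GET","path":"/update.php","status":403,"cache":"NONE","waf_action":"block","rule_id":"D7-ADMIN-PATH"}
{"ts":"2023-11-02T10:00:10Z","client":"192.0.2.77","method":"POST","path":"/user/login","status":200,"cache":"MISS","waf_action":"allow","rule_id":null}
{"ts":"2023-11-02T10:00:11Z","client":"192.0.2.77","method":"POST","path":"/user/login","status":403,"cache":"NONE","waf_action":"block","rule_id":"GENERIC-SQLI"}
{"ts":"2023-11-02T10:00:12Z","client":"192.0.2.77","method":"POST","path":"/user/login","status":200,"cache":"MISS","waf_action":"allow","rule_id":null}
{"ts":"2023-11-02T10:00:13Z","client":"192.0.2.77","method":"POST","path":"/user/login","status":403,"cache":"NONE","waf_action":"block","rule_id":"GENERIC-SQLI"}
{"ts":"2023-11-02T10:00:14Z","client":"192.0.2.77","method":"POST","path":"/user/login","status":200,"cache":"MISS","waf_action":"allow","rule_id":null}
{"ts":"2023-11-02T10:00:15Z","client":"192.0.2.77","method":"POST","path":"/user/login","status":200,"cache":"MISS","waf_action":"allow","rule_id":null}
"""


def parse_log(text):
    """Parse one JSON object per line; timestamps become datetime objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def waf_blocks(events):
    """Count WAF blocks keyed by (client, rule_id) for triage and rule tuning."""
    return Counter((ev["client"], ev["rule_id"]) for ev in events if ev["waf_action"] == "block")


def rate_offenders(events, threshold, window_seconds):
    """Clients that made >= threshold requests within any window_seconds span.

    This is the sliding-window check a CDN rate-limiting rule applies; running
    it over the logs shows which clients such a rule would have throttled.
    """
    offenders = set()
    recent = defaultdict(deque)
    for ev in sorted(events, key=lambda e: e["ts"]):
        window = recent[ev["client"]]
        window.append(ev["ts"])
        while (ev["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            offenders.add(ev["client"])
    return offenders


def origin_dynamic_hits(events):
    """Paths that were allowed through and missed the cache, i.e. reached Drupal."""
    return Counter(ev["path"] for ev in events
                   if ev["waf_action"] == "allow" and ev["cache"] == "MISS")


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("WAF blocks:", dict(waf_blocks(evs)))
    print("rate offenders (5 req / 10 s):", rate_offenders(evs, 5, 10))
    print("dynamic paths reaching origin:", dict(origin_dynamic_hits(evs)))
```

The three outputs map back to the controls: block counts per rule feed rule tuning, the offender set validates a rate-limiting threshold before it is enabled at the CDN, and the origin-miss list is the inventory of paths that still need the Drupal application to answer, which is exactly the surface an End-of-Life site should keep as small as possible.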
Layer 6 — people
Definition: The people layer refers to the personnel responsible for managing, maintaining and operating the web application, including developers, administrators and support staff.
Security importance: Well-trained and security-aware personnel can significantly reduce the risk of security incidents caused by human error, while also ensuring the proper handling of security events.
Risks and consequences: Inadequately trained or careless personnel can inadvertently introduce security vulnerabilities, mishandle incidents or even fall victim to social engineering attacks, potentially leading to data breaches and system compromise.
Benefits and outcomes: A well-trained and security-conscious team can identify and mitigate potential security risks, effectively respond to incidents and maintain a secure environment for the web application.
Security controls and initiatives: Hosting companies can protect the people layer by:
- Conducting regular security awareness training
- Implementing strict access control policies
- Establishing clear roles and responsibilities for security tasks
- Encouraging a culture of security mindfulness and continuous improvement
Layer 7 — process
Definition: The process layer encompasses the policies, procedures and guidelines governing the operation, management and maintenance of the web application and its underlying infrastructure.
Security importance: Well-defined and properly implemented processes ensure consistency, effectiveness and efficiency in maintaining a secure environment.
Risks and consequences: Inadequate or poorly enforced processes can lead to inconsistencies, misconfigurations and overlooked vulnerabilities, potentially resulting in security breaches and system compromise.
Benefits and outcomes: Effective processes ensure that security best practices are consistently followed, reducing the risk of vulnerabilities and enhancing the overall security posture of the web application.
Security controls and initiatives: Hosting companies can protect the process layer by:
- Developing and maintaining comprehensive security policies and procedures
- Regularly reviewing and updating processes to ensure relevance and effectiveness
- Conducting periodic audits and assessments to verify compliance with security policies
- Implementing change management processes to minimise the risk of security issues arising from system modifications
Want more info?
Over the coming weeks we’ll be expanding on the topic of Drupal defense in depth, with an insight into each of the 7 layers.