Drupal defense in depth — a Drupal security protection framework

Drupal defense in depth — a comprehensive guide for securing Drupal, even after End-of-Life

Drupal is an open source content management system (CMS). Like most open source CMSs, and open source software in general, the responsibility lies with the site owner to patch and/or upgrade the software.

When Drupal versions become End-of-Life, the software is no longer supported. There are many risks and challenges this represents, with the biggest risk being security.

For example, Drupal 7 and 9 will be End-of-Life on 1 November 2023. This means no more security updates will be developed. If the site remains on these versions after this date, the chances of being hacked by a cybersecurity attack considerably increases, potentially risking costly reputational damage to the brand.

The solution is to upgrade Drupal 7 and 9 to the latest version of Drupal before they become End-of-Life. However, it’s not an easy pathway. Drupal 7, in particular, is not compatible with the newer versions of Drupal. New architecture paradigms were introduced, making the ‘upgrade’ very, very difficult. Essentially ‘upgrading’ from Drupal 7 involves a complete rebuild, from scratch.

This is cost and time prohibitive.

To amplify this problem, many larger organisations have 10s if not 100s of sites on Drupal 7. Upgrading to the supported version of Drupal would be a significant undertaking.

Thus, this leaves organisations with the tough decision to leave the sites on Drupal 7 ‘as-is’ and/or use their best efforts to add some form of security controls.

To address this problem, we’ve developed a complete, fully managed Drupal hosting stack that offers several layers of security protection. It’s a multi-layered approach we’ve designed and called ‘Salsa’s Defense in Depth Drupal 7 Security Hosting Framework’.

The 7 layers are:

• Layer 1 — infrastructure
• Layer 2 — container hosting
• Layer 3 — Drupal application
• Layer 4 — edge protection
• Layer 5 — content delivery
• Layer 6 — people
• Layer 7 — process

Layer 1 — infrastructure

Definition: Infrastructure refers to the physical and virtual resources supporting the overall system, including hardware, networking components and software. The expectation is that the infrastructure layer would be operated by a cloud provider.

Security importance: A secure infrastructure ensures the foundation of the entire system remains robust, preventing unauthorised access and safeguarding critical data.

Risks and consequences: If infrastructure security is neglected, the entire system becomes vulnerable to attacks, data breaches and unauthorised access, leading to potential downtime, data loss and reputational damage.

Benefits and outcomes: When infrastructure is properly secured, it provides a stable and safe environment for applications, reduces the risk of attacks and ensures the availability and performance of the system.

Security controls and initiatives: Hosting companies can protect the infrastructure layer by:

• Ensuring the infrastructure provider is certified with relevant security standards
• Ensuring administrative and programmatic interfaces are protected using strong authentication and authorisation mechanisms with a principle of least privilege
• Implementing network segmentation and firewalls
• Encryption at rest and in transit
• Using auditing tools to find vulnerabilities and misconfigurations
• Applying regular security patches
• Frequent penetration testing
• Ensuring redundancy and backup systems are in place

Read detailed insight on layer 1, infrastructure

Layer 2 — container hosting

Definition: Traditionally a single host, or static set of host servers, would be used to deliver an application. However, it’s now more common to deliver an application with a container orchestrator, such as Kubernetes. This container orchestrator also requires an ecosystem of tools to provide services such as logging, monitoring, secret management, etc.

Security importance: Ensuring the security of the container orchestrator prevents unauthorised access to hosted applications and data.

Risks and consequences: An insecure container orchestrator can lead to unauthorised access, data theft and defacement or manipulation of the hosted applications.

Benefits and outcomes: A secure container orchestrator provides a trusted environment for the application, ensuring data integrity and reducing the risk of attacks.

Security controls and initiatives: Hosting companies can protect the container orchestration layer by:

• Using only official and security-hardened base images for the worker nodes
• Regularly rotating the worker nodes as new base images with security patches become available
• Ensuring the ecosystem of tools are patched regularly
• Implementing network segmentation between workloads
• Employing intrusion detection and prevention systems (IDPS)
• Protecting administrative interfaces with the use of a VPN
• Using roles-based access control (RBAC) with strong authentication, including multi-factor authentication (MFA)
• Signing code / containers and validating before deployment so that code is only run from trusted sources
• Using a security information and event management (SIEM) to aggregate disparate sources of security information to correlate events and provide anomaly detection

Read detailed insight on layer 2, hosting

Layer 3 — Drupal application

Definition: The Drupal application layer refers to the software and code that powers the website, including the core Drupal software, modules and themes.

Security importance: A secure Drupal application prevents vulnerabilities in the code from being exploited, reducing the risk of attacks and ensuring the proper functioning of the website.

Risks and consequences: An insecure Drupal application can lead to a range of issues, including unauthorised access, data breaches and site defacement.

Benefits and outcomes: Properly securing the Drupal application maintains website integrity, prevents unauthorised access and ensures a better user experience.

Security controls and initiatives: Hosting companies can protect the Drupal application layer by encouraging their customers to:

• Regularly update the core, modules and themes
• Use only modules covered by the Drupal Security Advisory Policy
• Use a mitigation strategy for any End-of-Life Drupal deployments, for example having a static representation
• Use secure coding practices and conduct code reviews
• Implement least-privilege access for user accounts
• Ensure proper configuration and disable unused features

Read detailed insight on layer 3, Drupal application

Layer 4 — edge protection

Definition: Edge protection is achieved through a web application firewall (WAF), which is a security solution that filters, monitors and blocks HTTP traffic to and from a web application, helping protect it from malicious attacks.

Security importance: A WAF helps detect and block potential attacks before they can exploit vulnerabilities in the web application.

Risks and consequences: Without a WAF, a web application may be more susceptible to attacks, leading to downtime, data breaches and loss of user trust.

Benefits and outcomes: Implementing a WAF protects web applications from attacks, reduces the risk of exploitation and helps maintain site performance and availability.

Security controls and initiatives: Hosting companies can protect the WAF layer by:

• Deploying a properly configured WAF
• Regularly updating and tuning WAF rules
• Monitoring WAF logs for potential threats
• Integrating WAF with other security solutions

Read detailed insight on layer 4, edge protection

Layer 5 — content delivery

Definition: Content delivery is achieved through a Content Delivery Network (CDN), which is a system of distributed servers that work together to provide fast delivery of internet content, enhancing performance, security and reliability.

Security importance: CDNs offer significant security benefits, such as DDoS protection and traffic filtering, making it harder for attackers to target the origin site directly.

Risks and consequences: Without a CDN, a web application may be more vulnerable to DDoS attacks, slow performance, and downtime, which can lead to a negative user experience and potential loss of revenue.

Benefits and outcomes: Using a CDN not only enhances the performance and reliability of a web application, but also provides additional security benefits by offloading traffic, protecting against DDoS attacks, and hiding the origin server's IP address.

Security controls and initiatives: Hosting companies can protect the CDN layer by:

• Implementing a reputable CDN service
• Configuring CDN security features, such as DDoS protection, geo-blocking and rate limiting
• Preferably serving static content where possible and making exceptions as needed
• Regularly reviewing CDN security settings
• Monitoring CDN logs for security events

Read detailed insight on layer 5, content delivery

Layer 6 — people

Definition: The people layer refers to the personnel responsible for managing, maintaining and operating the web application, including developers, administrators and support staff.

Security importance: Well-trained and security-aware personnel can significantly reduce the risk of security incidents caused by human error, while also ensuring the proper handling of security events.

Risks and consequences: Inadequately trained or careless personnel can inadvertently introduce security vulnerabilities, mishandle incidents or even fall victim to social engineering attacks, potentially leading to data breaches and system compromise.

Benefits and outcomes: A well-trained and security-conscious team can identify and mitigate potential security risks, effectively respond to incidents and maintain a secure environment for the web application.

Security controls and initiatives: Hosting companies can protect the people layer by:

• Conducting regular security awareness training
• Implementing strict access control policies
• Establishing clear roles and responsibilities for security tasks
• Encouraging a culture of security mindfulness and continuous improvement

Read detailed insight on layer 6, people

Layer 7 — process

Definition: The process layer encompasses the policies, procedures and guidelines governing the operation, management and maintenance of the web application and its underlying infrastructure.

Security importance: Well-defined and properly implemented processes ensure consistency, effectiveness and efficiency in maintaining a secure environment.

Risks and consequences: Inadequate or poorly enforced processes can lead to inconsistencies, misconfigurations and overlooked vulnerabilities, potentially resulting in security breaches and system compromise.

Benefits and outcomes: Effective processes ensure that security best practices are consistently followed, reducing the risk of vulnerabilities and enhancing the overall security posture of the web application.

Security controls and initiatives: Hosting companies can protect the process layer by:

• Developing and maintaining comprehensive security policies and procedures
• Regularly reviewing and updating processes to ensure relevance and effectiveness
• Conducting periodic audits and assessments to verify compliance with security policies
• Implementing change management processes to minimise the risk of security issues arising from system modifications

Read detailed insight on layer 7, process

National Institute of Standards and Technology (NIST) and the Drupal in Defense Framework

NIST is a US-based agency that provides critical measurement solutions to promote equitable standards such as the NIST Cybersecurity Framework (NIST CSF). NIST CSF is recognised globally as one of the leading standards for organisational cybersecurity management. The CSF is based on existing standards, guidelines, and practices for organisations to better manage and reduce cybersecurity risk. In addition, it was designed to foster risk and cybersecurity management communications among both internal and external organisational stakeholders.

The NIST CSF covers the following five domains:

1. Identify: Activities to understand and manage cybersecurity risk by identifying assets, vulnerabilities, and threats.
2. Protect: Activities to implement safeguards to mitigate identified risks.
3. Detect: Activities to identify and detect cybersecurity events promptly.
4. Respond: Activities to plan for responding to and mitigating cybersecurity incidents when they occur.
5. Recover: Activities to plan for the recovery and restoration of systems and services after a cybersecurity incident.

While not an accreditation framework, the NIST CSF helps organisations to build an understanding and awareness of their current security posture against what is considered an industry best practice, as well as allowing cybersecurity expectations to be shared with business partners, suppliers and among sectors. By mapping the Framework to current cybersecurity management approaches, organisations are learning and showing how they match up with the Framework's standards, guidelines and best practices. Some parties are using the Framework to reconcile and de-conflict internal policy with legislation, regulation and industry best practice. The Framework also is being used as a strategic planning tool to assess risks and current practices.

More about NIST

Want more info?

View our in-depth insight on each of the 7 layers.

• Layer 1 — infrastructure
• Layer 2 — container hosting
• Layer 3 — Drupal application
• Layer 4 — edge protection
• Layer 5 — content delivery
• Layer 6 — people
• Layer 7 — process