System security is becoming increasingly important. Data, traditionally stored on the internal networks and drives, must now also become available online. Security plays a major role in enforcing that sensitive data is only accessible to the employees. iDelft has extensive experience in the field of system security and on this page we present a number of recommendations (often in combination with the Drupal Content Management Framework).
Tip 1: Security Updates
Ensure that security updates are applied at all levels of the system: The operating system, the management software (e.g. cPanel), the Core Content Management Framework software (e.g. Drupal and PHP), the configuration, but also all additional modules used within your specific environment. Two rules of thumb: If you have not given an explicit order for these hosting and support activities then they will not happen or will only happen infrequently. A second rule of thumb is that updates should take place at least every month. If not, your system is probably not properly secured. In that context, it is good to know that a large security team is working within the Drupal community on security issues and solutions (patches) every day.
Tip 2: Good user roles
One should only grant employees access rights to those parts of the system that are relevant for the person in question. This is not only about accessing data, but also functionalities to copy, export and delete data. These kinds of functionalities are generally controlled via user roles. Good user roles are crucial for protecting sensitive data.
Tip 3: Good password management
Setting a central password policy helps to make systems more secure. An effective password policy dictates the minimum size, complexity and lifespan of a password and can be automatically enforced in Drupal.
Tip 4: Two-factor authentication
If you want optimal security, you should consider applying a second layer in addition to usernames and passwords to secure access to the systems. Such a second layer is also referred to as a second factor. We can take care of this within a Drupal environment. The Google or Microsoft authenticator generates a number on a phone. This number must be entered additionally by the relevant user. This is especially useful for users (roles) with a high risk profile such as administrators.
Tip 5: Good use of SSL certificates
Logging in to a website is quite common nowadays, but behind the scenes there are still a few things to consider. It is necessary that no unauthorized users can reach the protected data. Secure Sockets Layer (SSL) is a widely used security technique that provides an encrypted connection between the server and the client. In this way, possible malicious parties cannot (or at least very difficult) tap the connection and the data is safe from eavesdropping during transport. SSL certificates are actually required by default these days because browsers issue a warning if the SSL certificates are not present. What many organizations don't realize is that these certificates can expire. Good monitoring is therefore necessary and that brings us to the next tip.
Tip 6: Ensure proper monitoring of the systems
Security issues need to be detected before system integrity is really at risk. An expired SSL certificate, a sudden increase in login attempts, a large number of requested web pages, no network access: a large number of parameters must be monitored and visualized. If necessary, an engineer should be automatically informed. iDelft has experience with implementing the Nagios software, which can be used for this purpose.
Tip 7: Install additional security software
In addition to a solid firewall, a robust system also has anti-virus software on board if files can be uploaded. Active software components should run that maximize the number of login attempts. IP addresses must be blacklisted when the system is being overloaded from these IP addresses. We use, for example, Fail2Ban to enforce this. It is also recommended to take anti-spam measures with ReCaptcha and Honeypot.
Tip 8: Caching
Caching is often used to optimize the performance (speed) of web page rendering. Indirectly, caching also contributes to the security of the systems because overloading can be prevented. The trick is that frequently requested web pages are already available and served immediately without putting a heavy load on the server. With proper caching in combination with an IP address blocking mechanism, simple Denial Of Service (DOS) attacks can be countered. With a massive attack from thousands of servers this is of course not possible and that brings us to the next tip.
Tip 9: Implement a good backup and consider implementing a fallback system
Better safe than sorry: A backup must be in a different physical location than the main server and cover a sufficient long time span. An alternative to a data backup is a full fallback system that can be activated if the main system is being hacked or overloaded.
Tip 10: Consider a Single-Sign On implementation
If there are many login mechanisms present in an organization, things can more easily go wrong compared with a Single-Sign-On environment. iDelft has experience in setting up a Single Sign-On (SSO) environment, also in combination with Drupal. This allows the number of accounts and passwords to be limited. The users are managed in a central place know as IdP (IdP: Identity Provider). The the software can then use an SP (SP: Service Provider). For some projects (for example the Nikhef alumni portal), iDelft has made the software work in combination with an existing Single Sign-On environment. With the push of a button, a malicious user can be immediately disconnected from all systems.
Finally: The iDelft security philosophy
We strongly believe that only through knowledge and hands-on experience you can take system security to a higher level. It goes without saying that much of the software produced by iDelft is also hosted and maintained by us. The servers, applications and firewalls are properly configured so that unauthorized persons cannot penetrate the server directly or via Drupal using, for example, XSS scripting. We implement advanced software packages on the servers that automatically and continuously scan web requests and intervene when abuse is detected: quantitatively (a large number of requests), but also qualitatively (for example, a targeted attack to penetrate via a login screen). Forms are also protected to stop spammers. In summary: security can only be effective if attention is paid to protection at all levels and components.
Please contact us if a quick security scan of the web environment is required. We like to stop by and help your organisation.