Peeling back the onion: Drupal Security and Compliance

Presenters: fen, nerdstein

Securing a Drupal site is like peeling layers off an onion -- or examining all the layers of an onion at once. It impacts every tier of the architecture: the network, infrastructure, services, application, and data. Cloud-based infrastructures add further security-related considerations.

Working to bring a cloud-based system through the Risk Management Framework (RMF) to full Authority to Operate (ATO) is a challenging process. The RMF is not designed to analyze each tier of a cloud-based system, nor are the Authorizing Officials (in general) educated in the specifics of the full architecture (e.g., inheritance of FedRAMP controls, the intrusion detection and prevention capabilities of SELinux, and the need for multi-tiered access control).

In this session we will demystify the peeling of this onion by presenting considerations for each tier of the architecture, the federal regulations and compliance frameworks involved, current challenges, and the path to achieving an ATO. We'll take a glimpse at technologies under development to streamline the process and at some case studies based on our experience. This session sheds light on the current state of security and compliance, while examining how innovation and best practices can emerge through a shared understanding and future collaboration. Our session aims to start the conversation.

Experience Level: Intermediate
Conference Year: 2016
Status: Accepted
Session Track: Community and Being Human