Security by Design: ZenSource— The Journey to Build an Enterprise-Grade Secure Drupal CMS
November 6, 2020
I have spent most of my career working in the Fortune 500 with responsibility for enterprise systems and technologies, specifically in the realm of infrastructure and security. If I am honest, I had always looked at open source systems like Drupal with trepidation and distrust—but times have changed.
During my time in the Fortune 500, we had the financial resources to purchase high-end solutions to meet our needs. But today, competing in the marketplace is harder than ever. With the rising cost of doing business, and of keeping brands and consumers safe from the dangers of doing business online, companies have to do more with less. Maintaining a competitive advantage requires managing costs effectively while still getting the features, capabilities, and effectiveness you need from every technology investment.
Seeing this shift occurring in the industry, and indeed, for our own clients, Primacy recognized the need to have an enterprise CMS built on a cost-effective platform.
As an enterprise-minded security professional, my primary concerns about building this enterprise CMS on a more affordable, open-source framework centered on several areas: security, CMS capabilities, a scalable and secure infrastructure, support, and accountability. But at the heart of each concern is security.
Security can be a complex and potentially scary topic. The security industry is full of buzzwords and technobabble: machine learning and AI-driven defenses, defense in depth, behavioral analytics, and others. These are big concepts that come from a few simple ideas: being good at detecting and preventing unauthorized intrusions and changes, intervening when something is amiss, and being able to recover in the event of a disaster. Building a secure system is like building a fortress. There is no turnkey solution that offers instantaneous, impenetrable security. The key to ZenSource being a strong, enterprise-grade secure CMS fortress is a strong foundation: the CMS itself.
A Secure CMS Platform
At the onset of our endeavor to design a CMS, we had several key decisions to make. The first was which CMS to buy or use to meet our requirements. Because the goal was an enterprise-ready CMS, we needed a feature-rich, capable, stable, cost-effective, and secure system. From a security perspective, many of the breaches that plague CMS platforms (especially open-source ones) are the result of human error, misconfiguration, and insecure third-party add-ons. Drupal won out during our vetting process for having the least reliance on third-party add-ons and the greatest capability to meet the needs of the enterprise. Drupal's large community of developers, together with its dedicated security team, thoroughly vets the system for security issues and weaknesses, which makes the base product arguably more secure than many proprietary CMS products. Once we landed on Drupal as our foundational CMS, we needed to build our fortress around it.
A Secure Infrastructure Foundation
ZenSource is built on and powered by AWS, which offers enterprise scalability, capability, and security. We needed a platform that could offer our customers global network availability, near real-time failover, automatic scaling to meet expected and unexpected demand, an expansive content delivery network, and the ability to implement advanced threat detection and prevention measures so that customer data stays safe from the latest threats. When building a fortress, you need to start with a secure foundation, and the AWS infrastructure offered all of the capabilities needed to build an enterprise-level secure CMS.
Defense in Depth – Our Framework
Having a secure foundation is a start, but the configuration of the security controls within the infrastructure is the framework upon which we build sturdy walls. Unlike many security endeavors, which focus on the exterior first, we started with the interior threat surface. ZenSource uses AES-256 encryption to protect Drupal's database and our customers' data, so that data taken at the storage layer (a disk volume, a snapshot, or a backup) is unusable to an attacker without the key.
We use a separate key for each of our clients to prevent even an accidental spread of data from one account to another. As another layer of defense, we apply the CIS AWS Foundations Benchmark configurations, which ensure appropriate key rotation, encryption, identity and access management, and security configuration for each client instance. We then add instance-level security: CIS hardened build images, security groups to control east-west communication, and next-generation anti-malware protection that uses behavioral analytics and machine learning to detect zero-day threats and malicious behavior.
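As an added example (not ZenSource's or Primacy's own configuration), here is what the interior controls described above look like when written as Terraform for one client: a customer-managed KMS key with rotation enabled, an RDS MySQL instance for Drupal encrypted at rest under that key and with no public endpoint, and security groups that allow only the application tier to reach the database. The client name, the variables, the port, and the instance sizing are assumptions for illustration.

```hcl
# Added example, not ZenSource's own configuration. One client's database
# tier for a Drupal site. "client_a", the variables below, the port and the
# instance sizing are assumptions for illustration.

variable "client" {
  type    = string
  default = "client_a"
}

variable "vpc_id" {
  type = string
}

variable "db_subnet_group" {
  type = string
}

variable "db_username" {
  type = string
}

variable "db_password" {
  type      = string
  sensitive = true
}

# One customer-managed KMS key per client, with automatic key rotation
# turned on (a CIS AWS Foundations Benchmark control). A volume, snapshot
# or backup encrypted under this key is useless without it, and a key
# belonging to another client cannot decrypt it.
resource "aws_kms_key" "client_db" {
  description             = "Drupal database storage key for ${var.client}"
  enable_key_rotation     = true
  deletion_window_in_days = 30

  tags = {
    Client = var.client
  }
}

resource "aws_kms_alias" "client_db" {
  name          = "alias/${var.client}-drupal-db"
  target_key_id = aws_kms_key.client_db.key_id
}

# Application tier (web/PHP hosts) security group. Its own ingress rules
# from the load balancer are omitted here.
resource "aws_security_group" "drupal_app" {
  name   = "${var.client}-drupal-app"
  vpc_id = var.vpc_id
}

# Database tier: the only permitted ingress is MySQL from the application
# tier's security group. No CIDR ranges and no 0.0.0.0/0, so east-west
# traffic from anything else in the VPC is dropped. Note that this resource
# also removes AWS's default allow-all egress rule unless one is declared.
resource "aws_security_group" "drupal_db" {
  name   = "${var.client}-drupal-db"
  vpc_id = var.vpc_id

  ingress {
    description     = "MySQL from the Drupal application tier only"
    from_port       = 3306
    to_port         = 3306
    protocol        = "tcp"
    security_groups = [aws_security_group.drupal_app.id]
  }
}

# Drupal's MySQL instance: encrypted at rest under the client's key, no
# public endpoint, reachable only through the database security group.
# Caveat: storage_encrypted cannot be switched on for an existing instance
# in place; Terraform will replace it, so for a live database take a
# snapshot, copy it with encryption enabled, and restore from the copy.
resource "aws_db_instance" "drupal" {
  identifier                = "${var.client}-drupal"
  engine                    = "mysql"
  engine_version            = "8.0"
  instance_class            = "db.t3.medium"
  allocated_storage         = 50
  db_name                   = "drupal"
  username                  = var.db_username
  password                  = var.db_password
  storage_encrypted         = true
  kms_key_id                = aws_kms_key.client_db.arn
  publicly_accessible       = false
  multi_az                  = true
  vpc_security_group_ids    = [aws_security_group.drupal_db.id]
  db_subnet_group_name      = var.db_subnet_group
  backup_retention_period   = 7
  deletion_protection       = true
  skip_final_snapshot       = false
  final_snapshot_identifier = "${var.client}-drupal-final"
}
```

The weak versions of these settings are the ones to look for in review: `storage_encrypted = false` (the default), `kms_key_id` left unset (which falls back to the account-wide AWS-managed `aws/rds` key and defeats per-client key separation), `publicly_accessible = true`, and an ingress rule with `cidr_blocks = ["0.0.0.0/0"]` on the database group.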
Finally, we address perimeter security using WAF and DDoS protection technologies that are integrated with our Next Generation Cloud Firewall. Together, these systems represent a strong defense-in-depth strategy that addresses multiple layers of risk and uses automated technologies to monitor, report on, respond to, and prevent threats. Woven into the entire security tapestry is advanced monitoring and automation that tracks and responds to threats and changes in availability without manual intervention, which provides true fault tolerance, shorter downtime, and faster threat investigations. For all of their capabilities, this secure technology suite would not be sufficient if it were not backed by a proven and dedicated support team.
Primacy's support team has been in the enterprise hosting business for well over a decade. We offer 24x7x365 coverage and hold multiple AWS certifications in addition to years of collective AWS infrastructure and security architecture experience. The support team's responsiveness, dedication, and capability give our clients a turnkey solution with enterprise-level support and security. The ability to defend an open-source Drupal-based system hinges on the vigilant management and deployment of critical security patches for both Drupal core and contributed modules.
Our team stays on top of Drupal security advisories for core and contributed modules, thoroughly vets the security of the modules we deploy, and responds quickly to any known vulnerabilities and threats. When you combine our secure infrastructure, defense-in-depth framework, and responsive, expert support team, ZenSource is a tool designed to protect and support our clients' sensitive data, whatever their regulatory requirements, including HIPAA, PCI-DSS, CCPA, and GDPR.
My last concern when dealing with any technology that is supported by the open-source community is accountability. When I ran enterprise architectures, I needed a partner that was deeply invested in my success and would hold themselves accountable in the event things don’t go according to plan.
Primacy not only commits to a 99.99% uptime SLA; it also completes a SOC 2 attestation yearly and has invested in a full-time CISO to lead its security program and ensure that Primacy and ZenSource stay ahead of the curve as we navigate the ever-changing threat landscape of today and tomorrow.
ZenSource has been designed from its inception to meet the requirements of an ever-changing privacy and security landscape and will continue to be a secure enterprise-grade solution for clients in highly regulated industries and for those who want to be a trusted brand in a sometimes dangerous digital world.