University Websites Built on Drupal Should Encrypt Sensitive Data

On February 19th the University of Maryland disclosed to the public a data breach exposing over 300,000 records of students, faculty, and alumni including names, social security numbers, and dates of birth.

Universities and colleges using their website to communicate with students are aware of the fact that their website is a massive portal for student data. From the moment a potential student applies to a university through its website, up through each time a student submits financial and health information, thousands of personal records are being collected by the website and stored for internal use in databases.

Why is this data not being protected? That’s the big question asked by data security experts and concerned students alike, who are aware of the massive number of data breaches that occur yearly through websites. The information submitted on higher education websites includes nearly everything a hacker or malicious user wants including: home addresses, social security numbers, phone numbers, email addresses, passwords, parent names, credit card, and financial data. Many universities run teaching hospitals, not to mention their own student health services. Protected health information (PHI) entered through patient portals also poses a huge risk if the data isn’t protected.

This information should not only be encrypted to protect students, faculty, and patients alike, but it should be encrypted because the collection of financial data, credit card data, and PHI fall under industry regulations such as HIPAA/HITECH and PCI-DSS which require the encryption of this data.

Here’s the good news: Many college and university websites are built using the common content management system (CMS) Drupal. Drupal is one of the most widely used CMS platforms, and is used by both small start-ups and Fortune 100 enterprises. It is very commonly used for higher education sites. Drupal has a long history with addressing security in its modules, and in fact has even supported an Encrypt module to encrypt sensitive data. Although the Encrypt module made encrypting data easy for Drupal users, it lacked a very important component of successful encryption: encryption key management.

Encryption key management is the foundation of a successful encryption strategy. If the encryption key is stored locally with the encrypted data, then a hacker who gains access to the data can immediately decrypt the data, making the encryption useless. If the key is protected, away from the encrypted data, then the data remains safe, even if accessed by an attacker.

Ok, here’s the actual good news: Stronger encryption and encryption key management is now available for Drupal users. Chris Teitzel and Rick Hawkins, Drupal developers and owners of Cellar Door Media have recently teamed up with Townsend Security to create Key Connection for Drupal--a module that enables NIST-validated AES encryption and FIPS 140-2 compliant key management for data in Drupal.

Key Connection for Drupal offers these important features:

• Encryption anywhere you want it - The Key Connection for Drupal APIs allow developers to encrypt data and protect encryption keys anywhere data is collected in a website from student enrollment applications to student health service portals.
• Onboard encryption - While Drupal developers can still use the encrypt module to encrypt sensitive data, and protect the encryption keys to a cloud or physical key management module, they also have the option to do “onboard” encryption within the key manager using NIST validated AES encryption. This is a critical new feature for business who need to meet PCI-DSS compliance requirements.
• Multiple key management options - Developers can choose from multiple key management options from key management in the cloud to a physical hardware security module (HSM) that they can rack up in their own IT infrastructure. Townsend Security also offers virtual and hosted options.

To learn more about Key Connection for Drupal and how you can encrypt sensitive data in Drupal using NIST validated AES encryption and protection of encryption keys using FIPS 140-2 compliant key management, listen to the podcast featuring the Key Connection for Drupal developers.