Townsend Security Data Privacy Blog

Drupal Encryption: Protecting Private Data

Posted by Luke Probasco on Jul 24, 2017 1:54:25 PM

Cloudflare.  HipChat.  OneLogin.  The list goes on – and that is just companies that have suffered breaches so far in 2017.  Businesses, large and small, are losing vast amounts of intellectual property (IP) and customer personally identifiable information (PII) to data breaches.  While there is no “silver bullet” to data security, there is one tool that stands out among the rest – encryption.  Encryption can mean the difference between a public breach notification (when private data is lost) and keeping the incident to yourself (if data is encrypted, you didn’t lose any decipherable information).

To protect data in Drupal, encryption is deployed at the application level with modules, rather than at the database level.  This makes it much easier to encrypt specific fields, forms, user-related data, or files.  It is important to note that Drupal Core does not natively support encryption and that developers will need to look to contributed modules to secure private data.  Let’s first look at the two primary reasons for encryption.

Why We Encrypt: Protect Brand/Customers

The most recent Ponemon Cost of a Data Breach Study shows the average cost of a lost or stolen record to be $141.  This cost includes loss of customers, remediating the breach, and post data breach costs – ultimately affecting a business’s bottom line and in some cases, their ability to keep doors open.

Why We Encrypt: Compliance

While we expect businesses to deploy encryption whenever sensitive data is present, unfortunately, they often need another nudge in the right direction.  That nudge comes from compliance regulations.  Both public and private organizations fall under compliance.  Compliance regulations include PCI DSS (if you take credit cards), HIPAA (healthcare), FFIEC (finance), FERPA (education), etc.  Further, aside from industry-specific regulations, many states have their own data security mandates.

What Should We Encrypt?

Organizations starting an encryption project always have this question on their minds. It is a simple question, but can be hard to answer. Generally speaking, you should encrypt any information that alone, or when combined with other information, can identify a unique, individual person. This is called Personally Identifiable Information, or PII. This should be your starting point, but you may need to address other information depending on the compliance regulations you must meet.  Examples include:

Social Security Number

Student ID Number

Email Address

Student Educational Records

Health Records

IP Address

Phone Number

Birth Date

 

Excuses, Excuses, Excuses

No more excuses.  If you aren’t encrypting private data, you are not applying due diligence.  Yes, learning security best practices may be something new for site developers, but by not evolving your skills, your sites and clients will be left vulnerable when bad actors come knocking.

“My clients aren’t asking for encryption.”

It may be true that your clients aren’t asking specifically for security, but they are paying you for it. Your clients expect site security, just as they expect you to anticipate and address their needs in other areas of site development. Further, by not implementing appropriate security controls, if there is a breach, you can be liable.

“I’m too small to be a target.”

It is often a surprise to small and medium sized businesses that they are actually considered a greater target than large enterprises. Why? Because hackers know that SMBs are an easy target. Symantec recently published a report confirming that three out of five cyber-attacks target small and midsize companies.

“There is no budget.”

Encryption has a reputation for being costly and causing severe impact on performance. Today this reputation doesn’t hold true, and these common fears can, in fact, get in the way of implementing a strong security solution.

Encryption in Drupal

As mentioned earlier, Drupal Core does not natively support encryption and developers will need to look to contributed modules to secure private data. The following modules will help you get started on the right foot.

Encrypt

Encrypt creates an API for performing symmetric encryption and decryption of data within Drupal. It provides a plugin-based system for encryption methods and key providers, allowing the ability to choose how to encrypt data.

Real AES
Real AES provides an encryption method plugin for the Encrypt module.  This module offers authenticated encryption based on AES-128 CBC with an HMAC.
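
What "AES-128 CBC with an HMAC" buys you, shown as an added example that is not code from Real AES or the Encrypt module: a plain PHP encrypt-then-MAC sketch in which a value modified in the database is rejected before it is ever decrypted. The function names, the HKDF labels and the sample value are assumptions made for illustration.

```php
<?php
// Added illustration, not Real AES's or Encrypt's own code.
// Function names and HKDF labels are hypothetical.
function example_derive_keys(string $master): array {
    // Independent keys, so one key is never used for both encryption and MAC.
    return [
        hash_hkdf('sha256', $master, 16, 'example-enc'), // 16 bytes = AES-128
        hash_hkdf('sha256', $master, 32, 'example-mac'),
    ];
}

function example_seal(string $plaintext, string $master): string {
    [$encKey, $macKey] = example_derive_keys($master);
    $iv = random_bytes(16); // fresh IV for every stored value
    $ct = openssl_encrypt($plaintext, 'aes-128-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // Encrypt-then-MAC: the tag covers both the IV and the ciphertext.
    $tag = hash_hmac('sha256', $iv . $ct, $macKey, true);
    return base64_encode($tag . $iv . $ct);
}

function example_open(string $sealed, string $master): string {
    $raw = base64_decode($sealed, true);
    if ($raw === false || strlen($raw) < 64) { // 32 tag + 16 IV + one block
        throw new RuntimeException('malformed value');
    }
    [$encKey, $macKey] = example_derive_keys($master);
    $tag = substr($raw, 0, 32);
    $iv = substr($raw, 32, 16);
    $ct = substr($raw, 48);
    // Verify in constant time before any decryption is attempted.
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $macKey, true), $tag)) {
        throw new RuntimeException('authentication failed');
    }
    $pt = openssl_decrypt($ct, 'aes-128-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    if ($pt === false) {
        throw new RuntimeException('decryption failed');
    }
    return $pt;
}
// Constructed demo; on a real site the master key comes from the key provider.
$master = random_bytes(32);
$stored = example_seal('123-45-6789', $master); // constructed sample value
echo example_open($stored, $master), PHP_EOL;
$raw = base64_decode($stored);
$raw[40] = chr(ord($raw[40]) ^ 0x01); // one changed bit in the stored IV
try { example_open(base64_encode($raw), $master); }
catch (RuntimeException $e) { echo $e->getMessage(), PHP_EOL; }
```

Without the HMAC check, CBC would decrypt the modified value without complaint and return altered plaintext; with it, the change is rejected as an authentication failure.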

Field Encryption
Field Encryption encrypts Field values when stored in the Drupal database.  This module is useful for fields that site visitors may input sensitive data into.

Encrypted Files
Encrypted Files allows Drupal to encrypt files that users upload and decrypt files for download, keeping the unencrypted versions of files from ever being stored on disk.

Key Management in Drupal

Most users who are currently encrypting sensitive data are storing the encryption key locally in either a file on the server, in the database, or in Drupal’s settings file. None of these methods meet data security best practices or compliance regulations such as PCI DSS, HIPAA, etc.  In order to truly protect encrypted data, businesses need to also store and manage their keys with an external key manager.  The Key module can help with this.  Key provides the ability to manage encryption keys and define how/where keys are stored, allowing sites to meet regulatory or compliance requirements and security best practices.

At the end of the day, it is important to remember that there is no silver bullet to data security and you should take a defense in depth approach to protecting your or your clients’ web sites. Townsend Security’s dedicated Alliance Key Manager is in use by over 3,000 customers worldwide and is the only dedicated key manager with Drupal integrations. Alternatively, Lockr is the first hosted API & encryption key management for modern content management systems like Drupal and WordPress, providing affordable solutions for all sites to properly manage access and encryption keys.
