Drupal security

Ensuring data security

Why most competitors just don't cut it if data security matters to your organisation.

Photo of Greg Harvey
Tue, 2016-09-27 16:23By greg

Before we go into this, I'd like to explain this mostly isn't a "public cloud versus private cloud" thing, like some of the other posts in this series have been. Rather, this is looking at the companies operating the platforms you have to trust. I don't mean the infrastructure partners. We are based on Pulsant, Acquia are based on AWS, Pantheon are on Rackspace public cloud (last time I looked), and so on - but all of these infrastructure providers are certified to the hilt for information security.

The question is therefore less about infrastructure, and more about who is running the services on top of the infrastructure. Code Enigma operates an ISO 27001 certified management framework for ensuring we have a robust security posture. In contrast, none of our PaaS competitors have meaningful security certification, ISO 27001 or otherwise. Most don’t have any kind of certified (e.g. externally checked and audited) security management in place at all.

By way of an example, Acquia have ISO 27001 certification, but if you read their Scope Statement it explicitly covers their Boston office only, so it’s not a great deal of use given they’re a global organisation and their software is all at AWS. (AWS are comprehensively ISO 27001 certified, which is good, but it categorically does not extend to software running on the resource they provide, which is rather the point.)

Furthermore, we go way above and beyond simply making sure we meet the ISO 27001 standard (though that is good in and of itself). To give some examples, we have strict password management policies and software to enforce it, we use encrypted volumes on servers containing sensitive information, we have three-factor authentication (provided by Yubikeys, password and SSH key pair) on production servers, our backups are GPG encrypted with customer-specific private keys, each back-up is stored in a unique AWS customer account, our access is entirely over a secure VPN with certificate-based and password-based authentication (2FA again), etc. etc.

Is your data safe with us? As safe as it’ll ever be, that’s for sure. And significantly safer than it would be with any other Drupal hosting provider I can think of.

The other point, where we do come back to public versus private again for a moment, is because we operate a private cloud, we operate a private network. Communications on our network, between our servers, is completely behind closed doors. We double firewall anyway (software firewalls on servers are paranoid by default, to ensure if a bad person gets in to one server, it's as difficult as possible to get any further) but the point remains all that network traffic is on an internal LAN.

In stark contrast, all the traffic at a public cloud infrastructure provider is traversing public (or, at best, semi-public - e.g. enormous shared "internal" address spaces encompassing all other customers as well as you, such as what Rackspace refer to as "ServiceNet") so it's all hanging out there. Plus most of these companies are US-based, with so-called Safe Harbour agreements supposedly preventing the application of some rather questionable aspects of US law, and those Safe Harbour agreements have been declared fairly useless by the European Court of Justice. To quote an extract:

Those who will lose out are the smaller companies, and startups that had been planning to use something like Amazon’s AWS cloud services. The nature of cloud systems is that data is transferred promiscuously, both to create resilience and speed up access elsewhere.


All in all, we present a much better bet for any European organisation that is truly serious about data security.

Read on, our final instalment is about developer experience.