DrupalCon Baltimore 2017: Death Star Security - Maintaining Agility and Security
Have you been tasked to build the most powerful weapon in the universe? No? How about a hyper performant and scalable system integrating multiple services and workflows all corners of the globe? Are you new to creating and maintaining a system for Drupal to thrive in, but don't know how to keep it safe?
“Death Star” security happens whenever a system relies entirely on an outermost security layer — and fails catastrophically when breached. Especially as stack layers multiply, they shouldn’t all run in a single, trusted virtual private cloud (or similar isolation in a traditional data center). Sharing secrets doesn’t scale, either, as systems multiply and external services integrate with your site and user base.
Instead, we’ll be exploring methods strong enough to cross the public Internet, flexible enough to allow new services without reconfiguring existing systems, and robust enough to avoid single points of failure. Security architecture using a defense in depth approach for every step and every layer will help prevent a young Jedi shooting a proton torpedo through a hole the size of a wamp rat and destroying your hard work. To do this, we'll discuss:
Public key infrastructure (and where that's possible)
Federated identity (for infrastructure and websites)
Capability-based security (rather than traditional role-based access control)
Data encryption in transit and at rest
Building a security consciousness amongst your team
A session for projects and teams of all sizes this will be an interactive time filled with lessons learned and examples from the real world. If you find yourself wiring together everything from Varnish to Apache to MySQL to Solr to backup storage (and especially if you're looking for answers better than just throwing it all behind a main firewall), this talk is for you. Just promise that afterwards you’ll use what you learn for the good of the galaxy and that you won't go build a planet sized weapon of mass destruction.
“Death Star” security happens whenever a system relies entirely on an outermost security layer — and fails catastrophically when breached. Especially as stack layers multiply, they shouldn’t all run in a single, trusted virtual private cloud (or similar isolation in a traditional data center). Sharing secrets doesn’t scale, either, as systems multiply and external services integrate with your site and user base.
Instead, we’ll be exploring methods strong enough to cross the public Internet, flexible enough to allow new services without reconfiguring existing systems, and robust enough to avoid single points of failure. Security architecture using a defense in depth approach for every step and every layer will help prevent a young Jedi shooting a proton torpedo through a hole the size of a wamp rat and destroying your hard work. To do this, we'll discuss:
Public key infrastructure (and where that's possible)
Federated identity (for infrastructure and websites)
Capability-based security (rather than traditional role-based access control)
Data encryption in transit and at rest
Building a security consciousness amongst your team
A session for projects and teams of all sizes this will be an interactive time filled with lessons learned and examples from the real world. If you find yourself wiring together everything from Varnish to Apache to MySQL to Solr to backup storage (and especially if you're looking for answers better than just throwing it all behind a main firewall), this talk is for you. Just promise that afterwards you’ll use what you learn for the good of the galaxy and that you won't go build a planet sized weapon of mass destruction.