Guardr for Drupal 8: Meeting Enterprise Security Requirements

by Mark Shropshire
May 15, 2017

What is Guardr?

Guardr is a Drupal distribution with a combination of modules and settings to enhance a Drupal application's security and availability to meet enterprise security requirements. These security requirements have been added after a review and study of industry best practices from security standards, regulatory controls, and security certifications. These include but are not limited to:

  • NIST - National Institute of Standards and Technology
  • PCI DSS - Payment Card Industry Data Security Standard
  • FERPA - Family Educational Rights and Privacy Act
  • CISSP - Certified Information Systems Security Professional
  • HIPAA - Health Insurance Portability and Accountability Act
  • ISO/IEC 27001 - International Organization for Standardization/International Electrotechnical Commission Information technology — Security techniques — Information security management systems — Requirements

Guardr's philosophy is based around the CIA Information Security Triad where confidentiality, integrity, and availability are held in high regard.

For any information system to serve its purpose, the information must be available when it is needed. This means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly. High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades.

Maintaining and Improving Guardr

In addition, Guardr maintainers are always on the lookout for modules and settings that will harden the security of Drupal by protecting against risks detailed by OWASP in the "OWASP Top 10 Most Critical Web Application Security Risks." Some of these risks are ones that the Drupal community witnesses with the release of Drupal Security Advisories.

Speaking of the included contrib modules, here are some of the criteria used to select modules for inclusion:

  • Does the module fulfill a part of the CIA Information Security Triad?
  • Does the module address an OWASP Top 10 Security Risk?
  • Does the Guardr team/community have previous experience with the module?
  • Is the additional module worth the attack surface increase?
  • Is a stable release available, or is the community working towards one?

Guardr for Drupal 8

While the Drupal 7 version of Guardr has been available for 5 years, I am pleased to announce the first alpha release of Guardr for Drupal 8: Guardr 8.x-1.0-alpha1. Drupal 8 Core has a number of built-in security enhancements that help websites and applications maintain security and availability. Guardr builds on top of Drupal 8’s foundation by adding Core hardening configurations via Guardr Core. Included Drupal 8 contrib modules extend site security through improved login security, session management, system auditing and logging, and other features.

Below are the items the Guardr community sees as next steps to help drive Guardr for Drupal 8 to a stable release:

  • Continue working through the D7 to D8 module crosswalk plan
  • Evaluate additional Drupal Core hardening and implement in Guardr Core
  • Feature: Ability to add certain Guardr recommendations to existing Drupal 8 installs
  • Update documentation for Guardr 8
    • Related project pages
    • Add new Guardr 8 specific documentation

I had the pleasure of presenting Raising The Security Bar with Guardr at DrupalCon Baltimore. There are more details on the project and great Q&A at the end of the session.

Get involved

We would love your help! If you are interested in contributing to Guardr, we have needs which include writing documentation, supporting Guardr users, testing patches and updates, and developing new features. Getting involved in the issue queue is a great place to start. If you want to chat about how to help, feel free to ask questions in IRC at “#drupal-guardr” or Tweet us at @guardrproject.

Meet team member, Mark Shropshire

As a Senior Director of Development, Mark “shrop” loves working at the intersection of leadership and technology. Over his 20-plus-year career as a technical team leader, Shrop held IT roles at a large urban research university and a nationally recognized graphic communications company prior to Mediacurrent. He has a passion for personal and team growth, aligning individual purpose with Mediacurrent’s vision. Shrop focuses on empowering teams to excel while using best-of-class open source technology solutions.

His passion for team growth has extended to his mentorship and maintainership of open source projects such as various Drupal modules and Guardr, the Drupal security distribution. Speaking of mentorship, Shrop has a big heart for helping others see the value of leadership, mentorship, and serving others through his goServeOthers and SHROPCAST podcasts. His focus and love of mentorship helped him grow and start new mentorship programs at Mediacurrent.

Shrop is active in the Charlotte, North Carolina tech community through meetup group leadership, mentorship, and participation. He believes giving people a chance and helping them grow and find careers in tech changes lives.
