GUEST ESSAY: A primer on content management systems (CMS) — and how to secure them

By Sebastian Gierlinger

You very likely will interact with a content management system (CMS) multiple times today.

Related: How ‘business logic’ hackers steal from companies

For instance, the The Last Watchdog article you are reading uses a CMS to store posts, display them in an attractive manner, and provide search capabilities. Wikipedia uses a CMS for textual entries, blog posts, images, photographs, videos, charts, graphics, and “talk pages” that help its many contributors collaborate.

Chances are strong that your corporate website uses a CMS, and perhaps you have a separate CMS for documents and other files shared by your employees, partners, and suppliers.

Security is essential for a CMS. That’s obviously true if the content in that system requires some level of privacy and access control for internal use, such as for legal documents, customer contracts, and other assets. Security is also necessary if your retrieval system (such as a website or mobile app) has a paywall or is restricted to only a subset of people, such as customers or resellers.

What about public information? Even if you give your content away, you don’t want to allow unauthorized people to add, delete, or tamper with your files.

A big concern on Wikipedia is vandalism. There are automated systems in place to detect and reverse vandalistic edits. You also don’t want unscrupulous individuals to download your content in bulk or re-host it on their own websites without permission.

CMS 101

Today, there are two major types of common CMS platforms:

•The older “traditional” or “monolithic” CMS platforms include a content repository (usually a multimedia database), the administrative console (where content is added and categorized), the presentation system (which makes nice-looking pages), and the search engine.

Gierlinger

•The newer “headless” CMS, running in the cloud, contains everything but the presentation system. Instead, the CMS presents a series of application programming interfaces (APIs) that can be used by programmers creating your websites, mobile apps, and other display systems. A headless CMS is more flexible and customizable than traditional CMS platforms.

Nearly all CMS platforms, whether traditional or headless, offer some level of built-in security to authenticate users who are allowed to view, add, remove, or change content.

Best security practices

Sad to say, those basic measures may not be enough to prevent bad actors from stealing, destroying, or tampering with content. As every computer security professional knows, if anything is on the Internet, it’s subject to increasingly sophisticated attacks.

According to the IBM Data Breach Report 2021, data breaches in the United States reached $4.24 million last year, and a study by Storyblok revealed that 64.3 percent of CMS users worry about the security of their CMS—while 46.4 percent actually had a CMS security issue affect their content.

What can you do about it? The best practices for securing your CMS begin with these five low-hanging-fruit steps:

•Make sure that your CMS platform’s access control and encryption features are turned on and configured correctly.

•Provide employees and content contributors with only as much ability to access or change the content as they actually require. In most organizations, very few people need the ability to add, delete, or change content, or to modify other users’ access privileges.

•When employees leave, turn off their CMS access immediately.

•Design the system so that the servers containing the content cannot be accessed except via the CMS platforms, so that bad actors can’t sneak in and steal, delete, or tamper with the data.

•If you are using a CMS hosted in your data center, then you need to be sure to promptly apply fixes and patches provided by your technology vendor. (If you are using a cloud-based headless CMS, the vendor handles this for you automatically.)

Moving beyond those standard security operations, here are three advanced techniques for maximizing the security of your CMS platform—and its content:

Verify that your CMS platform’s technology provider is adhering to the strongest levels of computer security and privacy; one way of determining this is to look for current certification to the latest ISO 27001 Information Security Management standard.

•Design your architecture in a way where the CMS back end (the behind-the-scenes content repository) is not directly coupled to the front end (the presentation system). This strategy separates your assets and if one end is attacked, the other end is not compromised.

•Make sure the CMS platform uses a robust web application firewall (WAF), conducts continuous automated and manual security tests and uses state of the art encryption technology. All APIs should use the TLS v1.2 (or higher)  encryption protocol, because systems using an older version of TLS are a security risk.

Securing a CMS is not difficult, especially with a headless CMS platform running in the cloud. To do the job right, however, make sure that your employees follow good procedures, and that your platform provider is certified as following the ISO 27001 process. The best practices here provide a solid roadmap and checking for protecting your content.

About the essayist: Sebastian Gierlinger is vice president of engineering at Storyblok, a supplier of CMS services based in Linz, Austria.

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone