Security is important for every website. When employees leave a project or company for whatever reason, you must review their security access to prevent potential future tampering or the loss of important data. Failure to secure your subscription after an employee departure can result in issues like the following:
- Incorrect credit card charges
- Failure to receive Cloud Platform notifications
- Account and application security breaches
Cloud Platform security steps
If you are a Cloud Platform subscriber, review the following steps to secure your websites after an employee’s departure:
Remove the employee from your Acquia Teams
The subscription administrator should remove the employee from all teams. If the administrator is the departing employee, they can designate a new organization owner before leaving. If this isn’t possible, create a Support ticket and, where you can, copy the previous owner on the ticket for an easier transition. If the previous owner is unavailable, see Transferring ownership from an unavailable owner.
Remove any employee-specific entries from your Users and Keys page
- Sign in to the Cloud Platform user interface and navigate to your environment in an application.
- Click Users and SSH Keys. This displays the Users and keys page.
- Change the passwords for the private keys or generate new keys entirely.
Remove the employee from any elevated roles on your websites
Check any single sign-on solutions your organization uses.
Remove the employee’s entries from the Teams and Permissions pages
For information about how to do this, see Transferring ownership of an organization. For information about completely deleting a user account from Cloud Platform, see GDPR Data Subject Rights requests.
Update credentials in Pipelines
Pipelines runs jobs with the credentials of the user who first ran a Pipelines job for that subscription. If the departing employee supplied those credentials, your Pipelines jobs may start to fail. For more information, see User permission issues.
Drupal security
Be sure to review the following items to secure your website after an employee’s departure:
Change any administrative passwords to which the employee had access
Affected passwords can include those for the website itself, shell accounts, and phpMyAdmin.
Review the Drupal roles and permissions
Edit the employee’s account in your Drupal website, and change their access to a lower permission level, or set it to blocked.
Review recent code changes
If the parting is less than amicable, a departing individual may have committed code that allows continued access to the website through a back door.
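One way to make that review systematic, as an added example that is not part of Acquia's documentation or tooling: a POSIX shell function that scans the added lines of a unified diff (such as `git log -p` output) for PHP calls that back doors and web shells typically rely on. The list of function names, the helper names and the constructed diff used to exercise it are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not Acquia's tooling): scan added lines in a unified diff for
# PHP constructs that back doors and web shells commonly rely on.
# The function list is an illustrative assumption; extend it for your code base.
RISKY_CALLS='eval|base64_decode|gzinflate|str_rot13|system|exec|shell_exec|passthru|popen|proc_open|assert|create_function'

# Reads a unified diff on stdin (for example `git log -p` output) and prints
# "file:added line" for every added line that calls one of RISKY_CALLS.
# Exit status mirrors grep: 0 when at least one hit was printed, 1 when clean.
scan_diff_for_risky_calls() {
    awk -v names="$RISKY_CALLS" '
        BEGIN { pat = "(^|[^A-Za-z0-9_])(" names ")[ \t]*[(]"; found = 0 }
        /^\+\+\+ / { file = $2; sub(/^b\//, "", file); next }   # new-file header
        /^\+/ {                                                   # an added line
            line = substr($0, 2)
            if (line ~ pat) { found = 1; print file ":" line }
        }
        END { exit found ? 0 : 1 }
    '
}

# Review every commit on the current branch since a date, not only those whose
# author field names the departing employee: author metadata is easy to edit.
# $1 = repository path, $2 = a date git accepts (e.g. 2024-01-01).
review_commits_since() {
    git -C "$1" log -p --since="$2" -- . | scan_diff_for_risky_calls
}
```

A hit is a prompt for a person to read that commit, not proof of a back door: legitimate code calls `exec` and friends too. Running `review_commits_since /var/www/site 2024-01-01` over the whole window, rather than filtering on `--author`, matters because the author field is whatever the committer chose to set.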
- Revoke access to servers and version control systems
- Review IP allowlists on firewalls and in Apache .htaccess (or equivalent) files
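As an added example (not Acquia tooling), a shell helper that lists the address-based rules in an Apache .htaccess file and flags the entries that mention a given address or prefix, so a departing employee's office or home IP entries can be found and removed. The directive forms it handles, the helper names and the sample addresses are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not Acquia's tooling): list the address-based access rules in
# an Apache .htaccess file and flag the ones that mention a given address or
# prefix, so the departing employee's entries can be removed by hand.
# Handles the Apache 2.2 "Allow from"/"Deny from", the 2.4 "Require ip" /
# "Require not ip", and RewriteCond %{REMOTE_ADDR} forms.

# $1 = path to .htaccess. Prints "lineno:rule" for each address rule.
list_ip_rules() {
    grep -n -i -E \
        '^[[:space:]]*(Allow from|Deny from|Require (not )?ip|RewriteCond[[:space:]]+%\{REMOTE_ADDR\})' \
        "$1"
}

# $1 = path to .htaccess, $2 = address or prefix to look for (e.g. 203.0.113.42
# or 203.0.113.). Backslashes are dropped before matching so an escaped
# RewriteCond pattern is found too. Prints matching rules with their line
# numbers; exit 0 if any matched, 1 otherwise.
find_ip_rules_for() {
    list_ip_rules "$1" | tr -d '\\' | grep -F -- "$2"
}
```

Removal itself stays a manual edit of the reported line numbers; the helper only makes sure no form of the rule is overlooked, including `Require not ip` and rewrite-based allowlists that a plain search for `Allow from` would miss.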
Change the salt for your encryption
For more information about encryption salting, see this Wikipedia article.
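As an added example, not part of Acquia's documentation, this shell script rotates the salt in the form Drupal keeps it: `$settings['hash_salt']` in settings.php. That this is the salt meant here, the path of settings.php, and the helper names are assumptions.

```shell
#!/bin/sh
# Added example (not Acquia's tooling): rotate Drupal's hash salt in
# settings.php. Assumes the salt to change is $settings['hash_salt'] and that
# the file is writable by the user running this. The new value is 55 random
# bytes, base64-encoded, mirroring what the Drupal installer generates.

generate_hash_salt() {
    head -c 55 /dev/urandom | base64 | tr -d '\n'
}

# $1 = path to settings.php. Rewrites the hash_salt line in place and keeps a
# copy of the previous file as settings.php.bak. The salt is deliberately not
# printed. Returns 1 if no single-quoted hash_salt line was found.
rotate_hash_salt() {
    file=$1
    grep -q "\['hash_salt'\]" "$file" || return 1
    new_salt=$(generate_hash_salt)
    # Replace only the quoted value; the rest of the line and file are untouched.
    sed -i.bak "s|\([$]settings\['hash_salt'\][[:space:]]*=[[:space:]]*'\)[^']*'|\1$new_salt'|" "$file"
}
```

Rotating `hash_salt` invalidates outstanding one-time login links and form tokens but does not affect stored password hashes, which carry their own per-password salt. Run it against each environment's settings.php and delete the `.bak` copy once the site has been checked, since it still holds the old salt.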