Cloud Platform

Security and compliance

This page describes how Cloud Platform, building on Amazon Web Services (AWS) and using Drupal, provides a secure environment for your applications.

For more information about Cloud Platform’s compliance standards and regulations, see Compliance with standards and regulations.

Shared responsibility model of Cloud Platform

Security in Cloud Platform is a shared responsibility between Acquia, Amazon Web Services, and the subscriber. Cloud Platform provides a secure platform where Acquia subscribers can build and manage world-class, highly secure Drupal applications. Acquia manages, monitors, and secures the environment where Acquia subscriber applications run, including the operating system, the LAMP (Linux, Apache, MySQL, PHP) stack, and the network layers of Cloud Platform. Acquia provides tools, support, and resources that enable subscribers to keep their Drupal applications secure.

Subscribers have various responsibilities around the security of the applications they host with Cloud Platform. Subscribers must understand what data they intend to collect and store in their Drupal application. They must ensure they address risk and compliance requirements, which correlate to the importance and sensitivity of the data. Subscribers must ensure they address security during the development lifecycle of their Drupal application, and ensure they follow secure development best practices and conduct security testing as part of the change process. Subscribers must ensure the security controls deployed to the Drupal application are in line with the risk and the mission of the application. Subscribers are responsible for the security of the web applications they manage on the Acquia platform, while Acquia is responsible for security controls at the network and platform layer.

Cloud Platform is built using Amazon’s AWS data centers, and uses Amazon’s Elastic Compute Cloud (EC2), Amazon S3, and Elastic Block Store (EBS) services. Amazon personnel do not have logical access to Cloud Platform hosts or applications, nor can they access the data of any Cloud Platform subscribers hosted by Cloud Platform.

Amazon AWS control environment

To maintain the high level of security Amazon provides to its subscribers, it doesn’t disclose every detail about network topology, physical locations, and AWS-specific security procedures to the public. Cloud Platform leverages Amazon’s certifications and attestations providing assurance to Acquia and its subscribers about the security of the infrastructure, network, and physical security layers of Cloud Platform. Amazon shares certification information about the AWS control environment with strategic partners such as Acquia under nondisclosure agreements (NDAs) which prohibits Acquia from releasing this information to any unauthorized party. Acquia is committed to maintaining a high degree of transparency and trust with its subscribers, so Acquia makes as much information available to its subscribers as it can legally disclose.

To find more information about the security of Amazon AWS, see AWS Cloud Security or contact Acquia.

Physical security

Amazon’s AWS data centers follow and enhance best practices in data center physical security. The exterior physical security is military grade. Personnel who enter the data center are authorized and verified by government-issued ID and two-factor authentication at each entrance point. Each entrance is monitored by video surveillance, and Amazon logs and audits all access. All visitors and contractors must present identification and sign in. Visitors are always escorted by authorized staff. Amazon AWS does not permit guests, subscribers, or strategic partners such as Acquia to tour or inspect its data centers. Therefore, Acquia can’t facilitate any physical inspection of AWS hosting facilities for subscribers.

Acquia maintains some infrastructure on its premises—for example, IP phone switches and LAN equipment. This equipment isn’t used either to host subscriber applications or to store sensitive subscriber information. Acquia cooperates with subscribers who want to speak with the Acquia security team to discuss the Cloud Platform control environment.

Subscriber segregation

Cloud Platform Enterprise provides independent, logically separate environments for each subscriber application. Certain parts (infrastructure and databases) of the subscriber’s primary technology stack in Cloud Platform Enterprise are provisioned on unique, logically distinct infrastructure, except for load balancers. Dedicated load balancers are available to Cloud Platform Enterprise subscribers at an added cost. In Cloud Platform, Acquia manages host-based firewall policies, which provide logical isolation between distinct subscriber environments. Other parts of the technology stack, such as continuous delivery environments (CDEs), Remote Administration environments, and code repository environments, are shared.

Systems access controls

Acquia limits privileged access both to the information on the subscriber infrastructure under its management and to that infrastructure itself. Access is limited to authorized personnel. Network layer controls ensure privileged access is always enforced through secure bastion hosts, using encrypted tunnels over nonstandard ports. Authentication requires multi-factor authentication, and each user’s credentials are encrypted in transit and at rest. Access attempts are logged and monitored using a security information and event management (SIEM) system.

Subscribers can provision non-privileged user accounts on their web nodes using the Acquia web-based user interface and APIs. Application administrators create named users and upload those users’ SSH public keys; the Acquia platform deploys the accounts and keys to the subscriber’s Cloud Platform web nodes, enabling non-privileged access over SSH.

Security Patch Management

Relevant Acquia personnel (for example, security and engineering teams) subscribe to relevant security notification feeds, including Ubuntu security notices, US-CERT, and Drupal Security notices. When a patch or update applicable to Cloud Platform has been published, the patch and vulnerability are reviewed to determine their relevance to the Cloud Platform environment, as detailed at Security. If relevant, a tracking ticket is created for Security Engineering teams to assess and score the vulnerability based on applicability, likelihood, impact, and mitigating factors using industry-standard scoring frameworks (such as CVSS). A fix for the vulnerability is then incorporated into a later release based on the rating and in alignment with Acquia’s standard patching cadence. If the patch or update requires a service restart affecting subscribers, a notification is sent to Cloud Platform subscribers to inform them of the impending maintenance.

Acquia uses a standardized Linux distribution and management tooling to deploy security patches across Cloud Platform.

Acquia has a formal risk-rating system based on factors such as likelihood, impact, and severity, and deploys patches according to the following schedule:

Risk Level    Schedule
Critical      7 days
High          30 days
Medium        90 days
Low           Based on risk

Deployment of these patches can cause brief interruptions in service.

Antivirus upload scanning

ClamAV is an open source (GPL) antivirus engine designed for detecting Trojans, viruses, malware, and other malicious threats. Acquia installs the ClamAV executable on all Cloud Platform infrastructure. To leverage ClamAV for virus scanning, you must install, enable, and configure the ClamAV module. This module connects to the ClamAV executable on your Cloud Platform infrastructure. For more information, see Enabling virus scanning for file uploads.
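As an added illustration of what "connects to the ClamAV executable" involves (this is example code, not the Drupal ClamAV module's own implementation), the following Python client frames an uploaded file with clamd's INSTREAM command and turns the daemon's reply into an admission decision that fails closed on scanner errors. The clamd address and chunk size are assumptions; adjust them for your environment.

```python
import socket
import struct

# Assumed clamd listener (clamd's conventional TCP port); adjust for your environment.
CLAMD_ADDR = ("127.0.0.1", 3310)
CHUNK_SIZE = 8192  # arbitrary chunk size; clamd accepts any chunking


def build_instream_request(data: bytes) -> bytes:
    """Frame file bytes as a clamd zINSTREAM request: NUL-terminated command,
    then 4-byte big-endian length-prefixed chunks, ended by a zero-length chunk."""
    parts = [b"zINSTREAM\0"]
    for i in range(0, len(data), CHUNK_SIZE):
        chunk = data[i:i + CHUNK_SIZE]
        parts.append(struct.pack(">I", len(chunk)) + chunk)
    parts.append(struct.pack(">I", 0))
    return b"".join(parts)


def parse_clamd_reply(reply: bytes) -> tuple:
    """Map a NUL-terminated clamd reply to (verdict, detail).
    verdict is 'clean', 'infected' or 'error'; anything unrecognised is 'error'."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    if text == "stream: OK":
        return ("clean", "")
    if text.startswith("stream: ") and text.endswith(" FOUND"):
        # e.g. "stream: Eicar-Test-Signature FOUND" -> signature name
        return ("infected", text[len("stream: "):-len(" FOUND")])
    return ("error", text)  # includes "... ERROR" replies such as size-limit exceeded


def scan_bytes(data: bytes, addr=CLAMD_ADDR, timeout=30.0) -> tuple:
    """Send the file to clamd and return the parsed verdict."""
    with socket.create_connection(addr, timeout=timeout) as sock:
        sock.sendall(build_instream_request(data))
        reply = b""
        while not reply.endswith(b"\0"):
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    return parse_clamd_reply(reply)


def accept_upload(data: bytes, addr=CLAMD_ADDR, timeout=30.0) -> bool:
    """Admission decision: only an explicit clean verdict passes. Scanner errors
    and connection failures reject the upload rather than letting it through."""
    try:
        verdict, _ = scan_bytes(data, addr, timeout)
    except OSError:
        return False
    return verdict == "clean"
```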

File system encryption

Acquia now enables encryption at rest for EBS volumes by default. In certain circumstances, EBS volumes for subscribers may not be encrypted. If you have any questions about the encryption status of your EBS volumes, contact your Account Manager.

SSL and HTTPS

You can configure SSL certificates for multiple domains in your applications. SSL certificates secure authentication and any transactions taking place with your application. Although Acquia supports the SSL feature, you must manage the SSL certificates. For more information, see SSL on Cloud Platform.

  • All paid applications on Cloud Platform can use SSL.
  • Dedicated load balancers are not required.
  • Subscribers can use their own certificate from any SSL vendor.
  • Acquia supports all valid SSL certificates: single-domain, multi-domain (UCC/SAN), wildcard, extended validation, and self-signed.
  • This feature is available to all subscribers.
  • SSL requests terminate at the load balancer layer.
  • Cloud Platform Professional: You can enable SSL through the SSL page in the Cloud Platform user interface. You must provide your own SSL certificate. For more information on configuring SSL for your domain, see SSL on Cloud Platform.

    Important

    As a Cloud Platform Professional subscriber, you cannot use SSL on a bare domain name, such as https://example.com. SSL must be in the following format: https://www.example.com.

  • Cloud Platform Enterprise: You can enable SSL through the SSL page in the Cloud Platform user interface. You must provide your own SSL certificate. For more information on configuring SSL for your domain, see SSL on Cloud Platform.

Data and physical media destruction

Subscriber confidential information is never stored outside of the AWS infrastructure for extended periods of time or on physical media, such as a CD or removable USB media.

Subscriber data would only be transferred outside of Amazon’s EC2 environment if needed to help solve a subscriber’s problem, if the problem required local resolution steps, and if the subscriber explicitly authorized the transfer. After resolving the issue, the files would be purged. In practice, subscriber-sensitive information is never stored on laptops, mobile devices, or physical media outside of the protections AWS provides.

When a subscriber cancels service with Acquia, the subscriber’s infrastructure is terminated, and the application data is deleted. Hard drives and other storage media are never removed from the data centers before the data has been sanitized, so the data can’t be recovered. When a storage device has reached the end of its useful life, AWS procedures include a decommissioning process designed to prevent subscriber data exposure to unauthorized individuals. AWS uses the techniques detailed in DoD 5220.22-M (National Industrial Security Program Operating Manual) or NIST 800-88 (Guidelines for Media Sanitization) to destroy data as part of the decommissioning process. If an infrastructure device can’t be decommissioned using these procedures, the device will be degaussed or physically destroyed in accordance with industry standard practices.

Logging

Cloud Platform ensures the appropriate level of logging is implemented at the application and platform layers for Acquia-managed assets to enable necessary analysis and investigation into an incident or issue. Acquia uses a SIEM system to retain the logs for up to 390 days. As noted in the shared responsibility section, subscribers are responsible for implementing security for their Drupal applications, which includes appropriate logging and monitoring practices and protocols. Acquia offers capabilities such as log forwarding to assist subscribers.

Security and compliance in Cloud Next

Important

Cloud Next technologies are certified with SOC 1 Type 2, SOC 2 Type 2, HIPAA*, PCI*, CSA STAR certification, and ISO 27001 compliances. Currently, Cloud Next has not completed the formal audit for FedRAMP* compliance certification. If your organization has a legal or business requirement for FedRAMP Authorization prior to completion of the Significant Change Request, contact your Acquia account team for additional details.

*Additional contractual language is required to process PHI (HIPAA), CHD (PCI), and covered government information (FedRAMP). Your account team can support you on this need.

Acquia developed and maintained the Cloud Next version of Cloud Platform with enterprise-grade security as the top priority. Cloud Next includes the following security benefits compared to Classic Cloud:

  • Faster auto-scaling during traffic spikes to maximize site availability, even during an attack
  • Rotating cloud capacity to minimize the lifespan of all nodes
  • On-demand capacity to further eliminate long-lived nodes and minimize the number of nodes running each application at any given point in time
  • Faster, invisible patching to remediate vulnerabilities more quickly with minimal impact to site availability
  • Improved monitoring, logging, and auditing to maximize Acquia’s visibility into platform activities

FedRAMP compliance for Cloud Next technologies will be included as part of Acquia’s future audit cycles.

FedRAMP applications will not be granted access to Cloud Next technologies until these audits are complete.

Subscribers with applications already on Cloud Next who require formal compliance certifications may request a reversion to Cloud Classic infrastructure by creating a Support ticket. Alternatively, contact your Acquia account team with any questions or concerns.