
Security and compliance

This page describes how Acquia Cloud, built on Amazon Web Services (AWS) and running Drupal, provides a secure environment for your applications.

Shared responsibility model of Acquia Cloud

Security in Acquia Cloud is a shared responsibility between Acquia, Amazon Web Services, and the subscriber. Acquia Cloud provides a secure platform on which Acquia subscribers can build and manage world-class, highly secure Drupal applications. Acquia manages, monitors, and secures the environment in which subscriber applications run, including the operating system, the LAMP (Linux, Apache, MySQL, PHP) stack, and the network layers of Acquia Cloud. Acquia provides tools, support, and resources that enable subscribers to keep their Drupal applications secure.

Subscribers have their own responsibilities for the security of the applications they host on Acquia Cloud. Subscribers must understand what data they intend to collect and store in their Drupal application, and must address the risk and compliance requirements that follow from the importance and sensitivity of that data. Subscribers must address security throughout the development lifecycle of their Drupal application: follow secure development best practices, and conduct security testing as part of the change process. The security controls deployed to the Drupal application must be in line with the risk and the mission of the application. In short, subscribers are responsible for the security of the web applications they manage on the Acquia platform, while Acquia is responsible for security controls at the network and platform layers.

Acquia Cloud is built in Amazon's AWS data centers and uses the Amazon Elastic Compute Cloud (EC2), Amazon S3, and Elastic Block Store (EBS) services. Amazon personnel do not have logical access to Acquia Cloud hosts or applications, nor can they access the data of any subscriber hosted on Acquia Cloud.

Amazon AWS control environment

To maintain the high level of security that Amazon provides to its customers, Amazon does not publicly disclose every detail of its network topology, physical locations, and AWS-specific security procedures. Acquia Cloud relies on Amazon's certifications and attestations, which give Acquia and its subscribers assurance about the security of the infrastructure, network, and physical layers of Acquia Cloud. Amazon shares certification information about the AWS control environment with strategic partners such as Acquia under nondisclosure agreements (NDAs), which prohibit Acquia from releasing this information to any unauthorized party. Acquia is committed to maintaining a high degree of transparency and trust with its subscribers, so it makes as much information available to subscribers as it can legally disclose.

To find more information about the security of Amazon AWS, see AWS Cloud Security or contact Acquia.

Physical security

Amazon's AWS data centers follow and extend best practices in data center physical security. The exterior physical security is military grade. Personnel entering a data center are authorized and verified by government-issued ID and by two-factor authentication at each entry point. Each entrance is monitored by video surveillance, and Amazon logs and audits all access. All visitors and contractors must present identification and sign in, and visitors are always escorted by authorized staff. Amazon AWS does not permit guests, customers, or strategic partners such as Acquia to tour or inspect its data centers, so Acquia cannot facilitate a physical inspection of AWS hosting facilities for subscribers.

Acquia maintains some infrastructure on its premises—for example, IP phone switches and LAN equipment. This equipment isn’t used either to host subscriber applications or to store sensitive subscriber information. Acquia cooperates with subscribers who want to speak with the Acquia security team to discuss the Acquia Cloud control environment.

Subscriber segregation

Acquia Cloud Enterprise provides independent, logically separate environments for each subscriber application. The web servers and databases of a subscriber's primary technology stack in Acquia Cloud Enterprise are provisioned on unique, logically distinct servers; load balancers are the exception and are shared by default. Dedicated load balancers are available to Acquia Cloud Enterprise subscribers at an added cost. Acquia manages host-based firewall policies that provide logical isolation between distinct subscriber environments in Acquia Cloud. Other parts of the technology stack, such as CDEs (continuous delivery environments), remote administration environments, and code repository environments, are shared.

Systems access controls

Acquia limits privileged access both to the information on the subscriber servers under its management and to the servers themselves. Access is limited to authorized personnel. Network-layer controls ensure that privileged access is always routed through secure bastion hosts, using encrypted tunnels on nonstandard ports. Privileged logins require multi-factor authentication, and each user's credentials are encrypted in transit and at rest. Access attempts are logged and monitored using a security information and event management (SIEM) system.

Subscribers can provision non-privileged user accounts on their web nodes using the Acquia web-based user interface and APIs. An application administrator creates named users and uploads each user's SSH public key; the platform deploys those accounts and keys to the subscriber's Acquia Cloud web nodes, enabling non-privileged access over SSH.

Security patch management

Relevant Acquia personnel (for example, the security and engineering teams) subscribe to security notification feeds, including Ubuntu security notices, US-CERT alerts, and Drupal security advisories. When a patch or update applicable to Acquia Cloud is published, the patch and the vulnerability are reviewed to determine their relevance to the Acquia Cloud environment, as detailed at Acquia security. If relevant, a tracking ticket is created for the Security Engineering team to assess and score the vulnerability based on applicability, likelihood, impact, and mitigating factors using an industry-standard scoring framework such as CVSS. A fix for the vulnerability is then incorporated into a later release according to its rating and Acquia's standard patching cadence. If the patch or update requires a service restart that affects subscribers, Acquia Cloud subscribers are notified of the impending maintenance.

Acquia uses a standardized Linux distribution and management tooling to deploy security patches across Acquia Cloud.

Acquia has a formal risk-rating system based on factors such as likelihood, impact, and severity, and deploys patches according to the following schedule:

Risk level    Schedule
Critical      7 days
High          30 days
Medium        90 days
Low           Based on risk

Deployment of these patches can cause brief interruptions in service.
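The following added example (not Acquia's own tooling) turns the rating-and-schedule process above into a small tracker a subscriber could run against their own patch tickets: it maps a CVSS score to a risk level using the standard CVSS v3 qualitative bands (Critical 9.0 to 10.0, High 7.0 to 8.9, Medium 4.0 to 6.9, Low 0.1 to 3.9; an assumption, since the page does not state Acquia's exact mapping), applies the day counts from the table, and flags tickets that are open past their deadline. The "Low: based on risk" row is modelled as having no fixed deadline. The tickets at the bottom are constructed sample data.

```python
"""Patch-deadline tracker for a Critical/High/Medium/Low schedule.

Added example, not Acquia's code. Assumptions: CVSS v3 qualitative bands
for the risk level; the day counts are the schedule in the table above.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Days allowed after publication, per the schedule table. None = no fixed deadline.
SCHEDULE_DAYS: Dict[str, Optional[int]] = {
    "Critical": 7,
    "High": 30,
    "Medium": 90,
    "Low": None,
}


def risk_level(cvss_score: float) -> str:
    """Map a CVSS v3 base score to the qualitative rating (assumed mapping)."""
    if not 0.0 <= cvss_score <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss_score}")
    if cvss_score >= 9.0:
        return "Critical"
    if cvss_score >= 7.0:
        return "High"
    if cvss_score >= 4.0:
        return "Medium"
    return "Low"


@dataclass
class PatchTicket:
    ident: str                    # internal tracking id (constructed)
    source: str                   # notification feed the item came from
    cvss_score: float
    published: date               # date the vendor patch/advisory was published
    applied: Optional[date] = None  # None while the patch is still open


def due_date(ticket: PatchTicket) -> Optional[date]:
    """Deadline derived from the schedule; None for risk-based (Low) items."""
    days = SCHEDULE_DAYS[risk_level(ticket.cvss_score)]
    return None if days is None else ticket.published + timedelta(days=days)


def status(ticket: PatchTicket, today: date) -> str:
    """One of: closed, closed-late, open, overdue, risk-based."""
    due = due_date(ticket)
    if ticket.applied is not None:
        if due is not None and ticket.applied > due:
            return "closed-late"   # fixed, but outside the schedule
        return "closed"
    if due is None:
        return "risk-based"        # Low: no fixed deadline, track separately
    return "overdue" if today > due else "open"


def report(tickets: List[PatchTicket], today: date) -> Dict[str, str]:
    return {t.ident: status(t, today) for t in tickets}


def overdue(tickets: List[PatchTicket], today: date) -> List[str]:
    """Ticket ids that are open and past their deadline."""
    return [t.ident for t in tickets if status(t, today) == "overdue"]


# Constructed sample tickets; ids, scores and dates are illustrative only.
SAMPLE_TICKETS = [
    PatchTicket("SEC-1001", "Ubuntu security notice", 9.8, date(2024, 3, 1), date(2024, 3, 5)),
    PatchTicket("SEC-1002", "Drupal security advisory", 7.5, date(2024, 3, 1)),
    PatchTicket("SEC-1003", "US-CERT alert", 5.3, date(2024, 3, 1)),
    PatchTicket("SEC-1004", "Ubuntu security notice", 3.1, date(2024, 3, 1)),
    PatchTicket("SEC-1005", "Drupal security advisory", 9.1, date(2024, 3, 1), date(2024, 3, 12)),
]

if __name__ == "__main__":
    today = date(2024, 4, 15)
    for ident, state in report(SAMPLE_TICKETS, today).items():
        print(f"{ident}: {state}")
    print("overdue:", overdue(SAMPLE_TICKETS, today))
```

Run as-is it prints the state of each sample ticket as of 15 April 2024; SEC-1002 (High, published 1 March, no fix applied) is 15 days past its 30-day deadline and is the only overdue item, while SEC-1005 was fixed four days after its 7-day Critical window and is reported as closed-late.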

Antivirus upload scanning

Acquia installs ClamAV on all Acquia Cloud web servers. ClamAV is an open source (GPL) antivirus engine designed for detecting Trojans, viruses, malware, and other malicious threats. To enable ClamAV virus scanning on files as they are uploaded to your Drupal application, install, enable, and configure the ClamAV module, which connects to the ClamAV program on your Acquia Cloud server. For more information, see Enabling virus scanning for file uploads.
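For subscribers who want to scan uploads from code paths the Drupal module does not cover (a custom import job, for example), the following added example, which is not the Drupal ClamAV module's code nor anything Acquia ships, streams a file to a running clamd over its INSTREAM protocol and parses the verdict. It assumes clamd is reachable on a TCP socket at the placeholder host and port below; the framing (the zINSTREAM command, 4-byte big-endian length-prefixed chunks, a zero-length terminator, NUL-terminated reply of the form "stream: OK" or "stream: <signature> FOUND") is clamd's documented wire format. The sample replies used to exercise the parser are constructed.

```python
"""Stream a file to clamd with INSTREAM and fail closed on any error.

Added example, not the Drupal ClamAV module or Acquia code. Assumes clamd
listens on TCP at CLAMD_HOST:CLAMD_PORT (placeholders).
"""
import socket
import struct
from typing import Callable, Iterator, Optional, Tuple

CLAMD_HOST = "127.0.0.1"   # assumption: clamd reachable over TCP
CLAMD_PORT = 3310          # clamd's conventional TCP port
CHUNK_SIZE = 8192


def instream_frames(data: bytes, chunk_size: int = CHUNK_SIZE) -> Iterator[bytes]:
    """Yield the exact bytes clamd expects for an INSTREAM scan."""
    yield b"zINSTREAM\0"                       # 'z' prefix: NUL-terminated reply
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        yield struct.pack(">I", len(chunk)) + chunk   # 4-byte big-endian length
    yield struct.pack(">I", 0)                 # zero-length chunk ends the stream


def parse_clamd_reply(reply: bytes) -> Tuple[bool, Optional[str]]:
    """Return (clean, signature). Raise RuntimeError on a clamd error reply,
    such as the stream exceeding clamd's configured size limit."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    prefix, _, verdict = text.partition(": ")
    if prefix != "stream":
        raise RuntimeError(f"unexpected clamd reply: {text!r}")
    if verdict == "OK":
        return True, None
    if verdict.endswith(" FOUND"):
        return False, verdict[: -len(" FOUND")]
    raise RuntimeError(f"clamd error: {verdict}")


def scan_bytes(data: bytes, host: str = CLAMD_HOST, port: int = CLAMD_PORT,
               timeout: float = 30.0) -> Tuple[bool, Optional[str]]:
    """Send the payload to clamd and return its verdict (needs a live daemon)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        for frame in instream_frames(data):
            sock.sendall(frame)
        reply = b""
        while not reply.endswith(b"\0"):        # read until the NUL terminator
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    return parse_clamd_reply(reply)


def accept_upload(data: bytes,
                  scanner: Callable[[bytes], Tuple[bool, Optional[str]]] = scan_bytes) -> bool:
    """Gate an upload on the scan result. Fail closed: an unreachable or
    erroring scanner rejects the file rather than letting it through."""
    try:
        clean, _signature = scanner(data)
    except (OSError, RuntimeError):
        return False
    return clean


if __name__ == "__main__":
    # Constructed payload; against a live daemon, substitute a file's bytes.
    payload = b"hello from an upload form\n"
    print("accepted" if accept_upload(payload) else "rejected")
```

The fail-closed choice in accept_upload matters on a shared web node: if clamd is down or the file exceeds its stream size limit, the upload should be refused and logged rather than silently passed through as clean.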

File system encryption

Acquia now enables encryption at rest for EBS volumes by default. In certain circumstances, a subscriber's EBS volumes may still be unencrypted. If you have any questions about the encryption status of your EBS volumes, contact your Account Manager.

SSL and HTTPS

You should configure an SSL/TLS certificate on the primary domain name of your application so that authentication and any other sensitive transactions are protected in transit.

  • All paid applications on Acquia Cloud can use SSL.

  • Dedicated load balancers are not required.

  • Subscribers can use their own certificate from any SSL vendor.

  • Acquia supports all valid SSL certificates: single-domain, multi-domain (UCC/SAN), wildcard, extended validation, and self-signed.

  • This feature is available to all subscribers.

  • SSL requests terminate at the load balancer layer, so the certificate and the TLS handshake are handled by the load balancer rather than by your web servers.

  • Read more about Enabling SSL.

  • Acquia Cloud Professional: Subscribers can enable SSL entirely on their own using the SSL page in the Acquia Cloud user interface. Subscribers must provide an SSL certificate themselves.

    Important

    Acquia Cloud Professional subscribers cannot use SSL on a bare domain name such as https://example.com. The SSL-enabled domain must carry a hostname prefix, for example https://www.example.com.

  • Acquia Cloud Enterprise: Subscribers can enable SSL entirely on their own using the SSL page in the Acquia Cloud user interface, or contact Acquia Support to enable SSL. Subscribers must provide their own certificate.
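After enabling SSL, verify what the load balancer actually serves. The following added example (not Acquia's tooling) probes a domain, lets Python's default context validate the chain against the client's trust store, and then applies two checks a subscriber would want before going live: that the certificate's names cover the hostname under the RFC 6125 rules (a single leftmost wildcard label, and no match on a bare domain, which is relevant to the Professional caveat above), and how many days remain before expiry. The name-matching and expiry helpers are exercised on a constructed certificate dictionary of the shape ssl.SSLSocket.getpeercert() returns; the network probe needs a reachable host and is only called from main.

```python
"""Check the certificate served for a domain: chain, hostname coverage, expiry.

Added example, not Acquia code. The sample certificate dict below is
constructed to mirror what ssl.SSLSocket.getpeercert() returns.
"""
import socket
import ssl
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


def cert_names(cert: Dict) -> List[str]:
    """Names the certificate is valid for: all DNS SANs, else the subject CN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: case-insensitive; a lone leftmost '*' label
    matches exactly one label, so '*.example.com' covers 'www.example.com'
    but neither 'example.com' (bare domain) nor 'a.b.example.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Reject wildcards that are not the whole leftmost label, or too broad ('*.com').
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def covers(cert: Dict, hostname: str) -> bool:
    return any(name_matches(name, hostname) for name in cert_names(cert))


def days_until_expiry(cert: Dict, now: Optional[datetime] = None) -> int:
    """Whole days until notAfter (negative once expired)."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expires - now).days


def check_cert(cert: Dict, hostname: str, now: Optional[datetime] = None,
               min_days: int = 14) -> List[str]:
    """Return a list of problems; an empty list means the certificate is fine."""
    problems = []
    if not covers(cert, hostname):
        problems.append(f"names {cert_names(cert)} do not cover {hostname}")
    remaining = days_until_expiry(cert, now)
    if remaining < 0:
        problems.append(f"expired {-remaining} days ago")
    elif remaining < min_days:
        problems.append(f"expires in {remaining} days (renew now)")
    return problems


def probe(hostname: str, port: int = 443, timeout: float = 10.0) -> Tuple[Dict, str]:
    """Connect with the default context (chain and hostname are verified by
    Python) and return the leaf certificate dict plus negotiated TLS version."""
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert(), tls.version()


# Constructed certificate in getpeercert() shape; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.net")),
    "notAfter": "Jun  1 12:00:00 2030 GMT",
}

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"  # placeholder
    cert, version = probe(host)
    print(version, "problems:", check_cert(cert, host) or "none")
```

Because the default context already fails the handshake on an untrusted chain or a hostname mismatch, a self-signed certificate (which Acquia accepts for upload) will make probe raise ssl.SSLCertVerificationError; that is the same failure your users' browsers will report, which is why self-signed certificates are for testing only.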

Data and physical media destruction

Subscriber confidential information is never stored outside of the AWS infrastructure for extended periods of time or on physical media, such as a CD or removable USB media.

Subscriber data is transferred outside of Amazon's EC2 environment only when needed to solve a subscriber's problem, when the problem requires local resolution steps, and when the subscriber has explicitly authorized the transfer. After the issue is resolved, the files are purged. In practice, sensitive subscriber information is never stored on laptops, mobile devices, or physical media outside the protections AWS provides.

When a subscriber cancels service with Acquia, the subscriber's servers are terminated and the application data is deleted. Hard drives and other storage media are never removed from the data centers before the data has been sanitized, so the data cannot be recovered. When a storage device reaches the end of its useful life, AWS procedures include a decommissioning process designed to prevent exposure of subscriber data to unauthorized individuals. AWS uses the techniques detailed in DoD 5220.22-M (National Industrial Security Program Operating Manual) or NIST SP 800-88 (Guidelines for Media Sanitization) to destroy data as part of the decommissioning process. If a hardware device cannot be decommissioned using these procedures, it is degaussed or physically destroyed in accordance with industry-standard practices.

Logging

The Acquia Cloud platform implements the appropriate level of logging at the application and platform layers for Acquia-managed assets, enabling the analysis and investigation needed for an incident or issue. Acquia uses a SIEM system to retain these logs for up to 365 days. As noted in the shared responsibility section, subscribers are responsible for securing their Drupal applications, which includes appropriate logging and monitoring practices. Acquia offers capabilities such as log forwarding to assist subscribers.