
Security and compliance

This topic describes how Acquia Cloud, built on Amazon Web Services (AWS) and running Drupal, provides a secure environment for your applications.

Shared responsibility model of Acquia Cloud

Security in Acquia Cloud is a shared responsibility between Acquia, Amazon Web Services, and the subscriber. Acquia Cloud provides a secure platform on which subscribers can build and manage highly secure Drupal applications. Acquia manages, monitors, and secures the environment in which subscriber applications run, including the operating system, the LAMP (Linux, Apache, MySQL, PHP) stack, and the network layers of Acquia Cloud, and provides the tools, support, and resources subscribers need to keep their Drupal applications secure.

Subscribers have various responsibilities around the security of the applications they host with Acquia Cloud. Subscribers must understand what data they intend to collect and store in their Drupal application. They must ensure that they address risk and compliance requirements, which correlate to the importance and sensitivity of the data. Subscribers must ensure that they address security during the development lifecycle of their Drupal application, and ensure they follow secure development best practices and conduct security testing as part of the change process. Subscribers must ensure the security controls deployed to the Drupal application are in line with the risk and the mission of the application. Subscribers are responsible for the security of the web applications they manage on the Acquia platform, while Acquia is responsible for security controls at the network and platform layer.

Acquia Cloud is built using Amazon’s AWS data centers, and uses Amazon’s Elastic Compute Cloud (EC2), Amazon Simple Storage Service (S3), and Elastic Block Store (EBS) services. Amazon personnel do not have logical access to Acquia Cloud hosts or applications, nor can they access the data of any Acquia Cloud subscribers hosted on Acquia Cloud platforms.

Amazon AWS control environment

To maintain the high level of security it provides to its customers, Amazon doesn’t disclose every detail of its network topology, physical locations, and AWS-specific security procedures to the public. Acquia Cloud relies on Amazon’s certifications and attestations to give Acquia and its subscribers assurance about the infrastructure, network, and physical security layers of Acquia Cloud. Amazon shares certification information about the AWS control environment with strategic partners such as Acquia under nondisclosure agreements (NDAs) that prohibit Acquia from releasing this information to any unauthorized party. Acquia is committed to maintaining a high degree of transparency and trust with its subscribers, so Acquia makes as much information available to subscribers as it can legally disclose.

To find more information about the security of Amazon AWS, see AWS Cloud Security or contact Acquia.

Physical security

Amazon’s AWS data centers follow and extend best practices in data center physical security. The exterior physical security is military grade. Personnel entering a data center must be authorized and are verified by a government-issued ID and two-factor authentication at each entrance point. Each entrance is monitored by video surveillance, and Amazon logs and audits all access. All visitors and contractors must present identification and sign in, and are escorted by authorized staff at all times. Amazon AWS does not permit guests, subscribers, or strategic partners such as Acquia to tour or inspect its data centers, so Acquia can’t facilitate physical inspection of AWS hosting facilities for subscribers.

Acquia maintains some infrastructure on its premises—for example, IP phone switches and LAN equipment. This equipment isn’t used either to host subscriber applications or to store sensitive subscriber information. Acquia cooperates with subscribers who want to speak with the Acquia security team to discuss the Acquia Cloud control environment.

Subscriber segregation

Acquia Cloud Enterprise provides independent, logically separate environments for each subscriber application. Each tier of the subscriber’s stack (web servers and databases) is provisioned on its own logically distinct servers; only the load balancers are shared, and dedicated load balancers are available to Acquia Cloud Enterprise subscribers at an added cost. Acquia manages a host-based firewall policy (iptables) on each server, which provides network isolation between logically distinct subscriber environments in Acquia Cloud.

Systems access controls

Acquia limits privileged access to the servers it manages for subscribers, and to the information on them, to its authorized full-time operations and support teams. Network-layer controls ensure that privileged access always passes through hardened bastion hosts over encrypted tunnels on nonstandard ports. Authentication is multi-factor: a user account, a private SSH key, the key’s passphrase, and a security token. Each privileged user’s passphrase-protected SSH key is stored on an encrypted volume, and all SSH access attempts are logged and retained for audit.

Subscribers provision non-privileged accounts on their own web nodes through the web-based Acquia Cloud interface and its APIs: an application administrator creates named users and uploads each user’s SSH public key, and the platform deploys those keys to the subscriber’s web nodes to enable non-privileged SSH access. Keep the corresponding private keys passphrase-protected and upload only the public half.

The Apache docroot on each web node is managed through version control, and there is no direct write access to it; code reaches the docroot only through deployment.
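Before uploading a key through the interface, it is worth checking that what you have is actually a public key in the form the platform expects. The following is an added example, not Acquia's code: it parses an OpenSSH public key line, confirms that the base64 blob encodes the key type the prefix claims, rejects a pasted private key, and applies a local RSA size floor. The accepted key types and the 3072-bit minimum are this example's own policy assumptions, not a statement of what Acquia accepts, and the sample keys at the bottom are constructed for the example, not real keys.

```python
"""Validate an OpenSSH public key line before uploading it for SSH access."""
import base64
import struct

# Assumption: key types our own policy allows; the page does not list which
# types Acquia accepts.
ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
                 "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
MIN_RSA_BITS = 3072  # assumption: our own policy floor for RSA keys


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + bytes)."""
    return struct.pack(">I", len(data)) + data


def read_string(blob: bytes, offset: int):
    """Decode one SSH wire-format string starting at offset; return (bytes, next offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def validate_public_key(line: str):
    """Return (ok, message) for one '<type> <base64> [comment]' public key line."""
    text = line.strip()
    if "PRIVATE KEY" in text:
        return False, "this is a private key; upload the .pub file instead"
    parts = text.split()
    if len(parts) < 2:
        return False, "expected '<type> <base64> [comment]'"
    key_type, b64 = parts[0], parts[1]
    if key_type not in ALLOWED_TYPES:
        return False, f"unsupported key type {key_type}"
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:
        return False, "key data is not valid base64"
    try:
        # The blob starts with the key type again; it must agree with the prefix.
        inner_type, off = read_string(blob, 0)
        if inner_type != key_type.encode():
            return False, "key type prefix does not match the encoded key"
        if key_type == "ssh-ed25519":
            pub, off = read_string(blob, off)
            if len(pub) != 32:
                return False, "ed25519 public key must be 32 bytes"
        elif key_type == "ssh-rsa":
            _e, off = read_string(blob, off)
            n, off = read_string(blob, off)
            bits = int.from_bytes(n, "big").bit_length()
            if bits < MIN_RSA_BITS:
                return False, f"RSA modulus is {bits} bits; policy minimum is {MIN_RSA_BITS}"
        else:  # ecdsa-sha2-nistpNNN: curve name, then the encoded point
            curve, off = read_string(blob, off)
            if curve != key_type.split("-")[-1].encode():
                return False, "ECDSA curve name does not match key type"
            _point, off = read_string(blob, off)
    except ValueError as exc:
        return False, str(exc)
    if off != len(blob):
        return False, "trailing bytes after key data"
    return True, f"{key_type} key accepted"


def make_sample(key_type: str, *fields: bytes) -> str:
    """Build a syntactically valid key line from raw fields (constructed sample)."""
    blob = ssh_string(key_type.encode()) + b"".join(ssh_string(f) for f in fields)
    return f"{key_type} {base64.b64encode(blob).decode()} sample@example.invalid"


# Constructed samples: not real keys, only the wire format is exercised.
SAMPLE_ED25519 = make_sample("ssh-ed25519", bytes(32))
SAMPLE_RSA_2048 = make_sample("ssh-rsa", b"\x01\x00\x01", b"\x00\x80" + bytes(255))
SAMPLE_PRIVATE = "-----BEGIN OPENSSH PRIVATE KEY-----"

if __name__ == "__main__":
    for sample in (SAMPLE_ED25519, SAMPLE_RSA_2048, SAMPLE_PRIVATE):
        print(validate_public_key(sample))
```

The check is purely syntactic: it cannot tell you whether the key is the one you meant to upload, only that it is a well-formed public key of an allowed type. Keys with a leading options field (for example a `command=` restriction) are not handled, since the interface expects the bare key line.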

OS and LAMP stack security patch management

Acquia’s security and operations teams subscribe to relevant security notification feeds, including Ubuntu security notices, Tenable security notices, and US-CERT. When a patch or update is published at the operating system layer or for a specific software component, the patch and the vulnerability it addresses are reviewed to determine their relevance to the Acquia Cloud environment. If relevant, a tracking ticket is created for the Security Engineering team to assess and score the vulnerability on applicability, likelihood, impact, and mitigating factors, using industry-standard scoring frameworks such as CVSS. A fix is then incorporated into a later release according to that rating and Acquia’s standard patching cadence. If the patch or update requires a service restart that affects subscribers, Acquia notifies Acquia Cloud subscribers of the impending maintenance.

Acquia uses a standardized Ubuntu Linux distribution and a central management platform to deploy security patches across all Acquia Cloud server instances.

Acquia has a formal risk-rating system based on factors such as likelihood, impact, and severity, and deploys patches according to the following schedule:

Risk level   Schedule
Critical     within 7 days
High         within 30 days
Medium       within 90 days
Low          based on risk
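The relevance review and risk rating described above, worked through in code. This is an added example, not Acquia's tooling: it ports dpkg's version-comparison algorithm so that an advisory's fixed version can be checked against an installed package inventory, then maps a CVSS score to the risk level and due date in the table. The advisories, package versions, and publication date are constructed for the example (they are not real Ubuntu security notices), and the CVSS-to-level thresholds are the standard CVSS v3 severity bands, which the page itself does not specify.

```python
"""Triage package advisories against an inventory using dpkg version ordering."""
from datetime import date, timedelta


def _order(c: str) -> int:
    """Character weight used by dpkg: '~' sorts before everything, even the end."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256 if c else 0


def _cmp_fragment(a: str, b: str) -> int:
    """Compare two upstream-version or revision strings the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit runs compare character by character with _order.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit runs compare numerically, ignoring leading zeros.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version: str):
    """Split [epoch:]upstream[-revision] into its three parts."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Negative if a < b, zero if equal, positive if a > b (dpkg semantics)."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    return (ea - eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


# Due dates from the schedule on the page; "Low" is decided case by case.
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90}


def risk_level(cvss: float) -> str:
    """Map a CVSS v3 base score to the page's risk levels (standard severity bands)."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low"


def triage(advisory: dict, inventory: dict, published: date) -> dict:
    """Decide whether one advisory applies to the fleet and when its fix is due."""
    pkg, fixed = advisory["package"], advisory["fixed"]
    installed = inventory.get(pkg)
    if installed is None:
        return {"id": advisory["id"], "applies": False, "reason": f"{pkg} is not installed"}
    if compare_versions(installed, fixed) >= 0:
        return {"id": advisory["id"], "applies": False,
                "reason": f"{pkg} {installed} is already at or above {fixed}"}
    level = risk_level(advisory["cvss"])
    due = published + timedelta(days=SLA_DAYS[level]) if level in SLA_DAYS else None
    return {"id": advisory["id"], "applies": True, "level": level,
            "installed": installed, "fixed": fixed, "due": due}


def triage_all(advisories, inventory, published: date):
    """Triage every advisory, most urgent first; non-applicable ones last."""
    results = [triage(a, inventory, published) for a in advisories]
    results.sort(key=lambda r: (not r["applies"], r.get("due") or date.max))
    return results


# Constructed sample data: versions and advisories invented for this example.
INVENTORY = {"apache2": "2.4.41-4ubuntu3.14", "openssl": "1.1.1f-1ubuntu2.19",
             "php7.4": "7.4.3-4ubuntu2.18"}
ADVISORIES = [
    {"id": "sample-1", "package": "apache2", "fixed": "2.4.41-4ubuntu3.17", "cvss": 9.8},
    {"id": "sample-2", "package": "openssl", "fixed": "1.1.1f-1ubuntu2.19", "cvss": 7.5},
    {"id": "sample-3", "package": "libreoffice", "fixed": "1:7.0.0-1", "cvss": 8.0},
    {"id": "sample-4", "package": "php7.4", "fixed": "7.4.3-4ubuntu2.19", "cvss": 5.3},
]

if __name__ == "__main__":
    for result in triage_all(ADVISORIES, INVENTORY, date(2024, 1, 1)):
        print(result)
```

The version comparison matters more than it looks: naive string or float comparison gets `1.10` versus `1.2` and pre-release `~` suffixes wrong, which is exactly how an advisory is mis-marked as "already fixed". The example scores on CVSS alone; the page's process also weighs applicability and mitigating factors, which would adjust the level before the due date is set.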

Antivirus upload scanning

Acquia installs ClamAV on all Acquia Cloud web servers. ClamAV is an open-source (GPL-licensed) antivirus engine for detecting Trojans, viruses, malware, and other malicious threats. To scan files with ClamAV as they are uploaded to your Drupal application, install, enable, and configure the ClamAV module, which connects to the ClamAV program on your Acquia Cloud server. For more information, see Enabling virus scanning for file uploads.
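What the ClamAV module does for each upload, shown as an added example rather than the module's own code: a minimal client for the clamd daemon's INSTREAM protocol, with the reply parsed so that anything other than a clear "OK" is treated as a reason to reject the file. The daemon address is an assumption (3310 is clamd's conventional TCP port; on Acquia Cloud the module is configured with whatever socket or port the server exposes), and the in-memory fake daemon at the end exists only so the exchange can be exercised offline.

```python
"""Scan an upload with clamd over its INSTREAM protocol, failing closed on errors."""
import socket
import struct

# The EICAR test string, which every AV engine detects; split so this file is
# not itself flagged on disk.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def instream_scan(conn, data: bytes, chunk_size: int = 8192) -> str:
    """Stream data to clamd over an open connection and return its raw reply.

    Wire format: "zINSTREAM\\0", then chunks of <uint32 big-endian length><bytes>,
    then a zero-length chunk; clamd answers with one NUL-terminated line.
    """
    conn.sendall(b"zINSTREAM\0")
    for start in range(0, len(data), chunk_size):
        chunk = data[start:start + chunk_size]
        conn.sendall(struct.pack("!I", len(chunk)) + chunk)
    conn.sendall(struct.pack("!I", 0))
    reply = b""
    while not reply.endswith(b"\0"):
        piece = conn.recv(4096)
        if not piece:  # daemon closed early, e.g. stream size limit exceeded
            break
        reply += piece
    return reply.rstrip(b"\0").decode(errors="replace")


def parse_reply(reply: str):
    """Map "stream: OK" / "stream: <name> FOUND" / "... ERROR" to (verdict, detail).

    Anything unrecognised is reported as an error so the caller fails closed.
    """
    if reply.endswith(" OK"):
        return "clean", ""
    if reply.endswith(" FOUND"):
        name = reply.split(": ", 1)[-1][: -len(" FOUND")]
        return "infected", name
    if reply.endswith(" ERROR"):
        return "error", reply
    return "error", f"unexpected reply {reply!r}"


def scan_upload(data: bytes, address=("127.0.0.1", 3310), timeout: float = 10.0):
    """Scan one upload against clamd. An unreachable daemon is an error, never
    "clean", so the application rejects the file instead of trusting it."""
    try:
        with socket.create_connection(address, timeout=timeout) as conn:
            reply = instream_scan(conn, data)
    except OSError as exc:
        return "error", f"clamd unreachable: {exc}"
    return parse_reply(reply)


class FakeClamd:
    """In-memory stand-in for a clamd socket (constructed for offline use)."""

    def __init__(self, reply: bytes):
        self.sent = b""
        self._reply = reply

    def sendall(self, data: bytes):
        self.sent += data

    def recv(self, size: int) -> bytes:
        out, self._reply = self._reply[:size], self._reply[size:]
        return out


if __name__ == "__main__":
    fake = FakeClamd(b"stream: Eicar-Test-Signature FOUND\0")
    print(parse_reply(instream_scan(fake, EICAR)))  # offline demonstration
    print(scan_upload(EICAR))  # needs a real clamd listening on 127.0.0.1:3310
```

The fail-closed choice in `scan_upload` is the part to carry into the Drupal configuration: the module can be told what to do when the scanner is unavailable, and for a site that accepts untrusted uploads the safe setting is to reject rather than accept unscanned files.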

File system encryption

Acquia provides encryption at rest for all EBS volumes by default. In certain circumstances, EBS volumes for subscribers may not be encrypted. If you have any questions about the encryption status of your EBS volumes, contact your Account Manager.

SSL and HTTPS

Configure an SSL certificate on the primary domain name of each application so that logins and any other transactions carrying sensitive data are protected in transit.

  • All paid applications on Acquia Cloud can use SSL.

  • Dedicated load balancers are not required.

  • Subscribers can use their own certificate from any SSL vendor.

  • Acquia supports all valid SSL certificates: single-domain, multi-domain (UCC/SAN), wildcard, extended validation, and self-signed.

  • This feature is available to all subscribers.

  • Read more about Enabling SSL.

  • Acquia Cloud Professional — Subscribers can enable SSL entirely on their own using the SSL page in the Acquia Cloud interface. Subscribers must provide an SSL certificate themselves.

    Important

    Acquia Cloud Professional subscribers cannot use SSL on a bare domain name such as https://example.com. The SSL-enabled hostname must include a subdomain, for example https://www.example.com.

  • Acquia Cloud Enterprise — Subscribers can enable SSL entirely on their own using the SSL page in the Acquia Cloud interface, or contact Acquia Support to enable SSL. Subscribers must provide their own certificate.
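To see which of the certificate types listed above covers a given hostname, and in particular why a wildcard certificate does not cover a bare domain, here is an added example (not Acquia's code) that applies the RFC 6125 hostname-matching rules browsers use to a certificate's DNS SAN entries. The SAN lists in the samples are constructed; the optional PEM helper assumes an `openssl` binary (1.1.1 or newer) on PATH.

```python
"""Check which hostnames a certificate's subjectAltName entries cover."""
import re
import subprocess


def _match_one(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match of one DNS SAN entry against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # The wildcard must be the entire leftmost label, must leave at least two
    # fixed labels ("*.com" is rejected), and matches exactly one label: so
    # "*.example.com" covers www.example.com but not example.com or a.b.example.com.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def covered_by(san_dns_names, hostname: str) -> bool:
    """True if any DNS SAN entry covers the hostname."""
    return any(_match_one(p, hostname) for p in san_dns_names)


def coverage_report(san_dns_names, hostnames):
    """Map each hostname you intend to serve to whether the certificate covers it."""
    return {h: covered_by(san_dns_names, h) for h in hostnames}


SAN_RE = re.compile(r"DNS:([^,\s]+)")


def parse_san_text(text: str):
    """Extract DNS names from openssl's subjectAltName text output."""
    return SAN_RE.findall(text)


def san_from_pem(path: str):
    """Read the DNS SANs of a PEM certificate with the openssl CLI (assumed on PATH)."""
    out = subprocess.run(
        ["openssl", "x509", "-in", path, "-noout", "-ext", "subjectAltName"],
        capture_output=True, text=True, check=True).stdout
    return parse_san_text(out)


# Constructed examples of two of the certificate types the page lists.
WILDCARD_CERT = ["*.example.com"]
SAN_CERT = ["example.com", "www.example.com", "shop.example.com"]

if __name__ == "__main__":
    hosts = ["www.example.com", "example.com", "a.b.example.com"]
    print("wildcard:", coverage_report(WILDCARD_CERT, hosts))
    print("SAN:     ", coverage_report(SAN_CERT, hosts))
```

A multi-domain (SAN) certificate can list the bare domain alongside www, but for Acquia Cloud Professional that does not change the platform restriction above: the hostname you enable SSL on still needs a subdomain, so check coverage for the www hostname before buying or uploading a certificate.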

Data and physical media destruction

Subscriber confidential information is never stored outside of the AWS infrastructure for extended periods of time or on physical media, such as a CD or removable USB media.

Subscriber data is transferred outside of Amazon’s EC2 environment only if that is needed to resolve a subscriber’s problem, the problem requires local resolution steps, and the subscriber has explicitly authorized the transfer. After the issue is resolved, the files are purged. In practice, subscriber-sensitive information is never stored on laptops, mobile devices, or physical media outside the protections AWS provides.

When a subscriber cancels service with Acquia, the subscriber’s servers are terminated and the application data is deleted. Hard drives and other storage media are never removed from the data centers before the data on them has been sanitized so that it cannot be recovered. When a storage device reaches the end of its useful life, AWS procedures include a decommissioning process designed to prevent subscriber data from being exposed to unauthorized individuals. AWS uses the techniques detailed in DoD 5220.22-M (National Industrial Security Program Operating Manual) or NIST SP 800-88 (Guidelines for Media Sanitization) to destroy data as part of the decommissioning process. If a hardware device can’t be decommissioned using these procedures, it is degaussed or physically destroyed in accordance with industry-standard practices.

Logging

The Acquia Cloud platform implements, at the application (Drupal), web server (Apache), load balancer (Nginx), database (MySQL/Percona), and operating system (Linux) layers, the level of logging needed to analyze and investigate an incident or issue. Each layer writes its logs locally in real time; logs are backed up to S3 storage daily and retained for three months.