Rapidly Responding to Security Vulnerabilities
by Will OKeeffe
It’s an unfortunate fact of life on the web that security threats and vulnerabilities are exposed on a regular basis. We have to be ready for them at all times and at any cadence. Just two weeks ago, both the OpenSSL TLS MITM and Ubuntu Kernel vulnerabilities became public within hours of one another. At Acquia, our stance is that we’re ever vigilant and always ready for these situations. Our customers’ businesses, their reputations, and ours depend on that.
Our ability to quickly assess any exposed security threat, understand the impact on customer environments and take action is a baseline requirement of all the enterprises we support. Acquia is committed to a fast response that carries enough information to give our customers the assurances they need and to support the decisions they have to make. To that end, we have established a process for responding to these broader security threats. This process has been developed based on our years of experience as well as benchmarking against other companies that have demonstrated world-class security response and customer service protocols.
Our process consists of a few simple elements:
- Early Warning - We have our network of experts tied into critical groups and projects in the critical software communities. While it’s not possible to pick up every potential threat ahead of time, we feel this strong network gives us a running start in many cases.
- Rapid Triage - When an issue arises, our domain experts are empowered to own the technical issue and determine its effect on our customers and systems. In addition, we have the communication tools in place to quickly liaise with any vendors who may be impacted as well. The culmination of this exercise is a defined scope of activity followed by detailed remediation steps.
- Ownership and Action - In parallel with our triage efforts, we name an incident manager, responsible for coordinating technical activities, and a communication manager, responsible for both external and internal communications. These individuals ensure actions are taken and closed and any issues are resolved. The key to their success is that they function more like air traffic controllers than detailed task owners.
- Communication - Any event that has a security tag appended to it has the potential to generate emotional and passionate responses, and rightfully so. In our experience, the best way to mitigate that is through constant and transparent communication with all of our stakeholders. Internally, we operate an easy-to-read dashboard that shows the tasks required to complete the remediation with simple green/yellow/red status cues and a clear owner. Externally, we work diligently to make sure we keep our customers up to date. Utilizing multiple channels including our Acquia Help Center & Library, e-mail, status.acquia.com, and our Twitter channel (@acquia_support), we provide clear information as to who is affected, what actions are required, and the current status of Acquia’s remediation efforts.
- Learn - We close each incident cycle with a continuous improvement exercise that is scoped to the size of the issue and response and anchored to our overall goal of ensuring customer success. This is an honest assessment by everyone involved, focused on making Acquia’s response even better for the next incident.
Customers choose Acquia not only because of our knowledge, skills, and great service, but also because they view us as a trusted advisor that will partner with them to provide a best-in-class digital experience. We understand this and, as a result, we measure ourselves based on our customers’ success. Their sites must be up, available, and highly secure. When working with the foremost digital properties in the world, we can’t accept anything less.