Acquia Managed Cloud and DIACAP
by Chris Brown
Acquia has submitted our first DoD Information Assurance Certification and Accreditation Process (DIACAP) package working with our customer, the Defense Security Cooperation Agency (DSCA) customer this past month. This is still a major milestone for the Acquia and for the DSCA project as a whole. This was truly a team effort between each of the individual teams at Acquia and with our partner on the effort SecureInfo.
The Acquia team decided to split the DIACAP submissions into two packages: Application and Infrastrucuture. By spliting the package and inheriting controls, we can more efficiently meet regulatory standards for Managed Cloud customers who require DIACAP accreditation . This strategy works very well in highly standardized environments such as a cloud based environment or where standardized virtual machines are used for the infrastructure. I have observed this used successfully in a virtualized environment while working at Department of Homeland Security (DHS) Headquarters. The separation between Application and Infrastructure packages helps manage control responsibility with our cloud provider, Amazon who was managing their own package covering AWS related controls. We needed a way for three parties to collaborate with one another without stepping on each other’s toes. We expect moving forward as new customers are deployed on your cloud environment or existing customer information is to be updated that the process will be quicker and easier to manage.
Delivering for DSCA drove significant investment in our security engineering and operational processes. We used this opportunity to improve everything from server hardening and disaster recovery plans to ensuring our operations team follows industry best practices. As a startup company and a project team on a fast moving project these items are often forgotten about until an incident actually occurs. Acquia has also hired an Director of Internet Security who will be an active participant as the information assurance representative on change control boards, help will future standards information assurance (IA) compliance efforts, and to continually work to ensure we are aware of the latest threats and software to protect our systems. This position will help to focus the entire company even more around IA concerns which will benefit our customers and ourselves. Other results of the effort were improvements auditing and user management, disaster recovery planning and, and protection of data at rest. These results have helped to greatly improve the security posture of the application and Managed Cloud, with benefits for all of our customers.
The process also should how much computing has changed over the past few years. While putting the package together it was evident that there were a number of challenges that will need to be addressed with the advent of cloud and virutualized environments. Some of those challenges are:
- Ensuring proper service level agreements throughout the stack
- Proper disposal of data share disks
- Multi-tenancy in both hardware and applications
- Who owns the security responsibility? In other words, how are the swim lanes of responsibility draw between the parties involved?
It will be interesting to see how both the DIACAP and Federal Information Security Management Act (FISMA) standards change with the advent of virutalization and cloud.
Acquia looks forward to servicing additional Government customers, both Civilian and Defense related.