Acquia and Security: Planning a Next-Gen Strategy for Your Business

Drupal's security team created a framework to report and prioritize the mitigation of security vulnerabilities discovered in the CMS.

A secure customer is a happy customer. It’s no wonder that professionals from countless industries — technology, education, pharmaceuticals, financial services — will tell you the same thing: security is critical. It is vital that organizations take note, because failing to appreciate the consequences of a security breach can be catastrophic, for both employees and customers. The evidence in support of data privacy and security controls has never been more clear:

  • Researchers at the University of Maryland found that the average computer with internet access faces an attempted cyberattack every 39 seconds. One in three Americans is affected every year.
  • Approximately 65 percent of cyberattacks are aimed at small- and medium-sized businesses, according to a report by the Kelser Corporation, a technology consulting firm.

In other words, whether it’s from malware, phishing, botnets, ransomware, a password attack or denial-of-service attack, threats to cybersecurity are evolving as quickly as security solutions. And these threats are not insignificant — the Ponemon Institute has found that the average cost of a single cyberattack is $5 million. Facebook lost 3% of its market value after it was revealed that 50 million accounts were compromised. Sony incurred $1.25 billion in expenses from lost revenue, compensation and legal fees after a 2011 data security incident.

It’s almost never wise to rely on a third-party service or vendor to anticipate your needs — almost all digital assets require ownership and buy-in from stakeholders. This means as a decision-maker, you must be informed about your asset’s needs and proactive about procuring solutions. However, Acquia customers have a leg up on this process. Acquia — as well as Drupal, the open source content management system Acquia is built upon — takes security very seriously and makes it easy for its customers to stay one step ahead of most threats out there.

A Strong Foundation — A Secure Asset

Drupal is designed to prevent critical security vulnerabilities, including the Top 10 security risks identified by the Open Web Application Security Project (OWASP). As such, Drupal has proven to be a secure solution for enterprise needs and is routinely used in many high profile, critical websites. Naturally, Drupal’s codebase is continuously probed, scanned and analyzed for security vulnerabilities. Through peer review and a large and continuously growing community of experts and enthusiasts, Drupal’s core APIs have been strengthened over the long life of Drupal to mitigate common vulnerabilities.

Acquia is similarly dedicated to the monitoring and improvement of Drupal code and maintains an entire security team to fulfill that mission. The Drupal Security Team at Acquia includes approximately 40 people, several of whom are full-time Acquia employees. Acquia’s security team works with the Drupal Security Working Group, whose mission is to ensure that Drupal core and Drupal's contributed project ecosystem boast world-class security, as well as to provide security best practices for site builders and module developers.

The Drupal Security Working Group reviews and supports the work of Acquia’s Drupal Security Team. Drupal’s security team created a framework to report and prioritize the mitigation of security vulnerabilities discovered in both Drupal core and Drupal contributed modules. The team also provides best practices for secure module development and Drupal website creation and configuration.

Acquia and Security: What to Expect

Acquia uses an automated process to deploy a security update branch to the Remote Administration (RA) environment, which facilitates the deployment and testing of security updates without disrupting ongoing development in other environments. Security updates are implemented using a semiautomated queue. At this time, automated updates are initiated as follows:

  • When a core security update is announced on, the queue will be initiated within 24 hours of the release. Clients should receive tickets within 24 to 48 hours.
  • Production websites are periodically scanned for core and module security updates.
  • Alternatively, updates can be initiated at the specific request of the client.

After the queue is initiated, update automation will detect security updates, initiate the update process and create a new ticket notifying your team that an updated branch is ready to test on the RA environment. In the event of a security update, Acquia informs all contacts designated by your team administrators as collaborators. All tickets initiated by the RA team are assigned to the primary contact on the account. Acquia customers can edit this list on their Teams and Permissions pages. To ensure that specific team members receive notifications, use your Teams and Permissions page to include the appropriate team members as collaborators on all help requests by default.

It’s also important to remember that how security updates are implemented depends on your subscription preferences:

  • Inform Only subscriptions: Acquia will send out a security update notification for Drupal Core SA releases within 24 to 48 hours of the announcement. These tickets are for notification purposes only and no action is required on them. They will be automatically resolved. If you would like your subscription updated, set your preferences to Full Deploy and respond on the initial ticket, and both an update and a new ticket will be created.
  • Full Deploy subscriptions: Acquia’s RA team will update all Full Deploy subscriptions by using an automated process. Your team will receive a new ticket detailing all of the changes after updates have been deployed and are ready for testing on the RA environment. Use of this environment prevents any disruption to your ongoing development.

Next, it’s on to the nitty-gritty. All security updates are implemented as follows:

  • After an update is deployed and a ticket is sent, the time to solve the ticket depends on testing and troubleshooting.
  • Moving through each update step requires your approval. Acquia will not deploy a secure branch to either your testing or production environment without explicit approval by a member of your team.
  • After a tag has been approved, Acquia will move to production as soon as possible, or during a scheduled and approved deploy window.

Quick Tips for Secure Success

Acquia has many processes and policies in place to make sure that you and your assets are as secure as possible. However, you can and should make sure your environment is set up properly to be appropriately informed of any and all security updates. Here are some key action items to keep in mind to make sure your assets are as secure as possible:

  • Acquia’s security update automation requires that your subscription is correctly set up, so you should ensure that all required steps to set up your remote administration are fully implemented.
  • Standard Remote Administration subscriptions will only receive security updates using Acquia’s automated security update process. It is the responsibility of your team to ensure that your website is compatible with the automated update process.
  • Premium Remote Administration clients may request assistance in ensuring your website is compatible with Acquia’s security update automation.
  • Acquia’s security update automation behaves according to Remote Administration preferences set per subscription. Unless these preferences are manually set, the default preferences will be used.

Please note that Inform-Only subscriptions will receive a ticket noting recommended security updates, but no action will be taken. If you would like to receive an update, you must change your preference to Full Deploy. This can be changed back after the specific update is complete.

The RA environment differs based on the type of customer. Be sure to keep the following points in mind:

  • For Acquia Cloud Platform Enterprise clients, the RA environment is hosted on RA-specific shared Acquia servers and will have no impact on development, staging or production servers during step 1 of the update process above.
  • RA environments for Acquia Cloud Platform Professional customers are configured to consume no critical system resources while the website sits idle, and all critical resources remain available to the production website.

Scheduling Production Deploy Windows

If you would like an update deployed to production at a specific time, Acquia can schedule this update to be performed by automation. This service is available 24/7. However, you should be aware of the following items when requesting to schedule production deploys:

  • To allow time for scheduling, all requests must be made with a minimum of one full business day’s notice. Although we cannot guarantee a window with fewer than 24 hours’ notice, we will do our best to accommodate these requests, when possible.
  • Be sure to provide a one-hour window in your preferred time zone for the deploy, and clearly state your time zone in the ticket. Acquia will confirm the window. If the deploy is during standard business hours, we will assign it to a member of our team to monitor the process.
  • Acquia will begin the update during the window. During standard business hours, any delays or issues will be communicated through the existing ticket.
  • Production deploy requests occurring outside of the standard business hours for your support region will be unmonitored. If your production deploy happens at this time and you experience issues, file a critical support ticket as per standard procedures for critical support.
  • If your production deploy scheduled outside of standard business hours does not complete successfully, you will not be notified. If the scheduled deploy does not complete successfully, let us know by updating the existing ticket, and we will assist with rescheduling the deploy.


It is in an organization’s best interest to perform due diligence on any vendor’s compliance with applicable industry standards and regulations, and as a vendor, Acquia works just as diligently as you do to build trust with our customers. In short, the Acquia team is deeply committed to the digital security of our customers. Our secure platforms, as well as our track record, workflows and credentials, prove it.

However, it’s just as important for you to be aware of Acquia’s platforms, policies and procedures so that your organization is able to make the most of your collaboration with Acquia. With a little research, followed by a few action items, your team should be in top shape when it comes to security and can focus on what you do best, and so can Acquia.
