cybersecurity in the cloud

Safety First: Acquia's Proactive Approach to Security and Compliance

Last summer, Twitter CEO Jack Dorsey had his Twitter account infiltrated by hackers which they used to broadcast hate speech and bomb threats to millions of followers. This high-profile attack compromised the safety and personal information of millions of Twitter users and once again underscored the importance of continually updating and improving security measures. The breach exploited a feature that allowed Twitter users to link their mobile number to their accounts and send tweets via SMS. The threat actors used what’s called SIM-swapping to gain control of Mr. Dorsey’s mobile number. Following the public incident, Twitter announced they were temporarily disabling the ability to tweet via SMS and experts recommended stronger authentication practices, such as a physical security key, like a Yubico Key, which plugs into a computer’s USB port and verifies a user via physical means. 

The Twitter example is just one of many breaches and data vulnerabilities that have raised concerns about the state of cybersecurity lately. With web threats evolving at a rapid pace, even major tech companies are often left in the position of defending themselves against poorly secured systems, applying updates or removing ineffective tech only once the organization has been compromised. In the last few years, two-factor authentication (2FA) via SMS (and phone) has become increasingly less reliable to the point where the National Institute of Standards and Technology (NIST) no longer recommends (and, in fact, suggests against) using SMS for 2FA. Newer 2FA methods, such as physical keys based, called U2F (Universal Two-Factor) based on the FIDO standard created by Google and Yubico are becoming increasingly more popular. In response to the rising expectations, Apple recently announced that they would begin offering support for the FIDO standard enabling the use of U2F keys in Safari on iOS and macOS.

yubico key

It’s not enough to simply respond once a problem has been identified or add-on a few more layers of security to keep pace. At Acquia, we’ve taken a proactive approach to security and preparing for the future. Over two years ago (before Apple even supported the FIDO2 standard in Safari on iOS or macOS) Acquia was an early adopter of Yubico’s U2F Security Keys and they were made mandatory for all employees. Recently, we’ve also disabled 2FA via SMS and phone for all users. Our security teams are focused on innovation and recognizing future needs before many of the world’s top software companies. Analysts like Forrester believe organizations should adopt a proactive, zero-trust stance to protect customers, where they never assume they’re completely protected against a future attack and take an active initiative in seeking out better solutions. 

Moving Beyond Standard Compliance, Investing in the Future

Acquia doesn’t view security as an afterthought. We dedicate significant resources to maintaining the latest security certifications that matter most for our users. While some of our competitors may treat compliance as just checking off another box with a single SOC compliance or a handful of table-stakes qualifications, we’re investing in the most up-to-date protection measures that give the organizations who work with us the confidence and peace of mind that their data and the personal information of their customers are protected. Today, Acquia maintains compliance with the following standards and regulations:

  • SOC 1 Type II (SSAE No. 18 and ISAE No. 3402)
  • SOC 2 Type II
  • Payment Card Industry Data Security Standard (PCI DSS)
  • ISO 27001
  • FedRAMP Moderate
  • FISMA
  • Cloud Security Alliance Security, Trust and Assurance Registry (CSA STAR)
  • EU cookie regulations
  • HIPAA
  • GDPR
  • CCPA

Acquia’s extensive portfolio of certifications was accomplished with the needs of today’s user in mind as well as the advances we expect to see coming around the corner. Security is never static and Acquia continues to evaluate new compliance frameworks. Each of these certifications requires continuous vigilance to maintain and requires commitment and active adherence throughout the entire organization.

Security at the Core of Customer Experience 

Acquia is trusted by customers who have some of the most stringent security and compliance requirements in the world from government to healthcare to financial services. This is due to our shared responsibility model that is designed to encompass every touchpoint within the customer experience. Our security operations architecture spans our infrastructure provider, Acquia’s own 24/7 security team and the customer themselves. For these highly regulated industries, any vulnerability from phishing attacks to malware threats poses a significant risk both financially and in terms of lost trust from customers. The Ponemon Institute has found that the average cost of a cyber attack is $5 million and in 2014 one analyst reported that a single data breach at Sony resulted in a loss of $1.25 billion in total revenue, compensation and legal fees.

In today’s highly competitive digital ecosystem, establishing transparent and credible relationships is paramount. In a 2019 Acquia survey on data privacy, we found that “65% of consumers say that they would stop using a brand that was dishonest about how they used their data.” Millennials and Gen Z consumers are more concerned than ever with how businesses are using and protecting their data. In order to win their confidence and establish digital trust, Intercede recommends companies “invest in modern identity management and secure authentication techniques that minimize the risk of data exposure and hacks.” With so much at stake, there’s no room for compromise, which is why Acquia is trusted to power digital experiences for institutions like the IRS, Paychex and Steward Health Care. The need to establish trust with your customers is steadily rising in every space from federal to commercial institutions. Earning this trust needs to be treated as a strategic initiative and the baseline for designing all of your future customer experiences. There’s no room for cutting corners.

Instilling a Security-First Mindset Across the Internal Organization

As more advanced hacking methods continue to arise, cybersecurity is an ever-evolving battlefield where brands must ensure strong defense, protection and response. To be effective, security must be an organization-wide priority, not the sole responsibility of the IT department. In addition to conducting regular external audits, every Acquia department from R&D to Talent to Customer Success is responsible for frequent testing of their programs, password policies, background checks, and annual security training.

We ensure all team members are regularly informed and educated about the latest security requirements through all internal channels. Acquia’s IT team regularly distributes an Information and Technology newsletter, ensuring that all employees have visibility into our latest updates and policies. When we recognize an industry practice is out of date, such as the SMS authentication, we act immediately to disable it and make the change to something more secure. There’s an instilled sense of urgency within the DNA of the company, meaning that large-scale improvements can be made much more quickly. Acquia’s open architecture is attuned to manage any new vulnerability when it arises and automatically deploys needed measures to repair or prevent potential issues. 

Moreover, we are proactively investing in innovative methods designed to equip the customers we serve with the most efficient and robust ways of managing, storing and acting upon their customer data. We’re pursuing new methods of vulnerability management, password protection, bot management and Web Application Firewalls (WAFs). While there may be no 100% impermeable way to avoid all risks, Acquia is leading the charge for security advances at scale. We understand protecting our customers is never optional.

Michael Ehrich, vice president of information technology and enterprise applications, Acquia

Michael Ehrich

VP, IT & Enterprise Applications

Michael Ehrich is the vice president of information technology and enterprise applications at Acquia. He leads the company’s internal technology systems and oversee Acquia’s global facilities. He was previously senior vice president of finance for ERGOS Technology Partners. He previously owned managed IT services provider AIO Network Solutions before its 2015 acquisition by ERGOS.