The Client
Arizona State University is one of the largest public research universities in the United States, enrolling more than 194,000 students across its campuses and online programs. Known for its commitment to access, innovation, and public impact, ASU operates a vast digital presence to serve students, faculty, researchers, and the public across a wide range of academic and institutional functions.
The Situation
ASU's web ecosystem had grown into a fragmented, decentralized environment that could no longer keep pace with the university's security and compliance obligations. Across 426 independently managed Drupal sites, inconsistent patching, varying Webspark versions, uneven accessibility compliance, outdated design components, and brand drift had become systemic. Sites didn’t consistently receive the latest security patches, accessibility updates, or bug fixes — and at the scale of millions of monthly interactions, that inconsistency represented serious institutional exposure.
Beyond risk reduction, ASU needed to achieve measurable improvements in operational efficiency and editorial productivity, eliminate redundant upgrade work being performed independently across departments, and establish the structured content and governance foundations necessary for staged Drupal AI adoption. Its goal was not simply modernization, but institutional stabilization at scale through a unified enterprise governance model.
The Challenge
The migration involved 426 production sites, 1,391 contributed and custom modules, and 852 UAT validation processes — all supporting academic programs, institutional communications, and public audiences at a significant scale. Any instability could affect millions of monthly users, so modernization had to proceed without service disruption or reputational impact.
Decentralized governance had allowed module proliferation and varying upgrade timelines across units, constraining releases to quarterly cycles and preventing the web team from consistently implementing accessibility and branding standards. Centralizing governance meant reconciling that fragmentation without stripping departments of the tailored functionality their academic and operational workflows depended on.
The Solution
ASU migrated all 426 sites to Acquia Cloud Platform and consolidated them into structured stacks managed through Acquia Site Factory. Acquia Site Factory provides centralized control over shared codebases, synchronized deployments, and environment management across Webspark, College, and ASU Drupal stacks.
A published release schedule defines quarterly upgrade releases alongside regular weekly and bi-weekly patch cycles, replacing 426 independent release schedules with a single enterprise operating model. Stack maintainers and trusted partners can plan development predictably while keeping all sites aligned with current security, accessibility, and Drupal core requirements.
Acquia Cloud Edge integrates managed Web Application Firewall rules and centralized security monitoring, providing edge-layer threat mitigation before traffic reaches the application infrastructure — an essential feature given the volume of activity across ASU's thousands of subdomains.
Acquia Code Studio enforces Git-based workflow discipline through structured pull request review, hotfix controls, and semantic tagging. Building on that framework, ASU developed a formal trusted partner program—a structured model that allows approved development partners to contribute and maintain custom code within defined boundaries. Contributor requirements span semantic versioning, security review, accessibility compliance, lifecycle ownership agreements, and adherence to the unified release cadence. Locally engineered DDEV tooling allows partners to develop safely against Site Factory stacks without bypassing governance controls, preserving extensibility without sacrificing discipline.
Webspark, delivered as a Composer-based Drupal profile, standardizes structured content schemas and embeds ASU's Unity Design System, enforcing accessible, brand-aligned UI components at the CMS layer. Given that most users traverse multiple subdomains in a single session, consistent design and interface behavior are critical to maintaining a coherent institutional experience.
To validate AI readiness, ASU established a controlled-experimentation branch to evaluate Drupal AI modules within defined boundaries. This sandbox includes provider abstraction via ai_provider_aws_bedrock, core AI modules, and editorial integrations to test AI-assisted authoring workflows — all operating under the same semantic versioning, release cadence, and access controls as production code. By validating provider-agnostic integrations and structured content compatibility in a controlled environment, ASU confirmed that its unified operating model and content architecture can support staged Drupal AI capabilities without compromising security, compliance, or platform stability.
The Results
Consolidating 426 sites into a governed ecosystem managed through Acquia Site Factory has delivered measurable gains in efficiency, security, and institutional capability. Automated weekly and bi-weekly releases and structured quarterly upgrade cycles now save approximately 3,408 hours per quarter, eliminating the redundant upgrade work previously performed independently across academic and administrative units.
Where more than 400 sites once operated on independent release schedules, all stack sites now run under a unified enterprise cadence. ASU’s web team consistently deploys security patches, accessibility updates, and critical fixes across a digital ecosystem serving 35 million monthly page views, materially reducing patch variability and shortening vulnerability exposure periods at an institutional scale. Acquia Cloud Edge strengthens the university’s protection against malicious traffic and bot threats before requests reach application infrastructure, while contributor governance prevents unmanaged module proliferation and enforces secure, accessible development standards.
Centralization has enabled rather than restricted autonomy. With structured stacks and a published release schedule, stack maintainers and trusted partners can confidently plan development within clear governance boundaries. Webspark and ASU's Unity Design System now deploy consistently across all sites, eliminating the accessibility and brand variability that decentralized release schedules had previously allowed to persist across thousands of subdomains.
Structured content schemas, disciplined versioning, and consolidated hosting provide the architectural foundation for staged Drupal AI adoption — already validated through controlled sandbox experimentation. The result is not simply a consolidated hosting environment, but a secure, governed, and AI-ready digital platform operating at institutional scale.