Security


Adhering to the latest compliance and standards, the Acquia platform has been architected to protect your business.


At Acquia we take the security of our products very seriously. We educate our staff on security best practices and our development process includes quality assurance steps to ensure our products are of high quality and secure. However, like all complex software products, it is possible that a security vulnerability may be present in one of our products. If you discover a security issue or vulnerability in an Acquia product or service, we ask that you report this to us confidentially.

Please email the details to our security team at [email protected]. We appreciate responsible disclosure and will acknowledge security researchers when an issue has been reported, adhering to the following parameters.

Acquia does not currently have a bug bounty program in place; however, we are happy to credit researchers with their name and a link to an address of their choosing (e.g. Twitter or personal website) in our Hall of Fame below.

Parameters and exclusions

  • Do not access, destroy or negatively impact Acquia’s or its customers’ data in any way.
  • Do not use automated scanners. (The use of automated scanners may result in investigative action and your IP being blocked.)
  • Make a good faith effort to avoid privacy violations and any interruption or degradation of Acquia’s services (e.g. denial of service) during your research.
  • Do not conduct any type of physical or electronic attack against Acquia’s personnel, offices or data centers.
  • Allow Acquia reasonable time to investigate your report and carry out any necessary remediation.
  • Do not violate any laws or breach any prior agreements.

Please do not report the following issues:

  • Displayed server software banners or other version information.
  • Descriptive error messages.
  • Missing HTTP security headers (e.g. X-Frame-Options).
  • Missing or incorrect SPF records.
  • CSRF on forms that are available to anonymous users.
  • Username / email enumeration.
  • Disclosure of known public files (e.g. robots.txt).

Acquia will not initiate legal actions against researchers, as long as they adhere to these parameters. Acquia reserves the right to only credit researchers who have reported an issue that is proven and of sufficient severity.

What details should you include when reporting a security issue?

Please provide as many relevant details as you can, such as:

  • How the vulnerability can be exploited and the potential impact.
  • How you discovered the vulnerability and clear steps to reproduce.
  • Any proof of concept attack and/or images showing the attack vector.
  • Any known patches or controls to mitigate the vulnerability.

Security Hall of Fame

A special thanks to the following people that have responsibly disclosed vulnerabilities to Acquia in the past:

- S. Vijay - Twintech Solutions (facebook.com/cracbaby)
- Fabio Pires (@fabiopirespt)
- Francesco Mifsud (@GradiusX)
- Cody Zacharias
- Kamil Sevi (@kamilsevi)
- Emanuel Bronshtein (@e3amn2l)
- M. R. Vignesh Kumar (@vigneshkumarmr)
- Prajal Kulkarni (www.prajalkulkarni.com)
- Himanshu Kumar Das (@mehimansu)
- Ajay Singh Negi
- Atulkumar Hariba Shedage
- Chiragh Dewan (@ChiraghDewan)
- Rafay Baloch (rafayhackingarticles.net)
- SimranJeet Singh
- Adam Ziaja (adamziaja.com)
- Piyush Malik (@ThePiyushMalik)
- Harsha Vardhan
- Wan Ikram (@rinakikun)
- Krutarth Shukla
- Narendra Bhati (facebook.com/narendradewsoft)
- Ahmad Ashraff (@yappare)
- Tejash Patel & Parveen Yadav
- Joeri Poesen
- Vedachala (@vedachalaka)
- Sebastian Neef & Tim Schäfers (@internetwache)
- Vinesh Redkar (AVsecurity.in)
- Samandeep Singh (@samanLEET)
- Dhaval Chauhan (@17haval)
- Nitesh Shilpkar (@NiteshShilpkar)
- Umraz Ahmed (@umrazahmed)
- Ehraz Ahmed (@securityexe)
- Jigar Thakkar (Infobit Technologies)
- Tushar R. Kumbhare (Defencely)
- Siddhesh Gawde
- Frans Rosén (www.detectify.com)
- Chirag Paghadal
- Yuji Kosuga (@yujikosuga)
- Rafael Pablos (silverneox.blogspot.com)
- Reegun Richard Jayapaul (linkedin.com/in/reegun)
- Nitin Goplani (in.linkedin.com/in/nitingoplani)
- Yogesh Modi
- Ali Hassan Ghori
- Turzo Ahmed
- Ashesh Kumar
- Muhammed Gamal Fahmy (https://www.facebook.com/profile.php?id=646694111)
- Mandeep Singh Jadon
- Kiran Karnad
- Akshay Pandurangi (https://www.facebook.com/akshay.pandurangi.7)
- Somesh Yadav

Security by Design

Acquia’s platform and software were built from the ground up with security in mind. Customers get a secure environment with an array of strong access and authentication controls, as well as multiple firewall controls, for best-in-class defensive security capabilities. Each of the following features ensures your site is protected from day one.

Layered Firewalls

Multiple layers of firewalls ensure that only trusted network traffic is permitted to and from your Acquia environment.

Multi-factor Authentication

Strong authentication methods are critical to a secure cloud. Acquia provides multifactor authentication support to prevent unauthorized access to your Acquia Cloud environment.

Vulnerability Management

A fundamental value proposition of the Acquia Cloud Platform is the timely identification, triage, and resolution of security vulnerabilities.

Security Event Monitoring

Acquia uses a security event log storage and monitoring platform. Security alerts are constantly monitored and tuned by skilled analysts to ensure the integrity of the systems your site is running on.

Secure File Permissions

The majority of attacks against sites attempt to take control of the web service. The Acquia Platform restricts file permissions by default, which prevents unauthorized changes to your site code and stops any malicious file uploads from executing.

Disaster Recovery and Site Backups

Acquia maintains a comprehensive backup solution for disaster recovery. Acquia Cloud provides customers with easy-to-access code, file, and database backups of their site.

Security Through Standards - Acquia Compliance

Acquia has a comprehensive compliance portfolio that validates the security of our platform. This compliance portfolio includes a variety of industry specific audits and certifications performed by independent third parties. These independent evaluations rate the design and operational effectiveness of Acquia’s security controls.

SSAE16/ISAE 3402: Service Organization Control (SOC 1) Type II

Statement on Standards for Attestation Engagements (SSAE) No. 16 is an attestation standard used to evaluate the design and operating effectiveness of Acquia’s information technology controls that impact our customers’ own internal controls over financial reporting.

SSAE 16 is an American auditing standard issued by the American Institute of Certified Public Accountants (AICPA). In order to meet the requirements of international accounting standards, Acquia receives an “SSAE 16/ISAE 3402 Combo Report.” The ISAE 3402 report provides coverage to support the financial reporting requirements of international organizations.

Service Organization Control (SOC 2) Type II

Acquia’s SOC 2 Report includes an assessment against the Common Criteria principles of Security, Availability, and Confidentiality.

Payment Card Industry - Data Security Standard (PCI-DSS)

For customers that process, store, or transmit cardholder data, Acquia provides a PCI-DSS compliant hosting platform to ensure the protection of your customers’ cardholder data in accordance with PCI-DSS version 3.2.

Health Insurance Portability and Accountability Act (HIPAA)

The Acquia Cloud Platform meets the requirements of the HIPAA Security Rule and HITECH for electronic Protected Health Information (ePHI).

FERPA

The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records.

ISO 27001

Acquia is ISO 27001 certified. ISO/IEC 27001:2013 (ISO 27001) is a globally recognized security standard centered on the implementation of an information security management system (ISMS).

FedRAMP

The Acquia Cloud Platform is FedRAMP compliant, and detail on authorizing agencies can be viewed in the FedRAMP Marketplace.

Security Through Innovation - Acquia Security Products

For customers on the Acquia Platform, we offer additional layers of security on top of our built-in protection. The Acquia Cloud Edge family of products includes Acquia Cloud Edge Protect and Acquia Cloud Edge CDN. We also offer Acquia Cloud Shield, an isolated section of Acquia Cloud.

Acquia Cloud Edge Protect

Acquia Cloud Edge Protect mitigates the effects of DDoS and application level attacks for our Acquia Cloud Enterprise (ACE) and Acquia Cloud Site Factory (ACSF) customers.

Acquia Cloud Edge CDN

Acquia Cloud Edge CDN provides a global content delivery network (CDN) that accelerates the delivery of your site to visitors, wherever they may be.

Acquia Cloud Shield

Acquia Cloud Shield is a dedicated, logically isolated environment within Acquia Cloud that has a customizable network configuration.

Acquia Cloud VPC Family

Data is the lifeblood of your organization, and at Acquia, we recognize the importance of the proper classification of information and handling of data. Our ‘Acquia Cloud VPC Family’ is a suite of virtual private cloud (VPC) products designed to provide elevated and compliant protection for sensitive data.

Security Features

It’s a frame of mind, a culture, a commitment. The security threat landscape is constantly evolving in this digital age. Meeting the challenges of these threats requires expertise, technology, financial resources and collaboration. At Acquia, we have made the security investments required to provide our customers a robust and secure platform, with the required people, process and technology. This includes securing our platform by design, offering complementary security products and services, and maintaining a portfolio of independent third-party compliance audits to validate the robustness of our security program.

Security features provided by Acquia:

  • Role-based access controls
  • Secure file permissions
  • Key-based SSH authentication
  • Encrypted volumes by default
  • SAML and two-factor authentication support
  • Automated backups and disaster recovery
  • Automated platform monitoring
  • Anti-malware software support
  • DDoS protection*
  • Virtual private cloud*
  • HIPAA-compliant environment*
  • PCI-DSS-compliant environment*

* Available as add-ons