Security by Design
Acquia Platform Security
As a part of Acquia’s commitment to delivering a secure environment for our customers, we offer Security by Design. This means the Acquia Platform is architected with an array of strong access and authentication controls, as well as different firewall controls, providing best-in-class defensive security capabilities. These control technologies allow our platform to be secure, by design. Download the Security by Design PDF here.
When you work with Acquia, these security measures come with the platform right out-of-the-box:
- Multiple Layers of Firewall
- Multi-factor Authentication
- Vulnerability Management
- Security Event Logging and Monitoring
- Security Incident Response
Multiple Layers of Firewall
Each of these security controls is built into our platform to help ensure your sites are resilient and secure from day one. With these platform-level security controls, we’re able to minimize risks to the security of your site. Below are the benefits these features will provide for your organization.
A key component of Defense in Depth by Design is having multiple layers of firewalls set-up to protect your sites and data. Acquia’s cloud-based architecture provides multiple layers of firewall:
AWS Security Groups
This is a hypervisor layer firewall that is managed by Acquia. The Amazon Web Services (AWS) security groups implement IP-based restrictions that act as the perimeter firewall into the Acquia Cloud Platform.
IP-based restrictions are in place to protect individual servers. These restrictions only allow network traffic that is necessary for the website to function, to be administered, and to be monitored. These restrictions provide logical customer separation. For example, web server to load balancer communications are walled off for each customer, ensuring separation and offering added security.
Strong authentication methods are critical to a cloud security implementation. At Acquia, we utilize multi-factor authentication to help ensure the security of the Acquia Cloud Platform:
Acquia requires multi-factor authentication for privileged access to our platform, including a private key, a private one-time use token, a passphrase, and a user account. Only authorized Acquia personnel are granted privileged access to the platform based on their job function.
Acquia also requires all internal personnel use multi-factor authentication for access to the Acquia web user interfaces, which includes a user account, passphrase, and short message service (SMS) security code. While enabling two-factor authentication is required for Acquia personnel, it’s an optional measure for customers. We always recommend that customers turn on this important security feature.
A fundamental value proposition of the Acquia Cloud Platform is the timely identification, triage, and resolution of security vulnerabilities.
Acquia obtains vulnerability information from a variety of sources including US-CERT, the FBI, threat intelligence feeds, and vendor announcements. Upon receipt of this information, Acquia determines the criticality, risk, and applicability of the vulnerability, and takes necessary action to resolve it. In addition, vulnerability scans are performed on a monthly basis to identify any new vulnerabilities. A third-party penetration test is also performed on an annual basis. Patching of these vulnerabilities is performed based on the scan results and the Acquia triage and review.
Security Event Logging and Monitoring
The security paradigm has shifted from prevention alone to a focus on security event detection and response.
At Acquia, we recognize this, and have responded with an extensive security event logging and monitoring program. This includes many custom alerts and dashboards within our Security Information and Event Management (SIEM) system. These alerts and dashboards are specific to our platform and the threats our customers face. Our security, operations, and engineering teams proactively monitor these alerts and dashboards to look for specific (anomalous) events.
Security Incident Response
Security incident response is a crucial part of our security function. In the current technical threat landscape, security incidents will happen no matter what safeguards you put in place.
This means that a focus on security incident detection, containment, attack data preservation, eradication and recovery, and communications is absolutely critical to any information security program.
At Acquia, we have implemented the proper technology and skill sets to respond quickly and effectively during security incidents. This includes a proactive security monitoring program to alert on specific (anomalous) events, often at different frequencies, to stay plugged into what’s going on across our platform. These security event notifications include both real-time and daily alerts. Upon declaration of a security incident, designated incident commanders are responsible for executing our security incident response plan, which includes a timely response, containment, and customer notification.
Acquia maintains a comprehensive backup solution for website code, static files, and databases. Integrated backup facilities use Amazon’s Elastic Block Store (EBS) and Simple Storage Service (S3).
The Acquia Cloud Platform takes hourly snapshots of the passive master database, file system, and code repository. These snapshots are programmatically stored in Amazon S3 buckets (Amazon's highly available cloud storage) and used to restore a site in the case of multiple disk failure or total data center loss. Backup data stored in Amazon S3 is maintained in the same region (US-East, US-West, EU-East, etc.) where the production site is located. Amazon S3 repositories are distributed amongst multiple Availability Zones (data centers) and multiple devices within each Availability Zone for redundancy.