New RelicDries ’ siteDatabase analysisaccesslog - show 30% db time, should be writing to syslogcache_block - not using memcache, writing straight to database, not optimal~55% wasted writing to db versus memcache
Cloud Hosting for Government Agencies: Drupal Platform as a Service
Overview: Acquia Managed Cloud Platform As A ServiceKieran LalTechnical Director, Enterprise Sales
Hosting vs. Platform as a ServiceMission critical Drupal applications requiremore than just virtual machines Bring us your Virtual Machines code and files.. Vs. and we’ll handle the rest.
Drupal Lifecycle events Set-up/Launch Set-up/Launch Production Production Site Evolution Site Evolution Build •Load balancers •Fast page cache •App Servers •Database •File systems •Web servers •App Configuration •HA architecture Deploy •Integrated Git/SVN •Drag and drop content managementRequires expert skills and significant time
Drupal Lifecycle events Set-up/Launch Set-up/Launch Production Production Site Evolution Site Evolution Build Application updates • Drupal App code Deploy • Security release Infrastructure updates • OS • Debugging • Security Operations • 24X7 monitoring & alerts • Backups • Load testingRequires expert skills and significant time
Drupal Lifecycle events Set-up/Launch Set-up/Launch Production Production Site Evolution Site Evolution Build Application updates Diagnosis •Site/App failure Deploy Infrastructure •Infrastructure failure updates •Security Breach •DDOS Operations •Traffic spike Resolution •Resize •Recover (Multi-region) •Staging/QA •Caching strategies •CustomizeRequires expert skills and significant time
Traditional hosting • Hardware • Virtual machine • Power • Network • Operating System
Managed hosting providers • Will provide high availability architecture - Installation only • Will reboot servers • Will call you when the servers or virtual machines fail
How do I make my Drupal applicationsecure, scalable and high-performance?
Automated configuration management • Dozens of config files • Cloud servers fail. You need to recover quickly. • Site traffic increases and decreases. You need to resize quickly. • Configuration files need changing. Policy based configuration keeps files secure.
Optimization • Systems • Load balancer • Memcache • Web server • PHP • Opcode cache • File Server • Drupal • Database – Percona • Newrelic for diagnosis • XHProf, Maatkit for resolution • Systems resources monitoring: top, freemem, etc
Monitoring • What to monitor? • Load balancer • Memcache • Web server • PHP • File Server • Drupal • Database – MySQL • CPU • Memory • Disk space, etc • Expert response to 25 different alerts
Development lifecycle • 10 principles of continuous integration • Software deployment best practices
10 principles of continuous integration• Maintain a code repository• Automate the build• Make the build self testing• Everyone commits to the build everyday• Every commit (to the baseline) should be built• Keep the build fast• Test in a clone of the production environment• Make it easy to get the latest deliverables• Everyone can see the results of the latest build• Automate the deployment
Software deployment• Release • Built-in• Install and activate • Version tracking• Deactivate • Uninstall• Adapt • Retire• Update
Remote administration • Security patching to staging & prod envs • PHP error & Drupal log review • Best practices in site layout • Deploy code, config site • Proactive site fixing • Set-up staging environments
Current US Government Compliance Landscape FISMA, DIACAP and FedRAMP are standardized approaches to security assessment, authorization, and continuous monitoring for information systems utilized by the Federal government. FISMA - Federal Information Security Management Act of 2002. Applicable to non- DoD agencies. DIACAP – Department of Defense Information Assurance Certification and Accreditation Process. Applicable to DoD related agencies. With both FISMA and DIACAP each information system must be documented, reviewed by independent third party assessor and authorized by authorizing officials. Can be time consuming, expensive FedRAMP – The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services
Federal Compliance - High Level Process 1. Categorize the System – FIPS 199FISMA, DIACAP and FedRAMP Process Confidentiality, Integrity, Availability 2. Select the controls – NIST 800-53 3. Implement the controls and document them -System Security Plan -Privacy Impact Assessment 4. Assess – Contract with Third Party Assessor -3PAO reviews SSP and creates STE & POA&M 5. Authorize – This package of documents submitted to the Authorizing Official who reviews, comments, asks for revisions. -grants IATC and/or ATO 6.Monitor – Continuous update to SSP , continuous mitigation of items identified in STE and POA&M
FedRAMP FedRAMP - Federal Risk and Authorization Management Program • Establishes an “authorize once, use many times” framework for cloud computing products and services. FedRAMP is meant to supersede FISMA and DIACAP for cloud products. • FedRAMP was established on Dec 8, 2011 via a memorandum produced by the Federal Chief Information Officer and is due to achieve Initial Operating Capacity in 2012. • Based on the same NIST publications as FISMA with added controls pertinent to the cloud • Acquia Managed Cloud Controls and Documentation are “future proof as they include all the FedRAMP controls
FISMA Compliance in Acquia Cloud Acquia Managed Cloud is a Shared Responsibility Model: PaaS (AMC) built on IaaS (Amazon AWS) Three primary layers in the shared responsibility model: •Application Layer (Drupal) •OS Stack Layer (Linux, Windows, Database, etc) •Infrastructure Layer (Datacenter, network) *Each entity must document the controls for which they are responsible for.*
Achieving FISMA Compliance in Acquia CloudAcquia Cloud Customers inherit the controls from Acquia Managed Cloud and Amazon AWS
Follow up with AcquiaExtensive documentationhttps://docs.acquia.com/cloud/arch/securityDedicated Federal Sales teamContact Sean Burns email@example.comAcquia can provide agencies existing FISMA System Security Plans (Acquia and Amazon).