Overview: Acquia Managed Cloud Platform As A Service

Kieran Lal
Technical Director, Enterprise Sales
Hosting vs. Platform as a Service

Mission critical Drupal applications require more than just virtual machines.

Virtual Machines vs. "Bring us your code and files, and we'll handle the rest."
Drupal Lifecycle events: Set-up/Launch, Production, Site Evolution

Set-up/Launch

Build
• Load balancers
• Fast page cache
• App Servers
• Database
• File systems
• Web servers
• App Configuration
• HA architecture

Deploy
• Integrated Git/SVN
• Drag and drop content management

Requires expert skills and significant time
Drupal Lifecycle events: Set-up/Launch, Production, Site Evolution

Set-up/Launch
• Build
• Deploy

Production

Application updates
• Drupal App code
• Security release

Infrastructure updates
• OS
• Debugging
• Security

Operations
• 24x7 monitoring & alerts
• Backups
• Load testing

Requires expert skills and significant time
Drupal Lifecycle events: Set-up/Launch, Production, Site Evolution

Set-up/Launch
• Build
• Deploy

Production
• Application updates
• Infrastructure updates
• Operations

Site Evolution

Diagnosis
• Site/App failure
• Infrastructure failure
• Security Breach
• DDOS
• Traffic spike

Resolution
• Resize
• Recover (Multi-region)
• Staging/QA
• Caching strategies
• Customize

Requires expert skills and significant time
Can I build this myself?
Platform as a Service stack

World Class Application Support: 24/7 break-fix, Advisory support, Technical account managers, Audits: Site, security, performance

Application Network Services: Search, Spam, Insight, Mobile, Functional testing, Marketing testing, Load testing, Runtime reporting

Application Lifecycle Management: Customized environment, Analyze, Code management, Workflow, Cloud migration

Platform Features: Low Cost, Flexible, Reliable; Virtual elastic cloud resources, High availability, Configuration management, Monitoring, Optimization, Caching
Platform Architecture
Sure, but some assembly is required
Traditional hosting

                      • Hardware
                      • Virtual machine
                      • Power
                      • Network
                      • Operating System
Managed hosting providers

• Will provide high availability architecture
  - Installation only
• Will reboot servers
• Will call you when the servers or virtual machines fail
How do I make my Drupal application secure, scalable and high-performance?

Automated configuration management

• Dozens of config files
• Cloud servers fail. You need to recover quickly.
• Site traffic increases and decreases. You need to resize quickly.
• Configuration files need changing. Policy based configuration keeps files secure.
Optimization

               • Systems
                    • Load balancer
                    • Memcache
                    • Web server
                    • PHP
                    • Opcode cache
                    • File Server
                    • Drupal
                    • Database – Percona

• New Relic for diagnosis
• XHProf, Maatkit for resolution
• Systems resources monitoring: top, freemem, etc
Monitoring

             • What to monitor?
                  • Load balancer
                  • Memcache
                  • Web server
                  • PHP
                  • File Server
                  • Drupal
                  • Database – MySQL
                  • CPU
                  • Memory
                  • Disk space, etc

• Expert response to 25 different alerts

Development lifecycle

• 10 principles of continuous integration
• Software deployment best practices
10 principles of continuous integration
• Maintain a code repository
• Automate the build
• Make the build self testing
• Everyone commits to the build everyday
• Every commit (to the baseline) should be built
• Keep the build fast
• Test in a clone of the production environment
• Make it easy to get the latest deliverables
• Everyone can see the results of the latest build
• Automate the deployment
Software deployment

• Release
• Install and activate
• Deactivate
• Adapt
• Update
• Built-in
• Version tracking
• Uninstall
• Retire
Remote administration

• Security patching to staging & prod envs
• PHP error & Drupal log review
• Best practices in site layout
• Deploy code, config site
• Proactive site fixing
• Set-up staging environments
Network Services – Acquia Network
                    • Acquia Search (managed Solr)
                    • Mollom (SPAM blocking)
                    • New Relic (stack monitoring)
                    • Visual Website Optimizer
                    • Drupalize.me
                    • SEO Grader
                    • Lingotek
                    • Blitz.io
                    • Yotta
                    • Blazemeter
                    • Buildamodule
                    • Chartbeat
                    • Tracelytics
Drupal support and advisory hours

• Break-fix support
• 24/7 response on Service Level Agreement
• Advisory support
  - Security
  - Scalability
  - Performance
  - Deployment
  - Configuration mgmt
  - Staging
Expert Services

                  Consulting Services:
                  • Architecture assessments
                  • Load testing
                  • Site audits
                  • Performance & scalability audits
Your custom code and database

                    • Your custom code
                    • Your custom theme
                    • Your database
                    • Your assets
                    • Your web services
                    • Your content editors
                    • Your site developers
Flying as a Service
Current US Government Compliance Landscape

• FISMA, DIACAP and FedRAMP are standardized approaches to security assessment, authorization, and continuous monitoring for information systems utilized by the Federal government.

• FISMA - Federal Information Security Management Act of 2002. Applicable to non-DoD agencies.

• DIACAP - Department of Defense Information Assurance Certification and Accreditation Process. Applicable to DoD related agencies.

• With both FISMA and DIACAP each information system must be documented, reviewed by an independent third party assessor and authorized by authorizing officials.

• Can be time consuming, expensive.

• FedRAMP - The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
Federal Compliance - High Level Process

FISMA, DIACAP and FedRAMP Process:

1. Categorize the System - FIPS 199: Confidentiality, Integrity, Availability
2. Select the controls - NIST 800-53
3. Implement the controls and document them
   - System Security Plan
   - Privacy Impact Assessment
4. Assess - Contract with Third Party Assessor
   - 3PAO reviews SSP and creates STE & POA&M
5. Authorize - This package of documents is submitted to the Authorizing Official, who reviews, comments, asks for revisions
   - grants IATC and/or ATO
6. Monitor - Continuous update to SSP, continuous mitigation of items identified in STE and POA&M
FedRAMP

FedRAMP - Federal Risk and Authorization Management Program
• Establishes an "authorize once, use many times" framework for cloud computing products and services. FedRAMP is meant to supersede FISMA and DIACAP for cloud products.
• FedRAMP was established on Dec 8, 2011 via a memorandum produced by the Federal Chief Information Officer and is due to achieve Initial Operating Capacity in 2012.
• Based on the same NIST publications as FISMA with added controls pertinent to the cloud
• Acquia Managed Cloud Controls and Documentation are "future proof" as they include all the FedRAMP controls
FISMA Compliance in Acquia Cloud

Acquia Managed Cloud is a Shared Responsibility Model: PaaS (AMC) built on IaaS (Amazon AWS)

Three primary layers in the shared responsibility model:
• Application Layer (Drupal)
• OS Stack Layer (Linux, Windows, Database, etc)
• Infrastructure Layer (Datacenter, network)

*Each entity must document the controls for which it is responsible.*

Achieving FISMA Compliance in Acquia Cloud

Acquia Cloud Customers inherit the controls from Acquia Managed Cloud and Amazon AWS

Acquia Cloud High Level Control Overview
Follow up with Acquia

Extensive documentation: https://docs.acquia.com/cloud/arch/security

Dedicated Federal Sales team: Contact Sean Burns sean.burns@acquia.com

Acquia can provide agencies existing FISMA System Security Plans (Acquia and Amazon).

Cloud Hosting for Government Agencies: Drupal Platform as a Service


Editor's Notes

• #31 New Relic on Dries' site. Database analysis: accesslog shows 30% of DB time, should be writing to syslog; cache_block is not using memcache, writing straight to the database, not optimal: ~55% wasted writing to the DB versus memcache.
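The database finding in the note above (accesslog and cache_block writes taking a large share of database time) is the kind of result produced by attributing query time to tables. As an added example, not from the deck or from Acquia, here is a small Python parser for MySQL slow-query-log entries that computes each table's share of total query time and of write-only query time. The log excerpt is constructed, it assumes `long_query_time` was lowered to 0 so every statement is recorded, and the table-extraction regexes are a deliberate simplification (single-table statements only; joins, subqueries and multi-table writes are not handled).

```python
import re
from collections import defaultdict

# Constructed MySQL slow-query-log excerpt (not real site data). Assumes
# long_query_time=0 so that fast INSERT/UPDATE statements are logged too.
SAMPLE_SLOW_LOG = """\
# Time: 120315 10:00:01
# User@Host: drupal[drupal] @ localhost []
# Query_time: 0.030  Lock_time: 0.000  Rows_sent: 0  Rows_examined: 0
SET timestamp=1331805601;
INSERT INTO accesslog (sid, title, path, hostname, uid, timer, timestamp) VALUES ('abc', 'Home', 'node', '10.0.0.1', 0, 120, 1331805601);
# Time: 120315 10:00:01
# User@Host: drupal[drupal] @ localhost []
# Query_time: 0.055  Lock_time: 0.000  Rows_sent: 0  Rows_examined: 0
SET timestamp=1331805601;
UPDATE cache_block SET data = 'x', created = 1331805601, expire = 0 WHERE cid = 'user:0:en';
# Time: 120315 10:00:02
# User@Host: drupal[drupal] @ localhost []
# Query_time: 0.010  Lock_time: 0.000  Rows_sent: 1  Rows_examined: 1
SET timestamp=1331805602;
SELECT * FROM node WHERE nid = 1;
# Time: 120315 10:00:02
# User@Host: drupal[drupal] @ localhost []
# Query_time: 0.005  Lock_time: 0.000  Rows_sent: 1  Rows_examined: 1
SET timestamp=1331805602;
SELECT data FROM cache_block WHERE cid = 'user:0:en';
"""

QUERY_TIME_RE = re.compile(r"^# Query_time:\s*([0-9.]+)")
# Simplified: only the first table named in a single-table write statement.
WRITE_RE = re.compile(
    r"^\s*(?:INSERT\s+(?:IGNORE\s+)?INTO|REPLACE\s+INTO|UPDATE|DELETE\s+FROM)\s+`?(\w+)`?",
    re.IGNORECASE,
)
READ_RE = re.compile(r"\bFROM\s+`?(\w+)`?", re.IGNORECASE)


def classify(statement):
    """Return (table, kind) where kind is 'write', 'read' or 'other'."""
    m = WRITE_RE.match(statement)
    if m:
        return m.group(1).lower(), "write"
    m = READ_RE.search(statement)
    if m:
        return m.group(1).lower(), "read"
    return "<unknown>", "other"


def parse_slow_log(text):
    """Return a list of (table, kind, seconds) for every statement in the excerpt."""
    entries = []
    seconds = None   # Query_time of the entry currently being read
    buf = []         # statement lines accumulated until the terminating ';'
    for line in text.splitlines():
        m = QUERY_TIME_RE.match(line)
        if m:
            seconds = float(m.group(1))
            continue
        if line.startswith("#") or not line.strip():
            continue
        upper = line.lstrip().upper()
        # Session bookkeeping emitted by the server, not application work.
        if upper.startswith("SET TIMESTAMP=") or upper.startswith("USE "):
            continue
        buf.append(line.strip())
        if line.rstrip().endswith(";"):
            statement = " ".join(buf)
            buf = []
            if seconds is not None:
                table, kind = classify(statement)
                entries.append((table, kind, seconds))
                seconds = None
    return entries


def share_by_table(entries, kinds=("read", "write", "other")):
    """Percent of query time per table, counting only statements of the given kinds."""
    per_table = defaultdict(float)
    for table, kind, seconds in entries:
        if kind in kinds:
            per_table[table] += seconds
    total = sum(per_table.values())
    if total == 0:
        return {}
    return {t: round(100 * s / total, 1) for t, s in sorted(per_table.items())}


if __name__ == "__main__":
    entries = parse_slow_log(SAMPLE_SLOW_LOG)
    print("share of all query time:", share_by_table(entries))
    print("share of write time:    ", share_by_table(entries, kinds=("write",)))
```

Run against a real slow log, the write-only view is the one that separates logging and cache writes (accesslog, cache_* tables) from content reads, which is what makes the "send accesslog to syslog, move cache_block to memcache" conclusion in the note visible in numbers rather than in a profiler screenshot.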