Acquia Shields Users of Cloud Version of Drupal CMS

A new security service provides additional protection for users of the cloud-hosted version of the Drupal content management system.

app security

Acquia, the lead commercial sponsor behind the open-source Drupal content management system (CMS), is rolling out a new service to help secure Drupal sites hosted on the Acquia Cloud. The Acquia Shield provides access and isolation security for those that host their Drupal sites on the Acquia Cloud service, which itself is hosted on Amazon Web Services (AWS).

Drupal is a popular open-source CMS used to power many of the world's leading sites, including and The Acquia Cloud service provides a hosted, commercially supported Drupal CMS to its customers.

"Acquia Shield enables our customers that have sensitive data that is on-premises to move data back and forth to the cloud with a secure mechanism," Christopher Stone, senior vice president of products and development at Acquia, told eWEEK.

In terms of access, the Acquia Shield leverages Amazon's Virtual Private Cloud (VPC) and Virtual Private Network (VPN) services.

"It integrates with a long list of consumer and enterprise-grade VPN devices on the back end," Andrew Kenney, vice president of Platform Engineering at Acquia, explained to eWEEK. "We've added extra capabilities, including automated configuration, and we monitor the VPN connection for support."

The Acquia Shield provides both remote access security components and cloud isolation elements. Kenney commented that Acquia Shield is a logically isolated cloud deployment, with network segmentation from other users of the cloud.

Proper cloud isolation can extend beyond protecting cloud customers from each other to also enable Web best practices for development and deployment. An example of a security control best practice that Acquia Shield can help to enforce is that the development version of a Website can't reach a production database. The Acquia Shield system can also be used to enable secure connectivity to an enterprise's identity system, including Microsoft's Active Directory.

The idea of providing a secure remote connection into a cloud deployment is not a new one. In April, Verizon announced its private IP service access for the cloud that leverages MPLS (Multi-Protocol Label Switching) connectivity. Although Acquia is not officially offering Private IP/MPLS-based access as part of Acquia Shield, Stone hinted that Acquia has done some custom work for a number of its federal customers to enable secure access.

Amazon Deployment

Kenney explained that Acquia has been an AWS customer for the last six years and Acquia runs nearly 10,000 boxes on the Amazon EC2 classic service. The plan over the course of the next year for Acquia is to move all of its customers to the newer Amazon VPC platform, which provides logical network isolation within the Amazon cloud.

"Acquia Shield is a separate add-on above that, giving customers their own sliver of the network, with guaranteed network security," Kenney said.

While Acquia Shield provides an additional layer of protection for Drupal, Stone emphasized that Acquia is already providing enhanced security for its users. As an example, with the recent Shellshock vulnerability in BASH (Bourne Again SHell), Acquia was able to proactively patch its users.

Drupal itself was the subject of high-impact SQL injection vulnerability in October. The open-source Drupal project warned that if users had not patched within seven hours of the initial patch being made available, they likely were hacked. There were a number of different ways that organizations chose to protect themselves from the Drupal vulnerability, including the use of a Web Application Firewall (WAF).

"We chose not to use a WAF; we proactively patched all of our customers to make sure they were not vulnerable," Kenney said.

Another area of risk for Website owners is the increased prevalence of distributed denial-of-service (DDoS) attacks. Stone noted that Acquia wants to be able to offer DDoS protection to its customers, and it's on the roadmap for next year.

Looking forward, Stone said Acquia will also be looking at helping organizations on compliance-related deployments for specifications including the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS) and FedRAMP. In addition, Acquia is looking at leveraging emerging Amazon services for network security, including intrusion prevention system (IPS) and Next Generation Firewall, according to Kenney.

One thing that isn't likely to change is the back-end cloud provider for the Acquia Cloud.

"We're very happy and thrilled to be closely aligned with Amazon," Stone said. "We haven't lost a customer to an OpenStack competition; we picked the right horse."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.