Cloud Hosting for Government Agencies: Drupal Platform as a Service

Overview: Acquia Managed CloudPlatform As A Service

Kieran Lal

Technical Director, Enterprise Sales

Hosting vs. Platform as a Service

Mission critical Drupal applications require more than just virtual machines

Virtual Machines

Bring us your code and files..

and we’ll handle the rest.

Vs.

Drupal Lifecycle events

Requires expert skills and significant time

Set-up/LaunchSet-up/Launch ProductionProduction Site EvolutionSite Evolution

Build•Load balancers•Fast page cache•App Servers•Database•File systems•Web servers•App Configuration•HA architecture

Deploy•Integrated Git/SVN•Drag and drop content management

Drupal Lifecycle events

Requires expert skills and significant time

Set-up/LaunchSet-up/Launch ProductionProduction Site EvolutionSite Evolution

Build

Deploy

Application updates• Drupal App code

• Security release

Infrastructure updates• OS• Debugging• Security

Operations• 24X7 monitoring & alerts• Backups• Load testing

Drupal Lifecycle events

Requires expert skills and significant time

Set-up/LaunchSet-up/Launch ProductionProduction Site EvolutionSite Evolution

Build

Deploy

Application updates

Infrastructure updates

Operations

Diagnosis•Site/App failure•Infrastructure failure•Security Breach

•DDOS

•Traffic spike

Resolution•Resize•Recover (Multi-region)

•Staging/QA

•Caching strategies

•Customize

Can I build this myself?

Platform as a Service stack

Low Cost, Flexible, Reliable

Virtual elastic cloud resources, High

availability, Configuration management, Monitoring,

Optimization, Caching

Platform Features

ApplicationLifecycle

Management

Customized environment, Analyze, Code management, Workflow, Cloud migration

Platform Architecture

Search, Spam, Insight, Mobile, Functional testing, Marketing testing, Load testing,

Runtime reporting

Application NetworkServices

24/7 break-fix, Advisory support, Technical account managers, Audits: Site, security,

performance

World Class Application Support

Sure, but some assembly is required

Traditional hosting

• Hardware

• Virtual machine

• Power

• Network

• Operating System

Managed hosting providers

• Will provide high availability architecture

- Installation only

• Will reboot servers

• Will call you when the servers or virtual machines fail

How do I make my Drupal application secure, scalable and high-performance?

Automated configuration management

• Dozens of config files

• Cloud servers fail. You need to recover quickly.

• Site traffic increases and decreases. You need to resize quickly.

• Configuration files need changing. Policy based configuration keeps files secure.

Optimization

• Systems• Load balancer

• Memcache

• Web server

• PHP

• Opcode cache

• File Server

• Drupal

• Database – Percona

• Newrelic for diagnosis

• XHProf, Maatkit for resolution

• Systems resources monitoring: top, freemem, etc

Monitoring

• What to monitor?• Load balancer

• Memcache

• Web server

• PHP

• File Server

• Drupal

• Database – MySQL

• CPU

• Memory

• Disk space, etc

• Expert response to 25 different alerts

Development lifecycle

• 10 principles of continuous integration

• Software deployment best practices

10 principles of continuous integration

• Maintain a code repository

• Automate the build

• Make the build self testing

• Everyone commits to the build everyday

• Every commit (to the baseline) should be built

• Keep the build fast

• Test in a clone of the production environment

• Make it easy to get the latest deliverables

• Everyone can see the results of the latest build

• Automate the deployment

Software deployment

• Release

• Install and activate

• Deactivate

• Adapt

• Update

• Built-in

• Version tracking

• Uninstall

• Retire

Remote administration

• Security patching to staging & prod envs

• PHP error & Drupal log review

• Best practices in site layout

• Deploy code, config site

• Proactive site fixing

• Set-up staging environments

Network Services – Acquia Network• Acquia Search (managed Solr)

• Mollom (SPAM blocking)

• New Relic (stack monitoring)

• Visual Website Optimizer

• Drupalize.me

• SEO Grader

• Lingotek

• Blitz.io

• Yotta

• Blazemeter

• Buildamodule

• Chartbeat

• Tracelytics

Drupal support and advisory hours

• Break-fix support

• 24/7 response on Service Level Agreement

• Advisory support

- Security

- Scalability

- Performance

- Deployment

- Configuration mgmt

- Staging

Expert Services

Consulting Services:

• Architecture assessments

• Load testing

• Site audits

• Performance & scalability audits

Your custom code and database

• Your custom code

• Your custom theme

• Your database

• Your assets

• Your web services

• Your content editors

• Your site developers

Flying as a Service

Current US Government Compliance LandscapeFISMA, DIACAP and FedRAMP are standardized approaches to security assessment,

authorization, and continuous monitoring for information systems utilized by the Federal government.

FISMA - Federal Information Security Management Act of 2002. Applicable to non-DoD agencies.

DIACAP – Department of Defense Information Assurance Certification and Accreditation Process. Applicable to DoD related agencies.

With both FISMA and DIACAP each information system must be documented, reviewed by independent third party assessor and authorized by authorizing officials.

Can be time consuming, expensive

FedRAMP – The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services

FISMA, DIACAP and FedRAMP Process

Federal Compliance - High Level Process1. Categorize the System –

FIPS 199Confidentiality, Integrity,

Availability

2. Select the controls – NIST 800-53

3. Implement the controls and document them

-System Security Plan-Privacy Impact Assessment

4. Assess – Contract with Third Party Assessor

-3PAO reviews SSP and creates STE & POA&M

5. Authorize – This package of documents submitted to the

Authorizing Official who reviews, comments, asks for

revisions.-grants IATC and/or ATO

6.Monitor – Continuous update to SSP , continuous mitigation of items identified in STE and

POA&M

FedRAMP - Federal Risk and Authorization Management Program

• Establishes an “authorize once, use many times” framework for cloud computing products and services. FedRAMP is meant to supersede FISMA and DIACAP for cloud products.

• FedRAMP was established on Dec 8, 2011 via a memorandum produced by the Federal Chief Information Officer and is due to achieve Initial Operating Capacity in 2012.

• Based on the same NIST publications as FISMA with added controls pertinent to the cloud

• Acquia Managed Cloud Controls and Documentation are “future proof as they include all the FedRAMP controls

FedRAMP

FISMA Compliance in Acquia CloudAcquia Managed Cloud is a Shared Responsibility Model: PaaS (AMC) built on IaaS (Amazon AWS)Three primary layers in the shared responsibility model:•Application Layer (Drupal)•OS Stack Layer (Linux, Windows, Database, etc)•Infrastructure Layer (Datacenter, network)

*Each entity must document the controls for which they are responsible for.*

Acquia Cloud Customers inherit the controls from Acquia Managed Cloud and Amazon AWS

Achieving FISMA Compliance in Acquia Cloud

Acquia Cloud High Level Control Overview

Extensive documentation

https://docs.acquia.com/cloud/arch/security

Dedicated Federal Sales team

Contact Sean Burns sean.burns@acquia.com

Acquia can provide agencies existing FISMA System Security Plans (Acquia and Amazon).

Follow up with Acquia