Hi guys, welcome to Building and Securing Government Sites in the Cloud. My name is Chris Straw, and I'm introducing today's panel of speakers. We have Michael Meyer, the director of information security at Acquia; Chris Brown, a technical account manager at Acquia; and Jim Salem, the vice president of cloud services. So we'll be talking to you guys about security, the cloud, and how we do it for our various clients at Acquia.

Thanks, thanks Chris. So just a brief overview of what we'll be covering today. We're going to be reviewing the current US government compliance landscape: where we are now and where we'll be going. We'll talk about how cloud service providers, such as us and others, can achieve federal compliance. We'll be talking about international and developing compliance standards related to US government standards. We'll be taking a look at case studies, a particular case study that we've worked on at Acquia, and then we'll be looking at how Acquia has achieved compliance for our hosting platform.

So first I'd like to touch on the opportunity. You know, I think that everyone realizes that US federal compliance can be quite a mundane and boring topic; this slide makes it really interesting for everyone, I think. There is a lot of opportunity in this sphere. So, first, Drupal: governments are expanding the use of Drupal, not only in the US but internationally as well. So why is that the case? You know, Drupal is open source. I think everyone is realizing the benefits of open source in terms of it being cost-effective, obviously vis-a-vis proprietary licensed software. It has been proven secure.
Open source software, including Drupal and many other platforms, is used by hundreds of thousands of firms across the world. Obviously it's proven itself to be a secure platform. And lastly, in terms of Drupal, Drupal facilitates agencies sharing work amongst themselves. So one agency may develop a custom Drupal solution, and they're free to share it with other agencies across government without any charge.

So, you know, the federal government has prioritized a cloud-first strategy. It's very exciting for us as a cloud service provider. Vivek Kundra, a former US federal CIO, put out a white paper called Federal Cloud Computing Strategy last year, and it spelled out what the strategy was for the federal government in regards to the public cloud. A couple of key points of the paper outlined their recognition of the fundamental shift that we see, not only in the federal space but across the IT landscape: the shift to cloud computing. In the white paper he targets 20 billion out of the 80 billion dollar federal IT spending for cloud services. That's an annualized budget. Cloud computing represents significant cost savings for government, and of course for us all as taxpayers. So there are multiple benefits for all of us. Cloud computing allows government, just as with the private sector, to change more quickly. It's more agile. It's easier to scale. So it's much easier to provision services on the fly than it is to have to procure, set up, and manage your own infrastructure. Similar to what's going on in the US, we see similar initiatives in the UK, Australia, Hong Kong, all over the place. So we think that this is the tip of the iceberg. We see this gestating and continuing over the next few years, so we're excited about that.

So currently, in terms of US government compliance, there are two main drivers or standards.
There's FISMA and there's DIACAP. FISMA is legislation that came out in 2002, and it's applicable to non-Department of Defense agencies. DIACAP is a very similar standard for certification, and it's applicable to the Department of Defense. So with both FISMA and DIACAP, each information system must be documented, reviewed by independent third-party assessors, and authorized. It is an extremely time-consuming and expensive endeavor. It's highly inefficient. It can be frustrating and time-consuming. So this is the current landscape that I think agencies and service providers are all dealing with.

We're very excited about FedRAMP, which aims to solve that inefficiency problem. So FedRAMP is an initiative that's been formulating over the last year or two. It's due to become the production, mandated federal authorization standard for cloud service providers this year; we expect, according to what's been published, sometime in the next three to six months. So FedRAMP is an authorize-once-and-use-many-times framework. So whereas with FISMA and DIACAP each system, in our case in a Drupal shop each website, has to be documented and authorized, FedRAMP allows a solution to be authorized once and allows any agency throughout government to leverage that authorization. So that is such a much more efficient model. It's going to save a lot of money for the federal government. That's why it's very interesting to talk about. So FedRAMP is based on the same NIST publications as FISMA and DIACAP, with additional controls added that are pertinent to a cloud environment. Recently published is the FedRAMP concept of operations; it outlines how FedRAMP will work, who has the responsibilities and ownership, and the process.
It's very similar to FISMA and DIACAP, and it's outlined in that memo.

So I wanted to touch on NIST, which is important to FISMA, DIACAP and FedRAMP. NIST is the National Institute of Standards. NIST is the agency which is tasked with defining these publications, which are best practices that government agencies and the accreditation process utilize in order to meet their control objectives. So I've highlighted some of the important ones here. FIPS 199 is what starts the process. It's how you categorize your information system: what compliance objectives do you need to reach? So FIPS 199 is basically a spreadsheet which lists many different details about the confidentiality of the data that the website will host, what the availability requirements are, is there any data pertinent to national security, what are the implications if the site goes down? So going through the FIPS worksheet you will arrive at different ratings for each of those three categories. You may find that for confidentiality there's no confidential data, so low, but maybe the availability requirements are important, so that may get you to a medium. So based on that categorization you arrive at what's called the high-water mark. So the highest level of rating across those categorizations is what your system is rated and must meet, and then that turns into the requirements, based on the next document that we'll touch on, that it must meet. So this NIST 800-53, it's currently at revision three; it outlines all of the controls that must be documented for an information system. So 800-53 is divided into all the various domains of security, covering everything from physical security: how do you do risk assessments, what is your personnel security, how do you onboard new employees, new staff, do you do security training, how do you protect the environment physically,
environmental controls, to everything to the application itself: how do you manage authentication, logging, etc., etc. So NIST 800-53 is like the Bible of security controls. The FIPS 199 worksheet determines which of those controls are necessary to meet. So low, medium, high: at high you have a lot more onus to implement a lot more of the NIST 800-53 controls, based on whether you're low, medium or high. NIST 800-30 is risk assessments. It's about doing vulnerability scanning: how do you determine risk for your environment, and how do you adjust your security controls in relation to the risk that your system may face?

So I just wanted to touch on the high-level process. This is for all three of these standards: FISMA, DIACAP and FedRAMP. So the first step, as we talked about, is categorize your system using the FIPS 199 worksheet. Then, based on what your categorization is, select the controls from NIST 800-53. Then, obviously, the controls are implemented in your system. And the main document in what's called your package, the paperwork that gets submitted to the authorizing official, is called your system security plan. So your system security plan is like a book which describes the system, the website, and then it takes every single NIST control that is applicable to that system and describes how you've implemented the controls relevant to your system. Another kind of important piece is the privacy impact assessment. So is there any privacy? Obviously privacy is becoming more and more critical for information systems. Is there any privacy data, personal information, being uploaded, and what are the ramifications of that? So you've documented your controls; obviously it's a lengthy process. The next step in the process is to assess the controls. So there are the third-party assessors.
These are independent firms. They're like an auditor: they come in and they review your system security plan and actually test your systems. Do you do what you say you do? And then, based on that (and that's a lengthy process; it can be time-consuming and expensive, as I mentioned), there are two documents that come out of that: the ST&E and the POA&M. The ST&E is basically here's what the auditor, the independent reviewer, found. Here are the controls: did the service provider or the system owner meet the controls as they've described? And then the POA&M: no system is going to be a hundred percent in line with these controls. It's very extensive and a very high bar to reach. So the POA&M is meant to document the things that are not yet in place, but it's the plan of action to ensure that you are working on fixing those things that have been outlined. So it's not a matter of being a hundred percent in line with the NIST 800-53 controls. It's a matter of documenting them accurately, having a third-party assessor review them, and creating a plan of action to ensure that you're addressing them and you're moving towards compliance with all of the controls. So that package, including all of those documents, is given to an authorizing official in the federal government. That AO, as they're called, reviews the documents. They have a back-and-forth with you, the service provider. They'll have comments: maybe some controls are not documented enough, perhaps it's the format of something; it depends on the person that's reviewing the package. Hopefully, based on that review process and the back-and-forth, that authorizing official will then grant the IATC or the ATO. So if you don't get a full ATO (ATO is like the gold ring that you want as a service provider: authority to operate), if that's not granted you will hopefully get an interim authority to connect, and that's basically the
authorization to go live with your site, and then you have 90 days to fix things as the official has outlined for you. And then finally, once you've gotten your authorization, the process is pretty much never-ending. You must continue updating your system security plan as the system changes. You continue to fix things that you've identified as weaknesses in the POA&M and in the ST&E. In FedRAMP the process requires reauthorization every three years; you must redo the process, but hopefully you're updating your documentation as you go forward.

So cloud is a new thing for the government, and these compliance standards weren't really designed with cloud in mind. So we had to really think about how we addressed documenting our compliance and obtaining compliance in a cloud model. So we think we're cutting new ground here, and we think we've got a good approach to documenting the controls and achieving compliance. Basically what it is: there are three types of cloud environments, right? There's software as a service: an application provided to an agency, a pre-built application. There's platform as a service. Platform as a service is, you can build a platform within an environment that's been designed to support such a platform. An example that we do at Acquia: Drupal Gardens is software as a service, and then a platform as a service is Acquia Managed Cloud. You can build a Drupal site in Acquia Managed Cloud's platform as a service. So in both those cases, they are built on an infrastructure as a service. That's what, in Acquia's case, we use Amazon for. So our cloud is built on another provider's cloud. We're SaaS, we're PaaS, and there's an infrastructure as a service. So that's kind of a complex
environment to try to demonstrate that every piece of the puzzle is in line with all the controls. So our approach: every NIST 800-53 control, we've divided into responsibility layers. So there's the application layer, which in our case is Drupal. So the application layer, Drupal, can be fully in compliance with the requirements or it could not be, depending on how it's developed. So whoever is developing the application and managing the users, as they're provisioned in the application through its lifecycle, that's the entity that's responsible for the application layer. So in some cases it may be the agency, in some cases it may be a third-party developer; in our case sometimes it may be Acquia, who also does some development. So then there's the operating system stack. In the case of Acquia Cloud, it's the Linux LAMP stack. So this is what we do to manage the operating system, Apache, PHP, Drupal, as they're managed throughout our cloud. That's what we do. So we're fully responsible for the OS stack layer. And then there's the infrastructure layer, which in our case is Amazon. So that's the data center. How is the data center physically secured? How do they manage their network infrastructure? How do they manage their HVAC and their electrical that services the data center? So those are all, in our case, Amazon responsibilities. So the main point is, the authorizing official wants to see that system fully documented: every single piece of the stack and every single control. So how do you address that?
So in Acquia Managed Cloud, as an example, where this is a PaaS built on Amazon's infrastructure as a service, we show the picture here. So Acquia is responsible for the application LAMP stack, and we live inside of Amazon's AWS. So in our system security plan, this is how we've done it: basically every single control is divided into three sections, the application layer, the LAMP stack layer and the infrastructure layer. So the Acquia Managed Cloud system security plan is where we've worked on it for FISMA, DIACAP, and currently for FedRAMP. We have to document every single part of the stack. We need to describe: is it the customer's responsibility, typical in the case of the Drupal layer; the LAMP stack, typically Acquia's responsibility for our purposes; and then we'll describe the control. How do we secure the access? How do we do authorization for our privileged users, whatever the control is. And then the infrastructure layer is the responsibility of Amazon. So our approach is basically we work very tightly with our partner Amazon here. The authorizing official, when we go for our certification, is basically going to get our system security plan for Acquia Managed Cloud, and they're going to read through that. As they go through each control at the infrastructure layer, we're referring to Amazon's system security plan, where that control at the infrastructure layer is fully documented. So at the end of the day there are going to be two big books of system security plan. Our responsibility is covered in this one, Amazon's in this one. They cross-reference each other. And lastly we have a control mapping.
It's a spreadsheet which shows, for each control, who is responsible. Some controls are entirely Amazon's responsibility in our case, for example physical security. There's no case where Acquia is responsible for physical security of the cloud environment. So that's the full package that we're providing at the end of the day to the authorizing official. That's our approach in the shared responsibility model.

So moving on, I just wanted to touch on how FISMA and the NIST standards and FedRAMP relate to international standards. The main international standard which other governments utilize is the ISO standards. ISO is the International Organization for Standardization. In an IT environment the main standard is ISO 27002, and it's very similar to NIST 800-53 in terms of its approach. So it's a list of best practices throughout, for everything from the same domains of security that NIST covers: risk assessments, policies, human resources, personnel, etc., etc. In regards to ISO, there are two levels of compliance. So a service provider like Acquia, we have the ISO standard, we can go through each control, and we can do a self-evaluation. Do we meet the standard?
Yes, no. Where the answer is no becomes our gap analysis and our plan for achieving ISO compliance. Once you've established yourself and you've done your self-evaluation, you could bring in a third party, much like a third-party assessor with FISMA, to evaluate your controls: an independent auditor to validate that you're in compliance with the ISO standard. From that you can achieve ISO certification.

Just one more: there are so many standards of security and best practices out there. There's one more that's kind of important for the cloud environment that I want to touch on: the Cloud Security Alliance. So the Cloud Security Alliance is an organization made up of industry leaders in the cloud space, users, associations, and some vertical market representation. So basically they've produced a couple of initiatives. The CSA has come out with the CSA Security Guidance. It's a publication that produces recommendations and guidance for cloud service providers. Similar to NIST and ISO, these are best practices, but particular to cloud environments. So they're a little bit further developed in regards to a cloud service provider, which is a little bit unique from traditional IT. And then there's the CSA Consensus Initiative Questionnaire. This is a list of controls or questions that a service provider like us goes through, and we validate: do we meet this control objective, yes or no, and how did we do that? And then we publish this up on the CSA's website. And that's used by companies, whether in government or, more typically, in the private sector, to evaluate cloud service providers: are they meeting best practices as defined by the CSA?
So there's an abundance of best practices. We talked about the main ones in the federal space and international, and there are so many more. Unfortunately for Acquia, we're serving customers in health care, so we've got to deal with HIPAA. We have some UK-specific customers that are interested in ISO and COBIT. In the financial sector there's SAS 70 and the BITS Shared Assessments program. They're all designed by different vertical markets to achieve the same objective: are you meeting best practices? So how do you meet them? It's a lot of work to try to document and read through each standard and validate that you're in compliance with this whole range of industry best practices. The Cloud Security Alliance has published something which helps a lot in that regard, particularly to organizations like us who have prioritized FISMA and these standards. Because we have aligned our controls with FISMA, well, it turns out that we've also aligned our controls with ISO. They may be in a different section or different wording, but the gist of it is the controls are similar. So the CSA has come out with a control matrix which shows all the NIST 800-53 controls and maps them to all these other standards. So that's a great help to us as a service provider. How can we ensure that we're meeting compliance? We don't have enough time to attack each one individually. We can leverage what the CSA has done to validate we're meeting control best practices across this whole range of standards. With that I'm going to turn it over to Chris Brown, who's going to talk about one use case that we have.

So before I start, I mean, who here has actually had to go through a FISMA or a DIACAP accreditation for any type of application? Okay, good.
So there are some people here who can empathize with what we had to go through to actually make this happen. So I'm talking about DSCA GlobalNet. It is a social networking application that we created for the Defense Security Cooperation Agency, DSCA, underneath the development team branding of Team Firebird, which includes Merlin International as the prime, Acquia, VML, Forum One, and Navigation Arts. So as part of that platform, we actually provide a lot of different capabilities. So we weren't actually having to go out and accredit just, like, hey, here's Drupal core, or maybe here's Drupal core with a couple of pieces on it. We're actually providing blogging, event management, emailing (kind of like Facebook emailing, with the private messaging capabilities), SMS messaging, some file management, chat, discussions. So there was a lot actually in the platform that we had to get accredited. We actually got our package delivered August of last year, I believe. It took us about six months to really put together. I think we can do it a lot faster now for a couple of different reasons. One was our strategy on how we actually put together the package, which was actually splitting up the documentation and the policies and controls for the infrastructure side, which now we can actually leverage across all of our hosting customers that want to come in and be FISMA compliant or DIACAP compliant, because now we can handle that set of documentation, and then the application can ride on top of that, inherit those controls, and actually just have to worry about implementing the application-layer controls. So it did take us a while to actually get done, but it is done. There were a number of components that we had to actually work with other than Drupal and the traditional LAMP stack. We were dealing with Piwik for doing some analytics, to make sure that that was secured up. We initially had to deal with, for our chat capabilities,
Jabber and the jabberd server, but we are actually moving over to CometChat and the Ajax Push Engine for our chat capabilities, coming out at the end of this month. And for user management, we're actually using OpenLDAP to help us with some compliance standards. And the whole system was based off of the Drupal Commons platform, which is a Drupal 6 release distribution, and we were riding, obviously, on top of the Managed Cloud, which was providing our LAMP stack, and on top of the Amazon EC2 cloud. So I just kind of split it up there as far as where the pieces of the cloud architecture are, from SaaS, PaaS and infrastructure as a service.

So there were some things that we actually had to take care of that people probably don't really think about all that often when they're building out websites. And one of the first things is making sure that people couldn't actually be logged in on two different computers. So we actually had to go out and make sure that when someone logged into the system, the other session was actually logged out. And what's great again about Drupal and the community is that we had the ability to do that utilizing the automatic logout module. So that proved to be relatively simple to pull in, implement, drop it in and be compliant. A related piece of code, which we actually had to do a little bit more work with, was the ability to block users on failed attempts, and then also, based on those attempts, when they could actually try again after a specified period of time. So we actually had to do a couple of different things there. One was actually to create a custom module where we are querying our LDAP database and counting the number of failed attempts to log in to LDAP, and we've tied that into the Login Security module to actually perform the lockout and the block of the user. The other thing we had to do is make sure that
people are actually logged off after inactivity. So people aren't allowed to actually log on to the site, leave it open, and have it open all the time. So after 20 minutes of time has elapsed, we actually had to log the person out to make sure that other people weren't coming in and actually using their session. So again, we used the automatic logout module for that. And finally, kind of in conjunction with the infrastructure team, we actually had to put ClamAV onto each of our servers, because we were doing file management. When each file was actually uploaded into the system, we had to actually scan that file for viruses, verify that there were no viruses, and if viruses are actually found on a file, reject that file and not allow it to be loaded into the system. So those were some of the little things that we actually had to think about that, typically, when you're going out and building websites, even when they're authenticated websites, you may not actually think about. We also had to, because we're dealing with things like Piwik, LDAP, chat systems: all our third-party communications had to be encrypted over SSL. So there's no ability to do any type of HTTP traffic.
Everything actually gets redirected on the website, and talking between all of our components is over HTTPS, or in the case of talking to LDAP, over the LDAPS protocol. Next, one of the reasons why we did use LDAP for the user authentication was not only that we can use that as our system of record for who our user actually is within our system, so that things like chat, our website, Piwik can actually go to that system of record for the users for authentication, but also it helps us to be compliant with FIPS 140-2, which states all the types of encryption standards that you have to comply with when you're building out sites. And one of the things that you have to encrypt is user passwords, so OpenLDAP makes it very easy to utilize SHA-1, which is FIPS 140-2 compliant, to actually encrypt those passwords for us. And then a lot of the stuff that we had to actually think about wasn't necessarily technical in nature, but it goes around the idea of governance. So making sure that you're writing out the policies of how users are actually activated on the account, how users are reactivated if they've been blocked out, what role new users in the system should actually have. We had to make sure that when we have site admins come on, not only do those site admins actually have their site admin account, but also a non-elevated account, so that they can do most of their work in that non-elevated account. And then too, we actually had to create a policy so that user one wasn't utilized. You know, if you go in and everyone's using user one as an admin, you don't know who's making that change. So it's really an auditing policy that you have to come in with, so you can actually see every change that's made on the system by a user, and that's why we don't allow for user one. This is probably one of the more interesting slides.
I myself had gone through accreditation in some previous jobs in the DoD, and a lot of stuff was relatively easy because I was running inside of DoD-accredited data centers, so I was able to inherit all those controls. But with the cloud it's a little bit different, especially within the public cloud. So within the intelligence communities there's the idea called Common Criteria, or NIAP, and again, this is another set of standards where you actually put a set of code, your application, into the intelligence community to actually validate it and give it a rating on how secure it actually is. And you'll hear terms like PL1, PL3, PL5, which kind of talk about the levels to which your code is actually conforming, so you can actually be utilized in there. But again, that's a long-winded process. A lot of people never even really make it through, so Drupal has not gone through that, but within DIACAP they actually asked for it. I mentioned the governance around user one; that is important. We had to take user one, from a group standpoint that multiple people knew the password for it, as an accepted risk within our DIACAP package. Haven't really found a good way around it other than just making a password and dumping it, but I'm not really sure that's really what we want to do. The other issue is multi-tenancy in the cloud, because we're not only sharing hardware, we're sharing software a lot of times, and probably most importantly the disk drives on the hardware side. And what we found is that, for the security personnel, we really had to do an education about all the security boundaries
there are within the cloud, so that we could actually share all these resources out there. And within DIACAP, within FISMA, one of the things you're always going to find is they want separated hardware for all the applications, and that just does not happen in the cloud. So there's a lot of education you have to do with the security officers who actually go looking at your packages. And then finally, Mike kind of touched on this earlier, is that shared responsibility model. We have to work with Amazon; from an application side I have to work with our Managed Cloud within Acquia. And so we have to start building out: where do these swim lanes reside? So who owns security at what level, who owns the performance at a certain level? So what are the SLAs we have to build between each of these organizations to ensure that we can actually meet the demands of our customer? So those were some of the kind of more interesting things that we found out, that were some of the challenges that we had in getting accredited. So I'll turn it over to Jim right now to talk about what we implemented for the infrastructure.

Thanks, Chris. Well, we heard about the compliance process from Michael and heard about the application-level security from Chris, and I'm going to talk about the infrastructure layer, specifically about the managed cloud service that we put together to really support compliance, not just for DSCA but for a number of government customers, and eventually commercial, to meet commercial compliance standards as well. And it really breaks down into these four areas I'm going to talk about: the Drupal stack itself, how do we make that robust and secure, and then the management around that stack, because again,
we're managing servers for hundreds of customers. We want to make sure that we can manage those consistently and make it reproducible, so we don't have to go through hand-tweaking separate compliance processes for each customer. Really excited about FedRAMP and the ability to roll out infrastructure at lower cost for many federal customers. I'll talk a little bit about the policies and procedures from an operational standpoint that we need to put in place, and then, to me as an engineer, it's all about testing. How do we make sure that these standards stay what we think they are, that they work, and that they're reliable? And the key thing with compliance is you've got to start early. You've got to almost start earlier than the engineering of these solutions, because there is so much work to be done to put together the documentation.

This is a high-level architecture diagram of the Acquia cloud. I'm not going to spend a lot of time on it here. Some of it's very conventional for high-availability architectures; some of it is our own special sauce, but we have information on our website. Barry Jaspan also did a good presentation on it a couple of years ago at the San Francisco DrupalCon. But essentially, as you know, we're built on the Amazon Web Services EC2 cloud, and they've taken care of that first level of certification, FISMA, SAS 70, and then what we've had is infrastructure to make sure it works in a high-availability configuration. I want to talk a little bit about high availability, because that's something that's been very key for some of our federal customers. One of our customers is FEMA, and they have a requirement that no matter what kind of disaster is going on, the site stays up and running. So one thing we do for all of our managed cloud customers:
we split the hardware into two data centers. Amazon calls them availability zones, but they're really data centers. And so there's one load balancer in each data center, the web servers are split in half between data centers, and the databases and file servers are split between the data centers, so essentially an entire data center can go down and the website will stay up and running. And that's especially important with the cloud, because you can have failures and you have to be able to recover from those seamlessly. I haven't pictured our multi-region replication, and that's something that was key for FEMA: they wanted to have both an East Coast presence and a West Coast presence. There are some real challenges with that with Drupal. Doing active-active multi-region failover where you have significant latency between the data centers is really not practical, for various reasons, in Drupal. I'd be happy to talk about it afterwards. I don't know of anybody that's succeeded at it; if somebody out there has, please let me know, because we'd love to do it. We use some software called Tungsten for multi-master replication within MySQL. We've had very good experience with that, and I know Percona is also releasing technology which promises to do the same.

I think our real secret sauce at Acquia, for what we've done, is the management architecture we've built around this. And again, I think any time you're going to build out an infrastructure, you're going to need to have some of these components for a fully compliant infrastructure. So again, this is somewhat Acquia-specific, but I think this is necessary for anybody building something in the cloud that needs to meet compliance standards. The first thing is controlled access to the boxes. You need to have two-factor authentication for sysadmins. Whether that applies to Drupal as well,
I think in some cases it might as well, for admin access to Drupal. But certainly access to the boxes themselves has to be controlled by two-factor authentication. You can't share accounts. That's sort of the equivalent of what Chris mentioned: you can't have people using the user 1 account. Likewise, you can't have everybody using the root account on Linux. So everybody has to have their own login, and then accomplish the tasks you need root for using sudo or something similar. And then we also have a bastion host that all the sysadmins have to log in through, and that gives us an audit trail: who logged in, when, and did what. And you have to go through there to get to any of our production boxes.

Backups: a lot of times compliance requires disaster recovery and backup plans, so automating the backups piece is important. Just depending on somebody to do it by hand periodically is not the way you want to go.

Configuration management is an area we've put a lot of time into. You can see I have that circle with our cluster of Managed Cloud servers, different setups. It's kind of hard to read, but it's supposed to indicate lots of different customers in there that those other servers service. And we have a centralized configuration database that keeps track of what kind of servers we have deployed for each customer, and then using software like Puppet to automate the software deployment, as well as using our own custom scripts that we've developed to manage configuration files, allows us that even if, you know, Amazon lost an entire data center and we had to rebuild things from scratch in another data center,
we have all that configuration information stored and ready to go, and we could bring up new servers literally in minutes. And again, that makes it very auditable by people who are reviewing compliance, and it makes it so that we can consistently roll out secure services. If, for example, a critical security patch is released right now, we have about three thousand servers that we're managing, and we can roll out those security patches literally within a few hours across all those servers using that infrastructure. Again, this is probably overkill for most people, but I think many of these components you do need to build out a secure and compliance-compatible infrastructure. Monitoring is also critical. We use Nagios and a bunch of other stuff on top of that.

Policies and procedures: again, this is where you'll spend a lot of time meeting compliance. It's important to just start with it; get what you can work with. There are some examples out there on the web that you can work with, and there are certainly a lot of consultants out there that will help produce the policies and procedures. It's got to be written down and you have to follow them. The auditors will come in, they will ask everybody on your team, "How do you manage this?", and if it doesn't match up to your written policy, that's something that's going to go on the POA&M that Michael talked about, and you're going to have to address it. Those are a few of the key policies you have to include, but again, the NIST 800-53 document will define all those that you need. And then finally, I'm a huge fan of testing. Realistically, if you don't test it, it's not going to work. It's not going to meet compliance.
So things we do at Acquia: every night we are running a full battery of tests on all of our software and management systems, and we'll actually spin up a hundred different server instances during the course of the night just to make sure all of our automated processes work. And those tests include both positive and negative security tests as well. That's one way that we can manage all these servers and maintain a high degree of reliability and uptime. Ongoing vulnerability scans are important. We use a couple of tools in this area, Rapid7 and, what's the other, Qualys, to perform security scans, just in case something slips through, and that's often a requirement to meet the compliance requirements: having these things run on a regular basis. And then for things like automated failover, you want to actually test the failover. We did something with FEMA where we tested the failover from West Coast to East Coast, and they were very excited. It actually took about ten minutes to completely fail over their application, and that delay was largely in the CDN they were using to do it. But my experience over a lot of years in the internet space is, if you don't test it, it doesn't work. Backups won't work unless you test restoring them; failover doesn't work unless you test it. And then you also want to test your processes. What's your escalation process in an emergency? Hopefully those don't happen too much, but if you do have a security incident, a denial-of-service attack, any kind of compliance or vulnerability issue, what kind of processes do you have in place to handle those? And again, you want to test those. So that's all I have to say, and we have some time for questions, and Chris Strahl will...

Thanks to our panel for coming. Appreciate it, guys. I'll go ahead and take any questions and relay them to the group, and they'll answer them. Anybody? Go ahead.
Yeah, for the DIACAP accreditation. Yeah, so the question was if they could leverage our documentation for accreditation. So yes, if you bring a customer onto the Acquia Managed Cloud and you have to go through DIACAP accreditation, you can leverage those documents, because what you would be saying within your application documentation is that when you see a control that is based around infrastructure, you say, "I inherit from the Acquia Managed Cloud," and if they need to see that documentation, we can hand that off to them, or to you to hand off to the proper people.

There's one up here. I think it is, it is that, I mean... So SHA-1 is a hashing algorithm. So the hashing, encryption, sorry. Yes, everything is SHA; you can figure it out.

I've just been told that we can actually have people line up at the microphone in the middle of the aisle that have questions, and that way we'll get a nice line in queue and we don't have to repeat the questions as they're said.

Building on the first question about using your documentation for compliance: with Amazon being already FISMA compliant, are you waiting on FedRAMP for that to be compliant from Acquia's side, or are you going to do FISMA compliance in the meantime? How's that going to work?

So we have initiatives for DIACAP, FISMA and FedRAMP. We have existing customers who required a DIACAP C&A process. We have existing customers who required a FISMA C&A process. And we're really excited about FedRAMP. We're working on a FedRAMP package for Acquia Managed Cloud. We're working really tightly with Amazon so that we have two packages that will work together for FedRAMP. We want to be ready right out of the gate. Now FedRAMP is the same as FISMA with extra stuff, so the package that we're creating for FedRAMP is really our best effort.
We're putting a lot into it. We're able to leverage the work that we've done for FedRAMP for any agencies that want to host on Acquia Cloud that need to go through a FISMA C&A before FedRAMP goes live. So basically we're including all the FISMA-related controls, plus we're also going to include the FedRAMP controls, in our documentation that we can leverage again and again until FedRAMP goes live, and then hopefully once we get FedRAMP authorization we won't have to go through it again and again. Does that answer your question? Okay.

I didn't so much have a question as a comment. There are a couple of things that you guys said about Drupal 6 that don't apply to Drupal 7, and I want to make sure people knew that. The encryption requirements don't require LDAP now; Drupal 7 actually allows you to select multiple encryption capabilities for passwords. And there was another one today, guys, we were talking about that doesn't apply to D7 anymore. I understand Commons isn't out for D7. There was a code sprint on Friday, so whoever wants to participate, please do, because I really want, we're getting ready to use it for our organization. But some of the compliance things you guys have to do may not necessarily apply for folks coming along behind you.

Yeah, you're right. I mean, that's why I wanted to be very specific when I was pointing out what our accreditation boundary was, that we were using Drupal 6.

On the testing, are you using any CI testing? And what are you using? I'm sorry, can you repeat? What testing are you using, any continuous integration testing on the Drupal part of it? Yes, exactly.
We have a build server that runs every night that builds all of our management software, and then we run system tests on that, which take about an hour and a half to run through all the different configurations we support. And one thing I didn't mention earlier, and I think was left out, is one of the ways, one of the concerns about shared disks that we've addressed, is having an encrypting file system. So DSEA, for example, encrypts all the data that's stored on the disks, and that helps meet those standards.

Hi, have you guys worked with any federal courts? Not yet, not that I'm aware of. Okay. I'm from California, and we represent the largest federal court in the nation, and Washington is extremely strict when it comes to system assessments, to the point where they don't allow any inbound traffic to our websites at all. My question is in terms of LDAP: if we're going to have user authentication using LDAP, how will your system be able to integrate that, given that we won't allow any type of inbound traffic to our system?

One thing that often is allowed is inbound access via VPN. I don't know if that's true in your case, but often you can set up a VPN. I should have mentioned that, but that is something we support in Managed Cloud, VPN access, which is the way people usually work around that. You can also encrypt LDAP and authenticate via client-side SSL certificates as well, as another option, but VPN is usually the way that's met.

I'm sorry, just one more question. This is about cost. Would the hosting part be part of an Acquia subscription, like an enterprise subscription, or is this a whole separate cost? And if that's the case, do you have any documentation in terms of cost, or estimating cost, for your services?
Well, it's very specific to the particular customer, but it is part of an Acquia Enterprise subscription. But the compliance piece, especially for FISMA, is a substantial additional cost to pay for; each FISMA accreditation requires a separate set of documentation, so we charge for it separately. The hope is with FedRAMP we can actually package it up and have a very standard offer, but I'd be happy to talk about cost afterwards if you want to. Thank you.

So I work with some local governments that I know are planning to go into production with Dev Cloud, versus Managed Cloud. Could you contrast what, both from a compliance standpoint and also just from a practical standpoint, considerations Dev Cloud users should be thinking about, as distinct from Managed Cloud?

Yeah, so Dev Cloud uses the same technology as Managed Cloud, but it doesn't have the high availability. That's really the biggest difference between them. It's a single-server integrated environment, but it has the same UI and the same management tools as Managed Cloud. The challenge with that right now is usually the compliance piece, especially if you're trying to meet FISMA standards. The cost for just the compliance pieces is so dramatic that it almost makes sense to go to Managed Cloud in that case. But we're also looking, all the compliance work that we're doing applies to Dev Cloud as well, and especially in the commercial sphere, and as FedRAMP comes on board, that's something that would probably apply to Dev Cloud, but we don't have a specific offer there yet.

Related note for Drupal Gardens: do you have any governments yet looking at those in production, and have you done any looking at how those would map onto that certification?

Well, for our enterprise Drupal Gardens, where somebody gets basically their own private version of Drupal Gardens, we have a couple of customers on that now.
I don't think we've formally announced that, but we have a big announcement coming. But that's something that we could certainly do compliance for. I think it's a little bit more problematic because Drupal Gardens is a multi-tenant solution, so we haven't really given that a lot of thought, of where we'd do compliance there. But again, the compliance costs, the auditing costs, are so high that you might be thinking it might be a better fit to do that. But it's something for us to think about, especially again with FedRAMP. I think FedRAMP is a real game changer here, and just like Amazon has introduced a GovCloud hosting service specifically for government, that's something, as FedRAMP comes on board, we might consider for the rest of our product line.

Anyone else? All right. Thanks a lot, guys.