Building a world-class security program at Acquia

Hi, I'm Mike Lemire. It’s been three months since I joined the Acquia team as Director of Information Security, and I wanted to share some of what is happening here in the realm of information security.

A little about me. I began my career in IT in the publishing industry during the mid-90s. As manager of IT at InStyle magazine, I built one of the first intranet sites at Time Inc.’s magazine division. I moved into the financial services sector working at a hedge fund, then at JPMorgan, eventually ending up at RiskMetrics Group, a rapidly growing financial services firm. RiskMetrics was a pioneer in the financial services space, having turned a locally installed risk-analysis application into a highly successful web-based SaaS platform. I initiated the information security and business continuity programs at RiskMetrics, and instituted security best practices and controls in line with the most stringent requirements from our customers, many of the largest financial institutions in the world. I obtained my CISSP certification in 2006.

Reducing risk by applying best practices in the context of the classic security triad of confidentiality, integrity, and availability has become my passion. Security touches every facet of an organization, from personnel to change control, from application development to application security, as well as protecting our assets and those of our customers. As risks to information and information systems continue to grow, good security practices are no longer seen as an inhibitor to businesses; they are now deemed crucial to enabling business success.

I am delighted to have joined Acquia, and honored to work with this incredibly talented and dedicated team. Acquia presents a unique opportunity because it is both “in the cloud” and based on the very successful open-source platform, Drupal. These factors present tremendous opportunities, as well as some challenges.

It is incredibly expensive to build and manage data centers, as well as provision and maintain hardware. Cloud computing enables private and public entities to reduce costs, and has lowered the barriers that prevent new companies from forming and succeeding. Open-source software has similarly lowered costs and barriers. The tremendous success, and in many cases dominance, of open-source software such as Linux, Apache, MySQL, and Drupal attests to the fact that open source is here to stay, and will continue to flourish. The necessity of a strong control environment is the same in the cloud as it is in traditional IT settings. Everything we have learned from a long history of traditional IT security remains applicable: we must secure the confidentiality and integrity of data, and we must maintain continuity of services. These fundamentals are enabled and strengthened by adhering to standards, best practices, and regulations such as ISO 27002, SSAE16, PCI-DSS, HIPAA, FISMA, and by new developing standards such as FedRAMP and the Cloud Security Alliance’s GRC program.

Acquia recognizes the importance of Information Security to its success, and the continued adoption of the cloud model and open-source software. We believe a strong control environment is necessary to reduce barriers for our customers who want to gain from the benefits of cloud computing and of Drupal. We’ve already achieved major compliance milestones and are working on more, for both Drupal and the Acquia Cloud: we have gained FISMA accreditation and we are in the process of DIACAP MAC II Sensitive accreditation for a significant DoD customer, and we are working on FISMA moderate accreditation for a federal agency, both hosted in the Acquia Cloud. Our next major compliance objective is FedRAMP, a new federal standard for accreditation of cloud-based service providers that is meant to streamline the accreditation process for federal agencies that want to gain the cost and ease-of-deployment benefits of the Acquia Cloud.

My mission at Acquia is to provide the most secure, highly available Drupal platform that facilitates our customers’ success, and to further enable the success of both Drupal and the cloud-computing model. At Acquia, these are exciting times for Drupal and cloud computing, and I am very psyched to be a part of it.