Staying Ahead on Security: Why Acquia is Disabling PHP 5.3

The biggest risk for any website is security. Research has shown that the average cost of a data breach is several million dollars. The last two years have seen a number of high-profile security breaches affecting millions of people, including:

• 145 million eBay users
• 70 million Target customers
• over 20 million U.S. government job applicants.

That’s why it’s important to ask yourself: Does your company have the expertise and resources to manage your websites’ security?

Acquia Cloud engineering and operations teams are constantly responding to security threats and updating hundreds of mission-critical software packages behind the scenes. Do your engineers know how to manage the complexity of the hundreds of mission-critical software packages required to run modern websites? Do they have the processes in place to get notified of vulnerabilities and roll out changes before attackers can exploit them?

It can easily cost millions of dollars for the expertise and development required to manage your websites’ security in-house. If you’re managing your own security and not spending that money, you may be making trade-offs that put your business and your reputation at risk.

Many companies can’t afford that kind of investment in security expertise, and that’s why many of them choose Acquia Cloud. Acquia Cloud removes a number of risks and challenges of building and running websites, including security risks. We have invested those millions of dollars in expertise, processes, and hardened security architecture so that our customers stay safe without having to think about it. And we are evaluated annually by independent third party auditors to validate our practices and alignment with standards.

Our security practices extend beyond our platform and infrastructure. Our Remote Administration team can update user applications when Drupal core or contributed modules are out of date. Password strength and multi-factor authentication requirements can be enforced to log into the Cloud administration dashboard, and actions on that dashboard are managed via granular access controls (complete with an activity stream to audit changes). We also offer protection at the network level with Acquia Cloud Edge to deny malicious web requests and Acquia Cloud Shield for keeping especially sensitive information inaccessible from the public internet.

One other way we make sure our customers stay safe is to disable software that has reached its end-of-life and is no longer receiving security updates. For that reason, we recently disabled PHP 5.3 on our platform (the lowest version we now support is PHP 5.5). As we do whenever we deprecate functionality, we provided our customers an extended notice period and worked with them to make sure their applications work on newer, secure versions of PHP. If you’re using a vendor that continues to run insecure versions of such mission-critical software, you should think twice about their security practices. When you use Acquia Cloud, we stay on top of those risks so that you don’t have to.

One example of our commitment is our response to security events, like when we were the only Drupal platform-as-a-service company to protect all customer sites against the critical Drupalgeddon vulnerability without any loss of site functionality or availability. Similarly, when vulnerabilities like Heartbleed, POODLE, Shellshock, and others (from the past year alone) shook the foundations upon which websites rely, Acquia was able to rapidly update our entire fleet of affected servers while keeping our customers’ sites online.

If you’re unsure about your security situation or requirements, talk to us and we can help you figure out what you need. One option is our security workshop where we work with you to analyze your situation and offer recommendations.

It’s better to find out your requirements - especially legal ones like PCI compliance - as early as possible, before you commit to a vendor that puts the cost burden on you.