Overview
Akamai powers and protects life online. Every day, billions of people connect with their favorite brands to shop online, play games, share ideas, manage money, and so much more. They may not know it, but Akamai is there, delivering a fast, reliable, and secure experience.
Akamai understands that security is fundamentally important to modern life online, and we are committed to protecting our customers’ data that is used across our services as well as our corporate infrastructure. To this end, we have implemented a comprehensive information security program, supported by leading security technologies including Akamai’s own security products and services, to provide comprehensive safeguards against current and future threats.
Shared Responsibility Model
Customers control many aspects of Akamai solutions, and consequently, customer decisions have an impact on security. Akamai therefore adopts a shared responsibility model that defines the roles and responsibilities of different parties involved in delivering and consuming our products and services.
In this model, customers are responsible for leveraging the Akamai services appropriate for the sensitivity of their data, and configuring them correctly to address the risks associated with their applications. For example, when using content delivery solutions, customers must select TLS settings and caching policies suitable for their use cases. When using cloud computing solutions, customers must take steps to secure the workloads they run on Akamai, including the secure management of the underlying operating system and software stack. Similarly, customers are responsible for securing their own infrastructure that they integrate with Akamai services.
In turn, Akamai is responsible for the secure development and operation of the Akamai Connected Cloud platform that powers all of our products, ensuring that Akamai services do not violate the security and privacy properties dictated by correct customer configuration.
Further information on the shared responsibility model can be found, for example, in the Responsibility Matrices for PCI DSS compliance, available on Akamai’s Information Security Compliance site. Below, we expand on Akamai’s information security program, and describe how Akamai fulfills its part of security responsibilities.
Information Security Governance
Akamai has a designated information security organization, InfoSec, led by the Chief Security Officer (CSO). This team of security experts is tasked with maintaining Akamai’s information security program and overseeing all aspects of security at Akamai.
While InfoSec is an independent organization, it closely coordinates with the rest of the business every day, including Engineering, Services, Legal, and Human Resources, in order to manage the company’s overall security risk profile.
Akamai has a well-established governance structure that supports InfoSec’s ability to identify, assess, and mitigate security risks. Akamai’s Information Security Committee (ISC) is a key security governance body chaired by the CSO and composed of internal executive stakeholders from across the business. The ISC regularly exchanges risk information with senior management to inform critical decisions. In addition, members of the Akamai Board of Directors periodically receive security posture updates from the CSO.
Capabilities
Akamai’s information security program is designed to protect the Akamai Connected Cloud, and in turn the data we process on behalf of Akamai customers, as well as Akamai’s internal corporate systems, data, and people.
Some of the key security capabilities Akamai employs are as follows.
Risk Management. The InfoSec Risk Management Team continuously monitors Akamai’s security risk exposure, identifying, evaluating, and tracking both emerging and known risks via our comprehensive risk management process. Risks are tracked in a central risk register, the status of risks exceeding the company’s risk tolerance is periodically communicated to the security governance bodies described previously, and resolution efforts are coordinated with the respective risk owners.
Continuous Monitoring. The Global Security Operations Team (GSO) under InfoSec continuously monitors Akamai systems by ingesting and correlating security signals from multiple data sources via a dedicated team supported by automation and orchestration. The Network Operations Command Center (NOCC) complements GSO’s capabilities by continuously monitoring Akamai systems for performance, capacity, and indications of technical issues. Both teams are distributed across multiple continents with failover capabilities.
Vulnerability Management. The Threat and Vulnerability Management Team under InfoSec oversees Akamai’s comprehensive vulnerability management process, establishing overarching policy and metrics, assessing the severity and impact of vulnerabilities, and providing guidance to system owners for accurate mapping of vulnerabilities to their assets and timely remediation of issues.
Incident Management. Akamai has a robust incident management process designed to ensure that the appropriate staff will be available to address technical and security incidents. The three phase process involves containment of the immediate threat and assessment of the circumstances to establish a task force of subject matter experts for the issue at hand, full remediation and its verification according to the team’s resolution criteria, and finally, post-incident reviews and long-term policy, process, and control enhancements based on lessons learned.
Threat Intelligence and Security Research. Akamai’s security experts monitor, analyze and respond to emerging threats. They have the benefit of leveraging Akamai's unique visibility into the Internet traffic and landscape provided by the largest and the most distributed cloud platform in the world. Akamai collaborates with industry partners, law enforcement agencies, special interest groups, professional organizations, standards bodies, academic institutions, and open source communities to enhance its threat intelligence capabilities. Akamai also contributes to the security literature with its own in-house research capabilities and shares novel insights with the community.
Secure Development. Secure development is a responsibility shared by all system owners and engineering units at Akamai, and the Product Security Team under InfoSec provides specialized security expertise to system designers and developers during the process. In addition to overseeing the generally applicable secure design, secure coding, and security testing requirements across the business, and responding to requests for hands-on guidance on demand, the Product Security Team also supplies development teams with security architects that work one-on-one with them, conducting threat modeling at early design stages, and then steering developers through the formal security review gates in Akamai’s standard system development process. Akamai’s internal Penetration Testing team supplements these capabilities with system-specific adversarial testing exercises.
Security Standards Compliance. Akamai undergoes recurring audits to demonstrate compliance with ISO 27001, ISO 27017, ISO 27018, ISO 27701, PCI DSS, SOC 2 Type 2, FedRAMP and many other standards listed on Akamai’s Information Security Compliance site. Akamai also periodically undergoes vulnerability scanning and penetration testing exercises performed by qualified third party vendors as these security standards necessitate.
Customer Trust. The Customer Trust team under InfoSec is a specialized team of security experts that interface with Akamai customers, ensuring that their security questions are answered. Customer Trust is available to discuss all aspects of Akamai’s information security program, architecture, use of cryptography, and other low-level technical details together with their security implications. Customer Trust also coordinates on-site audits with customers that wish to take a closer look at Akamai’s operations.
Conclusion
Akamai is proud to be a trusted partner for thousands of customers across various industries and regions, delivering secure and reliable cloud services that enhance their online presence, security and performance. Akamai is constantly investing in its security capabilities and innovations to stay ahead of the evolving threat landscape and to protect our platforms, customers and end users of our customers from cyberattacks.