The Akamai Blog

Akamai Undergoes SOC 2 Assessment: Adding a Service Provider-Specific Security Standard to its Compliance Posture

Akamai completed its first assessment against the SOC 2 standard this summer, and has released its first report on compliance under NDA.

What is the SOC 2?

The SOC (Service Organization Controls) 2 is a security standard aimed at Service Organizations. The SOC 2 is developed and maintained by the AICPA (American Institute of CPAs), which breaks goals for secure operations into 5 different categories called trust principles. The trust principles include Security, Availability, Processing Integrity, Confidentiality, and Privacy. An organization may be assessed against one or more of the trust principles. There is no certification available for the SOC 2 standard, as the controls of each trust principle, called common criteria, are interpreted by each organization undergoing assessment.

It is this flexibility that makes the SOC 2 such an important standard for Akamai and its customers. By allowing the assessed organization to define how they meet goals, and then provide evidence to prove that adherence, service organizations are able to document and prove non-standard models of security operations.

What is a SOC 2 report?

In lieu of a certificate of compliance, qualified third party assessors produce a report on compliance for the assessed organization, discussing the assessed organization's:

  • Description of the systems, technologies, and operations in scope for the assessment;

  • Interpretation or application of common criteria in the form of narratives or justifications;

  • Evidence provided to support the narrative or justification being met by the assessed organization (which may be any combination of system-based evidence, subject matter expert interviews, or other forms of proof, depending on the narrative approach);

  • The Assessor's perspective on how complete, effective, and applicable to the common criteria the assessed organization's narratives and evidence are; and

  • Any findings the assessor has, at any point in the report, regarding the assessed organization's ability to meet the goals expressed in the common criteria, or any other goal expressed by the organization.

There is no certificate of compliance. Instead, qualified third party assessors produce a report on compliance for the assessed organization, discussing the assessed organization's: system description, scope, control descriptions for meeting common criteria, evidence, and suitability of the organization's descriptions and evidence.

Reports come in one of two formats:

  1. Type 1: Assesses evidence from a single point in time, showing that if the controls operate as intended, the assessed organization would meet its goals; and

  2. Type 2: Assesses evidence across a larger span of time, typically 6 months to 1 year, showing that the assessed organization consistently meets its goals.

What can we expect from Akamai's SOC 2 report?

Akamai had its first SOC 2 assessment during summer 2016 against two trust principles -- Security and Availability -- and scoped the assessment against its security-focused products, using both Secure Content Delivery Network architecture and Prolexic architecture, as well as some critical infrastructure, including the Luna customer portal and Key Management Infrastructure. The assessment included:

  • full system description of the scoped applications and their operations,

  • narratives for how Akamai meets common criteria, and

  • a range of evidence for the assessors, including documentation (policy, process, design documents), interviews (with business owners, architects, and operators), and direct evidence (sample reports from tools, processes, and tests).

Akamai's third party assessors worked with Akamai to create a final Type 1 report available under NDA to both customers and prospects. For a copy of the report, please check with your account team to ensure you have a Non-Disclosure Agreement in place, and they will be able to share the final product with you.

The 2016 SOC 2 Type 1 report is significantly more descriptive than the other compliance materials Akamai shares with customers, such as its PCI Attestation of Compliance, and contains more of the decision processes, operational methodology, and philosophy behind Akamai's architecture and design. Akamai is using this first Type 1 report internally as a gap analysis to ensure that its first Type 2 report, expected in 2017, has specific, measurable, and consistent evidence to apply to its narratives.

We hope that Akamai's new work with the SOC 2 standard will assist customers who want to do a risk assessment of their use of Akamai, and will demonstrate Akamai's ability to protect its customers' services and applications. We are particularly proud of the coverage of the Availability trust principle, as it will demonstrate the high availability, resilience, and redundancy of Akamai's Intelligent Platform, and of the inclusion of the Prolexic architecture, which is operated separately from the Kona security-focused product suite, though both are managed by the same business unit.