The Akamai Blog

Information Security Custom Audits for Akamai Customers: How to Get the Most Value from Your Assessment

Over the last two years, Akamai has seen an increase in the number of customers who wish to run their own review of Akamai, either to satisfy their own information security or risk management program, or to gain the expertise to explain Akamai to their regulators and consumers. This increase is due to a confluence of factors, from Akamai's increased global sales presence, to heightened regulation of certain verticals by governments and other organizations. We expect to see demand for custom assessments continue to grow in 2017 and beyond, and we expect the breadth and depth of questions from customers to increase as well.

Customer assessments allow companies to see more of Akamai's operations, processes, and philosophies than we can make available in take-away documentation. Often, we are able to invite subject matter experts to speak with customers or provide views of our Network Operations Command Center (NOCC), Security Operations Center (SOC), or custom monitoring tools and dashboards to help customers gain a better understanding of how Akamai meets its service levels, guarantees, and operational standards. These audits are also a chance for customers to look below the product layer of Akamai and understand the infrastructure and employees that support the services they purchase.

Below are some of the major decision points customers face when they purchase a custom assessment, along with my team's observations on each, so that customers considering their first audit of Akamai can make the best choices for their needs and budget.

Location: Company Headquarters or Satellite Office?

For customers with many vendors to assess, it is often cost-prohibitive to visit the headquarters of every vendor. As a global company, Akamai often has smaller offices nearer to customer headquarters that can be used for sharing and viewing protected material that we cannot send to a customer. These assessments can often be hosted by my team at hours that are convenient for the global locations, rather than during the business hours of our corporate headquarters. For customers looking to understand the basics of Akamai and see some tools and documentation that are not publicly available, these remote assessments are an exceptional choice for ease and convenience.

What remote assessments usually cannot offer are the more showy aspects of the custom assessment program, such as subject matter expert interviews, tours of operational work areas, or data center visits to see sample deployments of our servers. For customers who anticipate wanting or needing deep dives into particular areas of concern such as access controls, technical incident management, or corporate security, it is far more effective to visit headquarters, where many more staff are available to provide demonstrations, give presentations, or answer detailed questions.

Agenda Focus: Architecture or Operations?

Customers are asked to generate an agenda for their assessment at the time of purchase, in order to ensure that Akamai is able to prepare appropriately. While the agenda will be refined as Akamai and the customer cooperate to understand the motives, needs, and critical questions behind the assessment, an initial decision to make is whether the assessment will be aimed at understanding the technical architecture of Akamai's solutions and Platform, or the operations, monitoring and maintenance of Akamai's systems.

Of course an assessment can cover both, but the kinds of subject matter experts that Akamai may bring in to support questions will differ depending on whether the customer is interested in how products and systems are designed, built, controlled, and released, or in how the products and systems are maintained, monitored, and used. This is a finicky distinction to make during the assessment planning process, and the clearer customers can be about their preferences, the better the assessment outcomes can be.

Evidence: Expert Interviews or Evidence Samples?

Another distinction in planning a customer assessment that is easily overlooked is deciding on the priority of gathering evidence samples versus building relationships and an understanding of Akamai's principles and principal subject matter experts. We recommend that customers use their custom assessments to better understand the systems that generate evidence for our compliance with security standards like SOC 2, as greater leaps in understanding and relationships are possible through this form of assessment than through evidence review.

Akamai's rigorous information classification and handling make gathering and redacting samples for customers complex. We are highly conscious of protecting the information of our other customers, our customers' end-users, and our employees, as well as other categories of sensitive data. A full-time team focuses on our third party assessment program year-round, and much of their work is gathering and redacting evidence and providing context for that evidence to our assessors. We highly encourage customers to review our third party assessments, particularly our SOC 2 report, for independent attestation that we do what we say. When customers do require evidence samples, we often require additional time to prepare, or more rigorous negotiation over which samples we will be able to share.

Assessor: Customer-led or Third Party Assessor-led?

Many customers wish to use a third party assessor to review Akamai. Professional, full-time assessors are often quite skilled at quickly building an understanding of a service provider and their operations. It is critical, however, that customers send representatives from their own organization to any assessment that includes third party assessors. We have found that when assessors arrive without their clients, they are often unfamiliar with what assets, properties, and data types the customer sends over Akamai's Platform, and how the services have been configured. This added context is necessary to review not only Akamai's security controls, but how they relate to our customers. In assessments without customer participation, the custom audits have often resulted in longer follow-up periods as materials are translated across different stakeholders, unusable reporting for the customer, assessments that missed critical facets of a customer's concerns, and even repeat assessments with the customer present.

The largest benefit of a custom assessment is that it can be used to supplement Akamai's rigorous third party assessment program (against security standards such as PCI DSS, SOC 2, ISO 27002, etc.) with a review of the customer's own implementation and configuration of the services.

Conclusion

We have seen customer assessments of Akamai result in improved partnerships between Akamai and our customers, deeper knowledge of Akamai inside customer organizations, better alignment of Akamai services with customer business goals, and safer configurations of Akamai services for customers. None of this is surprising, but the less obvious benefit of the customer assessment program is that Akamai receives feedback from its customers, too, about what they expect of their service providers, how we can improve our organization and our offerings, and more. It's not unusual for subject matter experts to come to customer assessments with questions of their own, or for customer feedback to drive big changes in Akamai's future posture. We love this chance to gather direct, engaged input from customers, and look forward to many more customer assessments this year!