Managing risk is a key aspect of any business. This becomes more complicated when additional parties, such as vendors, are brought into the mix. One of the strongest pieces of guidance on managing vendors that customers have brought to Akamai comes from the US Office of the Comptroller of the Currency (OCC) Bulletin 2013-29, in which the OCC recommended that financial institutions strengthen their preparedness around third-party risk management, particularly in the field of cybersecurity. Many other global regulations exist with similar requirements.
As Akamai is a critical or strategic third-party vendor for some customers, our security and availability may be of note to your regulators and assessors, regardless of your location or industry. Because the risks Akamai presents to your business as a service provider are complex, and are offset by the additional infrastructure and availability it provides, finding the right ways to discuss our position in your organizational goals can be difficult. Below is a brief overview of Akamai's position from a customer's third-party risk perspective, based on some of the most common third-party risk management processes and topics. Throughout this post, links will take you to additional resources that may help you think and speak about Akamai's position in your organization.
Resilience and Limited External System Dependencies
Akamai's global scale, dynamic load-balancing, customizable caching, DNS solution, and security solutions are all sold with a high-availability Service Level Agreement. Akamai has built a highly resilient Intelligent Platform that reaches across multiple Internet service providers, power grids, data centers, hardware manufacturers, and geographic regions. This system design ensures that risk presented by any single dependency is minimized for Akamai customers and services globally. More information about the resilience of Akamai's Platform is available here.
Continuous Monitoring, Intelligence, and Defense
Akamai participates in many security intelligence sharing communities, such as FS-ISAC. Akamai's Kona Security Solutions benefit from analysis of Akamai's aggregate traffic data, and Akamai's Security Operations Center (SOC) staff fight attacks every day, giving them unparalleled experience. Akamai's support teams can work with customers when they see anomalous activity, or receive threats from adversaries, to make sure their digital properties are protected and available. Akamai's security teams also release regular information to customers and the public through advisories, blog posts, integration guides, and State of the Internet reports. Akamai's Control Portal gives customers the opportunity to see their traffic in near real time and adjust configuration as needed. Akamai's Network Operations Command Center (NOCC) runs 24/7/365 out of multiple locations, protecting the performance and health of Akamai servers and tracking routes all over the Internet.
Akamai's Technical Incident Management program is based on an approach to managing unplanned work and understanding the complete systems in which hazards and losses may occur. Akamai treats all incidents as learning experiences to improve its model of development and operations. The Incident Management procedures take incidents through a severity rating and three phases of work, each with their own entrance and exit criteria, required roles, and processes. The Technical Incident Management process is loosely linked to the Service Incident model that allows customers to work with their account support teams to identify problems and resolutions for service issues. This coupling allows customers to receive prompt notifications in the case of technical issues that could impact their data, service, or configurations, and allows the technical incident management process to run at full speed when customer notifications are not necessary.
Security Standard Compliance
In order to provide assurances to customers, regulators, and end users, Akamai has committed to a rigorous security standard compliance posture with a range of standards that address multiple customer verticals and regions globally.
Akamai built its Information Security Program in alignment with the ISO 27001/27002 standard family, and is annually assessed against the 27002 standard in order to attest its continued adherence to the Program.
Akamai has been a PCI-accredited Merchant Service Provider for many years, focusing the scope of its assessment on the Secure Content Delivery Network, which was designed with the protection of sensitive data, including cardholder data, in mind.
Akamai's sensitive data protection also addresses Personal Health Information and Personally Identifying Information. Akamai is annually validated as HIPAA compliant for its US-based healthcare customers, and Akamai has worked diligently to manage its data privacy posture to address the needs of our European customers.
Akamai has recently added the SOC 2 standard to its roster, producing a Type 1 report in 2016, and following up with a Type 2 report in 2017.
Akamai has Provisional Authorization to Operate (P-ATO) as a Cloud Service Provider under the US FedRAMP standard and is pursuing its provisional authorization for FedRAMP+.
Akamai has recently begun work toward its first IRAP assessment managed by the Australian Signals Directorate (ASD) to support many of its Australian customers.
Akamai is also validated as HIPAA compliant for its US healthcare and PHI-focused customers.
Sensitive Data Protection
Akamai's Secure Content Delivery Network was designed to support the secure delivery of dynamic data, including that of a sensitive nature, through the use of strong cipher suites for encryption, private key protection, and enhanced physical security, including locked and monitored server racks and remote administration. In addition, delivery over Akamai's Platform ensures that many network hops between end users and origin infrastructure are protected by Akamai's servers. Akamai's security products offer the ability to monitor network traffic and block attacks before they reach a customer's origin infrastructure.
Akamai is committed to helping its customers reach their security goals wherever possible, and we are happy to speak with you more about our own risk management as well as the risk trade-offs you may be making as you use Akamai to deliver your content faster, and more securely, over our Platform.