
Akamai Compliance Programs

Learn more about how Akamai products and services follow privacy laws, regulations, certifications, and frameworks.


MAS (Singapore)

Overview

The Monetary Authority of Singapore (MAS) regulates financial institutions in the banking, capital markets, insurance, and payments sectors incorporated in Singapore. MAS has published Outsourcing Guidelines for financial institutions in Singapore on the risk management of outsourcing arrangements, which cover:

  • Engagement with MAS on outsourcing
  • Sound practices on risk management of outsourcing arrangements
  • Cloud computing

Resources

MAS Outsourcing Guidelines

Amendments

Akamai Compliance

Akamai services used by financial service providers incorporated in Singapore are considered outsourced activities under these guidelines. Since Akamai services are compliant with the guidelines, financial services customers incorporated in Singapore can not only continue using Akamai services, but also deploy them as a key part of an outsourcing compliance strategy.

Applicable Akamai Services

  • Secure CDN with Enhanced TLS and related services
  • Web performance products, such as Ion, when running on the Secure CDN with Enhanced TLS
  • Cloud security products, such as Kona Site Defender and Bot Manager, when running on the Secure CDN with Enhanced TLS 
  • Prolexic DDoS Mitigation Services
  • Akamai Identity Cloud

Payment Services Directive (PSD2)

Overview

The revised Payment Services Directive (PSD2) of the EU, and Open Banking, the UK implementation of PSD2, require financial institutions to open their payment infrastructure, granting third-party providers (TPPs) access to their customers’ bank account data with the customer’s consent. Regulatory bodies are driving this initiative to facilitate innovation, competition, and efficiency in financial services by enabling TPPs to provide payment initiation and account information services to consumers.

Resources

DIRECTIVE (EU) 2015/2366

Akamai Compliance

Akamai solutions help financial institutions comply with PSD2 by enhancing customer experiences, application stability, and security controls. The Akamai Intelligent Edge Platform serves as a conduit for communication between TPPs and the financial institution. Akamai security services protect the institution’s APIs from unauthorized access and ensure only authenticated access requests are processed. Akamai helps with PSD2 compliance by:

  • Enhancing the customer experience
  • Providing access control and governance for APIs
  • Protecting APIs against attacks
  • Delivering common and secure communication (SSL/TLS)
  • Preventing screen scraping

 “Internal APIs and proprietary apps are replaced by public APIs and third-party apps when third-party providers (TPPs) act between a bank and its customers.”

Downloads / Links

Applicable Akamai Services

Identity Cloud, Secure Content Delivery, Kona Site Defender, Ion, DSA, and API Gateway.

Q&A

Is Open Banking the same as PSD2?

Open Banking is the PSD2 implementation in the UK. It is based on a ruling — issued in August 2016 by the United Kingdom Competition and Markets Authority (CMA) — that required the nine biggest UK banks to allow licensed startups direct access to their data, down to the level of account transactions. See also Wikipedia.

Why is the PSD2 implementation always a customized solution?

PSD2 will always be a custom implementation because of the differing requirements of each trust service provider (the certificate authority issuing the certificates used to identify TPPs), the specific national legislation of each EU member state, and the internal compliance requirements set by individual company policies.


IRAP (Australia)

Overview

The Information Security Registered Assessors Program (IRAP) is an Australian Signals Directorate (ASD) initiative to provide high-quality information and communications technology (ICT) security assessment services to the government. The Australian Cyber Security Centre (ACSC) within the ASD produces the Australian Government Information Security Manual (ISM). The purpose of the ISM is to outline a cybersecurity framework that organizations can apply to protect their information and systems from online threats.

The ISM consists of more than 700 security controls that define security requirements in more than 80 areas, such as:

  • Cybersecurity incidents
  • System hardening
  • Vulnerability management
  • Patching
  • Cryptography
  • Network design
  • Application development

Resources

Akamai Compliance

Akamai is assessed every two years by an independent auditor for compliance with the IRAP security controls defined in the ISM. Akamai’s most recent IRAP assessment was conducted in 2021. The assessment covered both Akamai’s production and corporate network environments, and the resulting compliance assessment report was completed by NJOY Security in September 2021. A letter from the IRAP assessor certifying completion of the assessment is available subject to nondisclosure agreement (NDA).

Please contact your Akamai account team for more information.

Applicable Akamai Services

  • Secure CDN with Enhanced TLS, and the services running on it 
  • Web performance products such as Ion, when running on the Secure CDN with Enhanced TLS
  • Bot Manager Standard and Premier 
  • Cloud security products, such as Kona Site Defender and Bot Manager, when running on the Secure CDN with Enhanced TLS
  • Edge DNS

Dates / Term / Auditor

Akamai’s latest assessment was completed by NJOY Security on August 23, 2021.


Critical Infrastructure (Germany)

Overview

Since June 2017, Akamai has fulfilled the requirements for critical infrastructure service providers for its content delivery network services in Germany, implemented by the German BSI (Federal Office for Information Security). In accordance with the underlying legislation, the BSI Act, Akamai performs a third-party audit every two years to prove that its technical and organizational measures appropriately protect its system and ensure the availability, integrity, authenticity, and confidentiality of its services.

Resources

Akamai Assessment

As part of the audit, Akamai Germany provides evidence to the BSI of its state-of-the-art security measures ensuring the availability, integrity, authenticity, and confidentiality of its critical systems. The basis for these audits is Akamai’s SOC 2 Type 2 report, its ISO 27002 assessment, and several on-site audits by the auditor in data centers across Germany.

Downloads / Links

Applicable Akamai Services

Akamai CDN

Q&A

How long have Akamai CDN services been critical infrastructure services in Germany?

Since June 2017.

What about Akamai’s security services?

Security services are not considered a critical infrastructure service according to the BSI Act.

Akamai is a recommended provider of distributed denial-of-service (DDoS) protection services to other critical infrastructure services providers. See also Qualified DDoS Mitigation Service Providers (German).


FedRAMP

Overview

A U.S. government compliance program, the Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

FedRAMP created and manages a core set of processes to ensure effective and repeatable cloud security for the U.S. government. It established a mature marketplace to increase utilization and familiarity with cloud services.

Resources

FedRAMP

Akamai Certification

Since 2013, the Akamai Intelligent Edge Platform has held a FedRAMP Joint Authorization Board (JAB) Provisional Authorization to Operate (P-ATO) at the Moderate baseline, as an infrastructure as a service (IaaS) provider.

Downloads / Links

Akamai’s FedRAMP Marketplace page

Applicable Akamai Services

  • Akamai Intelligent Edge Platform for HTTP and HTTPS delivery (known as the ESSL and FreeFlow Networks) and services running on them
  • Kona Site Defender with Kona WAF
  • Edge DNS (with DNSSEC)
  • NetStorage
  • Media streaming services
  • Akamai Control Center
  • Global Traffic Management

Dates / Term / Auditor

Akamai’s third-party assessor for FedRAMP is Coalfire Systems, Inc.  

Akamai has been FedRAMP authorized since August 23, 2013, and undergoes annual assessments and continuous monitoring to remain compliant.   

Q&A

How do I access Akamai’s FedRAMP documentation?

Customers can request access through the “Package Access Request Form” available on the FedRAMP Marketplace website.

What is Akamai’s FedRAMP Impact level? 

Akamai’s FedRAMP authorization is at the Moderate Impact level. According to FedRAMP, a Moderate Impact system comprises “nearly 80% of CSP applications that receive FedRAMP authorization and is most appropriate for CSOs where the loss of confidentiality, integrity, and availability would result in serious adverse effects on an agency’s operations, assets, or individuals. Serious adverse effects could include significant operational damage to agency assets, financial loss, or individual harm that is not loss of life or physical.”

At this time, Akamai has not sought FedRAMP authorization for the High Impact level.


ISO/IEC 27001:2013

Overview

ISO/IEC 27001 formally specifies an Information Security Management System (ISMS), a suite of activities concerning the management of information risks.

The ISMS is an overarching management framework through which the organization identifies, analyzes, and addresses its information risks. The ISMS ensures that the security arrangements are fine-tuned to keep pace with changes to the security threats, vulnerabilities, and business impacts — an important aspect in such a dynamic field.

Resources

ISO/IEC 27001:2013


Akamai Certification

Identity Cloud obtained its latest ISO 27001 certification on May 14, 2021.

Akamai’s subsidiary, Asavie, obtained its latest ISO 27001 certification on October 22, 2021.

Applicable Akamai Services 

  • Akamai Identity Cloud
  • SPS Secure Mobile
  • SPS Secure IoT
  • SPS Secure Edge

Dates / Term / Auditors

A-LIGN Assurance provides the ISO 27001 certification for Akamai Identity Cloud. The latest certification is dated June 17, 2021. 

Certification Europe provides the ISO 27001 certification for Asavie, and the SPS Secure Mobile, SPS Secure IoT, and SPS Secure Edge services. The latest certification is dated October 22, 2021.   

Q&A

Why are there two different ISO 27001 reports for Akamai?

These two audits arose out of Akamai’s acquisition of Janrain, Inc. in 2019, which led to the Identity Cloud solution, and the acquisition of Asavie in 2020, which led to the SPS Secure Mobile, SPS Secure IoT, and SPS Secure Edge services. At this point, these are the only Akamai services subject to an ISO 27001 audit.  

How do I obtain a copy of Akamai’s ISO 27001 certifications?

Your account team can provide these certifications to you.


ISO/IEC 27018:2014

Overview

This standard provides guidance aimed at ensuring that cloud service providers offer suitable information security controls to protect the privacy of their customers’ clients by securing the personally identifiable information (PII) entrusted to them.

The standard serves as a reference for selecting PII protection controls when implementing a cloud computing information security management system based on ISO/IEC 27001. It also provides guidance on implementing PII protection controls.

Resources

ISO/IEC 27018

Akamai Certification

A-LIGN Assurance provides the ISO 27018 certification for Akamai Identity Cloud. The latest certification is dated June 17, 2021. 

Applicable Akamai Services 

Akamai Identity Cloud

Q&A

Which regions are covered by Akamai’s ISO 27001/27018 compliance?

The ISO 27001/27018 certification of the Akamai Identity Cloud service covers all global regions except for the Russian Federation.

How do I obtain a copy of Akamai’s ISO 27001 and 27018 certifications?

Your account team can provide these certifications to you.


PCI DSS Level 1

Overview

Payment Card Industry Data Security Standard (PCI DSS) compliance is required for any business that stores, processes, or transmits payment card data. Developed by the major credit card companies, the PCI DSS defines measures for ensuring data protection and consistent security processes and procedures around online financial transactions. Businesses that fail to maintain PCI DSS compliance are subject to steep fines and penalties.

As formulated by the PCI Security Standards Council, the mandate of PCI DSS compliance includes: 

  • Developing and maintaining a security policy that covers all aspects of the business
  • Installing firewalls to protect data
  • Encrypting cardholder data that is transmitted over public networks
  • Using antivirus software and updating it regularly
  • Establishing strong passwords and other cybersecurity protocols
  • Enforcing rigid access controls and monitoring access to account data

For large merchants and service providers that process high volumes of online financial transactions, PCI DSS compliance is enforced by annual validations performed by an independent Qualified Security Assessor (QSA). 

Resources

PCI Security

Akamai Certification

Akamai’s Attestation of Compliance (AoC) serves as evidence for our customers that our in-scope services are compliant with the PCI DSS v. 3.2.1 security standard. 

In connection with our PCI DSS compliance, Akamai performs a quarterly third-party external penetration test of the secure CDN. Results of these quarterly penetration tests, and compliance documentation and/or certification, are available for customers under nondisclosure agreement (NDA).

Downloads / Links

Applicable Akamai Services

  • Secure CDN, and the services running on it
  • Web performance products such as Ion and EdgeWorkers, when running on the Secure CDN
  • Cloud security products such as Kona Site Defender and Bot Manager, when running on the Secure CDN
  • Page Integrity Manager
  • Akamai MFA
  • Bot Manager Premier
  • mPulse digital performance management services

Q&A

Is Akamai PCI DSS Certified?

Yes, Akamai is certified as a PCI DSS Level 1 Service Provider, the highest level of assessment available. The compliance assessment was conducted by Specialized Security Services, Inc., an independent Qualified Security Assessor (QSA). The PCI DSS Attestation of Compliance and Responsibility Matrix are publicly available.  

If my website is using Akamai, how can I be sure that it is PCI DSS compliant?

Customers are responsible for their own PCI DSS certification and should engage a Qualified Security Assessor (QSA) to validate their controls and obtain certification. Customers and their QSAs may rely on Akamai’s Attestation of Compliance for the portion of their cardholder data environment that uses Akamai’s PCI DSS compliant services. Akamai’s PCI DSS Responsibility Matrix spells out the responsibilities of Akamai and of our customers with respect to each of the PCI DSS requirements. Your account team may also provide you with our PCI DSS Customer Configuration Guide, which describes the customer-side configuration in more detail.

Is Akamai listed on the Visa Global Registry of Service Providers and the Mastercard Compliant Service Provider List?

Yes. Akamai is listed on the lists provided by both Visa and Mastercard. This shows that Akamai has met all applicable program requirements of these major payment card companies.  

Can I review an executive summary of Akamai’s quarterly Approved Scanning Vendor (ASV) vulnerability scans and external penetration tests?

Yes. Your account team may provide this information subject to standard nondisclosure agreement (NDA).


SOC 2

Overview

SOC (System and Organization Controls) is a reporting framework established by the American Institute of Certified Public Accountants (AICPA). A SOC 2 report describes and tests the controls at a service organization that relate to the Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.

Resources

AICPA SOC Suite of Services

Akamai Certification

Akamai receives annual SOC 2 Type 2 reports, which test the operating effectiveness of our security controls over a review period rather than at a single point in time.

In addition, in 2021, Akamai received a SOC 2 Type 1 report, specifically with respect to the Bot Manager Premier and Account Protector solutions. Akamai plans to include these products in a SOC 2 Type 2 report in late 2022.

Applicable Akamai Services

Akamai’s primary SOC 2 Type 2 report covers the Security and Availability Trust Service Criteria. The Akamai services in scope for this report are as follows:

  • Secure CDN with Enhanced TLS
  • Prolexic DDoS mitigation services
  • Akamai Control Center customer portal
  • Additional systems supporting access management, key management, and other infrastructural systems

The Akamai Intelligent Edge Platform comprises many different distributed systems that serve a variety of purposes and support our various products and services. The Secure CDN with Enhanced TLS and the supporting systems covered by the report are the distributed servers and systems used to deliver and protect web properties that transit or process sensitive end-user information. Akamai services running on the Secure CDN with Enhanced TLS leverage all of the security and availability controls tested in the primary SOC 2 Type 2 report. Examples of such services that may run on the Secure CDN with Enhanced TLS include:

  • Web performance products such as Ion and Dynamic Site Delivery, when running on the Secure CDN with Enhanced TLS
  • Cloud security products, such as Kona Site Defender, Kona DDoS Defender, Web Application Protector, and Bot Manager Standard, when running on the Secure CDN with Enhanced TLS

Akamai’s 2021 SOC 2 Type 1 report covers the Security and Availability Trust Service Criteria. The Akamai services in scope for this report are as follows:

  • Bot Manager Premier
  • Account Protector

Akamai’s SOC 2 report for Akamai Identity Cloud covers all five Trust Service Criteria.

Dates / Term / Auditor

Akamai’s SOC 2 Type 2 report covering the Security and Availability Trust Service Criteria is generated by Ernst & Young LLP and covers the period from January through September of each year.  

The SOC 2 Type 2 report for Akamai Identity Cloud, which covers all five Trust Service Criteria, is generated by A-LIGN Assurance and covers the period from May 1 through April 30 of each year. 

The SOC 2 Type 1 report for Bot Manager Premier and Account Protector is effective as of September 30, 2021.

Q&A

Who performs the independent audit of Akamai for its SOC 2 reports?

Ernst & Young LLP performs the independent audits of Akamai’s core content delivery network solutions, Bot Manager Premier, and Account Protector, which cover the Security and Availability Trust Service Criteria.

A-LIGN Assurance performs Akamai’s independent audit of Akamai Identity Cloud, which covers all five Trust Service Criteria.

How do I get a copy of the SOC 2 report?

Your Akamai account team can provide you with a copy. 

What regions are covered?

Akamai’s SOC 2 reports cover Akamai’s services as a whole, and are not limited to particular regions.

What period is covered by Akamai’s SOC 2 report?

Akamai’s SOC 2 report by Ernst & Young LLP covers the period from January 1 through September 30 of each year. Akamai’s SOC 2 report by A-LIGN Assurance covers the period from May 1 through April 30 of each year. The SOC 2 Type 1 report does not cover a period, but is effective as of September 30, 2021.

Do you have a bridge letter covering the period since the last covered period?

Your account team can provide you with a bridge letter covering the period from October 1 through December 31 of the previous year, with respect to the SOC 2 report by Ernst & Young LLP.

How often are the Akamai SOC 2 reports issued?

Each of Akamai’s SOC 2 reports is issued once per year.

Does Akamai have a certificate of SOC 2 compliance?

There is no certificate of compliance. Instead, qualified third-party assessors produce an attestation report for the assessed organization, covering its system description, scope, control descriptions for meeting the criteria, the evidence examined, and the suitability of the organization’s descriptions and evidence.

Does Akamai have a SOC 1 report?

Akamai does not undergo a SOC 1 audit. The purpose of a SOC 1 report is to address a service provider’s internal controls that may impact its customers’ financial reporting. Akamai’s services do not directly impact customers’ financials or accounting controls, so a SOC 1 audit is not relevant to Akamai.


ISO 27002

Overview

ISO/IEC 27002:2013 is an information security standard published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), titled “Information technology — Security techniques — Code of practice for information security controls.”

ISO/IEC 27002:2013 gives guidelines for organizational information security standards and information security management practices including the selection, implementation, and management of controls taking into consideration the organization’s information security risk environment(s). 

It is designed to be used by organizations that intend to: 

  • Select controls within the process of implementing an information security management system based on ISO/IEC 27001
  • Implement commonly accepted information security controls
  • Develop their own information security management guidelines

Resources

Akamai Assessment

Akamai is assessed annually for compliance with ISO 27002, which defines controls around a company’s information security program. An executive summary of that report is available to customers and partners subject to nondisclosure agreement (NDA) with Akamai. Contact your account team for more information. 

Applicable Akamai Services

Akamai’s ISO 27002 assessment applies to all Akamai offerings and our overall information security program.

Q&A

When was Akamai’s ISO 27002 assessment?

CFGI completed Akamai’s latest ISO 27002 gap assessment on March 5, 2021.

Can I obtain a copy of the assessment?

Your account team can provide you with an executive summary of our latest ISO 27002 assessment.


NIST

Overview

The National Institute of Standards and Technology (NIST) Special Publication 800-53 security controls are generally applicable to U.S. federal information systems. To ensure sufficient protection of the confidentiality, integrity, and availability of information and information systems, federal information systems typically go through a formal assessment and authorization process.

The NIST Cybersecurity Framework (CSF) is supported by governments and industries worldwide as a recommended baseline for use by any organization, regardless of sector or size. Federal agencies are now required to use the CSF under the Cybersecurity Executive Order (Executive Order 13800).

Resources

NIST

Akamai Assessment

The Akamai Intelligent Edge Platform has been validated by third-party testing performed against the NIST SP 800-53 controls as well as the additional FedRAMP requirements. Akamai’s FedRAMP authorization, which is based on the NIST SP 800-53 Moderate baseline, is at the Moderate Impact level.

See Akamai’s FedRAMP compliance page for more information about FedRAMP compliance, which includes the relevant NIST controls.

Downloads / Links


EU–U.S. Privacy Shield

Overview

Facilitating the safe sharing of information between the European Union (EU) and the United States (U.S.), the EU–U.S. Privacy Shield is a framework that regulates transatlantic exchanges of personal data for commercial purposes. One of its purposes is to enable U.S. companies to more easily receive personal data from EU entities under EU privacy laws meant to protect EU citizens. The EU–U.S. Privacy Shield is a replacement for the International Safe Harbor Privacy Principles, which were declared invalid by the European Court of Justice in October 2015.

Resources

Privacy Shield Framework

Akamai Assessment

Akamai’s processing activities are certified under the EU–U.S. Privacy Shield program and under the Swiss–U.S. Privacy Shield program, and Akamai remains committed to the programs, although they can no longer serve as a data transfer mechanism since the Schrems II judgment by the European Court of Justice.

Downloads / Links

Akamai’s Privacy Shield Certification

Applicable Akamai Services

All Akamai services are in scope of the Privacy Shield certification. Akamai’s internal HR processing activities are not covered. 

Where customer HR data is part of the customer’s web properties and is processed by Akamai in the course of providing Akamai services, the processing of that customer HR data is covered by Akamai’s Privacy Shield certification.

Q&A

What’s the term of Akamai’s certification?

The certification cycle is one year. The current term is outlined in Akamai’s Privacy Shield certification.