Akamai Identity Cloud Security

Our customers’ success (and consequently our own) depends on our commitment to maintain the security, confidentiality, integrity, and availability of the digital identities we host. We must protect the employees, customers, and third parties whom our customers authorize to access their online properties or managed devices. That is why our global platform architecture features field-level scoped data access, full encryption of databases at rest, leading service availability and data reliability, distributed backups, and disaster recovery capabilities. It is also why Akamai Identity Cloud leads the competition in accredited third-party certifications.

How We Keep Your Customer Identity Data Secure

Security Monitoring, Blocking, and Fraud Protections

Akamai Identity Cloud continuously monitors the state and health of its production environments. We gather detailed key performance indicator (KPI) metrics on uptime and availability for every service. Abnormalities trigger alerts to the Network Operations Command Center (NOCC) staff, who are on call 24/7/365.

Brute Force Attacks (Account Takeovers)

Akamai Identity Cloud offers account locking to protect against brute-force password guessing. After a configurable number of failed attempts against an account, Akamai Identity Cloud locks it. This feature is fully customizable: customers determine when and how to block additional login attempts. In addition, Akamai Identity Cloud offers CAPTCHA- and SMS-based step-up authentication, which customers can require at any failed-attempt threshold. When tuning these thresholds, keep in mind that a permanent lock lets an attacker deny service to a legitimate user simply by submitting bad passwords, so lockouts are normally time-limited and combined with step-up challenges rather than used on their own.

Advanced Persistent Distributed Attacks

Akamai Identity Cloud has experience in staving off distributed attacks. By proactively monitoring for bot and other malicious activity, correlating dozens of custom metrics specific to login and registration, we can block the large, constantly changing sets of IP addresses that attackers spin up during an attack.

Through IP blocking and whitelisting, Akamai Identity Cloud can ensure that access is granted only when authorized. For example, at the customer’s option, Akamai Identity Cloud can identify IP addresses from specific countries or regions and block them from registering and/or logging in (geoblocking). It can also block specific lists of IP addresses (for example, lists of known-bad and black-hat-associated addresses). If addresses are legitimate exceptions to the standard rules, or have been erroneously added to a blacklist, Akamai Identity Cloud can whitelist them so that they are always accepted. Because a whitelist entry overrides both the blacklist and geoblocking, the whitelist should be kept short and reviewed regularly.
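The decision order described above (whitelist always wins, then blacklist, then a per-country, per-action geoblock), written out as an added example that is not Akamai Identity Cloud code. The CIDRs, country codes and the small CIDR-to-country table standing in for a GeoIP database are constructed sample data; the policy also normalizes IPv4-mapped IPv6 addresses so that `::ffff:203.0.113.9` hits the IPv4 rules rather than slipping past them.

```python
"""Added example (not Akamai Identity Cloud code): source-IP policy for
login and registration. Whitelist beats blacklist beats geoblock, and a
geoblock can apply to registration only or to both actions."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


def _nets(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


@dataclass
class IpPolicy:
    whitelist: list = field(default_factory=list)   # CIDRs that are always accepted
    blacklist: list = field(default_factory=list)   # known-bad CIDRs
    geoblock: dict = field(default_factory=dict)    # country code -> set of blocked actions
    geo_table: dict = field(default_factory=dict)   # CIDR -> country code (GeoIP stand-in)

    def __post_init__(self) -> None:
        self._allow = _nets(self.whitelist)
        self._deny = _nets(self.blacklist)
        # Longest prefix first, so a /25 carve-out overrides the /24 around it.
        self._geo = sorted(((ipaddress.ip_network(c, strict=False), cc)
                            for c, cc in self.geo_table.items()),
                           key=lambda nc: nc[0].prefixlen, reverse=True)

    def country_of(self, ip) -> str | None:
        for net, cc in self._geo:
            if ip in net:          # the stdlib returns False across IP versions
                return cc
        return None

    def decide(self, ip_str: str, action: str) -> tuple[str, str]:
        """Returns (verdict, reason). Raises ValueError on a malformed address."""
        ip = ipaddress.ip_address(ip_str.strip())
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped     # ::ffff:a.b.c.d must be judged as a.b.c.d
        if any(ip in n for n in self._allow):
            return "allow", "whitelist"
        if any(ip in n for n in self._deny):
            return "deny", "blacklist"
        cc = self.country_of(ip)
        if cc is not None and action in self.geoblock.get(cc, ()):
            return "deny", f"geoblock:{cc}"
        return "allow", "default"


# Constructed sample policy (documentation ranges and made-up country codes).
POLICY = IpPolicy(
    whitelist=["198.51.100.0/24"],                       # e.g. a partner's egress range
    blacklist=["203.0.113.0/24", "2001:db8:bad::/48"],   # e.g. a reputation feed
    geoblock={"AA": {"register", "login"}, "BB": {"register"}},
    geo_table={"192.0.2.0/24": "AA", "192.0.2.128/25": "BB",
               "203.0.113.0/24": "CC", "198.51.100.0/24": "CC"},
)


if __name__ == "__main__":
    for ip, action in [("198.51.100.7", "login"), ("::ffff:203.0.113.9", "login"),
                       ("192.0.2.5", "register"), ("192.0.2.200", "login"), ("10.1.2.3", "login")]:
        print(ip, action, POLICY.decide(ip, action))
```

The whitelist check runs before everything else on purpose: that is what "always accepted" means, and it is also why a stale whitelist entry is a risk worth auditing.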

Denial-of-Service Attacks

Online Business Systems, Inc., an external third-party penetration testing firm, tested Akamai Identity Cloud’s ability to withstand denial-of-service (DoS) attacks. Bot mitigation includes rate limiting against bot-driven DoS, reCAPTCHA against bots that create fake user profiles, and both client- and server-side validation to ensure that all submitted field values are legitimate. The server-side validation is the control that matters for security; client-side checks improve the user experience but are bypassed by any script that talks to the API directly.
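The two counting controls described in this section and under Brute Force Attacks above (per-account lockout with CAPTCHA and SMS step-up thresholds, and per-IP rate limiting against bot traffic) share one mechanism, a sliding-window event counter. The block below is an added example, not Akamai Identity Cloud code; the threshold values, the `LoginPolicy` knobs and the sample account and IP are assumptions. It shows the gate escalating as failures accumulate and, because locks expire, a legitimate user recovering after the lockout period.

```python
"""Added example (not Akamai Identity Cloud code): one sliding-window
counter driving account lockout with step-up thresholds and per-IP rate
limiting. All thresholds and names are illustrative assumptions."""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass


class SlidingWindowCounter:
    """Counts events per key that occurred within the last `window` seconds."""

    def __init__(self, window: float) -> None:
        self.window = window
        self._events: dict[str, deque[float]] = {}

    def add(self, key: str, now: float) -> int:
        q = self._events.setdefault(key, deque())
        q.append(now)
        self._prune(q, now)
        return len(q)

    def count(self, key: str, now: float) -> int:
        q = self._events.get(key)
        if q is None:
            return 0
        self._prune(q, now)
        return len(q)

    def reset(self, key: str) -> None:
        self._events.pop(key, None)

    def _prune(self, q: deque[float], now: float) -> None:
        while q and now - q[0] > self.window:
            q.popleft()


@dataclass
class LoginPolicy:
    """Tenant-configurable knobs (hypothetical values)."""
    captcha_after: int = 3        # failed attempts before a CAPTCHA is demanded
    sms_after: int = 5            # failed attempts before an SMS code is demanded
    lock_after: int = 8           # failed attempts before the account is locked
    window: float = 900.0         # seconds over which failures are counted
    lock_seconds: float = 900.0   # locks expire, so bad passwords cannot DoS a user forever


class LoginGuard:
    def __init__(self, policy: LoginPolicy) -> None:
        self.policy = policy
        self.failures = SlidingWindowCounter(policy.window)
        self.locked_until: dict[str, float] = {}

    def gate(self, account: str, now: float) -> str:
        """Challenge to apply before an attempt: allow, captcha, sms or locked."""
        until = self.locked_until.get(account)
        if until is not None:
            if now < until:
                return "locked"
            del self.locked_until[account]   # lock expired: start counting afresh
            self.failures.reset(account)
        n = self.failures.count(account, now)
        if n >= self.policy.sms_after:
            return "sms"
        if n >= self.policy.captcha_after:
            return "captcha"
        return "allow"

    def record_failure(self, account: str, now: float) -> str:
        if self.failures.add(account, now) >= self.policy.lock_after:
            self.locked_until[account] = now + self.policy.lock_seconds
            return "locked"
        return self.gate(account, now)

    def record_success(self, account: str) -> None:
        self.failures.reset(account)


class RateLimiter:
    """Per-source-IP limiter: at most `limit` requests in any `window` seconds."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.counter = SlidingWindowCounter(window)

    def allow(self, ip: str, now: float) -> bool:
        return self.counter.add(ip, now) <= self.limit


def demo() -> dict:
    """Eight bad passwords one second apart, then a 7-request burst from one IP."""
    guard = LoginGuard(LoginPolicy())
    t = 1_000.0
    gates = [guard.record_failure("alice@example.com", t + i) for i in range(8)]
    during_lock = guard.gate("alice@example.com", t + 100)
    after_lock = guard.gate("alice@example.com", t + 7 + 900 + 1)
    limiter = RateLimiter(limit=5, window=1.0)
    burst = [limiter.allow("203.0.113.7", t + i * 0.1) for i in range(7)]
    later = limiter.allow("203.0.113.7", t + 2.0)
    return {"gates": gates, "during_lock": during_lock, "after_lock": after_lock,
            "burst": burst, "later": later}


if __name__ == "__main__":
    print(demo())
```

A production version would keep the counters in a shared store rather than in process memory, so that an attacker spreading attempts across API nodes sees the same thresholds everywhere.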

Trend Monitoring

Akamai Identity Cloud employs custom API monitoring on a per-customer basis to establish usage trends and to identify and block abnormal usage patterns. This has repeatedly identified and mitigated malicious activity on behalf of Akamai Identity Cloud customers. Because each customer’s traffic is unique, alerting and blocking rules are set against that customer’s own baseline rather than a global one: a volume that is routine for a large site can be a clear anomaly for a small one.

Adjusting a customer’s custom blocking rules is a collaborative process between Akamai Identity Cloud and the customer. Different customers have different risk appetites and risk tolerances, and these shape the trade-off between blocking some legitimate traffic and absorbing some cost of fraud. Advanced persistent attacks may require several rounds of adjustment to the custom policy engine rules.

Intrusion Detection

The OSSEC host-based intrusion detection system automatically reviews logs for suspicious activity on a regular basis. New-account fraud protections include CAPTCHA- and SMS-based authentication, which a customer may enable as step-up protection against scripted account creation. Akamai Identity Cloud proactively monitors for bot and other malicious activity by correlating dozens of custom metrics specific to login and registration, and by identifying anomalies relative to each customer’s own traffic patterns.
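The per-customer baselining described under Trend Monitoring and repeated here (several login and registration metrics correlated, anomalies judged against the tenant’s own history) can be shown with a small detector. The block below is an added example, not Akamai Identity Cloud code and not an OSSEC rule; the tenant names, the one-event-per-line log format and all volumes are constructed. It scores each minute with a median/MAD z-score per metric and raises an alert only when at least two metrics deviate together, so that a burst which is normal for the large tenant is flagged only for the small one.

```python
"""Added example (not Akamai Identity Cloud code): per-tenant trend
baselining over login/registration events, alerting only when several
metrics deviate together. Log format, tenants and volumes are constructed."""
from __future__ import annotations

import statistics
from collections import defaultdict

# Below this scale a baseline is treated as flat; also avoids division by zero.
METRIC_FLOORS = {"registers": 1.0, "login_fails": 1.0, "distinct_ips": 1.0, "fail_ratio": 0.05}


def build_sample_log() -> list[str]:
    """Constructed log, one event per line: '<minute> <tenant> <event> <ip>'.
    shop-a is a small site hit by a sign-up/credential-stuffing burst in
    minute 60; shop-b is a large site whose normal volume equals that burst."""
    lines: list[str] = []

    def minute(m, tenant, registers, ok, fails):
        events = ["register"] * registers + ["login_ok"] * ok + ["login_fail"] * fails
        for i, ev in enumerate(events):           # one distinct source IP per event
            lines.append(f"{m} {tenant} {ev} 10.0.{i // 256}.{i % 256}")

    for m in range(62):
        if m == 60:
            minute(m, "shop-a", 40, 20, 30)
        else:
            minute(m, "shop-a", 2 + m % 3, 20, 1 + m % 2)
        minute(m, "shop-b", 38 + m % 5, 200, 5 + m % 3)
    return lines


def parse(lines):
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        minute, tenant, event, ip = line.split()
        yield int(minute), tenant, event, ip


def per_minute_metrics(events) -> dict:
    """(tenant, minute) -> {registers, login_fails, distinct_ips, fail_ratio}."""
    counts = defaultdict(lambda: {"register": 0, "login_ok": 0, "login_fail": 0, "ips": set()})
    for minute, tenant, event, ip in events:
        b = counts[(tenant, minute)]
        if event in ("register", "login_ok", "login_fail"):
            b[event] += 1
        b["ips"].add(ip)
    metrics = {}
    for key, b in counts.items():
        attempts = b["login_ok"] + b["login_fail"]
        metrics[key] = {
            "registers": b["register"],
            "login_fails": b["login_fail"],
            "distinct_ips": len(b["ips"]),
            "fail_ratio": b["login_fail"] / attempts if attempts else 0.0,
        }
    return metrics


def robust_z(value: float, history: list[float], floor: float) -> float:
    """Median/MAD z-score: a few past attacks in the history do not drag the baseline up."""
    if not history:
        return 0.0
    med = statistics.median(history)
    mad = statistics.median(abs(h - med) for h in history)
    return (value - med) / max(1.4826 * mad, floor)


def detect(lines, baseline_end: int = 60, z_threshold: float = 3.0, min_metrics: int = 2) -> dict:
    """Returns {(tenant, minute): [anomalous metrics]} for minutes >= baseline_end."""
    metrics = per_minute_metrics(parse(lines))
    history = defaultdict(lambda: defaultdict(list))   # tenant -> metric -> baseline values
    for (tenant, minute), m in metrics.items():
        if minute < baseline_end:
            for name, value in m.items():
                history[tenant][name].append(value)
    alerts = {}
    for (tenant, minute), m in metrics.items():
        if minute < baseline_end:
            continue
        flagged = [name for name, value in m.items()
                   if robust_z(value, history[tenant][name], METRIC_FLOORS[name]) > z_threshold]
        if len(flagged) >= min_metrics:
            alerts[(tenant, minute)] = flagged
    return alerts


if __name__ == "__main__":
    for key, names in detect(build_sample_log()).items():
        print(key, names)
```

The `min_metrics` requirement is the correlation step: a registration spike alone might be a marketing campaign, but a registration spike together with a jump in distinct source IPs and in the login failure ratio looks like scripted abuse.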

The Akamai Identity Cloud Security Management Program

Please contact your account team to review the Akamai Identity Cloud ISO 27001, AT-101, and SOC 2 Type 2 reports for a detailed description of the information security management system (ISMS). An overview follows.

Information Security Management System

The Akamai Identity Cloud ISMS Governance Policy defines and supports the ISMS in place. The ISMS manual is available to customers under NDA upon request. The information security management committee (ISMC) is responsible for ensuring that Akamai Identity Cloud maintains conformity with the ISO 27001:2013 and ISO 27018:2014 (protection of PII in public clouds) standards through the policies and procedures defined in the ISMS manual.

The ISMC consists of the CEO, CFO, CTO, VP of Engineering and Operations, General Counsel, and CSO. The ISMS also ensures that standards are maintained for Cloud Security Alliance (CSA STAR) Level 2 certification, HIPAA/HITECH compliance, Privacy Shield certification, OpenID Connect (OIDC) Relying Party certification, SOC 2 Type 2 (Security, Availability, Confidentiality) compliance, and TRUSTe certification.

All security policies and procedures are reviewed and approved for use on an annual basis, or more frequently as determined by risk. Risk assessment remediation can result in updates to policies and procedures to ensure they remain effective.

The effectiveness of Akamai Identity Cloud ISMS is measured by quarterly and annual metrics that accurately reflect the status of the implementation and operation of Akamai Identity Cloud security systems and controls. All staff members receive security and privacy training upon hire and annually thereafter.

Access Control

Access to the systems that make up Akamai Identity Cloud services is strictly controlled. Access is revoked on role change and on employee departure, and access reviews are performed quarterly. VPN, SSH, and multi-factor authentication are required to reach production systems.

Backups

Customer data is always written simultaneously to encrypted databases in multiple data centers (hot/hot replicas) in separate availability zones (AZs). Point-in-time encrypted backups are taken nightly, stored in multiple databases across AZs, and kept current with incremental backups taken every 300 seconds.

Business Continuity

Akamai tests and reviews business continuity policies annually. Because of Akamai Identity Cloud’s high-availability deployment across all accessible AZs in a region, invoking business continuity would require a regional disaster simultaneously impacting every AZ in the region and each of their backups.

There is no single point of failure. Using the US East region as an example, 30 to 60 simultaneous failures across separate data centers would be needed before business continuity is invoked. Akamai Identity Cloud runbooks for transferring customers from one region to another have been thoroughly tested for the exceptionally unlikely case of an entire region of multiple separate data centers being lost at once.

“Security and privacy by design” is one of Akamai Identity Cloud’s core tenets: security and privacy are built into every phase of the software development lifecycle.

Firewalls and Zero Trust

In addition to industry-standard firewalls for all data entering the internal network from any external source, Akamai Identity Cloud uses security groups that act as virtual firewalls to control inbound and outbound traffic.

Security groups provide the same network-level blocking that firewalls do, but they are attached to the instances themselves and are simpler to manage. Akamai Identity Cloud has also architected a Zero Trust VPC model to further protect your data. Zero Trust is a security model that addresses the shortcomings of perimeter-centric strategies by removing the assumption of trust: no entity, whether user, device, application, or packet, is trusted by default, regardless of what it is or where it sits on or relative to the corporate network. Please see the Akamai Identity Cloud high-level infrastructure document for more details.

Field Level Data Scoped Access

Akamai Identity Cloud has designed scoped access authorization directly into its CIAM platform. This customizable functionality ensures that when a registered user submits sensitive data, the data is used only for the purpose for which it was submitted. Scoped access at the field level can be applied to as many profile databases as you choose to set up.

Scoped access lets organizations grant granular, field-level access rights to each of the client credentials used to query a user record. This is critical in reducing the risk of customer data exposure: a credential that needs only an email address cannot read phone numbers or postal addresses. Scoped access lets you grant exactly the right type of data access to the other systems in an organization’s websites, mobile applications, third-party applications, platforms, and services that make up a marketing tech stack. It can even be applied to digital agencies that require select pieces of user data to run a campaign on a company’s behalf. Customers can also scope different access for different sites that all write to the same database.
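What field-level scoping looks like when enforced in code, as an added example that is not Akamai Identity Cloud code. Each credential carries a read scope and a write scope expressed as dotted field paths (a prefix such as `profile` grants the whole subtree); reads are projected down to the scope, writes outside it are rejected before anything is changed, and the password hash is never readable through any scope even if a scope is misconfigured to ask for it. The credential names, the dotted-path scope syntax and the sample record are assumptions made for this example.

```python
"""Added example (not Akamai Identity Cloud code): field-level scoped
access for API credentials. Names, scope syntax and record are invented."""
from __future__ import annotations

from copy import deepcopy
from dataclasses import dataclass


class ScopeViolation(PermissionError):
    pass


@dataclass(frozen=True)
class Scope:
    read: frozenset[str]
    write: frozenset[str] = frozenset()


NEVER_READABLE = frozenset({"password"})   # no API credential ever receives the hash

# Constructed credentials; a prefix such as "profile" grants the whole subtree.
CREDENTIALS = {
    "marketing-site": Scope(read=frozenset({"email", "profile.displayName", "profile.newsletter"}),
                            write=frozenset({"profile.newsletter"})),
    "agency-campaign": Scope(read=frozenset({"email"})),
    "support-tool": Scope(read=frozenset({"email", "profile", "address"}),
                          write=frozenset({"profile", "address"})),
    "misconfigured": Scope(read=frozenset({"email", "password"})),
}

SAMPLE_USER = {
    "uuid": "user-0001",
    "email": "alice@example.com",
    "password": "$2b$10$" + "A" * 53,   # placeholder in bcrypt shape, not a real hash
    "profile": {"displayName": "Alice", "phone": "+1 555 0100", "newsletter": False},
    "address": {"city": "Cambridge", "postalCode": "02139"},
}


def _covered(path: str, allowed: frozenset[str]) -> bool:
    parts = path.split(".")
    return any(".".join(parts[:i]) in allowed for i in range(1, len(parts) + 1))


def project(record: dict, allowed: frozenset[str], prefix: str = "") -> dict:
    """Keep only fields covered by `allowed`; nested dicts are descended into."""
    out = {}
    for key, value in record.items():
        path = prefix + key
        if path in NEVER_READABLE:
            continue
        if path in allowed:
            out[key] = deepcopy(value)
        elif isinstance(value, dict):
            sub = project(value, allowed, path + ".")
            if sub:
                out[key] = sub
    return out


def _leaf_paths(obj, prefix: str = ""):
    if isinstance(obj, dict) and obj:
        for key, value in obj.items():
            yield from _leaf_paths(value, f"{prefix}{key}.")
    else:
        yield prefix[:-1]


def _merge(dst: dict, patch: dict) -> None:
    for key, value in patch.items():
        if isinstance(value, dict) and isinstance(dst.get(key), dict):
            _merge(dst[key], value)
        else:
            dst[key] = deepcopy(value)


def read(credential: str, record: dict) -> dict:
    return project(record, CREDENTIALS[credential].read)


def update(credential: str, record: dict, patch: dict) -> dict:
    """Returns an updated copy, or raises ScopeViolation naming every denied field."""
    scope = CREDENTIALS[credential]
    denied = [p for p in _leaf_paths(patch) if not _covered(p, scope.write)]
    if denied:
        raise ScopeViolation(f"{credential} may not write: {', '.join(sorted(denied))}")
    updated = deepcopy(record)
    _merge(updated, patch)
    return updated


if __name__ == "__main__":
    for cred in CREDENTIALS:
        print(cred, read(cred, SAMPLE_USER))
```

The write check collects every out-of-scope path before touching the record, so a patch that mixes one permitted and one forbidden field is rejected as a whole rather than half-applied.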

Encryption

Akamai Identity Cloud encrypts all data in transit. The platform leverages encryption to protect data and virtual machine images during transport across and between networks and in hypervisor instances. All data in transit uses current TLS cipher suites (2048-bit certificate keys and 256-bit symmetric session keys) over TLS 1.1 or later. TLS 1.0 and 1.1 have since been formally deprecated (RFC 8996), so integrations should be configured to require TLS 1.2 or later. Akamai Identity Cloud offers full-disk encryption for data at rest and further protects data by ensuring that every access point (UI and APIs for tools, sites, applications, agencies, etc.) is scoped for least privilege, so that only the necessary data fields can be accessed. All data replicas and backups across multiple AZs (up to 10 separate data centers each) are also encrypted.

Other Data Protections

  • Abstraction layer: Akamai Identity Cloud services provide a consistent abstraction layer on top of access to the data. The underlying data stores are designed for consistency, reliability, and data privacy, and are optimized for performance.
  • Other access controls: OAuth 2.0 compliant.
  • Secure data: Each Akamai Identity Cloud deployment and its associated data is isolated in its own logically discrete production environment. Multi-tenant security controls, including unique session tokens, configurable session timeout values, and password policies are applied to prevent unauthorized access.
  • Scoped dashboard access: Akamai Identity Cloud uses roles to enforce dashboard access. Customers can configure 2FA for customer administrators. Customer administrators control data access to their Akamai Identity Cloud application.
  • Data center security: Professional security staff who use video surveillance, intrusion detection systems, and other electronic means control physical access to Amazon Web Services (AWS) data centers, where the customer data is processed, both at the perimeter and at building ingress points. Authorized AWS staff use multi-factor authentication mechanisms to access data center floors. Centrally managed antivirus protection helps prevent harmful software code from affecting our services or customer data.
  • Schema validation: Akamai Identity Cloud validates customer schemas at deployment time to ensure that sensitive data elements such as passwords are not stored in the clear.
  • bcrypt password hashing: passwords are stored as bcrypt hashes with a cost factor of 10 (2^10 rounds of key expansion), so each guess is deliberately expensive for an attacker who obtains a copy of the database.
  • Input validation: all submitted values are validated for data integrity.
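Two of the checks in the list above, written out as an added example that is not Akamai Identity Cloud code. `validate_schema()` flags password-like attributes that are declared as plain strings instead of a hashed password type, and `parse_bcrypt()` / `needs_rehash()` read the cost factor out of a stored bcrypt hash so that hashes below the policy floor (10 here) can be upgraded on the user’s next successful login, when the plaintext is briefly available. The schema layout is an invented illustration, not the product’s own, and the sample hash strings are constructed to be syntactically valid; they are not hashes of any password.

```python
"""Added example (not Akamai Identity Cloud code): deployment-time schema
check for cleartext secrets, plus a bcrypt cost-factor check for stored
hashes. Schema layout and hash strings are constructed."""
from __future__ import annotations

import re

MIN_COST = 10   # cost factor c means 2**c rounds of bcrypt key expansion

# $2<variant>$<cost>$<22-char salt><31-char digest>, in bcrypt's own base64 alphabet
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")


def parse_bcrypt(stored: str) -> dict:
    m = BCRYPT_RE.match(stored)
    if m is None:
        raise ValueError("not a bcrypt hash (plaintext or another algorithm?)")
    variant, cost, salt, digest = m.groups()
    cost = int(cost)
    if not 4 <= cost <= 31:
        raise ValueError(f"bcrypt cost {cost} out of range")
    return {"variant": variant, "cost": cost, "rounds": 2 ** cost, "salt": salt, "digest": digest}


def needs_rehash(stored: str, min_cost: int = MIN_COST) -> bool:
    """True when the stored hash is weaker than policy and should be upgraded at next login."""
    return parse_bcrypt(stored)["cost"] < min_cost


def validate_schema(schema: dict, min_cost: int = MIN_COST) -> list[str]:
    """Return a list of problems; an empty list means the schema may be deployed."""
    problems = []
    for attr in schema.get("attributes", []):
        name, kind = attr["name"], attr["type"]
        looks_secret = "password" in name.lower() or attr.get("sensitive", False)
        if kind == "password":
            if attr.get("hash") != "bcrypt":
                problems.append(f"{name}: password attribute must declare hash=bcrypt")
            elif attr.get("cost", 0) < min_cost:
                problems.append(f"{name}: bcrypt cost {attr.get('cost')} below minimum {min_cost}")
        elif looks_secret:
            problems.append(f"{name}: password-like attribute stored as plain {kind}")
    return problems


# Constructed schemas and hash strings for the checks above.
GOOD_SCHEMA = {"attributes": [
    {"name": "email", "type": "string"},
    {"name": "password", "type": "password", "hash": "bcrypt", "cost": 10},
]}
BAD_SCHEMA = {"attributes": [
    {"name": "email", "type": "string"},
    {"name": "password", "type": "string"},                                   # stored in the clear
    {"name": "legacyPassword", "type": "password", "hash": "bcrypt", "cost": 5},
    {"name": "securityAnswer", "type": "string", "sensitive": True},
]}
HASH_COST_10 = "$2b$10$" + "N" * 22 + "h" * 31   # shape only, not a real hash
HASH_COST_08 = "$2a$08$" + "N" * 22 + "h" * 31


if __name__ == "__main__":
    print("good:", validate_schema(GOOD_SCHEMA))
    print("bad:", validate_schema(BAD_SCHEMA))
    print("rehash cost-8 hash:", needs_rehash(HASH_COST_08))
```

Because every cost increment doubles the work, a floor of 10 (1,024 rounds) is the common baseline today; raising the floor later is cheap to enforce with `needs_rehash()` at login, while leaving old hashes in place silently keeps the weakest ones.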

Scans

Akamai Identity Cloud engages an industry-recognized third party to perform an independent, impartial network penetration test and application vulnerability assessment annually. Customers can request the test reports. The application vulnerability testing is based on OWASP, SANS, CWE, and WASC standards.