The goals of the Information Security Program are to:
- Enhance the experience and security of our customers
- Make security a competitive advantage
- Manage security and privacy risks to a level deemed appropriate by Akamai senior management
- Comply with all legal and regulatory requirements as efficiently as possible
- Provide ongoing security training to employees
The fundamental principles of Akamai's security program are:
Least Privilege. This is the principle by which an architecture, product, or service is designed so that each system entity (e.g., an individual user or machine) is granted the minimum system resources and authorizations that the entity needs to do its work. This principle tends to limit damage that can be caused by an accident, error, or unauthorized act.
Deny All That Is Not Explicitly Permitted. Anything that is not explicitly allowed is denied. The default for all configurations should be to deny access and to deny modification unless explicitly required by the specification/contract.
Separation of Duties. The practice of dividing the steps in a system function among different roles combined with allocating responsibilities and privileges in such a way that prevents an individual or a small group of collaborating individuals from inappropriately controlling multiple key aspects of a process and causing unacceptable harm or loss.
Defense in Depth. This works by building multiple layers of security, compartmentalizing the network and adding access control points closer to the various assets that are being protected. This allows the overall security not to be reliant upon a single defense mechanism.
Risk Segmentation. This is designed to create deliberate and pre-planned isolation of access to only that data that can be associated with designated persons and their "need to know." If one compartment is compromised, it should be equally difficult for an intruder to obtain access to each subsequent compartment.
Secure Failure. When a system fails, for any reason, the system should fail to a secure state. This principle also applies at startup such that when a system is initialized the initial state is the most secure state and then functions are activated maintaining that secure state. This principle is often known as “fail-closed.”
Simplicity. A simple system is more easily secured than a complex system, as there is a reduced chance for error. Unused and unneeded components and functions are removed to reduce the complexity, allow easier diagnostics, and increase reliability.
Universal Authentication and Authorization. Firmly established identity- and role-based authorization is used to make explicit access control decisions. Commonality of authentication systems reduces the need for a user to maintain many authentication secrets; commonality of authorization systems reduces the likelihood of unaudited permissions violating least privilege as employees change roles.
Accountability. An essential ingredient of security systems is the ability to determine who performed any given action and which actions occurred during a specific time interval. Violations or attempted violations of computer security can be traced to individuals or entities that can be held responsible.
Who's Responsible for What
The InfoSec department, under the direction of the Chief Security Officer, is responsible for the following security functions:
- Oversee security on the deployed (production) networks
- Develop and maintain the vulnerability tracking system
- Develop and maintain the authenticator tracking system
- Coordinate with the Legal department on law enforcement
- Conduct internal-based security investigations related to policy violations
- Advise on upcoming projects and products
- Oversee security audits and assessments
- Respond to security incidents
- Provide security awareness training and advice
- Handle customer-facing security questions
- Oversee the incident management process
- Oversee the severe vulnerability projects and process
- Monitor threats and communicate them to the public and tell the overall public story of Akamai security
The Enterprise Security group is responsible for overseeing security of the corporate networks and systems. This includes:
- Conducting security assessments for new third-party and productivity applications
- Coordinating with Enterprise Infrastructure Services teams supporting the corporate environment
- Managing reactive security around phishing, malware and signature updates
All directors and managers are responsible for ensuring that information security processes are integrated into their organization's operational processes and for ensuring that personnel comply with all information security policies, processes, standards, and guidelines. All managers are responsible for ensuring appropriate security training of personnel working under their direction.
Owners of information resources, applications, repositories, and databases are responsible for creating and maintaining the policies, procedures, guidelines and standards to secure the data entrusted to them appropriately. For example, they may document appropriate roles and responsibilities for administrators and users of the application. Such owners are responsible for monitoring and auditing their controls to ensure compliance.
Employees are responsible for reading, understanding, and complying with all policies, procedures, guidelines, and standards that apply to their role. They are also responsible for acknowledging receipt of training and policy documents annually.
The Architecture Review Board consists of architects for each major service or part of the Akamai engineering and Platform Operations organization, except those from the Luna and Aura divisions. Collectively and individually, the Architecture Review Board is charged with ensuring the integrity of the Akamai system.
The Chief Security Architect is a member of this group and is responsible for defining and maintaining security architecture, integrating security architecture solutions with the deployed network infrastructure architectures, and providing strategic and tactical security reviews.
The Vice President of Corporate Services provides senior management real-time reporting on physical events and incidents that require review throughout the year.
The Senior Director of Systems Administration and the Vice President of Corporate Services are responsible for authorization of access to corporate information processing facilities.
The Executive Vice President of Platform is responsible for authorization of deployed network information processing facilities. Akamai's deployed network servers are deployed in facilities worldwide. Akamai requires co-location facility partners to restrict physical access to those with prior authorization and picture identification. Akamai also requires its providers to enforce verification of Akamai service requests; providers may not attempt to gain any sort of access to Akamai systems without written instructions from Akamai.
The Legal department maintains a Non-Disclosure Agreement (NDA) form. A signed copy must be on file with the Legal Department before confidential information is discussed with non-employees. Individual employees are responsible for understanding the nature of information they're releasing and ensuring that all sensitive Akamai information is properly identified as such. If an employee has any questions about what procedures are necessary, they should review the NDA and Acceptable Use Policy (AUP).
Rather than rely on an annual risk assessment, Akamai manages risk to its deployed networks on a continuous basis. Vulnerabilities are investigated and managed on a daily basis. Critical vulnerabilities that may result in disclosure, alteration, or destruction of sensitive data are turned into formal security incidents and managed through Akamai's "Technical Crisis and Incident Management Process." Vulnerabilities and incidents are reviewed with the senior management team throughout the year.
Akamai has implemented a multi-stage vulnerability assessment framework. Security risks undergo a qualitative risk assessment, as laid out in the Risk Matrix, which evaluates the potential severity of a risk as well as the attackers that could instantiate it. Based on these two factors, the vulnerability receives a classification that indicates the severity of the risk. Additionally, risks caused by software defects are also scored using the Common Vulnerability Scoring System (CVSS), a system that focuses more on likelihood than on potential damage.
Based on the risk and CVSS scores, remediation projects are prioritized jointly by line managers and/or system owners and InfoSec. InfoSec maintains a database of assessed security risks and is responsible for evaluating newly identified risks and identifying risk areas in need of further assessment.
Akamai uses a four-tier information classification:
- Akamai Public
- Akamai Confidential: NDA Required for Release
- Akamai Confidential: Internal Use Only
- Akamai Confidential: Restricted Distribution
Those handling Akamai documents are instructed to appropriately label them to indicate the classification and sensitivity of the information. Labeling documents alerts the holders of that document to the presence of proprietary and confidential information and warns the holders of any special access, controls, or safeguarding requirements.
Akamai's policy is that information in all forms be accompanied by timelines for retention and disposal based upon business justification as documented by the information asset owner. The Legal department is responsible for defining the Record Retention policy.
The policy also states that information relevant to potential or existing litigation involving the company should be retained. When a user has questions concerning if information is relevant to potential or existing litigation, they are asked to contact a member of the Legal Department.
Procedures for the handling and storage of information are established to protect this information from unauthorized disclosure or misuse. Managers are responsible for ensuring appropriate security training of personnel working under their direction to properly execute these procedures.
Those responsible for all storage media containing Akamai Confidential information should erase the items according to generally accepted principles before disposal. In the event the media cannot be erased, the media is physically destroyed using the mechanism provided by Akamai's Vice President of Corporate Services.
The disposal of expired or obsolete non-electronic, e.g., paper, information happens through the use of authorized mechanisms. Akamai's Vice President of Corporate Services is responsible for providing a paper-shredding service and ensuring containers are available at all Akamai facilities.
Certain types of information have special handling requirements:
Financial and Employee Information: This category includes all non-public Akamai financial information as well as private information about Akamai employees. Those managing such information are instructed to prominently mark it with a list of who should have access. For example, information about an employee's personal history should be marked “Akamai Confidential: Restricted Distribution.”
Electronic Mail: All employees are expected to follow the "Electronic Communications Use Policy." Given the insecure nature of electronic communication, caution should be used before e-mailing sensitive information. All electronic mail systems should employ adequate safeguards to protect electronic mail in transit and in storage. Cryptographic controls may be used to protect sensitive information when sent using electronic mail.
Telephones and Sensitive Information: Akamai has resources employees can use to deal with suspected social engineering attempts, mobile phone issues and malware.
Internet Communication: The Legal department has defined the company policy in the "Message Board, Chat Room and Public Disclosure Policy." Akamai confidential information shouldn't be disclosed or discussed on personal web sites or blogs (e-journals). News media, industry analysts, and others routinely surf blogs for sensitive and insider information. Social networking accounts using the Akamai name, logo, or other information that implies the account represents the company are restricted to authorized personnel. Akamai's confidential information is restricted from public disclosure on personal social networking sites.
Working With Outsiders
The Information Security Program also applies to our dealings with outside services that supply artwork and advertising copy, provide assistance in public relations and meeting planning, perform printing and copying of sensitive company materials for customer presentations, conferences and government filings, and deliver other services to Akamai. This includes facilities staff, security contractors, maintenance, janitorial and decorating staff.
Our data is most vulnerable when in transit. Reasonable measures for the value of the information are taken to avoid eavesdropping or corruption of the data in transit. The Akamai mailrooms are used for physical transport of data between sites. Akamai also works with data security standards that protect data at rest/in storage.
Outside firms that handle data for Akamai are instructed to treat it with the same care that Akamai would.
Policy states that Akamai passwords should never travel over the network unencrypted — when typing them into a web browser, look first for the SSL “locked” icon. If someone inadvertently transmits a password insecurely, they are instructed to notify the InfoSec Department and the system owner for guidance on rotating the password.
Those traveling with sensitive information are asked to take extra precautions. The amount of sensitive material carried should be limited to what is necessary. Items holding sensitive information, such as a laptop, should remain under the control of an employee at all times. They should never be placed in checked baggage or otherwise sent out of the control of an Akamai employee. Sensitive information should not be discussed in close quarters on public transportation or in public areas.
Policy states that discussion of sensitive business information should be avoided unless the appropriate NDA agreement is in place and the discussion can take place in private.
Employees who give public presentations and participate in panel discussions at an industry meeting are asked to ensure their presentation or discussion is appropriate and approved by their supervisor. At trade shows, Akamai does not share any advance knowledge concerning what Akamai is planning or working on unless it has been approved for public release.
Sensitive documents and materials do not belong at trade shows. Employees are instructed to be careful to safeguard sensitive material during shipment, before, during and after meetings and trade shows.
Akamai fully cooperates with all law enforcement agencies through the Information Security team. Employees are instructed to take the individual's name, organizational affiliation, and contact information and immediately pass the request to the Legal Department. They are also instructed not to furnish information from Akamai without the permission of the Information Security team.
Routine news announcements and press releases concerning Akamai events, programs and services are issued only by authorized personnel. Requests from the news media for comment are channeled through the Corporate Communications Department.
The Senior Director of Corporate Communications has a communications strategy and policy in place providing specific company guidelines for dealing with the media.
For customer inquiries about services available from your division or group, employees are asked to take the individual's name and telephone number and pass the request to an authorized representative in their group. They are instructed not to furnish copies or information from Akamai employee lists or phone books to vendors, employment agencies or others seeking this information.
All industry analyst requests for information should be directed to the Analyst Relations department. For additional details refer to the Corporate Communications Department.
Akamai's physical security responsibilities are divided among Corporate Services, Network Infrastructure Engineering (Deployment), and Platform Operations. Every employee is responsible for the security of their work area and equipment in their care.
The Vice President of Corporate Services is responsible for the physical security of all Akamai offices.
Access control measures are required for all Akamai offices and data centers. Non-employees should sign in and out, and must be escorted at all times. Movement within such areas must be easy for employees, but should be difficult for an intruder.
Akamai employees generally have access to all common work environments such as offices, cubicles, and conference rooms. Critical areas, such as internal data centers, and infrequently visited areas, such as storerooms, are restricted to only those with documented need. The organizational owner of the area is responsible for reviewing the list of authorized personnel at least once a year.
The Vice President of Corporate Services is responsible for providing appropriate duress alarms.
The Vice President of Corporate Services is responsible for the physical security incident reporting process.
Network Operations Command Center (NOCC)
The largest Akamai Network Operations Command Center (NOCC) is located in Cambridge, Massachusetts. Additional NOCCs are located in several countries. Physical access is limited to authorized personnel and controlled by key card. The NOCC is staffed 24 hours a day, 7 days a week by Platform Operations personnel.
The Senior Director of Global Network Operations is responsible for NOCC security.
The Director of Infrastructure Engineering is responsible for the physical security of the Akamai deployed networks. This includes identifying risks of external facilities and providers used by the deployed network and establishing appropriate mitigating controls and safeguards.
The Director of Network Infrastructure is responsible for ensuring an appropriate review of the external facilities incident response procedures, disaster recovery plans, and service level agreements is conducted prior to any Akamai systems being deployed to the facility.
Akamai's Secure Content Delivery (ESSL) network requires specialized controls, for example, ESSL servers should only be deployed in locked cabinets with motion-detecting cameras. The Network Infrastructure Engineering (Deployment) group should consider security requirements when selecting network partners and vendors.
While most visitors to Akamai have legitimate reasons for visiting us, we have visitor policies that are tailored to specific facilities and areas. The policy states that:
- Badges be worn visibly at all times in all Akamai locations and that employees ask to see badges of visitors or call Corporate Security.
- Short-term visitors be escorted by an employee at all times while on Akamai property.
- Employees be aware of tailgating; while it's perfectly reasonable to hold a door for a colleague, it's equally reasonable to check that a badge is visible.
- When visitors are expected in a work area, confidential information be stored or covered.
- A clear “need to know” and the existence of an NDA be confirmed before discussing proprietary information or giving access to areas where visitors may hear or be exposed to sensitive information, proprietary processes or data displayed on computer screens.
- Critical business infrastructure be located in secure areas. Redundant power and cooling systems and fire detection and protection systems are part of the baseline protection. Systems requiring high availability have redundant systems located in alternate data centers to mitigate other unforeseen environmental threats. Power and data cabling is limited to secured areas. Cabling running between secured areas is run through conduits.
Policy states that all security incidents, weaknesses and malfunctions be reported as expediently as possible.
Platform Operations has staff trained to handle security incidents affecting the distributed network and is the center for all security incident management and response. The NOCC will appoint an incident manager to resolve the issue and involve other personnel or departments as necessary, according to the Technical Incident Response Procedure.
If the event is suspected or confirmed to be an information security event, the issue is escalated to a security subject matter expert. Many security subject matter experts are also trained as Technical Incident Managers (TIMs).
Weekly meetings are held to review incident reports from critical incidents and other security events.
Physical evidence is collected by a member of InfoSec and is kept in positive control at all times until it can be provided to a member of law enforcement or the courts. When available, Chain of Custody bags are used for evidence small enough to fit inside the bag. Any evidence that cannot be turned over to law enforcement is stored inside a locked office or inside of a safe restricted to the Information Security team.
Digital evidence is to be collected by a member of InfoSec with the assistance of members of other teams as needed. All evidence is to be cryptographically signed and recorded to a form of removable media and, whenever possible, stored in the Information Security Department.
Akamai's process includes network controls to mitigate risks to Akamai when data is transferred across the network.
Installations with user machines (e.g., corporate offices) or backend machines that are not intended for global use (e.g. database servers) are designed to be protected by physically separate firewall devices. Network Engineering is responsible for installing and configuring the firewalls.
Services that need to cross the firewall are considered for reimplementation in a more secure fashion, such as application level encapsulation or a site-to-site VPN. The Information Security team is available for design assistance.
The Enterprise Infrastructure Services group is responsible for providing and supporting a suite of VPN software to allow Akamai workstation computers to connect to the corporate network from outside the corporate firewall security boundary. It is strongly recommended that this software be used only on machines conforming to Akamai security policy and standards.
Application-level access to the corporate network is available through SSH.
Access to the corporate network is restricted to approved software. Employees may not construct their own network-layer access to the corporate network.
The ESSL (secure deployed) network is required to meet additional industry standards, such as PCI-DSS.
Computer Media Handling
Computer media should receive attention based on the data stored on the various devices. In most cases, this is “Akamai Confidential: Internal Use Only.” Media storing financial, HR, legal or customer information is meant to be treated appropriately. Akamai also has a process for Sensitive Data Destruction and Equipment Disposal.
Some media — most notably Vendor and Rescue CDs — are distributed under NDA but to such a wide extent that they are essentially public. Those compiling such CDs are instructed to be aware of this level of distribution and not include unnecessary confidential information.
For distribution within the company, the use of removable media is typically avoided. For certain cases of distribution outside the company or for off-line backup of critical data, CD-R, DVD or storage devices are appropriate. Such items should be clearly marked in accordance with section 8, "Information Handling." Such media should be treated with the same care as a computer holding the data, and securely wiped or destroyed when no longer needed. Akamai Confidential data contained on dynamic removable memory such as USB storage devices and memory cards for PDAs, cell phones, cameras, etc. should be securely deleted when no longer needed.
Akamai Confidential material should not be placed on removable media and taken outside the company.