Akamai Lines Background

Akamai maintains a series of policies and procedures to manage the network that transmits customer data securely. We maintain and enforce a Deployed Network Access Policy outlining the controls, roles, and responsibilities that ensure employees only have the access privileges necessary to do their jobs.

The policy applies to write-enabled (root or administrator) access to the Akamai deployed network, a collection of servers that have external IP addresses and whose access is controlled by Platform Operations. All access is restricted to authorized personnel and depends on the need and role of the employee. Only the vice president of platform operations can approve exceptions.

Any employee seeking a specific level of access must be approved in advance, with approvals documented for regular audits. The employee's manager must be notified whenever a default approval is exercised. The manager must acknowledge this notification within a reasonable time after the grant is issued, and the acknowledgment must be documented identically to standard approvals.

Those requiring root access to machines covered by this policy and who are not members of a pre-approved role group can request access for a limited time for a specified list of machines. In those instances, all temporary access grants to machines covered by this policy must be restricted to authorized personnel. The employee requesting access must have the request approved by the employee's manager, a Platform Operations Senior Engineer, and a Network Owner or an Incident Manager.

Diligent record keeping is an essential part of the Access Control policies. Platform Operations must maintain an auditable record of each instance where someone received time-limited network access.

This record includes answers to specified questions from the NOCC, authentication approval, and a unique ID for the grant issued.

Another way we manage access control is through Authgate, an Akamai-developed system for accessing edge machines via SSH with restrictions that can allow or disallow user access based on machine type or number of machines that user has accessed in a day. All accounts in Authgate and deployed network access are managed by the NOCC.

Putting an ssh identity for all employees on all production servers would be a security nightmare (as well as a logistical nightmare), offering very little access control and very little reporting. With Authgate, only the Authgate's ssh identity is allowed access to the edge machines. Employees connect to authgate via gwsh (a wrapper around ssh), and authgate controls whether or not the connection is forwarded to the edge machine. Access via Authgate is controlled using Grants. Grants are managed using authgate-ui. All grants are contained within a single file (the grants file). Basically, a grant allows a given class of users access to a given class of machines for a given period of time. Grants also define the remote username that is used to log into the edge server.