Security & Compliance

As Akamai looks to drive the cloud security model to new heights, the reality is that security is about much more than applying the appropriate security controls. Establishing a Trusted relationship, both in business and security operations, is key to the overall acceptance of a service platform. This can only be truly accomplished by providing transparency, communication, accountability and validation throughout the entire lifecycle.
Guiding Principles
As a means to ensure reasonable and acceptable assurance that Akamai’s Application and Information Systems maintain a high level of security throughout their given life-cycles, the Soha Information Security Program operates under the following Guiding Principles
Align with well known and industry accepted security frameworks, approaches, and compliance requirements, maintaining the appropriate technical, personnel, administrative, physical, and environmental controls at all times.
Protect against known threats and vulnerabilities across software, hosts, network resources, with continuous validation performed by internal and external assessments.
Maintain data and software confidentiality and integrity throughout the platform, incorporating cryptographic protection and validation methods.
Produce actionable intelligence for identifying and remediating security anomalies and malicious activities across both internal and external operations, supporting rapid incident response processes
Remain available 24x7x365, preserving business continuity and ensuring Akamai systems are able to continue performance of essential functions under a broad range of circumstances.
Security Framework
The Akamai Security program incorporates and builds on numerous industry standard security frameworks (ISO, COBIT, OSA), optimized for high-performing agile models, with the ability to rapidly integrate changes in security strategy as more advanced and distributed attack vectors are identified. Components Include:
External factors, such as Business & Technology Drivers, Regulatory Landscapes, and Threat/Risk Landscapes, which contribute to the overall Security Mission.
Provides guidance on determining information security objectives and how to measure progress toward achieving them.
Design, Build & Run
Technical implementations of Security Architecture, Engineering & Operations, to effectively manage risk.
Identification, awareness, and communication across technical and business functions.

Akamai’s Security Program Domains highlights the key concepts associated with each domain. The domains provide the foundation of security principles and practices related to the Confidentiality, Integrity, and Availability of the Akamai Cloud platform.

Documentation (Policies, Standards, Procedures)
Training & Awareness
Regulatory Compliance
Laws, Investigations & Ethics
Vendor Management
Risk Management

External Security Assessments
Vulnerability Scanning, Analysis & Remediation
Application Threat Modeling

Asset Management
File Integrity Monitoring
Configuration Management
Change Management

Centralized Account Management
Remote Access
Role-Based Access Control (RBAC)
-Factor/Multi-factor Authentication

Secure Development Practices
Quality Control Testing
Static/Dynamic Code Analysis
Production Deployment Procedures

Data Classification & Protection Guidelines
Data Encryption Standards
Data Handling Procedure
Certificate Lifecycle Management (PKI)

Security Tools Management
Reporting & Escalation
Monitoring & Alerting
Security Incident Triage & Response

Actionable Intelligence Collection
Log Management
Security Metrics
Risk Analysis & Scoring

Akamai has developed a comprehensive, multi-faceted approach to compliance by incorporating common core elements of multiple standards and integrating into engineering, development, and operational processes. This approach isolates the regulation-specific controls and allows Soha to categorize risk based at an aggregate level to ensure coverage is complete and accurate across various audit frameworks.

Core Domains are composed of common requirements spanning 3 major Security Control Frameworks (PCI, SOC2, CSA) and are incorporated as baseline standards for Soha operations. Framework Specific requirements are included within the compliance scope for particular frameworks as part of assessment/certification processes.

As new standards are considered based on regulatory/customer requirements, they will be evaluated against the Soha Compliance Framework and requirements distributed accordingly for incorporation into Soha Standards.

The Payment Card Industry (PCI) Data Security Standard (DSS) is an information security standard defined by the Payment Card Industry Security Standards Council. The certification is designed to prevent credit card fraud through increased controls around data and its exposure to compromise. The standard applies to all organizations which hold, process, or exchange cardholder information from any card branded with the logo of one of the card brands.

A validated service provider is one that has undergone an audit by an independent QSA and is found to be in conformity with the PCI security standards outlined in the latest version of the Data Security Standard published by PCI Standards Council.

To learn how Soha Systems can assist your PCI compliance requirements, download the Soha PCI Datasheet.

The SOC 2 and SOC 3 reports both look at a service organization’s controls relevant to the security, availability, or processing integrity of a service organization’s system or the privacy or confidentiality of the information the system processes.

These reports are based on AT Section 101, Attest Engagements, and the controls are evaluated using the trust services principles and criteria.

soc2-logo STAR certification provides multiple benefits, including indications of best practices and validation of security posture of cloud offerings against the CSA’s Cloud Controls Matrix (CCM).

CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to cloud computing.