White Paper

Akamai Information Security

Management System Overview
Securing the Cloud
Table of Contents

PREFACE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

EXECUTIVE SUMMARY. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

AKAMAI NETWORK OVERVIEW. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Mapping the Internet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Functioning of the System and the Information Flow. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Users Internal/External. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Network Intelligence and DNS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

ORGANIZATION. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Privacy Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

EDGE PLATFORM SECURITY. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Physical Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Host System Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Access Control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Network Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Software Reliability and Integrity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Monitoring and Response. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

VULNERABILITY MANAGEMENT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

INCIDENT RESPONSE AND MANAGEMENT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

PERSONNEL. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

DISASTER RECOVERY AND BUSINESS CONTINUITY. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Service Delivery Network Disaster Resiliency. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Akamai Facility Disaster Planning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

SECURITY INITIATIVES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

ISO 17799/27000 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Security Reviews. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Payment Card Transaction Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Security for End-Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

SUMMARY. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Akamai Information Security Management System Overview 1

Preface
Akamai cannot guarantee that the policies and procedures describe in the document
will not change in the future, and this document is not intended to bind Akamai to
any particular course of product marketing or development.

This document is intended to provide an overview of Akamai’s Information Security

Management System (ISMS) and the security practices and policies designed to ensure
a secure and reliable service offering. It is intended for security architects, network
administrators, or other technical audiences concerned specifically with performing
due diligence on the security of Akamai’s service. More specific inquiries should
be made through Akamai sales contacts and will be forwarded to the appropriate
Akamai staff for prompt response. While this document is not intended to cover
every possible aspect of Akamai security, we believe it provides a sufficiently broad
overview of most areas of importance to clients or partners.

This document includes an overview of Akamai’s core technologies and services to

provide a context for understanding the security framework that protects Akamai’s
network. Comprehensive overviews of individual service offerings are available from
Akamai sales representatives.

Executive Summary
Akamai is committed to sharing its Information Security Management System (ISMS)
in order to help its customers successfully and securely integrate their web environments
with Akamai’s service. This paper describes what Akamai does to prevent malicious or
unauthorized use of the Akamai EdgePlatform. This protection is comprised of a formal
vulnerability management framework, security management processes, and clear organi-
zational roles and responsibilities. The basis of the approach is to satisfy control objectives
consistent with ISO 27002 and generally accepted standards of information security,
as applicable to the Akamai environment.

Akamai’s Information Security Management System addresses each of the three basic
security dimensions (Integrity, Confidentiality, and Availability), to allow information
to be shared appropriately in an efficient and effective manner by the design and
implementation of management, operational and technical security controls.

Akamai approach is structured to limit business damage by preventing and minimizing

the impact of physical and logical disruptions by combining intelligent load management
algorithms with unmatched capacity. Unlike traditional solutions, which may provide
confidentiality or integrity at the expense of availability, Akamai’s globally distributed
platform ensures a highly available Internet presence for its customers in a secure
fashion by minimizing exposure to the vagaries of the Internet.

Strong security begins with comprehensive security practices and requires continuous
attention and improvement to ensure a consistent, repeatable, secure environment.
Security forms the foundation for every aspect of Akamai’s business, from system
design and security policy to operations management; not only for network security
within the Akamai corporate network, but also to better secure the Internet and each
customer’s web presence.

Akamai welcomes inquiries and feedback about its security practices. Please contact
a member of the Akamai sales team, who will forward the request to the appropriate
security team members for a prompt response.
Akamai Information Security Management System Overview 2

Akamai Network Overview This data is merged with the latency and packet loss information
collected real-time from large samplings of nodes on our network.
Akamai operates the EdgePlatform, a global network of Other data collected includes geographic location of IP addresses,
tens of thousands of servers in nearly a thousand networks latencies from numerous points on the Internet, DNS information,
in scores of countries. Akamai builds, operates, updates, health of key transit regions of the Internet, and observed routing
manages and maintains the software operating on this decisions. The information is collected in a distributed manner
platform and employs sophisticated network monitoring and distributed algorithms determine an optimal “map” of
technologies to track, analyze and report on current/ end-user IP addresses to Akamai servers.
real-time system-wide conditions and trends, including
security events. Functioning of the System and the
Information Flow
The overall security of Akamai’s network relies on several
It is important to note that Akamai personnel do not require
factors, which work together to provide a secure solution
access to our customer’s internal systems. Akamai EdgePlatform
with defense in depth. These components include physical
servers operate as surrogate web servers pulling content from
security, host and software security, network and compo-
the origin site using standard protocols such as HTTP and HTTPS
nent design, and 24x7 monitoring and response.
and do not have any access to the back-end systems of the
customer’s hosted facility. The EdgePlatform will simply handle
Mapping the Internet the end-user’s access to the customer’s Internet web site and
Akamai has devised a number of proprietary algorithms will make the same end-user request to the web servers (or
to leverage its distributed architecture. Akamai’s network the origin servers) within the customer’s hosted facility for the
is designed to operate automatically, in real-time, in the purpose of retrieving or refreshing content.
most effective and efficient manner possible. Topological
measurements are continuously performed. BGP feeds
from hundreds of networks are combined with real-time
trace-routes and other measurements to determine the
overall connectivity of the Internet.

End Users

2. Request for content that needs

2. to
Request for content
be fetched or is that needs
un-cacheable 1. End User
to be fetched or is un-cacheable 1. End User
is forwarded to the origin
is forwarded to the origin. requests
requests

GET GET

Internet

200 Ok 200 Ok
Customer Fire Akamai Edge
Origin Wall Servers
3.3.Content
Contentis
delivered
is delivered
from Edge
from Edge

End Users

Figure 1: Akamai EdgePlatform Data Flow

The Akamai EdgePlatform system data flow, illustrates how
a customer’s Internet web site is delivered to end-users.
Akamai Information Security Management System Overview 3

Users Internal/External
“External users” refers to members of the public with access to the Internet who
are requesting the customer’s web site content. Data provided would be information
managed and published by the customer through its hosted facility. External users do
not require authentication outside of services available within HTTP to access the web
site content. Processing provided on the EdgePlatform system is web server functionality,
specifically responding to requests for content within the protocols supported on the
EdgePlatform. These are standard functions in delivering web site content and appli-
cations over the Internet.

“Internal users” for the EdgePlatform system are authorized Akamai personnel monitoring
and maintaining the EdgePlatform system in general and any authorized customer person-
nel. Akamai personnel do not exercise administrative access to a customer’s web content,
except as any other external user. Authorized Akamai personnel will have operational
control over the EdgePlatform system, ensuring that its distributed network of servers
is functioning properly. Authorized customer personnel have access to the reporting tools
and customer support tools via the Akamai customer portal. Reporting tools provide data
about the customer web site traffic at an aggregate level.

Network Intelligence and DNS

Akamai’s network intelligence system employs DNS and is a necessary requirement for
proper operation of many of Akamai’s service offerings. Akamai’s network intelligence
infrastructure is spread across the global platform, performing regular and continuous
tests on a variety of aspects of network performance and reliability. Data points are
aggregated in multiple locations and multiple redundant maps (data structures mapping
end-users to edge servers) are generated for each specific service. Maps are run through
an integrity-checking process prior to being pushed to Akamai’s DNS servers.

Akamai’s DNS infrastructure uses the end result of each map-making cycle to determine
optimal mapping for end-users. Akamai’s network intelligence system uses a set of top-
level DNS name servers, authoritative for a variety of domains, and uses technology
similar to Enhanced DNS.

Organization
Akamai launched commercial service in April 1999 and security has been extremely
important from the beginning. The Akamai Information Security Program is structured
in accordance with ISO 17799 and ISO 27001 international standards for information
security. Akamai has engaged outside audit teams to conduct assessments of Akamai’s
security program against these standards.

Accordingly, Akamai continually strives to improve upon its security practices. Included
in Akamai’s ongoing security efforts are regular internal reviews and risk assessments
for corporate, information, and network security. As Akamai continues to roll out new
services on its network, security plays a fundamental role in product design and review
for every new feature. In addition to performing frequent internal security reviews,
Akamai’s security professionals meet regularly with a cross-functional executive team
to review corporate and network security issues.
Akamai Information Security Management System Overview 4

Akamai has a dedicated Information Security Group. the Payment Card Industry Data Security Standard, such as video
The Senior Director of Information Security is responsible cameras, fire suppression and guards. For more information about
for security of the system and the company. The Director Secure Content Delivery contact your Akamai sales representative.
reports to the Senior Vice President of Networks and
Operations, provides a security status report to the CEO Host System Security
regularly, and works with management across the com-
pany to prioritize and schedule security efforts. All Akamai servers are designed to function as a bastion host,
obviating the need for enclaving the systems behind a separate
Akamai performs both qualitative and quantitative risk firewall. The systems are hardened to withstand various types
assessments of the service network infrastructure on an of attack, including various denial-of-service attacks and other
on-going basis. Risk assessments consider the value of the known vulnerabilities.
assets being protected, the exposure presented to those
assets by vulnerabilities, and the likelihood of exploitation Akamai deploys security-hardened servers and adheres to the
by various threats. principles of minimum access and least privilege. Akamai disables
all non-essential IP services on deployed servers to limit opportuni-
Akamai has a formal incident response process that includes ties for unauthorized network access. Remote administrative
root cause analysis of the incident. See the section Incident access is only available via cryptographically secure connections
Response & Management for more information. and all electronic access to Akamai servers is logged. To further
limit access, read-only views and limited diagnostic tools are
Privacy Policy provided to Akamai personnel performing system diagnostics
and analysis, eliminating the need for administrative access
Akamai does not collect or aggregate personally identifiable to accomplish these functions. Network Operations enforces
information about its customers’ users. The Akamai privacy Akamai’s access control policies and security key management.
policy is available on the Company’s web site.
Access Control
http://www.akamai.com/html/policies/privacy_principles.html
Akamai’s EdgePlatform servers do not have individual user
accounts, and user-level applications (e.g., web browsers) are
EdgePlatform Security removed from the system, eliminating the most common virus
infection vectors. The systems are hardened by closing all un-
The overall security of Akamai’s network relies on several needed ports and by removing extraneous software packages
factors, which are designed to work together to provide and network services.
a comprehensive secure solution with defense in depth.
These components include physical security, host system Administrative logins are restricted to trained and authorized
security, access control, network design, software reliability Akamai employees. The Network Operations Group maintains
and integrity, and 24x7 monitoring and response. and enforces Akamai’s access control policies and key manage-
ment. Read-only views are provided to a limited number of
Physical Security authorized personnel performing system diagnostics and analysis.
Akamai’s EdgePlatform servers are deployed in facilities
worldwide, many of which provide state-of-the-art access Each authorized Akamai user has a set of unique public-key
control. Akamai requires its providers to enforce verification pairs for authentication purposes, and access occurs via an SSH
of Akamai service requests; providers may not attempt to proxy enforcing a role-based access control model. These key
gain any sort of access to Akamai systems without written pairs are rotated frequently, and Akamai’s Network Operations
instructions from Akamai. Failed systems are returned directly and Information Security teams routinely review access privileges.
to Akamai-contracted facilities that follow strict handling
procedures to repair and return them to service. Although Software changes are executed via automated processes, obviating
Akamai stipulates the above requirements for facility providers, the need for most human intervention. Akamai’s deployed network
it is important to note that Akamai is not dependent on their functions in an autonomous mode without users logging into the
compliance to protect its network. The network is designed servers to conduct routine system administration.
such that physical compromise of Akamai machines can have
only a limited impact on the system as a whole and critical Network Design
systems are placed in more secure and trusted locations.
Akamai’s unique distributed intelligent network is designed
to eliminate single points of failure. Its self-correcting properties
Secure Content Delivery Network servers are deployed in allow it to address machine, data center, and network problems
professional and secure collocation facilities. These facilities and route around any outages or areas of inefficiency for optimal
incorporate physical requirements designed to comply with reliability of content and application delivery. Akamai has servers
Akamai Information Security Management System Overview 5

in almost every major network in the US and around the world. This, along with
dynamic routing technology, enables Akamai to continue operating in the presence
of almost any network outage.

Because of Akamai’s intelligent load management algorithms, attacks against

one customer are unlikely to have significant impact on other customers. Akamai’s
technology also enables containment of potential damage caused by an attacker.
If suspicious or unusual behavior is detected from an Akamai server, that machine
can be suspended by directing traffic away. This can be done without impact to
Akamai’s service; each server has a set of back up machines that can take over its
duties within seconds. Entire data centers can be suspended from serving traffic
as well, with minimal impact, as Akamai’s dynamic mapping system will direct
users to new data centers within minutes. These fault-tolerant features take effect
automatically when machines or data centers fail for any reason, allowing Akamai
to continue serving content and applications reliably, even when portions of the
service network are not able to serve Internet traffic.

Software Reliability and Integrity

Akamai engineering uses a revision control system that restricts modifications and
provides check-in time notification tracking of source code submissions. Access to
source code is authenticated with public-key cryptography.

Before being installed on Akamai’s network, software undergoes extensive code

review, as well as unit, system, and regression testing. After being system-tested
on a test network, the code and configuration changes to be installed are encrypted
and signed.

These changes are installed in a staged fashion to ensure minimal impact to Akamai
services. Software is installed over secure connections with safeguards to check that
components are of the correct revision and have not been modified in transit. In the
unlikely case that problems are discovered during the roll-out, Akamai’s fault-tolerant
mapping system will direct users away from the affected machines as the problems
are addressed.

Akamai’s advanced software management system provides tight control over the
soft-ware and configuration on all machines. Any deviations from the specified
configuration are corrected, resulting in a highly consistent state across the network.

Akamai also tightly controls all software on the servers. No CGI scripts or customer
created executables are run on Akamai servers—with the notable exception of our
EdgeComputing service that uses a specially designed “sandbox” environment. For
more information about EdgeComputing contact your Akamai sales representative.

Monitoring and Response

Vigilant system monitoring plays a key role in Akamai network security. Each Akamai
server has a set of “watch-dog” components that provide system-level monitoring
for security events and anomalies such as usage, performance, process counts and
abnormal behavior. These components report through a distributed database system
that provides alerting and reporting to Akamai’s Network Operations Command
Center (NOCC). Additional automated systems within the NOCC analyze and report
on system-wide conditions and trends. The 24x7 NOCC staff continually monitors
network status, including checking machine performance, data center status, net-
work connectivity, and general Internet health, and is trained to respond immediately
to any sign of intrusion or other trouble. Machines or entire regions can be suspended
with very little impact on the Akamai service.
Akamai Information Security Management System Overview 6

Vulnerability Management Personnel

Akamai has developed an integrated and systematic vulnerability Every Akamai employee is required to sign a confidentiality
management process to manage remediation across both the agreement as a condition of his or her employment. In addition,
EdgePlatform network and the Akamai corporate infrastructure. Akamai personnel undergo background checks at the time of hire.
Success metrics and noncompliance reporting are delivered to
both Akamai management and system owners. Access to systems is provided as required by job function, subject to
approval policies specific to the type of information to be accessed.
The formal tracking method for managing security vulnerabilities
begins with members of Akamai’s Information Security Group Akamai employees are provided with our security policy, our business
monitoring software vendor notifications and public reporting ethics policy, and a general security orientation. Akamai employees
forums (e.g., CERT). Software vulnerabilities are analyzed using must review and acknowledge these policies annually.
both a quantitative risk analysis system (the Common Vulnerabil-
ity Scoring System) and a qualitative risk analysis system (a threat
actor/severity model). Disaster Recovery and Business
Identified security issues are added to the security project
Continuity
management database. Akamai’s tightly controlled infrastructure Akamai’s commitment to customer service includes disaster
allows patches and system updates to be deployed quickly and preparedness. Akamai has developed written procedures, policies
securely, when the Information Security group determines the and strategies, including tests of the Disaster Recovery systems,
need for such measures. to add-ress the potential effects of disasters or other unexpected
events that could impact the company’s operations. Akamai’s

Incident Response and program defines two types of disasters:

Management • Service Delivery Network Disaster is a failure at a component,

system, facility, or network level involving the EdgePlatform net-
Akamai has a formal, well-documented incident response work. This level of disaster is typically handled by use of multiple
process. The process includes procedures for escalating to redundant components or systems.
the technical and business team members with the appropriate
expertise based on the severity and complexity of the incident. • Akamai Facility Disaster is a failure that impacts Akamai
Escalation paths contain multiple levels, should the first contact corporate facilities, such as major power outage, flooding,
not be immediately available. major storm damage to the building, etc. This level of disaster
is typically handled with a combination of system redundancy
In the event of suspicious activity related to a customer’s and failover protocols.
content or account management, Akamai will notify the
designated customer representative. Service Delivery Network Disaster Resiliency

Akamai does not have a standard SLA for security incidents The structure and operation of the Akamai EdgePlatform are
due to the incidents’ varied nature. As noted above, Akamai inherently designed to minimize the possibility that a disruption
provides timely response via customer portal notifications, could have any network-wide effect. The built-in self-correcting
email or other communications with appropriate levels of properties allow it to be uniquely able to deal with machine,
information based upon the specific incident and its custo- data center, and network problems; routing around any outages
mer impact. for optimal reliability of content delivery. This also means that
it is easier to contain potential damage caused by a disruption
Akamai utilizes a variety of host-based audit controls to that affects even a significant number of servers or data centers.
provide intrusion detection. Every Akamai server monitors Entire data centers can be withdrawn from service, with minimal
a large collection of events including usage, performance impact, as Akamai’s dynamic mapping algorithms will direct users
and abnormal behavior. These events are reported through to new data centers within minutes. These fault-tolerant features
a distributed database system into Akamai’s monitoring automatically activate when machines or data centers fail for any
system that provides alerting intelligence to the Network reason, allowing Akamai to continue serving content reliably. Net-
Operations Command Center (NOCC). NOCC staff are work-related disaster recovery plans and procedures are constantly
trained and on call to provide incident management in reviewed to ensure the integrity, stability, and fault-tolerance of
accordance with Akamai’s incident response procedures. the system.
Akamai Information Security Management System Overview 7

Akamai Facility Disaster Planning

Akamai has an Emergency Response Team that meets regularly to implement policy
and test recovery plans. Documented evacuation plans for all corporate facilities are
provided to employees both in writing and through posted evacuation plans.

The Akamai deployed network is managed by the Network Operations Command

Center (NOCC). The primary Akamai NOCCs are located in Cambridge, Massachusetts,
and Bangalore, India. Akamai has designed our Network Operations Command Center
(NOCC) to be redundant, enabling automatic recovery from facility disasters. Edge-
Platform technology components are designed to provide data protection at all levels
and Akamai has backed up critical data in separated geographic locations.

Secondary operations sites are located in San Mateo, California, and Reston, Virginia,
providing redundant capability for ongoing operations in the event of a metro disaster
in either or both of our primary locations.

Security Initiatives
For businesses where a web presence plays an integral part in success, delivering content
over the Internet means balancing the reward of easy, universal access to content against
the difficulty of protecting the integrity of those accessible systems. Akamai’s commitment
to best-in-class security policies and practices is designed to minimize the risk to our
customers—allowing each to take advantage of the optimal wide-reaching delivery
mechanism for its content while retaining the protection and control they demand.

ISO 17799/27000
Akamai undergoes an annual readiness assessment to determine compliance with the
ISO 17799 standard “Information technology – Security techniques – Code of practice
for information security management.” ISO 17799:2005 measures 11 control categories:

• Security Policy

• Organization Of Information Security

• Asset Management

• Human Resources Security

• Physical And Environmental Security

• Communications And Operations Management

• Access Control

• Information Systems Acquisition, Development And Maintenance

• Information Security Incident Management

• Business Continuity Management

• Compliance
Akamai Information Security Management System Overview 8

Security Reviews Security for End-users

Security is extremely important to Akamai and our customers. Akamai has a well-established support model for responding
Accordingly, Akamai continually strives to improve upon our to end-users with security concerns. Most users initiate
security practices. Included in Akamai’s ongoing security efforts correspondence with Akamai’s Customer Care organization.
are regular internal reviews and risk assessments for corporate, Customer Care will work with the user to determine if there
information, and network security. Furthermore, as Akamai is a potential security issue. If Customer Care is unable
continues to roll out new services on its network, security plays to resolve the concern, the Information Security Group
a fundamental role in service design and review for every new is contacted to provide additional support and diagnostics.
feature. In addition to performing frequent internal security
reviews, Akamai’s security professionals meet regularly with Akamai’s network and systems may occasionally act as a
a cross-functional executive team to review corporate and conduit or storage mechanism for personal user information
network security issues. that is collected by our customers (e.g., Akamai could have
log data that would match IP addresses of end-users to the
Payment Card Transaction Security sites they have visited). Akamai is committed to meeting all
of our obligations to our customers to protect their data and
Akamai accelerates online credit card transactions for 75 only to collect, use, and disclose it for authorized purposes.
of the top 100 online retailers. To help its retail customers
achieve compliance with the Payment Cards Industry Data
Security Standard (PCI-DSS), Akamai has secured certification
from the PCI Standards Security Council for our Secure Content
Delivery Network. To maintain compliance, Akamai undergoes
an annual penetration test and quarterly vulnerability audits
from a PCI-certified third party. Akamai provides its PCI Compli-
ance customers with access to automated tools for validating
site configurations, infrastructure reports, and contractual
obligations for PCI compliance, incident notification, and
incident response.
Akamai Information Security Management System Overview 9

Summary
Akamai’s Information Security Management System (ISMS) is designed
to ensure that Akamai’s EdgePlatform provides the most secure way to
increase performance and reliability across the Internet.

Strong security begins with comprehensive security practices and requires

continuous attention and improvement to ensure a consistent, repeatable,
secure environment. Security forms the foundation for every aspect of Akamai’s
business, from system design and security policy to operations management;
not only for network security within the Akamai corporate network, but also
to better secure the Internet and each customer’s web presence.

Akamai strives to address each of the key security principles of confidentiality,

integrity, and availability in its network, software, and service offerings. Unlike
traditional solutions, which may provide confidentiality or integrity at the expense
of availability, Akamai’s globally distributed platform ensures a highly available
Internet presence for its customers, in a secure fashion, without subjecting
them to the vagaries of the Internet.

Akamai welcomes inquiries and feedback about its security practices. Please
contact a member of the Akamai sales team, who will forward the request
to the appropriate security team members for a prompt response.
1 November 2009 - This document is intended to provide certain background information on Akamai as of the above date. This information is subject to change from time to time
as Akamai’s business and systems change, and thus should not serve as a representation or warranty.

The Akamai Difference

Akamai® provides market-leading managed services for powering rich media, dynamic transactions, and enterprise applications online. Having pioneered the content delivery market
one decade ago, Akamai’s services have been adopted by the world’s most recognized brands across diverse industries. The alternative to centralized Web infrastructure, Akamai’s
global network of tens of thousands of distributed servers provides the scale, reliability, insight and performance for businesses to succeed online. Akamai has transformed the
Internet into a more viable place to inform, entertain, interact, and collaborate. To experience The Akamai Difference, visit www.akamai.com.

Akamai Technologies, Inc.

U.S. Headquarters International Offices

8 Cambridge Center Unterfoehring, Germany Bangalore, India
Cambridge, MA 02142 Paris, France Sydney, Australia ©2009 Akamai Technologies, Inc. All Rights Reserved. Reproduction in whole or
in part in any form or medium without express written permission is prohibited.
Tel 617.444.3000 Milan, Italy Beijing, China
Akamai and the Akamai wave logo are registered trademarks. Other trademarks
Fax 617.444.3001 London, England Tokyo, Japan contained herein are the property of their respective owners. Akamai believes that the
U.S. toll-free 877.4AKAMAI Madrid, Spain Seoul, Korea information in this publication is accurate as of its publication date; such information
(877.425.2624) Stockholm, Sweden Singapore is subject to change without notice.

www.akamai.com