Transcription
A Response toRequest For InformationCyber-Security Assessment, Remediation, and Identity Protection, Monitoring, andRestoration ServicesSeptember 3, 2015Prepared By:Micah Maryn, CISSPSenior Solutions EngineerAkamai Technologies, Inc.11111 Sunset Hills RoadSuite 250Reston, VA 20190703-581-6423mimaryn@akamai.com
ContentsIntroduction . 2KEY SERVICES . 3Background . 3COMPANY FACTS AND FIGURES: . 4ACCREDITATIONS AND COMPLIANCES . 5AKAMAI CLOUD SECURITY SOLUTIONS . 6Web Site & Application Security- Kona . 6Network & Infrastructure Security- Prolexic . 7DNS Protection- FastDNS . 9Contact Information . 11Akamai Response to RFI Section IV . 12INTRODUCTIONAkamai is the leading distributed security platform for helping enterprises across the globe to providesecure, high-performing user experiences on any device, anywhere. Akamai's security solutions arebased on a Multi-Perimeter Cloud design that provides multiple defenses to protect from DNS attacks,Web Application attacks and Network Infrastructure attacks. Our Intelligent Platform providesextensive reach, coupled with unmatched reliability, security, visibility and expertise. Akamai alsoremoves the complexities of connecting the increasingly mobile world, supporting 24/7 consumerdemand, and enabling enterprises to securely deliver sites and application over the Web.In addition, Akamai has assembled a team of security experts who are proactively engaged in increasingthe security posture of our customers and our platform. These individuals not only are working tomitigate threats now, but aggregating data from our platform to discover emerging threats and developsuccessful mitigations.Akamai has been protecting websites since its inception: On September 11, 2001- Flash mobs and loss of major Internet connections inside the WorldTrade Center crippled the availability of many news and information sites. Akamai was able toscale up to absorb the increased demand and route around the damaged Internet infrastructureso that the sites delivered by Akamai continued to be operational. In July 2009- Akamai defended numerous US Government, commerce, and financial servicessites from a multi-day 124-Gbps DDoS coming from South Korea with no operational impact. In December 2014- Akamai successfully defended 320 Gbps and 71 mpps (millions of packetsper second), multiple vector (network, application, and DNS) attack which targeted a singlecustomer.Akamai currently provides cloud security services to some of the best-known companies in the world,and US Government agencies, mitigating 10-15 attacks a day. In addition to supporting our directcustomers, Akamai is actively engaged in cyber security working groups, including, Forum of Incident Response and Security TeamsThe Open Source Web Application Security Project (OWASP)The FBI-led “Botnet Threat Focus Cell”Industry Botnet Group (IBG)September 3, 2015AKAMAI CONFIDENTIALPage 2 of 15
KEY SERVICESAkamai offers three core cloud security services along with several professional security services.1.2.3.4.Web Site and Application Security- leveraging our globally distributed reverse proxy platform.Network Layer Security- leveraging our globally distributed Prolexic scrubbing platform.DNS Layer Security- leveraging our globally distributed DNS platformProfessional Security Services- including: Security assessments Threat advisory services Managed security servicesIn the following section, Akamai will provide additional details on each of our core services. Additionally,we have included a brief whitepaper with our response, Akamai Cloud Security Solutions: ComparingApproaches for Web, DNS and Infrastructure Security. We highly recommend reviewing this piece as itdoes a very good job of discussing our approach, comparing the alternatives and highlighting thebenefits of our solution options.BACKGROUNDAkamai understands the importance of protecting the availability of your websites, applications, anddata centers as well as the confidentiality and integrity of your content and data. Akamai alsounderstands that attacks are increasing in size and complexity. As attacks become larger and morefrequent, and threats become more complex, it can become increasingly difficult for state and localagencies to manage security threats and ensure the availability, integrity, and most importantly, theconfidentially of their data.Akamai has extensive experience providing DDoS mitigation and web security for eCommerce, financialservices, and government customers.Akamai provides market-leading, cloud security services which protect the origin infrastructure from,network layer, application layer, DNS Layer, and other malicious activity. Combining highly-distributed,robust architecture, The Akamai Intelligent Platform extends the security perimeter to the edge of theInternet, often within in one network hop of the client user; where the attacks begin.The Akamai Intelligent Platform architecture includes a 100% availability SLA and extends your securityperimeter into the cloud, mitigating threats before they reach your infrastructure. Furthermore, TheAkamai Intelligent Platform aggregates massive amount of data regarding Internet conditions, Darknettraffic, and malicious activity. This data, along with information gathered from mitigating 10-15 attacksper day enables Akamai to identify correlations, new attack signatures, and emerging threats. Akamai isthen able to use this threat intelligence to further improve our products, features, and rules sets, as wellas providing threat intelligence data to our customers.September 3, 2015AKAMAI CONFIDENTIALPage 3 of 15
COMPANY FACTS AND FIGURES: Year Incorporated:August 1998 Corporate Headquarters:Akamai Technologies Inc.Corporate Headquarters150 BroadwayCambridge, MA 02142www.akamai.com Security Operations CenterFt. Lauderdale, FL Akamai Technologies, Inc. is Publicly Traded: (NASDAQ: AKAM) Revenue2014 annual revenue of 1.96 billion, up 24 percent /financial reports.html) Dun and Bradstreet Report:Akamai Technologies Inc. DUNS # is 128521528Akamai has included an S&P Capital IQ report along with a the Fidelity/S&P Capital IQ FinancialStatement Current Employees5,100 Akamai’s customers are some of the best-known organizations in the world. Over 20 public and private sector on-line education services Multiple K-12 and Higher Education institutions Both Houses of the U.S. Congress All Branches of the U.S. Military All 15 Cabinet Agencies of the US Government 10 out of the top 10 US Banks All top 20 global eCommerce Sites All top anti-virus companies All top 30 Media and Entertainment companiesAkamai is proven. Akamai delivers daily Web traffic reaching more than 26 Terabits per second. Akamai delivers over 2 trillion of daily Internet interactions. 90% of the world's Internet users are within a single "network hop" of an Akamai server. Akamai can work with any customer's Web environment, no matter how sophisticated.September 3, 2015AKAMAI CONFIDENTIALPage 4 of 15
ACCREDITATIONS AND COMPLIANCESAkamai services current support the following compliances and accreditations: FedRAMP- Provisional JAB ATO FISMA FIPS 199- Low and Moderate ATOs PCI- Tier 1 Merchant Service Provider ISO-27002FedRAMP- Provisional JAB ATOThe Akamai Intelligent Platform has been FedRAMP accredited with a Joint Authorization Board (JAB) ProvisionalAuthority to Operate (P-JAB-ATO) that meets the FedRAMP requirements as a Public Cloud Service Model and anInfrastructure as a Service (IaaS) Model. A FedRAMP P-JAB ATO is a certification by the JAB of Akamai’scompliance with FISMA as well as several of the NIST Special Publications, including NIST 800-53, and FIPSpublications. Akamai’s FedRAMP information can be found here, http://cloud.cio.gov/fedramp/akamai.The accreditation boundary for the Akamai Content Delivery Network (CDN) covers a majority ofAkamai’s infrastructure and services, including:Content Delivery Infrastructure & DDoS Mitigation ServicesInternal Systems & InfrastructureHTTP Delivery Edge ServersLuna Control Center PortalAkamai NOCCDNS & DNSSEC ServiceHTTPS (Secure Delivery) Edge serversKey Management InfrastructureGlobal Traffic Management (GTM) SystemAkamai’s DNS ServersStreaming ServersNetStorageFISMAPrior to the FedRAMP Mandate, Akamai had already meet FISMA compliance and supported a ModerateSP 800-53 baseline of controls with one sub-network supporting a High controls baseline with additionalconfigurations and products prior to our FedRAMP accreditation in August 2013. Akamai also supportscustom DoD/Intel requirements.FIPSPrior to our FedRAMP Accreditation, Akamai had received an Authorization to Operate (ATO) from theUS Department of Homeland Security (DHS) and the Nuclear Regulatory Commission at a FIPS-199 LOW,and an ATO as part of a larger US Air Force system at a FIPS-199 Moderate. Our DHS ATO and supportpackage is available as a reference, from our DHS COTR upon request.PCI- Tier 1 Merchant ServiceAkamai is certified as a Tier 1 Merchant Service Provider under PCI-DSS, as evidenced by our listing onthe Visa website. To maintain this accreditation, Akamai undergoes quarterly network scanning andannual penetration tests by a 3rd party certified by the PCI standards council.ISO-27002Akamai has implemented an Information Security Management System (ISMS) based on the ISO27001/2 (formerly 17799) Code of Practice for Information Security Management and undergoes anannual assessment by an independent third party in accordance with the ISO standard.As a cloud computing provider, we are unlike the traditional hosting providers who engage inaccreditations of the ISMS of a data center against the Operations Management domain of ISO 27001/2.Instead, we engage our auditors to investigate our ISMS as it applies to the complete ISO 27001/2 set ofSeptember 3, 2015AKAMAI CONFIDENTIALPage 5 of 15
controls, against our entire company, both corporate facilities and the production network of tens ofthousands servers in approximately a thousand networks. We provide the summary of findings fromthat assessment to our customers as evidence that our security program is in-place and functional, theexecutive summary of which is available to existing and prospective customers under NDA.Code of Ethics & Regulatory ComplianceAkamai is committed to conducting our business with the highest level of ethics and integrity and incompliance with all applicable laws and regulations. Akamai expects all of our executive officers andmanagers to be leaders in adhering to high ethical standards and all employees to follow suit. We striveto deal honestly and fairly with all parties with whom we interact in the course of our business. Toformalize this commitment, Akamai has adopted a Code of Business Ethics that applies to all of ouremployees. In addition, Akamai adheres to Sarbanes-Oxley Compliance regulations, quarterly employeetrainings and holds an Acceptable Use Policy to maintain the integrity of traffic delivered on its network.AKAMAI CLOUD SECURITY SOLUTIONSAkamai cloud security solutions provide cloud-based protection not only from DDoS attacks targetingyour network infrastructure and web sites/applications, but also from web application attacks targetingthe integrity and confidentially of your data.Akamai has several offerings which address: Web Site and Application SecurityNetwork Layer and Infrastructure SecurityDNS Layer SecurityWEB SITE & APPLICATION SECURITY- KONAAkamai’s Kona security services provide cloud based Web site and application security features. Builtinto Akamai’s Content Delivery Platform, a globally distributed platform consisting of 175,000 serversdeployed in over 102 countries on 1,300 networks, Kona offloads the amount of traffic coming into theorigin, regardless of the origin location, and inspects inbound traffic using Akamai cloud based WAF.A site or application can be configured using Kona on the Akamai Intelligent Platform by simply doing aCNAME to Akamai in the DNS.The Kona solution provides: HTTP and HTTPS content delivery over our global platform of 175,000 servers, including over60,000 in the US Dynamically elastic-absorbing peak traffic caused malicious activity or increased demand forcontent without impacting performance Route traffic dynamically to mitigate the ever changing network conditions of the Internet DDoS Mitigation and Enhance security by identifying, absorbing, and blocking security threats IP white/black list controls and geo-blocking Rate limiting controls A fully functional cloud base Web Application Firewall (WAF)o Includes OWASP Top 10 and ModSecurities CRSo Also includes proprietary rules which fill gaps in the industry standard CRS.September 3, 2015AKAMAI CONFIDENTIALPage 6 of 15
o Fully configurable, allowing for site/application specific policies and custom rulecreation.Client IP Reputationo Using the threat intelligence data aggregated by the Akamai platform to identify IPspushing malicious traffic, and assigning a risk score based on the volume and type oftraffic, to dynamically block IPs actively pushing malicious traffic.Direct to Origin protections which only allow connections from clients passing through theAkamai reverse proxy, and the security controls within The Akamai Intelligent Platform.Site Failover to custom web pages.100% availability SLA of the Akamai Intelligent PlatformKona can be contracted as a self-managed service or a managed service. When contracted as a managedservice, Akamai’s security experts working in our Security Operations Center (SOC) will also provide: Customer specific documentation of incident response procedures and escalation processes. Traffic Rate monitoring 24x7 Attack Mitigation SupportIn addition to the security benefits, Kona will provide performance improvements gained from thereverse proxy caching functionality and routing optimizations. Furthermore, Akamai’s advancedperformance optimizations can be used in conjunction with Kona’s security features. The advancedoptimizations are able to dynamically adapt content based on a client user’s location, device, andcurrent bandwidth, thus provide ding an optimal user experience for all users regardless of device.NETWORK & INFRASTRUCTURE SECURITY- PROLEXICNot all attacks are going to target the application layer (Ports 80/443). For attacks targeting theinfrastructure, Akamai recommends our Prolexic solution.As part of the Akamai Intelligent Platform, Prolexic provides a cloud-based architecture to protectorganizations from DDoS attacks before they reach the data center. It employs a globally distributedDDoS mitigation infrastructure to inspect network traffic for DDoS attacks and then mitigate thoseattacks, forwarding clean traffic to the data center. By stopping attacks in the cloud, Prolexic can provideseveral benefits over traditional approaches including massive scale, reducing costs, simplifieddeployment and leveraging Akamai’s expertise.Prolexic provides organizations with dynamic protection against a broad range of potential DDoS attacktypes, regardless of complexity and even as they change over the course of an attack. This includes bothnetwork-layer DDoS attacks, such as UDP and SYN floods, as well as application-layer DDoS attacks, suchas HTTP GET and POST floods.September 3, 2015AKAMAI CONFIDENTIALPage 7 of 15
Prolexic Service FlowEach scrubbing center contains the full range of DDoS mitigation technologies and inspects networktraffic passing through it and mitigating any discovered DDoS attacks. Customers route their networktraffic onto the Akamai platform by making a BGP route advertisement change. Once activated, Prolexicwill propagate the route to all scrubbing centers and advertise it to the Internet. This provides thefollowing benefits: All inbound network traffic routes through a scrubbing center where Akamai SOC staff caninspect it for DDoS attack characteristics. Users and attackers automatically route through a high performance scrubbing center,distributing attack load while minimizing additional latency for legitimate users. Outbound network traffic returns to the user through its normal path without routing through ascrubbing center. The service provides a high level of redundancy. If a scrubbing center ever goes offline, networktraffic will automatically route to next closest scrubbing center. After inspecting for DDoS attacks, Prolexic Routed then forwards clean traffic to the destinationdata center. The Akamai platform uses a private backbone to backhaul clean traffic to one oftwo scrubbing centers closest to the destination data center, where it is then forwarded througha Generic Route Encapsulation (GRE) tunnel or a direct connection to the origin data center.Within each scrubbing center, Akamai employs over 20 different security technologies to mitigatedifferent types of DDoS attacks. Akamai SOC staff performs real-time analysis of network traffic duringongoing attacks and apply different mitigation technologies as needed, even as the attack vectorsemployed change over time. Through a cloud-based service delivery model, organizations benefit fromAkamai’s experience in selecting and managing best-of-breed DDoS mitigation technologies for the mosteffective response to any type of DDoS attack.All scrubbing centers employ a dual-path architecture that segments clean and DDoS attack traffic, asshown in figure below. In normal operation, network traffic will pass through the scrubbing center on abypass network path with minimal additional latency. When an attack is detected, Akamai SOC staff willisolate traffic to targeted destination IP addresses and reroute it through a separate mitigation networkpath within every scrubbing center for further analysis and mitigation.September 3, 2015AKAMAI CONFIDENTIALPage 8 of 15
Prolexic Traffic SegmentationSegmenting clean and suspected attack traffic provides two advantages:1. By automatically routing traffic to non-targeted IP addresses through the bypass network path,Prolexic minimizes the performance impact of mitigation activities on clean traffic.2. By applying mitigation only to traffic destined for known targeted IP addresses, Prolexicminimizes the risk of collateral damage that mitigation activities may have on clean traffic andother applications.Prolexic can be implemented as an Always-On or On-Demand solution. When used in an On-Demandconfiguration, customers would simply push out a BGP route advisement to route traffic to the Prolexicscrubbing platform when an attack or suspicious activity is detected.When Prolexic is used in an “On-Demand” posture it is recommended to leverage our Flow BasedMonitoring (FBM) service. This service allows the customer to export sampled netflow from their edge(internet facing) routers directly to Akamai flow collectors. This data is sampled every 60 seconds andcompared to established baselines from the previous 7 days. Volumetric anomalies trigger alerts thatwhen reaching critical levels; trigger the Akamai SOC to engage with the customer via their
The Akamai Intelligent Platform has been FedRAMP accredited with a Joint Authorization Board (JAB) Provisional Authority to Operate (P-JAB-ATO) that meets the FedRAMP requirements as a Public Cloud Service Model and an Infrastructure as a Service (IaaS) Model. A FedRAMP P-JA ATO
