Shared Responsibility Model

This document describes the division of responsibilities between the customers and Akamai. It specifies tasks that both customers and Akamai have with respect to the configuration, operation and management of App & API Protector Hybrid, sensitive data protection, scalability, and communication with third-party vendors.

1. Management of secrets

1.1. Akamai’s responsibilities

Akamai is responsible for preparing and enforcing procedures for rotating the certificates that secure communication between its internal services and App & API Protector Hybrid.

1.2. Customers’ responsibilities

Customers must ensure that their environments are secure, which includes implementing relevant access controls on running processes and logs.

Customers are also required to rotate tokens in App & API Protector Hybrid connection configurations at least once a year. The recommended practice is to rotate tokens at least twice a year.

If customers discover that a token has been compromised (for example, it has been shared with or accessed by unauthorized third parties), they must immediately generate a new token, register it on their infrastructure, and revoke the old token.

Tokens are used to authenticate and authorize Protector instances. Customers are responsible for safeguarding their tokens against any misuse.

2. Configuration

2.1. Akamai’s responsibilities

Akamai is responsible for providing minimum system requirements that ensure smooth and SLA-compliant operation, and for updating those requirements with each new software version.

2.2. Customers’ responsibilities

Customers are responsible for configuring their environments and providing the resources required for App & API Protector Hybrid to run according to specifications. This includes configuring infrastructure components, such as traffic routing, certificates, and related services required for secure and reliable access. They must also monitor their environment to prevent or manage any performance problems. Detailed configuration guidance is provided in the App & API Protector Hybrid deployment guide.

It is also the customers’ responsibility to make sure that their infrastructure setup allows Protector (an integral part of App & API Protector Hybrid installed on the customer’s infrastructure) to communicate with Akamai services, which is required for updates, data collection, and monitoring.

To leverage all features of App & API Protector Hybrid, customers are required to propagate the X-Forwarded-For (XFF) header in their routing configuration. The XFF header identifies the IP address of users connecting to a web server through a proxy. Without it, App & API Protector Hybrid’s options for traffic protection and inspection may be limited. Customers should configure their on-premises proxy to add the XFF header to all incoming traffic so that Protector can check the XFF header value in individual requests. Note that although App & API Protector Hybrid checks the XFF header by default, the header used for client IP forwarding can be changed in the Security Configuration to match the header applied by the customer’s on-premises proxy.
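To illustrate the header propagation described above, here is an added example (not Akamai’s code, and not Protector’s actual parsing logic) that simulates the on-premises proxy appending the connecting address to the configured client-IP header and a downstream inspector recovering the client IP by trusting only known proxy addresses. The header name, proxy addresses, and sample request are constructed assumptions.

```python
from typing import Dict, Optional, Set
import ipaddress

# Constructed sample values (assumptions, not from the Akamai documentation).
TRUSTED_PROXIES: Set[str] = {"10.0.0.2", "10.0.0.3"}  # the customer's on-prem proxies
CLIENT_IP_HEADER = "X-Forwarded-For"                   # default; must match the Security Configuration

def proxy_forward(headers: Dict[str, str], peer_ip: str,
                  header: str = CLIENT_IP_HEADER) -> Dict[str, str]:
    """What each on-prem proxy must do: append the IP of the peer that
    connected to it to the client-IP header, creating the header if absent."""
    out = dict(headers)
    existing = out.get(header, "").strip()
    out[header] = f"{existing}, {peer_ip}" if existing else peer_ip
    return out

def client_ip(headers: Dict[str, str], trusted_proxies: Set[str],
              header: str = CLIENT_IP_HEADER) -> Optional[str]:
    """Recover the real client address from the forwarded-IP header.
    Walk the hops from the right (most recently appended first), skipping
    addresses of known proxies; the first untrusted hop is the client.
    Anything left of it was supplied by the client and is not trusted."""
    value = headers.get(header)
    if not value:
        return None                      # header missing: inspection is limited
    hops = [h.strip() for h in value.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ip = str(ipaddress.ip_address(hop))
        except ValueError:
            return None                  # malformed entry: refuse to guess
        if ip not in trusted_proxies:
            return ip
    return None                          # only proxy addresses present

if __name__ == "__main__":
    # Constructed request: the client already sends a spoofed XFF value.
    req = {"Host": "app.example.com", "X-Forwarded-For": "203.0.113.9"}
    req = proxy_forward(req, "198.51.100.7")  # first proxy appends the real peer
    req = proxy_forward(req, "10.0.0.2")      # second proxy appends the first proxy
    print(client_ip(req, TRUSTED_PROXIES))    # 198.51.100.7; the spoofed value is ignored
```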

To ensure operational safety and reliability of Protector, customers are required to provide persistent storage for its instances to retain:

  • Application logs
  • Configuration files inside instances

Failure to provide such storage prevents upscaling or creating new instances.

Customers are not allowed to modify any files stored by Protector instances, or the state of any running Protector processes (for example, by sending signals or killing the process). The sole exception is the graceful shutdown of the Protector process as part of standard instance operation.

3. Software installation and update

3.1. Akamai’s responsibilities

Akamai is responsible for providing a guide describing the installation and update processes of its product on the customer’s infrastructure.

When new backend or application release notes are published, information about the changes will be provided in the documentation and in notifications published in Akamai Control Center, along with a link to the release notes.

Similarly, if a new application version is released on the marketplace, customers will get a notification in Akamai Control Center. All processes running an older version of Protector will be marked on the App & API Protector Hybrid home page, and there will be a notification of the required update.

All update processes will be performed without any interruption of service, protections, or customers’ business logic.

Akamai is required to notify its customers about critical updates related to vulnerability fixes. This includes providing instructions on how to apply the fix, along with details on the potential consequences if the fix is not implemented.

3.2. Customers’ responsibilities

Customers are responsible for installing the software on their infrastructure and handling any installation updates. They are also responsible for configuring and maintaining the supporting environment, including traffic routing, certificate provisioning and rotation, and related services required for App & API Protector Hybrid to function properly.

Akamai is not responsible for the customers’ ecosystem design, hands-on installation, uninstallation, updates, or administration of App & API Protector Hybrid within the customers’ infrastructure.

Akamai will not liaise with third-party vendors providing other ecosystem services to customers. Akamai representatives will only meet with such vendors in customers’ presence (which can be virtual).

Customers must also keep track of Akamai notifications on newly available software versions. All software updates should be scheduled in the next maintenance window on the customer’s environment. Failure to update to one of the supported releases may result in degraded performance or unsupported features. Note that Akamai’s software support policy applies to the latest three releases of the software. This means that support is available for users on the current version of the software and the two previous versions. After a new version is released, support for any version earlier than the latest three releases will be discontinued. If necessary, customers can also downgrade their installation to one of the supported versions.

In critical scenarios where vulnerabilities are detected and a new software version containing a fix is available, customers must cooperate with the Akamai team and update their environment as soon as possible.

Customers shouldn’t apply the same App & API Protector Hybrid connection configuration to multiple environments, because doing so may cause compatibility issues between different versions and configurations. To protect multiple environments, customers should create a separate connection configuration for each cloud-based deployment and register a separate token for each one.

4. Monitoring and notifications

4.1. Akamai’s responsibilities

Akamai is required to monitor Protector installed on the customers’ infrastructure and notify them about any critical events and statuses.

In particular, Akamai will monitor aspects such as:

  • Metrics and performance of Akamai’s internal services
  • Active configurations and metrics on their performance and protections
  • Possible malfunctions and security breaches in Protector instances
  • Customers’ actions, such as activations, the creation of new configurations, or any failures to create and activate configurations

Akamai is responsible for providing information about stored metrics and monitored traffic coming from the customers’ application. Akamai will provide such reports via:

  • Akamai Control Center notifications
  • Audit logs
  • Security Center trends
  • Web Security Analytics (WSA)
  • Log files created by Protector instances on the customer’s infrastructure, with documentation of their locations, format, and contents

4.2. Customers’ responsibilities

Customers are required to monitor the system behavior using dedicated views in Akamai Control Center:

  • App & API Protector Hybrid home page
  • Security Center
  • Web Security Analytics

Customers are responsible for configuring their internal SIEM system to ingest the logs stored by each Protector instance running in their environment.

Customers may use provided information to create notifications and monitor the system behavior.

Should Akamai Global Services or the software engineering teams need to debug or resolve any installation issues, customers are required to provide information such as configuration details or specific logs stored on their infrastructure. Akamai has no backdoor access to, and does not fetch data from, a running environment, so without this information Akamai Global Services or the software engineering team will not be able to debug issues and support customers.

5. Scalability

5.1. Akamai’s responsibilities

All backend applications supporting the operation of App & API Protector Hybrid will be scaled and have resources for handling customer traffic. Configurations will be provided for each running instance of the application.

Akamai Global Services and engineering teams will use the metrics provided by each Protector instance to analyze performance issues on customers’ environments and provide feedback or recommendations for configuration updates.

5.2. Customers’ responsibilities

Akamai is not responsible for scaling customers’ cloud components. Customers are required to create a scaling plan according to expected traffic, which includes:

  • load balancing,
  • creating required number of instances,
  • providing needed resources, such as CPU and memory.

Customers are also advised to monitor and create notifications on their cloud components’ performance and to adjust their configuration based on that information.

6. Personally Identifiable Information (PII)

6.1. Akamai’s responsibilities

App & API Protector Hybrid only collects data necessary to inform customers on their system behavior and applied protections.

To provide data samples to Web Security Analytics, Akamai will store the same data sets as for the Edge WAF:

  • Triggered rules
  • Rule score
  • Selectors (request data which was considered as an attack)
  • Headers
  • Cookies
  • Client IPs (if available and provided in the XFF header or other configured client IP headers)
  • Customer configurations (account ID, contract ID, configuration ID, App & API Protector Hybrid and connection ID)
  • Protected origin information, such as hostnames, paths of requests
  • Protection time

Such data may be stored if customers don’t want to have it inspected in the request/response body; this option is configurable in the dedicated App & API Protector Hybrid security configuration under Advanced Settings.

Collected data includes standard HTTP request information, such as IP, method, query parameters, cookies, and so on.

6.2. Customers’ responsibilities

Customers must ensure that their cloud environments are secure, which includes implementing relevant access controls to application logs. They are also required to ensure that no data is leaked from their environment.

Customers are not allowed to connect debugging tools to running App & API Protector Hybrid processes. Any attempt to do so will be detected and reported to Akamai in order to prevent security breaches or leaking Akamai’s IP address.

7. Billing

7.1. Akamai’s responsibilities

All billing procedures and processes associated with App & API Protector Hybrid will be SOX-compliant. Data needed for billing will be signed and counted to prevent corruption or any missing information.

Akamai will collect data and provide both reports and invoices for customers’ review via standard reporting and invoicing systems that are already in use for other products.

7.2. Customers’ responsibilities

Customers are required to enable connectivity between Protector instances running on their infrastructure and Akamai’s internal systems for billing purposes.

Akamai’s installation guide will contain detailed information on how to configure outbound connections (for example, allowed domains, ports, HTTP methods, and so on).

If such connectivity is blocked and not reestablished within 24 hours, App & API Protector Hybrid will stop its operation and customers will lose protection of their applications.

In case of any disruptions in the environment or inconsistency of data, customers may provide internal logs of Protector instances to Akamai. Akamai will investigate and audit such information.

8. Customers’ ecosystem

8.1. Akamai’s responsibilities

Akamai may give advice regarding best practices, minimum hardware requirements, and communication needs of App & API Protector Hybrid.

8.2. Customers’ responsibilities

Customers are responsible for administering and maintaining their own infrastructure where App & API Protector Hybrid will operate (cloud, physical infrastructure, IaaS, PaaS), herein referred to as the “ecosystem”.

Customers must maintain their ecosystem in a way that allows connectivity between Protector instances running on their infrastructure and Akamai’s internal systems. This is required to ensure security event fidelity, policy deployment capability, and the health/heartbeat function.

Customers are responsible for coordinating any non-Akamai ecosystem vendors (cloud, software, or hardware providers) if any ecosystem issues arise. If Akamai identifies any issue root causes that are beyond the scope of App & API Protector Hybrid (for example, underlying communication, hardware, or unknown problems), customers are required to coordinate with third parties to resolve such issues. Akamai shall not act as a liaison between customers and third-party vendors with respect to the customers’ ecosystems. Akamai will only meet with third-party vendors in customers’ presence.

9. Troubleshooting

9.1. Akamai’s responsibilities

Akamai is responsible for providing interfaces and tools that aid in troubleshooting, such as traceroute tests, diagnostic output, health check data (both locally and in Akamai Control Center), software and policy versioning, crash dump, and local logging.

9.2. Customers’ responsibilities

Customers are responsible for gathering and submitting any locally-obtained crash dump files or diagnostic information to Akamai every time they report an issue.

They must also share necessary information (such as logs, queries, and date/time information) on non-flagged security events if any false negatives are suspected. Akamai does not maintain, transport, or store logs for traffic deemed benign by App & API Protector Hybrid.

For any communication failures, customers are required to investigate internal routing, firewall, or any blockages in their ecosystem which may prevent Protector’s communication with Akamai, and vice-versa.