Akamas takes security seriously and provides enterprise-grade software where customer data is kept safe at all times. This page describes some of the most important security aspects of Akamas software and information related to process and tools used by the Akamas company (Akamas S.p.A) to develop its software products.
Akamas manages the following types of information:
- System configuration and performance metrics: technical data related to the systems being optimized. Examples of such data include the number of CPUs available in a virtual machine or the memory usage of a Java application server;
- User accounts: accounts assigned to users to securely access the Akamas platform. For each user account, Akamas currently requires an account name and a password. Akamas does not collect any other personal identifying information;
- Service Credentials: credentials used by Akamas to automate manual tasks and to integrate with external tools. In particular, Akamas leverages the following types of interaction:
- Integration with monitoring and orchestration tools, e.g. to collect IT performance metrics and system configuration. As a best practice, Akamas recommends using dedicated service accounts with minimal read-only privileges.
- Integration with the target systems to apply changes to configuration parameters. As a best practice, Akamas recommends using dedicated service accounts with minimal privileges to read/write identified parameters.
Akamas is a fully GDPR compliant product.
Akamas is an on-premises product and does not transmit any data outside the customer network. Considering the kind of data that is managed within Akamas (see section "Which information is managed by Akamas"), specific security certifications like PCI or HIPAA are not required as the platform does not manage payment or health-related information.
Akamas takes the need for security seriously and understands the importance of encrypting data to keep it safe at-rest and in-flight.
All the communications between Akamas UI and CLI and the back-end services are encrypted via HTTPS. The customer can configure Akamas to use customer-provided SSL certificates in all communications.
Communications between Akamas services and other integrated tools within the customer network rely on the security configuration requirements of the integrated tool (e.g. HTTPS calls to interact with REST services).
Akamas is an on-premises product and runs on dedicated virtual machines within the customer environment. At-Rest Encryption can be achieved following customer policies and best practices, for example leveraging operating system-level techniques.
Akamas also provides an application-level encryption layer aimed at extending the scope of at-Rest encryption. With this increased level of security, sensitive data managed by Akamas (e.g. passwords, tokens, or keys required to interact with external systems) are safely stored in Akamas databases using industry-standard AES 256-bit encryption.
In case of Akamas hosted on an AWS machine you may optionally create an EC2 instance with an encrypted EBS volume before installing OS and Akamas, in order to achieve a higher level of security.
Passwords are securely stored using a one-way hash algorithm.
Akamas comes with a default password policy with the following requirements:
- have a minimum length of 12 characters.
- contains at least 1 uppercase and 1 lowercase character.
- contains at least 1 special character.
- is different from the username.
- must be different from the last password set.
Customers can modify this policy by providing a custom one that matches their internal security policies.
Akamas enforces no password rotation mechanism.
- When running on a Linux installation with KDE's KWallet enabled or with GNOME's Keyring enabled, the credentials will be stored in the default wallet/keyring.
- When running on Windows, the credential will be stored in Windows Credential Locker.
- When running on a macOS, the credential will be stored in Keychain.
- When running on a Linux headless installation, the credentials will be stored in CLEAR TEXT in a file in the current Akamas configuration folder.
Akamas provides fine granularity control over resources managed within the platform. In particular, Akamas features two kinds of resources:
- Workspace resources: entities bound to one of the isolated virtual environments (named workspaces) that can only be accessed in reading or writing mode by users to whom the administrators explicitly granted the required privileges. Such resources typically include sensitive data (e.g. passwords, API tokens). Examples of such resources include the system to be optimized, the set of configurations, optimization studies, etc.
- Shared resources: entities that can be installed and updated by administrators and are available to all Akamas users. Such resources only contain technology-related information (e.g. the set of performance metrics for a Java application server). Examples of such resources include Optimization Packs, which are libraries of technology components that Akamas can optimize, such as a Java application server.
Akamas logs traffic from UI and APIs. Application level logs include user access via APIs and UI and any action taken by Akamas on integrated systems.
Akamas logs are retained on the dedicated virtual machine within the customer environment, by default, for 7 days. The retention period can be configured according to customer policies. Logs can be accessed either via UI or via log dump within the retention period. Additionally, logs have a format that can be easily integrated with external systems like log engines and SIEM to support forensic analysis.
Akamas is developed according to security best practices and the code is scanned regularly (at least daily).
The Akamas development process leverages modern continuous integration approaches and the development pipeline includes SonarQube, a leading security scanning product that includes comprehensive support for established security standards including CWE, SANS, and OWASP. Code scanning is automatically triggered in case of a new build, a release, and every night.
Akamas features modern micro-service architecture and is delivered as a set of docker containers whose images are hosted on a private Elastic Container Registry (ECR) repository on the AWS cloud. Akamas leverages the vulnerability scanning capabilities of AWS ECR to identify vulnerabilities within the product container images. AWS ECR uses the Common Vulnerabilities and Exposures (CVEs) database from the open-source Clair project.
If a vulnerability is detected, Akamas will perform a security assessment of the security risk in terms of the impact of the vulnerability, and evaluate the necessary steps (e.g. dependency updates) required to fix the vulnerability within a timeline related to the outcome of the security assessment.
After the assessment, the vulnerability can be fixed either by recommending the upgrade to a new product version or by delivering a patch or a hotfix for the current version.