Akamai Technologies Ltd

Akamai Enterprise Application Access

Enterprise Application Access (EAA) is a new approach to remote access. It provides a unique, secure, and more convenient alternative to traditional remote-access technologies such as VPNs, RDP, and proxies. EAA ensures no one can get to applications directly because applications are hidden from the Internet and public exposure.


  • Keep users off the corporate-network with unique cloud proxy architecture
  • Centralise security & access control across on-prem, IaaS-SaaS apps
  • Native multi-factor auth for enterprise apps
  • Local server load balancing
  • Single sign-on for all enterprise apps across on-prem, IaaS-SaaS
  • Complete auditing of user activity
  • Dynamic Acceleration


  • Make your infrastructure invisible on the Internet.
  • Reduce attack surface with no lateral movement on the network
  • Lock down firewall or security groups to all inbound traffic
  • Control access rights for users to specific apps
  • Authenticate users using MFA across email, SMS, TOTP or Duo
  • Increase app availability by balancing traffic across internal infrastructure
  • Leverage SSO to seamlessly access on-prem, IaaS and SaaS applications.
  • Log users’ client information, geolocation and actions taken.
  • Improve app performance through protocol optimizations.
  • Reduce capex and opex by leveraging simple cloud service.


£2 per user per month

  • Education pricing available
  • Free trial available

Service documents

G-Cloud 10


Akamai Technologies Ltd

Mike Havelock

07711 424216


Service scope

Service scope
Software add-on or extension No
Cloud deployment model Hybrid cloud
Service constraints No
System requirements A virtual machine in the DC or cloud environment

User support

User support
Email or online ticketing support Email or online ticketing
Support response times We operate various SLAs depending on the chosen support plan and severity of the issue. - https://www.akamai.com/us/en/services-support/
User can manage status and priority of support tickets Yes
Online ticketing support accessibility WCAG 2.0 AA or EN 301 549
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support Yes, at extra cost
Support levels Standard Support is included with all Services at no cost. Named Enhanced Support includes all of Standard Support plus an aligned technical support engineer for proactive support, faster response SLA's, live support 24/7, unlimited support request, two training courses. Technical Advisory Support services are a designated technical account manager available during business hours. It provides pre- and post-sales technical consultation, assistance with strategic initiatives through ongoing engagement, scheduled periodic status meetings, conducting periodic Engagement Reviews, sharing of industry and technology best practices with customers.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started We provide fully managed integration of the service which includes a knowledge transfer of the basics. We also offer full portal administration training and have formal training courses that customers can attend. We also provide custom onsite training for customers if required. Self service training is also available via the management portal. We also provide a community where customers can ask questions and provide tips and tricks.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction By request, all configuration settings can be exported in XML format.
End-of-contract process Customer access to the service via the portal is stopped and the service ceases to perform. There are no costs associated with contract ending, unless the customer chooses to renew. EAA is also integrated with Splunk and can work with other SEIMs

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service None
Accessibility standards None or don’t know
Description of accessibility Through an HTML5 compatible browser.
Accessibility testing NA
What users can and can't do using the API Every configuration and report can be done through an open API
API documentation Yes
API documentation formats
  • HTML
  • PDF
API sandbox or test environment No
Customisation available Yes
Description of customisation Administrators can customize which locations they can use, which security constraints they want to set, and which policies they want the users to abide by. In addition customers can tailor the look and feel of the services landing page and application dashboards to reflect their corporate identity.


Independence of resources We operate over 250,000 servers globally - all of which act as part of our platform. Our DNS platform always directs requests to servers that are available and not under high load. Due to the wide scale of the platform, there is significant overcapacity to allow for peak usage.


Service usage metrics Yes
Metrics types Category, Location, Domains, Resolved IP, Autonymous System Name, Lists, Policies, Actions, Detected By, Confidence, Machine Name
Reporting types
  • API access
  • Real-time dashboards
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Developed Vetting (DV)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations EU-US Privacy Shield agreement locations
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least every 6 months
Penetration testing approach Another external penetration testing organisation
Protecting data at rest Other
Other data at rest protection approach Akamai acts as a conduit between customers infrastructure and end-users and doesn’t store data that customers haven't selected to be cached. Data selected by the customer is cached to be shared between end-users that ask for the same information. As such, it is not considered as “secret"" and is not encrypted at rest.

Akamai's corporate and production networks are fully separated, Akamai employees don't have access to cached customer data. To access the production environment, Akamai employees must receive a grant from our proprietary access-control system. Grants are time-limited and all requests are reviewed quarterly for consistency and accuracy.
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach SIEM, Reports, CSV, Syslog
Data export formats
  • CSV
  • Other
Other data export formats
  • Reports
  • SIEM
  • Syslog
Data import formats CSV

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Availability and resilience
Guaranteed availability 99.9% availability
Approach to resilience We operate over 250,000 servers globally in 3,750 locations within 134 countries - all of which act as part of our platform. Our DNS platform always directs requests to servers that are available and not under high load. Due to the wide scale of the platform, there is significant overcapacity to allow for peak usage.
Outage reporting Akamai will send notifications via the Luna Portal, Akamai Community, email and/or any other pre-established channels of communication for Service Outages that affect G10.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels Administrative access to the Luna platform will restrict access to management portal
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for Between 1 month and 6 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for Between 1 month and 6 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification Yes
Who accredited the PCI DSS certification Cisco Systems Inc
PCI DSS accreditation date 28/06/2017
What the PCI DSS doesn’t cover Customers are instructed that only products running on the Secure Content Delivery Network, and Enterprise Application Access are in-scope for PCI and that no other systems are intended or should be used for the transmission, processing, or storage of cardholder data. Nevertheless, Akamai's products and services running on the Secure Content Delivery Network, and Enterprise Application Access may be configured to be used by customers in their cardholder data environment, and may be included in the scope of customers' PCI assessments.
Other security certifications Yes
Any other security certifications
  • FedRAMP
  • Service Organisation Control 2 Type II
  • ISO27002

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards Other
Other security governance standards PCI DSS
SOC 2 Type II
Information security policies and processes The Akamai information security program has established procedures in security testing, software security and deployment of policy and guidance, metrics reporting, change control, incident management, physical security and event monitoring and other activities. Through cooperative efforts within Akamai, security practices are maintained via effective access control mechanisms, thorough network and software architecture design review, strict access controls, pervasive use of authentication and encryption protocols, and employee and contractor background investigations. Formal, scheduled, pro-active reviews of information security practices are conducted through internal assessments and evaluations conducted by Information Security, Engineering, Development, Operations and Executive Leadership. In addition, information security oversight and evaluation is conducted through internal and external audits as well as and post-event analysis. Operational security practices are established and appear pervasive throughout all entities managing the production network.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach The change management process for software changes is chaired by the Director of Operations and the Release Manager. The process reviews all changes and potential customer impact. Any releases are signed off on by appropriate parties, which always include the SVP of Engineering and SVP of Delivery.

To minimize the risk of the corruption of information systems and the accidental removal of security controls a formal change control procedure must be followed when making changes to any production system.

Changes in the CDN are implemented in phases, to observe impact and prevent interruptions.
Vulnerability management type Supplier-defined controls
Vulnerability management approach The vulnerability management process is set forth to ensure timely deployment of security patches and remediation of vulnerabilities to maintain confidentiality, integrity, and availability of Akamai systems and applications. The lifecycle of the vulnerability management includes tasks such as: investigate new vulnerabilities, remediate vulnerabilities, and close out the records when applicable. If the vulnerability is impacting to Akamai, the Information Security team is responsible for shepherding the vulnerability through all of the stages, ending in the closure stage. Please see this post for more information:
Protective monitoring type Supplier-defined controls
Protective monitoring approach New vulnerabilities are identified and tracked. Vulnerabilities are identified by: Receiving vendor and security researcher vulnerability announcements, Monitoring vendor reporting distribution lists and reporting forums, monitoring public reporting forums (CERT, Bugtraq, SANS, etc) These Subscriptions help identify vulnerabilities that might impact Akamai information systems and networks. Additionally, the Information Security teams analyse Akamai's software and architecture to identify potential vulnerabilities. Once a specific vulnerability is identified, it is assigned to an Information Security and a subject matter expert to remedy. Vulnerabilities that do not impact Akamai are marked as such and closed.
Incident management type Supplier-defined controls
Incident management approach Akamai operates a documented Technical Crisis and Incident Management Process, this document can be shared with customers. Akamai has designed its technical systems and human operations with many safety controls and sensors to help prevent and detect issues in our environment as they arise. If a customer-identified issue cannot be solved by Akamai Support then an incident is declared. For all severity levels, we have an Incident Manager role identified to evaluate the severity of a situation and coordinate with others working on the problem. A Service Incident Report is produced identifying failures and highlighting changes to prevent reoccurrence.

Secure development

Secure development
Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Public sector networks
Connection to public sector networks No


Price £2 per user per month
Discount for educational organisations Yes
Free trial available Yes
Description of free trial The full version of the software for a period of 60days

Service documents

pdf document: Pricing document pdf document: Service definition document pdf document: Terms and conditions
Service documents
Return to top ↑