Last updated 2021-12-14
Fastly operates a comprehensive information security program that includes administrative, physical, and technical safeguards to protect its infrastructure, data, services, and customers.
Fastly's security program is based on the NIST Cybersecurity Framework and consists of annually reviewed security policies, designated roles and responsibilities for its experienced professionals, and formal, risk-focused procedures.
Fastly institutes information security policies that are published internally and reviewed annually. The policies contain principles and point to standards that cover controls and procedures designed to protect Fastly and Fastly’s customers.
Fastly designates roles and responsibilities for the security of its services. Fastly assigns a Chief Information Security Officer to oversee its security program and retains best-in-class professionals in the field to apply it.
Fastly maintains formal procedures for the identification, assessment, and treatment of information security and availability risks, threats, and vulnerabilities to its services. The procedures include an annual risk assessment, risk analysis and treatment plan, and a risk register.
- Annual risk assessment: Fastly conducts an annual risk assessment to measure the state of security risk across the company. The results of this assessment are shared with the senior leadership team to ensure appropriate visibility and treatment.
- Risk analysis and treatment plan: Each identified enterprise security risk is evaluated and ultimately managed to acceptable levels by implementing associated controls and mitigation plans commensurate with the risk.
- Risk register: Fastly maintains documentation of identified risks, threats, and vulnerabilities related to its services. Assigned personnel help assess and remediate identified items, in line with the related risk and vulnerability management procedures.
Fastly understands that to adequately protect its services, customers, and customer data, multiple safeguards must be applied to all layers of Fastly’s business and technology practices. Fastly’s process, technology, and physical security controls are designed specifically to provide a defense-in-depth approach and can be categorized as follows:
Fastly manages access to its production systems using the following:
- Authentication: Employees are required to use unique user accounts and multi-factor authentication for remote access to production systems.
- Authorization: Employee access to production systems is restricted based on appropriate roles.
- Audit: Logs of access attempts (both success and failure) to production systems are kept and monitored.
- Access grants and revocations: Employee access to production systems is granted based on the principle of least privilege and manager approval. That access is reviewed at least quarterly and is removed when no longer needed or upon employee separation. Access roles are enforced by Fastly systems and devices.
Fastly manages data security using the following:
- Customer credentials management: Fastly secures customer-provided private keys and credentials throughout their lifecycle and stores private keys and API tokens in encrypted repositories. Customer-provided private keys are encrypted at rest and are re-encrypted at a regular interval. The key encryption keys are stored in a secrets management system; private keys are decrypted in memory at the edge when requested and removed from memory after a short period of time. Customer passwords are salted and hashed at rest and are encrypted in transit. Access to private keys is restricted to only those individuals whose role requires it.
- Authorized access to customer data: Fastly may directly access or modify customer accounts or configurations as necessary to provide the services, prevent or address service or technical issues, as required by law, or as customers expressly permit. For the same reasons, Fastly may also access or modify equipment, systems, or services that manage customer data.
- Privacy and protection-by-design approach: Fastly maintains a "privacy and protection-by-design" approach that is manifested in a data governance program and documented separately in the data management documentation online.
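The credential-handling pattern described above (a per-key data encryption key wrapped by a key encryption key held in a secrets manager, scheduled re-wrapping, decryption in memory only for the duration of use, and salted, iterated password hashing) is illustrated below as an added example. It is not Fastly's code and says nothing about how Fastly's systems are actually built; the `SecretsManager` class, the record layout, the customer identifiers and the toy HMAC-based authenticated cipher standing in for AES-GCM are all assumptions made so the example runs on the Python standard library alone.

```python
"""Envelope encryption of a customer private key under a rotating KEK,
short-lived decryption in memory, and salted password hashing.
Constructed illustration of the pattern, not Fastly's code. The stream
cipher is a toy (HMAC-SHA256 keystream and tag) standing in for AES-GCM."""
import hashlib
import hmac
import os
import secrets

NONCE_LEN, TAG_LEN, PBKDF2_ROUNDS = 16, 32, 600_000  # 600k: OWASP PBKDF2-SHA256 guidance


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from one 32-byte key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Encrypt-then-MAC. aad binds the blob to its owner so records can't be swapped."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + aad + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes, aad: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + aad + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key, wrong owner, or tampered blob")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class SecretsManager:
    """Stand-in (assumption) for a secrets management system holding KEKs by id.
    Retired KEKs stay readable until every record has been re-wrapped."""

    def __init__(self):
        self._keks = {}
        self.current_id = None

    def rotate(self) -> str:
        self.current_id = f"kek-{len(self._keks) + 1}"
        self._keks[self.current_id] = secrets.token_bytes(32)
        return self.current_id

    def get(self, kek_id: str) -> bytes:
        return self._keks[kek_id]


def store_private_key(sm: SecretsManager, customer_id: str, pem: bytes) -> dict:
    """Each private key gets its own DEK; only the wrapped DEK ever touches the KEK."""
    dek, aad = secrets.token_bytes(32), customer_id.encode()
    return {"kek_id": sm.current_id,
            "wrapped_dek": seal(sm.get(sm.current_id), dek, aad),
            "ciphertext": seal(dek, pem, aad)}


def rewrap(sm: SecretsManager, customer_id: str, record: dict) -> dict:
    """Scheduled re-encryption: move the record to the current KEK. The private key
    ciphertext is left untouched and the key material is never decrypted here."""
    if record["kek_id"] == sm.current_id:
        return record
    aad = customer_id.encode()
    dek = unseal(sm.get(record["kek_id"]), record["wrapped_dek"], aad)
    return {**record, "kek_id": sm.current_id,
            "wrapped_dek": seal(sm.get(sm.current_id), dek, aad)}


def with_private_key(sm: SecretsManager, customer_id: str, record: dict, fn):
    """Decrypt at the edge only for the duration of fn(), then zero the buffer.
    Python cannot guarantee no other copies exist; the wipe is best effort."""
    aad = customer_id.encode()
    dek = unseal(sm.get(record["kek_id"]), record["wrapped_dek"], aad)
    key = bytearray(unseal(dek, record["ciphertext"], aad))
    try:
        return fn(key)
    finally:
        key[:] = b"\x00" * len(key)


def hash_password(password: str) -> bytes:
    """Salted, iterated hash at rest; the random salt is stored with the digest."""
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)
```

Two points worth noticing: `rewrap` rotates a record to a new KEK without ever decrypting the private key itself, which is what makes periodic re-encryption cheap enough to run on a schedule across many keys; and because the customer identifier is bound into every blob as associated data, a record copied under another customer's identifier fails authentication rather than decrypting.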
Fastly manages application security using the following:
- Secure development practices: Fastly engineers are trained annually on secure coding concepts, including the OWASP Top 10 and CWE Top 25. Code is peer-reviewed and run through automated testing before deployment to production systems. After review and testing, code is initially deployed to a limited number of locations in the Fastly network for further monitoring. If no problems are encountered, code is gradually deployed across the Fastly network.
- Application security analysis: Fastly security engineers and third-party validators conduct periodic analysis and regular penetration testing of Fastly-written code.
- Automated code analysis: Fastly deploys technology that automatically identifies and reports vulnerable dependencies.
Fastly manages system and network security using the following:
- Asset management: Fastly maintains an inventory of its hardware and services deployed within the Fastly network.
- Configuration standards: Fastly maintains secure configuration standards, including restricted ports, protocols, and services, and removal of insecure default settings.
- Patch management: Fastly patches its production systems on a regular basis and applies out-of-band patches for newly identified risks.
- Endpoint management: Fastly manages its production systems by verifying appropriate security settings are in place, including logging and monitoring, host-based firewalls, and session management.
- Audit and monitoring: Fastly logs relevant security-related events, including authentication successes or failures to production systems and the use of certain commands. Fastly investigates events triggered by anomalous activity or suspicious behavior.
- Documentation: Fastly maintains accurate network diagrams and internal documentation of its systems and services.
- Access Control List (ACL) review: On at least a semi-annual basis, Fastly conducts a production system ACL review of its endpoint firewall and router rulesets.
- Intrusion Detection: Fastly maintains mechanisms designed to detect potential intrusions at the network and host level. Fastly inspects and responds to detected events, as necessary, to address threats.
Fastly production systems reside in a combination of Fastly-managed data centers and cloud infrastructure environments. Regardless of the physical location of the infrastructure or its operator, Fastly evaluates and applies the same minimum, mandatory physical security controls.
- Physical access management: Fastly uses providers that maintain industry standard physical and environmental protections, including perimeter protection, security guard assignment, access logging and review, and video surveillance.
- Physical access to production systems: Physical access is granted only to approved personnel. Requests for access are evaluated by authorized personnel and based on proof of proper credentials, appropriate and documented use-case, and limited to areas specified in their permissions.
- Environmental security safeguards: Providers protect their systems with controls including power redundancy, fire suppression, and other environmental controls.
- Secure hardware destruction: Providers use industry standard secure destruction of all production hardware prior to disposal.
Fastly manages human security using the following:
- Employee background screening: Fastly conducts background screenings on each of its employees upon hire, with recurring criminal conviction checks periodically thereafter, and maintains a policy requiring employees to report any criminal convictions during the course of employment, each as permitted by applicable local regulations.
- Confidentiality agreements: To safeguard sensitive information that employees may view, process, or transmit as part of their job functions, all employees enter into confidentiality agreements with Fastly.
- Awareness training: All employees receive security training upon hire and annually thereafter, designed to help protect Fastly and its customers. Mandatory annual training includes security awareness, covering the application of best security practices in day-to-day work, and privacy training, so that each employee understands how to identify sensitive information and comply with regulations.
To ensure that the controls described above are consistently applied and effective in their intended use, Fastly continuously monitors and improves its security measures. Fastly institutes strict processes and testing procedures as follows.
Fastly follows a defined set of procedures to develop and deploy technology changes. These changes include updates to software, configurations, and devices that support Fastly’s services.
- Testing: Fastly tests changes at various stages of development and confirms the changes operate as expected in a non-production environment before completing a deployment into its services.
- Change approval and notification: Fastly prepares, approves, and communicates change notices to maintain awareness among employees who manage the Fastly network and systems. Fastly maintains rollback procedures to address deployment issues if they arise.
- Post-implementation review: Fastly confirms the success of changes after deployment.
- Change monitoring: Fastly uses multiple monitoring and alert mechanisms to enhance the visibility of technical changes and help ensure adherence to change management processes.
Fastly monitors for vulnerabilities in its production systems using the following measures:
- Internal and external vulnerability scanning: On a regular basis, Fastly automatically analyzes its production systems for vulnerabilities.
- Vulnerability mitigation: Fastly assesses the risk of identified or reported vulnerabilities, and mitigates vulnerabilities in a timely manner. Mitigations for vulnerabilities deemed highest severity are implemented within twenty-four (24) hours of validation.
- Distribution lists and vendor notification: Fastly monitors publicly disclosed and vendor confidential distribution lists and notifications from software vendors for vulnerabilities.
On a semi-annual basis, Fastly engages a third-party to conduct a penetration test of Fastly production systems. Identified issues are prioritized and handled in order based upon the severity of the evaluated risk they pose.
Fastly maintains recurring audits and assessments that confirm its security program meets various industry standards and regulatory requirements.
Fastly uses third-party vendors and service providers to support its services. Fastly evaluates its vendors for security controls and risk to Fastly and its services prior to using vendor services, and regularly thereafter based on vendor risk.
Fastly aims to provide a consistently reliable and secure platform. With this in mind, Fastly continuously monitors for threats and system disruptions so that incidents are detected, responded to, and recovered from in a timely manner.
Fastly maintains a formal incident response plan to address security-related incidents. The plan contains established roles and responsibilities, communication protocols, and response procedures. Fastly reviews and updates the plan periodically to adapt it to evolving threats and risks to its services. Representatives from key departments are assigned to address security-related incidents. These personnel coordinate the full lifecycle of an incident, from detection through response and recovery, including communication with external contacts as needed.
Fastly notifies affected customers within forty-eight (48) hours of validating any unauthorized disclosure of customer data. Following any security-related incident, Fastly investigates and takes corrective action in a timely manner according to the incident management plan and provides affected customers with periodic updates.
Fastly manages business continuity using the following:
- Service failover: Fastly production systems are designed for service failover. Production systems are deployed on infrastructure in multiple regions or zones to provide redundancy in the event of degraded performance or operational issues with a provider. If a service fails within a single region or zone, Fastly automatically attempts to use infrastructure in another region or with another infrastructure provider.
- Internet redundancy: Fastly data centers and cloud infrastructure providers have connections with multiple internet service providers.
- Service monitoring: Fastly monitors reporting channels to detect service-related issues. Personnel are available 24x7x365 to confirm and respond to disruptions of its services.
- Communication and Reporting: Fastly provides service interruption updates to customers using various communication methods (including status.fastly.com), depending on an incident's scope and severity.
- Business continuity plan and testing: Fastly has a business continuity plan for its production systems that is reviewed, approved, and updated annually. Fastly tests its business continuity plan on an annual basis.
- Data backups: Fastly conducts regular backups of data, excluding cached customer data, to support the recovery and availability of its services. Data backups are tested on a quarterly basis to validate backup recovery procedures.