Fastly Next-Gen WAF security measures

Fastly's security measures for the Fastly Next-Gen WAF (powered by Signal Sciences) (Next-Gen WAF) include safeguards that help protect your data as it moves through the Next-Gen WAF. It has three deployment options: Edge, Core, and Cloud WAF. The security measures described on this guide apply to the entirety of the Core and Cloud WAF deployments. For Edge deployments, the security aspects and associated data handling are covered by the terms on this page. The hosted components of Edge deployments are hosted within Fastly's Compute at Edge environment and are subject to our security measures.

Authentication and authorization

• Our systems and devices enforce user roles or similar measures to control the extent of access we grant individual users.
• We control access to privileged systems using Zero Trust access policies that use client certificates and two-factor authentication.
• Our authentication requirements, such as passwords, are in line with industry standard practices.

Business continuity and operational resilience

• We monitor production operation systems and supporting systems to detect service-related and non-compliance issues on a continuous basis. The systems are monitored 24x7 to ensure constant availability to clients.
• If an update has potential impact to customer uptime, we will determine a timeline for the update and communicate the impact to customers via https://www.fastlystatus.com.
• We maintain our services in multiple Availability Zones (AZs) to operate production applications and databases that are more highly available, fault-tolerant, and scalable than would be possible from a single data center.
• We update impacted customers using various communication methods (such as https://www.fastlystatus.com), depending on an incident's scope and severity.

Cloud infrastructure data center and physical security

We rely on data center space under the control of Amazon Web Services (AWS) and their physical security controls. As part of our third-party security review process, we confirm that these providers maintain appropriate physical security measures to protect their data center facilities.

Customer and end user data management

• We do not store sensitive customer data processed by Core deployments in the cloud. Customers process this data in local environments under their control with no remote access by our employees.
• We store and retain customer data that is sent to us and that is processed via the security components of Next-Gen WAF for up to 30 days.
• The Next-Gen WAF analyzes requests. We retain and use data about the operation and reliability of our processing of requests to monitor, maintain, and improve our services, our business operations, and our security and compliance programs. Subject to confidentiality obligations to our customers, we only disclose this data in anonymized and aggregated form.

Encryption

We use industry-accepted encryption technologies to encrypt sensitive information. All client data is encrypted in transit using TLS.

Governance

• We have formally assigned information security duties to our personnel. Our Chief Security Officer and Security organization work with other departments to safeguard sensitive information related to our services.
• Our policies and procedures help us maintain security in our systems, processes, and employee practices. Our Security organization formally reviews these policies and procedures at least annually.
• We integrate risk assessment activities with various processes to identify and address information security risk to the company and customer data on our network.
• We perform risk-based evaluations of the security measures of our vendors. We review these security measures before we begin using a vendor, and we ask the vendor to formally acknowledge these measures. We re-evaluate vendor security measures on a recurring basis thereafter.

Human resources security

• Our employees formally agree to safeguard the sensitive information they may view, process, or transmit as part of their job functions.
• We train our people to protect the data and devices they use. Each employee receives security awareness training as part of new hire procedures, and current employees take this training annually.
• We screen new employees as part of the hiring process. Screening activities depend on applicable local regulations and may include criminal background checks and reference checks.

Identity and access management

• We periodically inspect access privileges to make sure our personnel have appropriate access to our systems and data.
• We promptly update or remove an employee's access to our network to match that employee's current job function or employment status.

Logging and monitoring

• We configure thresholds within our monitoring tool to alert when a security policy has been violated. Threshold policies are reviewed on an annual basis for accuracy and appropriateness.
• We restrict, log, and monitor information security management systems activity with anomaly alerting. We aggregate and securely store the activity in a centralized internal log server.

Network and infrastructure security

• We review and validate information systems and network device configurations against established security policies and procedures.
• We regularly perform vulnerability scans and third-party penetration tests on our network. We review and address findings from these activities to help maintain the security of our network.
• To maintain awareness of potential security vulnerabilities, we monitor public and private distribution lists, as well as reports submitted through our responsible disclosure process. We validate and implement security patches for critical vulnerabilities within 24 hours of discovery. For non-critical vulnerabilities and updates, we schedule and deploy vendor-provided patches on a regular basis.
• To protect from known vulnerabilities, we maintain assets at the latest version and patch levels currently supported by vendors. Priority of patch deployment is based on vulnerabilities and risks it poses to the environment.

Security incident management

• We maintain a formal incident response plan with established roles and responsibilities, communication protocols, and response procedures. We review and update this plan periodically to adapt it to evolving threats and risks to our services.
• We will notify affected customers within 48 hours of validating an unauthorized disclosure of customer confidential information.