Akeyless Security

At Akeyless, our top concern is protecting our customers' most sensitive information: their secrets, that is, credentials, certificates and encryption keys.

Compliance and Authorizations

We invest significant effort in complying with the leading standards and regulations:

  • FIPS 140-2

    The first secrets management solution to achieve National Institute of Standards and Technology (NIST) FIPS 140-2 validation.

  • SOC 2 Type II Compliant

    SOC 2 compliance is a component of the American Institute of CPAs (AICPA)’s Service Organization Control reporting platform.

  • ISO 27001:2013

    ISO/IEC 27001 is the international standard for information security management; it addresses people, processes and technology.

Product security features

Get the best secrets security solution on the market. Your secrets, which are your most valuable assets, are kept secure throughout their entire lifecycle.

  • Encryption at rest with Zero Knowledge

    All your secrets and keys are encrypted via Akeyless Distributed Fragments Cryptography™ (DFC) technology, in which the encryption keys never exist as a whole. Combined with the Akeyless Customer Fragment approach, your sensitive information cannot be accessed by Akeyless or by any other third party.

  • Encryption in motion

    All data transfers are encrypted using current protocols (TLS 1.2 and above) to keep your secrets secure at all times.

  • Audit logs

    Use audit logs to monitor anomalies, assist in forensics, and demonstrate compliance.

  • SIEM integration

    Akeyless integrates with various SIEM solutions in order to provide monitoring, reporting and alerting capabilities.

  • Two-factor authentication

    Akeyless inherits the two-factor authentication enforced by your third-party identity providers (IdPs).

Compliance & Certifications

Current compliance & certifications

  • SOC 2 Type II Attestation

    A SOC 2 Type II attestation provides assurance that Akeyless meets the highest standards of information security. Type II means that the security controls are not only designed and implemented, but have also been tested for operating effectiveness over the audit period, which gives our customers the highest level of assurance in our security.

  • ISO 27001:2013

    ISO 27001:2013 is the de-facto standard for information security management. It dictates various steps (such as asset mapping and risk assessment) that help the organization improve its information security management.

  • FIPS 140-2

    FIPS 140-2 is the assurance that our cryptographic controls provide a secure framework for our customers' information. The cryptographic module is tested and validated under the US National Institute of Standards and Technology (NIST) Cryptographic Module Validation Program.

Business Practices

Personnel & Processors

  • All Akeyless employees and contractors must pass background checks. Upon onboarding, all employees sign a confidentiality agreement. On their first day, all employees go through security training, and during employment they receive security training at least annually. Developers also receive secure development training to ensure the security of our code and products.

  • Policies

    Akeyless has developed an array of security policies that govern how security is implemented. All policies are reviewed at least annually and adjusted to changes in the information security field.

  • 3rd party security management

    Akeyless uses top cloud service providers (CSPs) who provide state-of-the-art security in their platforms. This complies with our approach that no third party may increase the information security risk of Akeyless. Additionally, Akeyless DFC technology provides proactive protection against insider threats, since neither Akeyless nor the CSP has access to the customer's secrets and keys (assuming Zero Knowledge is enabled by the customer).

  • Incident Response Plan and Business Continuity Plan

    No company is immune to security and business continuity incidents. For that reason, Akeyless has developed an Incident Response Plan and a Business Continuity Plan that allow the company to be prepared and to react to incidents in a timely manner.

Network & Data Security

Network Security

  • Secure Infrastructure

    Application-level security is essential to securing our customers' secrets, but security is not complete without a secure infrastructure. Akeyless implements a secure infrastructure approach using state-of-the-art security measures in its infrastructure.

  • High availability

    The Akeyless platform runs from different global regions and cloud service providers in order to reduce the risk of a service outage and to provide continuous service.

Data Security

  • Data in transit encryption

    All data in transit is encrypted via TLS 1.2 and above and SSH.

  • Data at rest encryption

    All data at rest is encrypted using our patented Distributed Fragments Cryptography together with standard cryptographic algorithms, which ensures that your data is accessible only to you and not to Akeyless (when Zero Knowledge is enabled).

  • Data Backup

    Akeyless maintains a Data Backup and Snapshot Policy that requires restoration capabilities within common industry timelines. Databases are replicated across multiple regions and multiple cloud providers.

Business Continuity / Disaster Recovery

  • The Akeyless SaaS platform is deployed across multiple availability zones and multiple regions for cross-AZ and cross-region high availability, so when a zone or an entire region stops functioning the service continues to operate. Additionally, the multi-region deployments are used for geolocation-based policy.

    For disaster recovery, Akeyless also uses inherent cloud features such as multi-region read replicas, versioning, and snapshots to ensure high availability of customer data.

Application Security

Security Development

  • Secure development

    The Akeyless application is developed with secure development principles in mind. From the developer who writes the code through secure code review, every piece of code is inspected to identify potential vulnerabilities.

Security testing

  • Penetration testing

    Akeyless conducts penetration tests on a regular basis to identify gaps in the security of both its application and its infrastructure. Identified gaps are mitigated according to their level of risk and retested to ensure that they no longer pose a risk to the solution.

Authentication and Access Management

  • Akeyless supports a very wide variety of Authentication methods for both machine access and human access.

    For machine access, Akeyless supports:

    • Cloud identities (CSP IAM) such as AWS IAM, Azure AD, and GCP.
    • On-prem machines using Akeyless Universal Identity™.

    For human access, Akeyless supports LDAP, SAML, OIDC, and JWT, which are used by well-known identity providers such as Okta, Azure AD, and others. Where MFA is required, it is configured on the identity provider's side, since Akeyless is not the identity issuer.

    Akeyless also supports the use of API Keys for authentication of both human and machine identities.

Monitoring and reporting

  • Akeyless integrates with various SIEM solutions to provide monitoring, reporting and alerting capabilities. The Akeyless logging system records all system/application logs, event logs, error logs and user activity logs. In addition, using the Akeyless Log Forwarding System, you can forward all logs to your own log server.

    Supported log services:

    • Syslog
    • Splunk
    • Logstash
    • Elasticsearch
    • Logz.io
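The audit-log and SIEM items above say what the logs are for (monitoring anomalies, forensics, alerting) but not what a detection over them looks like. The following is an added example, not code from Akeyless or from this page, showing two rules a practitioner would typically run over a secrets manager's forwarded audit trail: a burst of failed authentications by one principal within a short window, and a successful secret read by a principal from a source IP it has not been seen using before. The JSON line schema (`ts`, `principal`, `action`, `result`, `target`, `src_ip`) and the sample lines are constructed for this example and are not the real Akeyless audit-log format; map the field names to whatever your forwarder ships.

```python
"""Anomaly rules over secrets-manager audit logs (added example).

The record schema and sample lines below are constructed for illustration;
they are not the Akeyless audit-log format.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one JSON object per line, as a log forwarder would ship them.
# p-ci-runner fails to authenticate five times in eight seconds, then once more
# much later; p-svc-payments reads a secret first from its usual IP, then from a new one.
SAMPLE_LOG = """\
{"ts":"2024-03-01T10:00:00Z","principal":"p-svc-payments","action":"auth","result":"ok","target":"-","src_ip":"10.0.1.5"}
{"ts":"2024-03-01T10:00:05Z","principal":"p-svc-payments","action":"get-secret","result":"ok","target":"/prod/db/password","src_ip":"10.0.1.5"}
{"ts":"2024-03-01T10:01:00Z","principal":"p-ci-runner","action":"auth","result":"fail","target":"-","src_ip":"203.0.113.7"}
{"ts":"2024-03-01T10:01:02Z","principal":"p-ci-runner","action":"auth","result":"fail","target":"-","src_ip":"203.0.113.7"}
{"ts":"2024-03-01T10:01:04Z","principal":"p-ci-runner","action":"auth","result":"fail","target":"-","src_ip":"203.0.113.7"}
{"ts":"2024-03-01T10:01:06Z","principal":"p-ci-runner","action":"auth","result":"fail","target":"-","src_ip":"203.0.113.7"}
{"ts":"2024-03-01T10:01:08Z","principal":"p-ci-runner","action":"auth","result":"fail","target":"-","src_ip":"203.0.113.7"}
{"ts":"2024-03-01T10:30:00Z","principal":"p-svc-payments","action":"get-secret","result":"ok","target":"/prod/db/password","src_ip":"198.51.100.9"}
{"ts":"2024-03-01T10:45:00Z","principal":"p-ci-runner","action":"auth","result":"fail","target":"-","src_ip":"203.0.113.7"}
"""

FAIL_THRESHOLD = 5                 # failed auths per principal ...
FAIL_WINDOW = timedelta(minutes=1)  # ... within this sliding window


def parse_line(line):
    """Parse one JSON audit record; timestamps are UTC 'Z' ISO-8601 in this schema."""
    rec = json.loads(line)
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_anomalies(lines, baseline=None):
    """Run both rules over an iterable of log lines and return the alerts.

    baseline: optional {principal: {known source IPs}} learned from history.
    Without it, the first successful read by a principal seeds its baseline and
    only later reads from an unseen IP alert (cold start is learning, not alerting).
    """
    known_ips = {p: set(ips) for p, ips in (baseline or {}).items()}
    recent_fails = defaultdict(deque)  # principal -> timestamps of recent failures
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["action"] == "auth" and rec["result"] == "fail":
            q = recent_fails[rec["principal"]]
            q.append(rec["ts"])
            while q and rec["ts"] - q[0] > FAIL_WINDOW:  # drop failures outside the window
                q.popleft()
            if len(q) == FAIL_THRESHOLD:  # fire once, when the threshold is crossed
                alerts.append({"rule": "auth_failure_burst", "principal": rec["principal"],
                               "src_ip": rec["src_ip"], "ts": rec["ts"],
                               "detail": f"{len(q)} failed auths within {FAIL_WINDOW}"})
        elif rec["action"] == "get-secret" and rec["result"] == "ok":
            seen = known_ips.setdefault(rec["principal"], set())
            if seen and rec["src_ip"] not in seen:
                alerts.append({"rule": "secret_read_from_new_ip", "principal": rec["principal"],
                               "src_ip": rec["src_ip"], "ts": rec["ts"],
                               "detail": f"read {rec['target']}; known IPs {sorted(seen)}"})
            seen.add(rec["src_ip"])
    return alerts


def format_alert(alert):
    """Render an alert as a single key=value line suitable for syslog/SIEM ingestion."""
    return (f'ts={alert["ts"].strftime("%Y-%m-%dT%H:%M:%SZ")} rule={alert["rule"]} '
            f'principal={alert["principal"]} src_ip={alert["src_ip"]} detail="{alert["detail"]}"')


if __name__ == "__main__":
    for a in detect_anomalies(SAMPLE_LOG.splitlines()):
        print(format_alert(a))
```

On the constructed sample this yields exactly two alerts: the failed-auth burst for p-ci-runner at 10:01:08 (the sixth failure at 10:45 falls outside the window and does not re-fire), and the read of /prod/db/password by p-svc-payments from 198.51.100.9. Feed a real baseline from historical logs rather than relying on cold start, and tune FAIL_THRESHOLD and FAIL_WINDOW to the authentication rate of your machine identities, or CI retry storms will page you.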

Report your security concerns to Akeyless.