
Security Overview

Security: A Journey, Not a Milestone

Continuous Improvement and Culture Building

Akeneo focuses on continuously improving information security and embedding security into all of its operations. Our operational processes help us deliver reliable and secure services. We ensure that Akeneo employees are well trained to protect client data and assets, and we work with partners and suppliers who treat security as a priority in our collaborations.

ISO27001-Compliant Internal Security Framework

An Information Security Management System (ISMS) formalizes Akeneo’s security strategy. The ISMS is compliant with the ISO27001 standard, and the framework defines global policies covering the main security measures required by that standard.

Security team and organization

Our top managers lead the security policy and enforce it in the organization.

The Information Security Manager (ISM) is in charge of enforcing the security policy. The ISM works with stakeholders to identify risks, applies controls, verifies compliance, and manages security measures.

Our security team’s main mission is to enforce security measures that follow the ISO27001 standard. They work with the ISM to make sure everyone in the organization is aware of security risks and follows security policies.

We use a risk management process that follows the ISO 27005 standard. This helps us decide which security measures matter most and reduces the risks that could affect your data.

How we secure your data at Akeneo

  • Security Awareness: A culture of security awareness is cultivated among our team, making them the front line in our defense against potential threats.
    • Security awareness sessions are mandatory for every employee
    • Additional security learning sessions are mandatory for technical positions (dev, cloud eng, support)
  • Identity and Access Management: Akeneo ensures customer data security through robust authentication and authorization practices, employing SSO, MFA, and a strict Role Based Access Control. Furthermore, the access control configuration undergoes regular reviews to enhance its effectiveness.
  • Hosting: Our products are hosted on Google Cloud Platform (GCP), whose infrastructure holds security certifications.
  • Backup Policy: We ensure the resilience of your data through a robust backup process that is automated, tested, and monitored, and that keeps the backups immutable. We ensure that no more than 24 hours of data loss is permissible, and safeguards are in place to prevent tampering or deletion of backups.
  • Customer Data Interaction Regulations: Akeneo’s employees are only authorized to access customer environments or data in case of troubleshooting or incidents.
  • Segregation of Environments: GCP Projects are inherently isolated in terms of network, resources, and Identity and Access Management. Development and production environments are segregated at the project level in the Google Cloud Platform (GCP).
  • Security in Application Development: As a SaaS software vendor, Akeneo follows industry-accepted standards and procedures, which include information security controls that address common web application risks (OWASP TOP 10), third-party component security, and vulnerability handling.
  • Workstations and Tools Security: We enforce strong passwords and 2FA on all tools. Laptops are managed through MDM, which enforces disk encryption, antivirus, screen locking, and software inventory tracking.
  • Threat Detection and Alerting: Akeneo uses a Security Information and Event Management system (SIEM) to monitor for suspicious behavior and quickly detect it. The system also has alert mechanisms for notifications.
  • For more information, you can contact your Customer Success Manager (CSM) to obtain documentation related to the way we protect your data.

Compliance and Certifications

Akeneo is an ISO27001-certified cloud SaaS vendor. We commit to complying with GDPR and CCPA regulations. We have two goals for our ISMS: improving our security standards and promoting a secure culture. Also, we want to provide strong security assurance to our third parties.

Data protection

Access to production environments

Akeneo focuses on managing identity and access securely.

Authentication: Each user authenticates with an individual (non-shared) identifier. Our access policies have strong requirements, such as a minimum 10-character password and mandatory multi-factor authentication. We also use Single Sign-On for tools and services.

Authorization: We control access to customer environments, in line with the least privilege principle. Only teams that handle support and operations have access. Akeneo employees can only access customer environments for troubleshooting.

Audit logs: All changes in the production environments are logged. Those logs are used to detect malicious behavior.

User access

Authentication: Akeneo’s products allow users to log in with a username and password. We strongly recommend setting up SAML Single Sign-On for a more secure authentication process.

Authorization: Akeneo offers Role-Based Access Control (RBAC) to protect data based on domain-specific requirements.

Customer Data Segregation

Logical isolation between customers is a key principle of our data protection strategy. Each customer’s data and features are isolated at the application and database levels. This segregation undergoes rigorous testing during security penetration tests, assuring the resilience of our protective measures.

Encryption Practices

Akeneo uses encryption at rest and in transit. Akeneo encrypts all stored data, including backups, using AES-256 on Google Cloud Platform. Google Cloud handles the encryption keys and infrastructure. Data in transit is protected with TLS v1.3.

Personal data protection

Akeneo has put procedures in place in order to comply with the GDPR and CCPA regulations. Akeneo solutions are not designed to store and process Personal Data (PD). In most situations, the only personal data processed in Akeneo’s products is the email address used as a user login. Akeneo acts as a processor, and Akeneo’s customer is the controller of the data processing.

Infrastructure Security

Google Cloud Platform (GCP) handles the physical infrastructure of our products. Hence, GCP takes full responsibility for its security. Akeneo focuses on the virtual infrastructure.

We use Infrastructure as Code (IaC) to provision GCP-managed infrastructures. Real-time telemetry from GCP feeds continuous monitoring, so that infrastructure security issues can be addressed proactively.

The security team watches for changes in GCP-managed infrastructures using our SIEM system. This helps identify any problematic behavior.

Access to GCP-managed infrastructures is strictly limited. Only a small, well-trained group has access, and that access is granted for short durations only.

Application Security

Akeneo prioritizes security in the development of its products to protect against potential threats. Here’s how we prioritize security at every stage:

Design Stage

During the design stage, ADRs (Architecture Decision Records) include a detailed security impact analysis. Taking action early helps create a strong foundation for a safe application design.

Implementation

Highly skilled software engineers with security knowledge implement changes. They receive regular training to stay updated on threats and best practices. We carefully review code changes for quality and adherence to best practices.

Pre-Production Review

Before changes reach production, thorough reviews are done to check how they might affect security. These checks make sure that only secure and reliable code is deployed.

Vulnerability Resolution

Critical vulnerabilities are fixed within a day and important ones within a week.

Independent Penetration Testing

Every year, contractors conduct penetration tests on our products. This ensures an unbiased evaluation of our security measures. The results of penetration tests are addressed in the same manner as any other vulnerability.

Shared Responsibility model

As a SaaS vendor, we are responsible for securing the data you entrust to us. However, you are responsible for your access control and the data that you choose to store in the application.

Since you know who needs to access what, you are responsible for granting permission to read, modify, import, or export data from Akeneo products. You are also responsible for the nature of the data. We assume that you store only product-experience-related data in Akeneo products. The following types of data are considered out of the scope of PXM products:

  • Personally identifiable information (PII)
  • Sensitive personally identifiable information (SPI)
  • Payment card data subject to the Payment Card Industry Data Security Standard (PCI DSS)
  • Personal health information (PHI)
  • Any transaction-related details, including but not limited to Orders, Delivery, Payments, Vouchers, and Returns.

For integrations, security is the client’s responsibility. When data passes through a client’s API or custom middleware using our API client, the service operator (such as the client’s IT team or a technology partner) is responsible for the security of that data.

Incident Response

Incident Detection and Response

All components of our services are monitored to detect service degradation. Our SREs run a 24/7 on-call rotation and have all the documentation and tools needed to restore the service.

Threat Detection and Response

Our SIEM gathers security-relevant signals from audit and access logs and from the threat detection system. The security team leverages the SIEM to detect threats from external and internal actors. Upon detection of a security incident, a dedicated response team is swiftly assembled. The team has three tasks: investigate, contain the threat, and eradicate the security issue.

Disaster Recovery Plan

At Akeneo, our Disaster Recovery Plan (DRP) is designed to minimize the impact of adverse situations on our clients. We prioritize our recovery actions based on what matters most to your business. We test the plans regularly to make sure they work when needed. During these tests, we focus on meeting our service level commitment by closely monitoring the recovery time. During the recovery process, we ensure that our security standards stay in place.

Post-Incident Analysis

All involved personnel conduct a detailed post-mortem analysis after service recovery. The goal is to address the threat and prevent it from happening again. We use post-incident analyses to improve our security and protect against future threats.