CDN Report Card: Rating CDNs’ Response to the Heartbleed Incident

A couple of weeks back, Andy Ellis, Chief Security Officer of Akamai, published a detailed blog post on the Heartbleed incident, and so did EdgeCast, Limelight, and most other CDNs. Also, Andy responded to my email when I requested an update on their action plan, and blew me away by answering within a few minutes. Akamai receives the highest marks for the handling of the Heartbleed incident from start to finish. However, there is another major CDN that didn’t get a passing grade. We all understand that security incidents happen, but communication to the public is extremely important. Leaving customers and potential prospects in the dark about a major incident paints a picture of that CDN, and says a lot about them.

CDN Report Card: Handling the Heartbleed Incident (1=worst, 10=best)
  • Akamai: 10
  • Incapsula: 9.5
  • CloudFlare: 9.5
  • EdgeCast: 9
  • Limelight: 9
  • Fastly: 9
  • Yottaa: 9
  • MaxCDN: 9
  • Level 3: Didn’t pass 🙁

However, we didn’t hear a pin drop from Level 3. The last time I checked, Level 3 had a bunch of customers using SSL. It’s just hard to believe there was no impact to the Level 3 ecosystem when all other CDNs were impacted. Even if there was no impact, notifying the public about their action plan would have been the right thing to do. Response to security incidents isn’t only a security issue; it’s also a sales issue, as it’s going to impact the buying decision of many potential CDN customers when they are evaluating CDNs. To many online companies, vendor responsiveness to security issues is important to the success of their online business.

Security Incident Response Impact to the Sales Process

If I’m a CDN customer looking at Akamai, EdgeCast and Level 3, and we find out that Akamai and EdgeCast published a detailed action plan on a security incident, but Level 3 did not, what does that tell me about Level 3? It takes more than just POPs and bandwidth to win in the extremely competitive CDN game. A well-thought-out communications security policy on notifying the public about security incidents is a must nowadays, especially with all the breaches happening today.