Akamai App & API Protector: Maximize Security Through Simplicity
Building incredible digital experiences often involves leveraging serverless edge computing, microservices-based architectures, IaaS environments, client-side functionality, and APIs. These modern development practices, while designed to produce highly personalized, fast, and always-on user experiences, also inextricably introduce new vulnerabilities and risks. IT and security teams also struggle to support the business given the high velocity of code releases and the inability to keep pace with changing applications and APIs. Cybercriminals, meanwhile, can quickly and easily launch a credential stuffing attack by purchasing stolen credentials and renting a botnet. After speaking with our customers, solving for any one or a combination of these challenges may require multiple security products from different vendors which, if disjointed and difficult to use, can ultimately hinder situational cyber awareness, increase costs, and can be the source of intraorganizational and operational friction.
A convergence of tech solutions
Multiple products translate to higher costs, more complexity, and the need for skilled talent — this is untenable for many organizations. The critical role of securing web applications and APIs in today’s global business world amid evolving attacks, ranging from web app business logic attacks to API abuse to DDoS, requires holistic and extensible security you can actually use. At Akamai, our customer-focused mission is to maximize value with ubiquitous and powerful application and API security that is automated and simple.
When you are working on a massively distributed platform and rely on APIs a lot, security is a major problem. So we opted for Akamai edge protection.” — Software Analyst, Services Industry, Source: Gartner Peer Insights, July 16, 2021.
For multiple consecutive years, global industry analyst firms and customers have recognized Akamai for industry-leading application and API security; as a leader, we are excited to reveal our next-level web application and API protection (WAAP) solution designed to bring together many of our core technologies like web application firewall, bot mitigation, API security, and DDoS protection in a single solution.
Introducing Akamai App & API Protector.
Powered by Akamai’s new adaptive security engine, it provides a modern approach to protecting entire web and API estates.
More protections straight out of the box
App & API Protector provides a holistic set of powerful protections designed to produce the highest security outcomes. Unlike solutions that provide “good enough” security, the simplicity of App & API Protector belies some of the most advanced and sophisticated technologies. It’s no wonder why over 92% of Akamai customers use our application and API security controls in deny mode.
Detect up to two times more attacks with a 5x reduction in false positives — new multidimensional adaptive threat-based detections combine Akamai’s platform intelligence with data/metadata from each web and API request. This data is then actioned with decision-making logic designed to identify and stop attacks with surgical-grade precision. Adaptive detections have shown up to a fourfold increase in the median number of attacks identified across SQLi, XSS, RFI, and CMDi, with over a 5x reduction in false positives for maximum protection, without impact to users.
Reduce your surface area of API risk with automatic discovery and security — automatically and continuously analyze traffic to discover known, unknown, and changing APIs — including their endpoints, definitions, and characteristics — and then use a simple workflow to protect APIs from DDoS, injection, and credential stuffing attacks. Every API request is automatically inspected for malicious code, regardless of whether you choose to apply positive security controls. Gartner’s 2021 Critical Capabilities for Cloud Web Application and API Protection report gave Akamai the top spot among all competitors for the API security and DevOps use case.
See and stop bad bots — Detect and mitigate unwanted bots with bot visibility and mitigation capabilities built directly into App & API Protector. Akamai’s bot detections will automatically scale as bot traffic continues to constitute a larger percentage of overall traffic, protecting your business as it grows. Gain visibility to understand the impact of bots on digital properties and block bad bots when needed. Unlike other solutions, Akamai has industry-leading bot technology with an expansive directory of over 1,500 known bots, giving you the ability to create your own bot definitions and proactively monitor and mitigate against bot attacks.
Figure 1: Included bot visibility and mitigation capabilities with App & API Protector
Smarter and stronger with automation
Products that are difficult to use introduce risk and operational overhead. That’s why we designed App & API Protector with as much automation as possible to offload and simplify day-to-day tasks and reserve what requires human analysis for humans. The automation isn’t just a one-time benefit that degrades over time — it continues to improve and evolve as Akamai pushes out new innovations.
Self-tuning to reduce demand on your team — all security triggers (including true attacks and those misidentified as attacks) are automatically and continuously analyzed with machine learning and given policy-by-policy tuning recommendations. You can receive alerts when new recommendations are available and easily accept them with one click via the UI, or automate with APIs, the command-line interface (CLI), or Terraform provider.
Akamai security researchers automatically update protections — deploy a completely hands-off approach to application and API security with adaptive protections that are fully managed by Akamai. Over 330 world-class security researchers use advanced machine learning and data mining techniques to continuously analyze over 300 TB of daily attack data to automatically update your protections against the latest threats.
DevOps integration that keeps pace with business — integrate with Akamai APIs using the Akamai CLI, Terraform, or scripts in your CI/CD automation pipeline. Enable rapid onboarding of applications; create uniform management of security policies across large application and API portfolios; centralize security enforcement across hybrid and multi-cloud infrastructures; and improve collaboration between DevOps and security teams in a GitOps workflow for optimal coverage to ensure security that keeps pace with today’s rapid pace of development.
Figure 2 - Example HCL code for managing hostnames protected by App & API Protector using Terraform
“Simple is better than complex” — Zen of Python
Taking a lesson on simplicity from developers, organizations also need to rethink how their WAAP solution not only drives stronger protections, but adds value with ease of use. This easier workflow will ultimately help reduce risk and provide greater contextual insight to enable a better understanding of the cyberthreat landscape. App & API Protector — which will supersede Kona Site Defender and Web Application Protector — was designed with a “simplicity first” mindset to help leaders make more informed risk-based decisions in real time and execute mission-critical activities without suffering from operational paralysis. Purpose-built for today’s modern applications and APIs, it boasts configuration and automation flexibility and free tier entitlements to image and video optimization, API acceleration, and edge computing to not only operationalize WAAP security but also drive development velocity.
Powerful, automated, and simple. To learn more about App & API Protector, download the product brief or contact your Akamai representative today.
Gartner, Critical Capabilities for Cloud Web Application and API Protection, Watts, Hils, D’Hoinne, and Handa, 20 September 2021
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
