Maximize API Security with API Gateway and Kona Site Defender

May 31, 2018 · by Shantanu Kedar ·

APIs are a key catalyst in digital transformation, empowering companies to create new and innovative business models. At the same time, APIs can widen your attack surface and expose new vulnerabilities. A lack of appropriate API protection can expose you to downtime and malicious attacks, as well as unintended misuse by legitimate users. These attack and misuse scenarios absolutely must be controlled as part of your API security architecture.

Akamai has a powerful two-pronged solution: Akamai API Gateway makes it easy to validate legitimate API consumers and add governance to your APIs, while Akamai’s Kona Site Defender protects your API endpoints from malicious traffic. In tandem, these products will help you build a comprehensive security architecture for your APIs.

Let’s look at four use cases that illuminate the differences between API Gateway and Kona Site Defender.


Use case #1: API authentication

Prevent illegitimate consumers from accessing APIs.

Akamai solution: API Gateway empowers you to authenticate consumers via API key. API keys are unique strings that API Gateway generates to identify each API consumer. Using this key-based authentication method, Akamai’s edge servers reject requests that don’t carry a valid key, preventing illegitimate consumers from accessing your APIs.


Use case #2: API authorization

Prevent consumers from accessing resources without permission.

Akamai solution: API Gateway allows you to control access for API consumers by performing authorization using JSON Web Tokens (JWT). Cryptographic validation of a JWT is typically much faster than using identifier-based access tokens, where the resource server must make a network query to look up the authorization information behind each token. JWT enables externalized, distributed authentication in which issuing a token is decoupled from validating its content.
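The decoupling described above, as an added illustration that is not Akamai's code and not how API Gateway itself is implemented: an issuer signs an HS256 JWT, and a separate validator accepts or rejects it using only the shared secret and the token's own claims, never calling back to the issuer. The secret, the `scope` claim and the `authorize` helper are constructed assumptions for this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret; in practice it is provisioned to the validator out of band.
SECRET = b"constructed-demo-secret"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(claims: dict, secret: bytes = SECRET) -> str:
    """Issuer side: encode header and claims, then sign them with HS256."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"

def validate_token(token: str, secret: bytes = SECRET, now=None):
    """Validator side: check signature and expiry locally; claims on success, else None."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Pin the expected algorithm so a forged "alg": "none" header is rejected.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        # Constant-time comparison avoids leaking the signature through timing.
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
        # Because nothing is checked against the issuer, a short "exp" is the
        # only bound on how long a leaked token stays usable; require it.
        if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
            return None
    except (ValueError, TypeError, AttributeError):
        return None
    return claims

def authorize(token: str, required_scope: str, now=None) -> bool:
    """Authorization decision for one resource: valid token carrying the scope."""
    claims = validate_token(token, now=now)
    return claims is not None and required_scope in str(claims.get("scope", "")).split()
```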


Use case #3: Quota management

Limit the number of requests that API consumers can make over a given time period. (For example, establishing tiered access levels where “Platinum” partners gain unlimited access, but “Silver” partners are limited to 1,000 requests per week.)

Akamai solution: API Gateway makes it easy to define the allowed number of API requests by API key, thereby allowing you to enforce these business SLAs. Quota for each API key is defined independently, giving you full control over consumption.

Note: The other method of throttling API requests is rate limiting (typically expressed as total requests per second or minute), and Akamai is planning to introduce this functionality in a future release of API Gateway. Here is a blog post that clarifies the differences between rate limiting and quota management and discusses how you can leverage Akamai solutions to control and throttle API requests.


Use case #4: DDoS protection

Prevent adversaries from overloading the origin in an attempt to bring down API infrastructure.

Akamai solution: Kona Site Defender’s IP-based rate limiting protects your API endpoints from malicious traffic. When a bad actor is identified, requests from that IP can be blocked.

We hope you found these use cases helpful in understanding how Kona Site Defender and the new API Gateway can help you build a comprehensive security architecture for your APIs. Check out our detailed documentation and getting started guides, which will make it easy for you to get up and running with API Gateway, and we encourage you to take this new product for a test drive with a free 90-day trial of API Gateway on the Akamai Marketplace.

Shantanu Kedar is a senior product marketing manager at Akamai Technologies.