Managing Akamai Security as Code

November 2, 2020 · by Mike Elissen

Managing security solutions as code is an important part of any DevSecOps strategy. In this blog, I will walk you through what you need to know to manage your Akamai Security solutions with the Akamai Developer toolbox.

This blog is designed for anyone who is interested in managing Akamai Security solutions through the use of Akamai Developer tools. Akamai Control Center has been the de facto way of managing your Akamai Security solutions, but with the rise of API usage and the creation of Akamai APIs, this is slowly changing. More customers, partners, and internal Akamai resources are relying on Akamai APIs to manage their Akamai Security solutions.

Our mission at Akamai Developer is to offer you a better experience in solving technology challenges such as cybersecurity, web performance, and media delivery, and in managing your Akamai solutions.

This is achieved by providing tools and resources that help you effectively use the Akamai Edge Platform and the Akamai Developer toolbox as well as integrate Akamai easily into your digital ecosystem.

What is DevSecOps?

Before I dive deeper into the Akamai Security solutions and how you can manage these with Akamai Developer tools, I will first give a brief overview of what DevSecOps is and what value it can bring to your organization.

DevSecOps is an extension of DevOps. A proper DevOps implementation can bring many results to your organization: a more efficient way of working between teams and squads that are developing and maintaining applications. However, when DevOps was launched in the early 2010s, it left out a huge part of the organization, namely the Security teams. The DevSecOps movement aims to rectify this by ensuring that Security is ingrained in the process from the get-go, so that all teams involved think about and implement Security measures at every step in the development and operations process.

From a typical development lifecycle perspective, this means that security checks and penetration tests are incorporated as early as possible in the development lifecycle, typically in the design phase, to ensure that the application is up to the security standards required.

With the increased industry focus on security, data privacy, availability, and data breaches, organizations and governments can impose high fines on organizations that are subject to data breaches and fail to take security measures for their applications and customers' data.

A proper DevSecOps implementation can help organizations to ensure that the entire DevOps lifecycle integrates Security in each phase. 

  • In the code phase, proper mechanisms are written to protect against security vulnerabilities, for instance those in the OWASP (Open Web Application Security Project) Top 10. Think about input validation, for instance.

  • In the build and package phases, security controls can be integrated as part of an organization’s security audit and checks.

  • During the test phase, outside of functional and regression testing, you can add penetration testing to ensure security vulnerabilities are caught before the release of an application or a new version thereof.

  • In the release and configure phases, additional infrastructure and other technology vendors can come into play. With many organizations relying on Akamai Security solutions to augment the security posture of their organization, for instance by relying on Web Application Firewalls, Bot Management, and Anti-DDoS Protection, it becomes critical to add this infrastructure to your DevSecOps lifecycle.

  • In the monitor phase, it is important that you can rely on actionable data at each stage of your DevOps lifecycle. The ability to monitor and mitigate security threats in real time is critical. Many organizations today rely on a SIEM tool (also known as a Security Information and Event Management tool) or even have a dedicated SOC (or Security Operations Center) actively monitoring any security threat in the organization.

Security is a critical part of any organization, and ensuring that applications, data, and infrastructure are protected against outside and inside threats is a shared responsibility of anyone that is part of the organization. The DevSecOps movement aims to help staff become more security-savvy and to integrate traditional security teams more closely with the Development and Operations teams in an organization.

I hope that this gives a better understanding of DevSecOps and how organizations can benefit from adding the Sec into DevSecOps. If you are interested in more information on DevSecOps, I highly recommend the countless excellent resources and publications available online.

What options are available?

To achieve Akamai-as-Code with the Akamai Security solutions, I have dedicated tools available for you. Let’s focus on the main tools that are beneficial to you in your DevSecOps journey.

  1. Application Security API / CLI / Terraform: With the Application Security API, which is also available in the form of a wrapper with an Akamai CLI package or Akamai Terraform Provider, you have the ability to manage all the required CRUD actions for your security configuration if you are using solutions such as Kona Site Defender, Web Application Protector or Bot Manager. I will take a deep dive into all the functionality in a later section.

  2. Property Manager API / CLI / Terraform: Each of these Akamai Security solutions also requires an Akamai delivery configuration which can be fully managed with the Property Manager API.

  3. Ancillary features API / CLI: Several ancillary features such as managing Certificates, SiteShield maps, and Network Lists are available with their dedicated API endpoints or CLI packages. 

  4. SIEM API and SIEM connectors: The SIEM API allows you to send the security events that Akamai sees directly into your SIEM tool and achieve Akamai-as-Data.

  5. Identity Cloud APIs: The Akamai Identity Cloud solution comes with a comprehensive stack of API functionality that allows you to manage your identity workflow and login/authorization/authentication capabilities.

  6. Zero Trust APIs: The Enterprise portfolio can be managed with the Enterprise Application Access and Enterprise Threat Protector APIs.

All of this functionality will be shared in more detail with additional tutorials, demos and code examples in the upcoming sections on https://developer.akamai.com.

The functionality will grow over time, based on the roadmap set forth and also with potential acquisitions. This would be a good time to share that Akamai Developer is committed to supporting you in the best way possible. If you have use cases or requirements that you would like to see supported, I recommend getting in touch with either your account team or the Developer Advocates at Akamai.

Getting started with the Application Security API

If you are looking to get started with the Application Security API, I have prepared a Postman Collection that gathers all the possible requests in one place.

Postman is a great user interface to interact with APIs including the Akamai Application Security API. With built-in collections and environments, it is easy to get started. Click on Import and select or drag-and-drop your Akamai Application Security API Postman files. This will import both the Environment containing all the variables and the Collection containing all the requests.

You can find this collection on GitHub: https://github.com/akamaimike/akamai-api-postman-collections 

Using the Application Security API requires an active Akamai API Client with valid credentials and read-write permissions for the Application Security API.

What's next?

If Akamai Developer is brand new to you, I highly recommend reading Getting Started with Akamai Developer or watching the Akamai Developer Foundations training course, which includes tutorials on using the tools mentioned above.

The full API catalog is available on https://developer.akamai.com/api. All the API functionality is described there with recommended workflows on managing your Akamai Security as Code.

You can also find more information about the Akamai Developer tools on the official Akamai GitHub: https://www.github.com/akamai. Here, you can find repositories with the tools, code examples and installation instructions that can help you on your Akamai Developer journey.

If you enjoy video content (tutorials, demos and webinars), I invite you to take a look at the Akamai Developer YouTube: https://www.youtube.com/akamaideveloper. Here you can find additional content in video format that can also help you greatly on your Akamai Developer journey.

As always, thank you very much for your time reading this blog and I hope you continue on your Akamai Developer DevSecOps journey. 

Happy Akamaizing! 
