
API Security

Protect your APIs from business abuse and data theft

Get complete visibility into your APIs and detect threats others miss

API Security gives you full visibility into your entire API estate through continuous discovery and monitoring. It conducts a risk audit of every discovered API, identifies common vulnerabilities, and uses behavioral analytics to detect threats and logic abuse within this fast-growing attack surface.

How API Security works

Discover

Continuous deep API discovery generates an updated API inventory and risk audit

Detect

Big data AI and behavioral analytics detect and alert for anomalies in your API estate

Respond

Automated responses defined in written policies push actions to your inline enforcement components and to your workflow and notification channels, such as Jira tickets, text messages, or email

Pursue

Proactively query data for threat hunting or investigate alerts by viewing API activity using entity timelines


KuppingerCole API Security and Management Leadership Compass

The analyst firm evaluated 26 API security vendors and named Akamai a Product, Market, Innovation, and Overall Leader.

Eliminate a common security blind spot

Discover your complete API estate

View your enterprise-wide APIs — including legacy, shadow, and rogue — with 24/7 continuous discovery and monitoring

Identify vulnerable APIs

Audit for vulnerabilities and misconfigurations, including all the OWASP API Top 10

Mitigate business logic abuse

Behavioral analytics capabilities identify common threats, such as data scraping, and trigger responses to mitigate them

Features

  • Platform-agnostic SaaS-based solution that brings XDR capabilities to application and API security
  • Continuous 24/7 API discovery to create a complete enterprise-wide view into your API estate
  • Risk audit, data classification, and risk scoring for all your APIs
  • Advanced threat detection using AI and behavioral analytics
  • Contextual alert insights from the data lake and behavioral analytics stitched together
  • Entity visualization tool that delivers historical context into what happened pre- and post-alert
  • Conditional and customizable response playbooks
  • Built-in privacy with the ability to tokenize sensitive data
  • Open API platform that enables customized threat responses, extended security capabilities, and access to entity data
  • Self-serve or managed threat hunting with detailed API history to find threats that others miss

Frequently Asked Questions (FAQ)

API Security is a vendor-neutral API threat protection solution that does not require the use of other Akamai solutions. It complements existing Akamai API security solutions and ensures customers get comprehensive protection as attacks on APIs have become much more sophisticated, requiring new detection techniques and automated responses.

Customers can deploy API Security using the native connector, which makes it seamless to integrate with Akamai Connected Cloud. API Security also has node connectors that support popular platforms (e.g., any CDN, API gateway, or cloud environment).

API Security and App & API Protector are two different solutions that Akamai offers to protect your business.

  • App & API Protector discovers and mitigates API threats for all your web apps and APIs that are run through Akamai Connected Cloud. It is capable of blocking any in-line traffic containing potential threats to your business.

  • API Security is platform-agnostic and provides comprehensive discovery and visibility to all API endpoints enterprise-wide. It provides granular behavioral analysis of API activity and determines specific responses that you should take to mitigate newly exploited API traffic.

When deployed together, App & API Protector and API Security work in-line and offer the most comprehensive and continuous visibility into APIs. They allow you to discover, audit, detect, and respond to API concerns across your full estate. Moreover, the integration between API Security and App & API Protector will enable the most robust and simple implementation of API Security.

API Security integrates with your existing data sources, including popular API gateways, cloud providers, container and mesh environments, reverse proxies, CDNs, web application firewalls (WAFs), case management tools, security information and event management (SIEM), and security orchestration automation and response (SOAR) tools.

The API Security threat hunting managed service, API Security ShadowHunt, expands your security team with expert analysts skilled in API threat hunting and is ideal for understaffed teams or those lacking API security expertise.

Although not a typical 24/7 managed Security Operations Center (SOC) service, Akamai’s threat hunters work when you need them as an extension of your team to detect and report on the most clandestine and obfuscated attacks hiding in your API traffic. Our API Security ShadowHunt team provides immediate notification of any threats in your API estate with a full summary of the incident and remediation recommendations. Monthly reports, including periodic Emerging Threat Reports that suggest actions, are also provided.

API Security monitors and protects both east-west and north-south traffic, reviewing all the APIs across your enterprise for anomalies that could indicate a security risk.

Prior to shipping API activity data to the API Security platform, it is tokenized to replace sensitive information, which can only be de-tokenized back to the original values by you.
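The following is an added illustration of the tokenize-before-shipping model described above; it is example code written for this page, not Akamai's implementation. It assumes a keyed, deterministic tokenizer (HMAC-SHA256 over the value) with a local vault that maps tokens back to originals. The key and the vault stay in the customer's environment, so the analytics platform only ever receives tokens, while the same value always yields the same token and per-entity analytics (counting distinct users, building a baseline per user) still work on the tokenized stream. The events, field names, and key are all constructed for the example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample: API activity events as a collector might see them
# before they are shipped to the analytics platform.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "path": "/v1/customers/1001", "ssn": "123-45-6789"},
    {"user": "alice@example.com", "path": "/v1/customers/1002", "ssn": "987-65-4321"},
    {"user": "bob@example.com",   "path": "/v1/customers/1001", "ssn": "123-45-6789"},
]

# Assumption for the example: which fields the customer has classified as sensitive.
SENSITIVE_FIELDS = ("user", "ssn")


class Tokenizer:
    """Keyed, deterministic tokenization with a customer-held vault.

    - Tokens are derived with HMAC under a key only the customer holds, so a
      third party cannot recompute them from guessed values.
    - The same plaintext always maps to the same token, so joins and
      per-entity baselines remain possible on the tokenized data.
    - The vault (token -> original) is the only way back, and it never leaves
      the customer's side.
    """

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("use a key of at least 32 bytes")
        self._key = key
        self._vault: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        tag = hmac.new(self._key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]
        token = f"tok_{tag}"
        self._vault[token] = value
        return token

    def detokenize(self, token: str) -> str:
        # Raises KeyError for tokens this vault never issued, i.e. anyone
        # without this vault (and this key) cannot recover the value.
        return self._vault[token]

    def tokenize_event(self, event: dict) -> dict:
        return {k: (self.tokenize(v) if k in SENSITIVE_FIELDS else v) for k, v in event.items()}

    def detokenize_event(self, event: dict) -> dict:
        return {k: (self.detokenize(v) if k in SENSITIVE_FIELDS else v) for k, v in event.items()}


def ship(tokenizer: Tokenizer, events: list[dict]) -> str:
    """Return the JSON payload that would leave the customer environment."""
    return json.dumps([tokenizer.tokenize_event(e) for e in events])


def distinct_users(payload: str) -> int:
    """What the platform can still compute on tokens alone."""
    return len({e["user"] for e in json.loads(payload)})


if __name__ == "__main__":
    customer = Tokenizer(secrets.token_bytes(32))
    payload = ship(customer, SAMPLE_EVENTS)
    print(payload)                       # no raw e-mail or SSN present
    print(distinct_users(payload))       # 2, computed on tokens
    first = json.loads(payload)[0]
    print(customer.detokenize_event(first))   # customer side recovers the original
```

Design note: deterministic tokens are a deliberate trade-off. They let the platform correlate all activity of one user or one record over time, which behavioral analytics needs, at the cost of leaking equality (two events with the same token had the same value). If even that is unacceptable for a field, use a random token per occurrence and accept that per-entity analysis for that field is no longer possible.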

API Security highlights APIs that make sensitive data accessible and automatically labels sensitive data by type (e.g., PII, email), making it easy for you to sort through lists that can be overwhelming at times. It also allows you to create your own label categories (or data classifications) and conventions for both APIs themselves and alert types. This will ensure that API and security teams speak a common language that aligns with your business objectives and security concerns.

API Security is platform-agnostic and works in all environments, including those that are complex and have multiple CDNs, WAFs, gateways, and widely distributed APIs across the enterprise (both north-south and east-west). API Security provides enterprise-wide visibility into API behavior, regardless of where the APIs are discovered.

API Security covers all the OWASP API Top 10 vulnerabilities.

Without a complete view into historical data, which a data lake provides, it’s impossible to truly understand what happened with an API pre- and post-alert and to understand how the anomaly may be affecting other APIs. Without this in-depth historical insight that API Security offers, it’s impossible to conduct proper due diligence, which can lead to missing threats that are hiding in your data, wasting resources trying to identify the root cause, and more. API security solutions that cannot provide you this contextual history are simply nothing more than alert tools.

API security solutions need to be cloud-based because of the data needed to understand where and why API anomalies are occurring. On-premises solutions would not be able to store the volume of data needed to perform behavioral analytics and to keep a data lake to provide historical context into anomalies. The data would have to be dropped after inspection, which would only deliver an alert, but not provide any insight — making it virtually impossible to understand the root cause. API Security uses established detection and response techniques — and is a cloud-based SaaS solution that is platform-agnostic and delivers both behavioral analytic capabilities and a data lake that combine to offer a rich, visual, historical context that can be analyzed.

API Security integrated extended detection and response (XDR) principles into its design. XDR innovations advanced security in three important ways:

  • It converged detection and response signals from previously siloed sources into a unified model.
  • It harnessed cloud scale and techniques, like machine learning and behavioral analytics, to monitor large amounts of data over longer time horizons, to deliver more complete and more meaningful security insights — and perhaps more important, could establish baseline behavior to identify deviations.
  • It presented security teams with human-understandable, timeline-based views of security incidents that avoid alert fatigue and make it faster and easier to respond decisively.

When implemented and adopted correctly, XDR has a transformational effect on security team productivity and effectiveness. The very nature of business-to-business or machine-to-machine API traffic suggests that XDR principles must be used, because with a vast quantity of traffic, only extended detection can detect needle-in-a-haystack API abuses.

Managed API threat hunting add-on available

Let Akamai experts hunt for threats in your APIs. API Security ShadowHunt is a managed threat service available with the solution.


API Security Use Cases

Learn how Akamai API Security assists with these specific needs

Get an enterprise-wide inventory of your APIs

A comprehensive and continuously updated inventory of all APIs in use across the organization is a crucial foundation of any API security strategy. On-demand or daily discovery is insufficient because of the severity of risks associated with API attacks.

Additionally, the ability to show and visualize the actual API behavior (API calls) is required to enable key stakeholders from security, development, and operation teams to view and understand how APIs are being used or abused, so they can communicate among teams and investigate cases.

API Security allows you to have automated and continuous discovery of APIs across different technologies and infrastructure. It also discovers newly deployed APIs and compares the discovered API properties with any existing documentation. Through a comprehensive risk audit, API Security identifies shadow APIs and delivers a risk score for each API service and endpoint. API Security detects all instances of known API vulnerabilities, such as those outlined in the OWASP API Top 10. It offers the ability to inspect the original API activity, call by call, and allows you to identify who the user is, what operation they used, what records they accessed or manipulated, what headers and parameters were used, and so forth, so if an alert occurs, the investigation is made easier.

Discovery is never a one-time process. Our always-on discovery happens around the clock and continuously finds new APIs and changes to existing ones. Security teams gain unparalleled visibility and are the first to know when developers deploy a new API or service.
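The core of the inventory-and-audit step described above is comparing what is actually observed on the wire with what the team believes it has documented. The block below is an added example written for this page (not Akamai's discovery engine): it assumes endpoint observations arrive as "METHOD PATH STATUS" lines from a gateway or log connector, and that the documented surface is an OpenAPI-style mapping of path templates to methods. It normalizes numeric and UUID path segments into templates, flags undocumented endpoints (shadow APIs) including undocumented methods on documented paths, and reports documented endpoints that carry no traffic. The log lines and the spec are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample: one line per observed request, as a connector might deliver them.
SAMPLE_LOG = """\
GET /v1/customers/1001 200
GET /v1/customers/1002 200
POST /v1/orders 201
GET /v1/orders/7f3c2a9e-1b6d-4d0f-9c1a-0f4e3b2d1a77 200
GET /internal/admin/users 200
GET /internal/admin/users/42/export 200
DELETE /v1/customers/1001 204
""".strip().splitlines()

# Constructed sample: what the team has documented, in OpenAPI 'paths' style
# (path template -> allowed methods).
DOCUMENTED = {
    "/v1/customers/{customerId}": ["GET"],
    "/v1/customers/{customerId}/loyalty": ["GET"],
    "/v1/orders": ["POST"],
    "/v1/orders/{orderId}": ["GET"],
}

_UUID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def template(path: str) -> str:
    """Collapse identifier-looking segments so /customers/1001 and /customers/1002
    are the same endpoint. Assumption: ids are integers or UUIDs."""
    return "/".join("{id}" if seg.isdigit() or _UUID.match(seg) else seg
                    for seg in path.split("/"))


def _compile_spec(spec: dict) -> list:
    compiled = []
    for tmpl, methods in spec.items():
        pattern = "^" + re.sub(r"\{[^/}]+\}", r"[^/]+", tmpl) + "$"
        compiled.append((re.compile(pattern), tmpl, set(methods)))
    return compiled


def audit(log_lines: list, spec: dict) -> dict:
    """Return shadow endpoints, documented-but-unobserved endpoints, and traffic counts."""
    matchers = _compile_spec(spec)
    inventory = defaultdict(int)     # (method, template) -> request count
    documented_flag = {}             # (method, template) -> bool
    for line in log_lines:
        method, path, _status = line.split()
        key, is_documented = None, False
        for rx, spec_tmpl, methods in matchers:
            if rx.match(path):
                # Path is documented; the method may still be undocumented (e.g. DELETE).
                key, is_documented = (method, spec_tmpl), method in methods
                break
        if key is None:
            key = (method, template(path))
        inventory[key] += 1
        documented_flag[key] = is_documented

    shadow = sorted(k for k, ok in documented_flag.items() if not ok)
    unobserved = sorted((m, t) for t, ms in spec.items() for m in ms
                        if (m, t) not in inventory)
    return {"shadow": shadow, "unobserved": unobserved, "inventory": dict(inventory)}


if __name__ == "__main__":
    result = audit(SAMPLE_LOG, DOCUMENTED)
    for method, tmpl in result["shadow"]:
        print(f"SHADOW      {method:6} {tmpl}")
    for method, tmpl in result["unobserved"]:
        print(f"UNOBSERVED  {method:6} {tmpl}")
```

Run continuously rather than once, the same comparison against the previous run's inventory is what turns "we found an /internal/admin endpoint" into "a new endpoint appeared at 02:13 that is not in any spec", which is the signal a security team wants when developers deploy something new.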

Understand your API risk posture

As many enterprises have continued to evolve digitally, the proliferation of APIs has made their attack surface massive and difficult to understand. Yet it is critically important to protect the business from common, and evolving, security threats.

Some commonly seen examples of missed threats due to not understanding the API risk posture include:

  • Internal APIs being erroneously open to the internet
  • Loyalty program personally identifiable information (PII) exposed through an API
  • Credit card numbers exposed on open APIs

An API vulnerability is a software bug or system configuration error that an attacker can exploit to access sensitive application functionality or data or to otherwise misuse an API.

The OWASP API Top 10 offers a useful overview of some of the most widely abused API vulnerabilities that organizations should attempt to identify and remediate.

API Security assists both developers and security teams by performing full risk audits on both development and production environments, even discovering shadow APIs before they hit production. 

With API Security, you can prevent vulnerable and misconfigured APIs from hurting you by immediately notifying security, developer, and API teams of misconfigurations and vulnerabilities found during the risk audit. You can also easily understand if a partner has incorrectly set up your API, or if there are vulnerabilities in the code. Contextual and conditional alerts work within your existing workflow, such as automatically creating a Jira ticket, so you can quickly fix any problems.

Monitor API abuse

Even perfect APIs can be abused. However, unlike web applications, APIs are designed to be used programmatically in many different ways, which makes differentiating legitimate usage from attacks and abuse extremely challenging.

APIs can be attacked and abused in many different ways, but some of the most common ways include: 

  • Business logic abuse. These are the scary scenarios that keep CISOs up at night, as legacy security controls are useless against them. Logic abuse is when a malicious actor exploits application design or implementation flaws to prompt unexpected and unsanctioned behavior, such as game collusion, loyalty program misuse, and other exploits benefitting the attackers.
  • Unauthorized data access. Another common form of API abuse is exploiting broken authorization mechanisms to access data the attackers should not be allowed to access. These vulnerabilities carry many names, such as broken object level authorization (BOLA) and insecure direct object reference (IDOR), as well as broken function level authorization (BFLA).
  • Account takeover. After a credential theft or even a cross-site scripting attack, an account can be taken over. Once that happens, abuse of even the most well-written and perfectly secured API is possible. After all, if you’re not performing behavior analysis, any authenticated activity is considered legitimate.
  • Data scraping. As organizations make data sets available through public APIs, malicious actors may aggressively query these resources to perform wholesale capture of large, valuable data sets.
  • Business denial of service (DoS). By asking the back end to perform heavy tasks, API attackers or users can cause “erosion of service” or a complete denial of service at the application layer (a very common vulnerability in GraphQL, but something that can happen with any resource-intensive API endpoint implementation). This can happen through an intentional attack or through overuse by a partner that causes the API to go down for other partners. 
  • Vulnerability exploitation. Technical vulnerabilities in underlying infrastructure can lead to server compromise. Examples of these types of vulnerabilities range from the Apache Struts vulnerabilities (CVE-2017-9791, CVE-2018-11776, and friends) to the Log4j vulnerabilities (CVE-2021-44228 and friends).
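The unauthorized-data-access item above (BOLA/IDOR and BFLA) is the one that is easiest to show in code. The block below is an added example written for this page, not code from Akamai or from any real application: a vulnerable invoice handler that trusts the client-supplied id, the hardened version that ties object access to the authenticated principal, a function-level check for a privileged operation, and a small id-sweep helper that shows what an attacker enumerating ids gets from each. The data store, principal model, and role name `finance_admin` are all assumptions for the example.

```python
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount: float


@dataclass(frozen=True)
class Principal:
    user_id: int
    roles: frozenset


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


# Constructed sample data: two customers, one invoice each.
INVOICES = {
    101: Invoice(101, owner_id=1, amount=250.0),
    102: Invoice(102, owner_id=2, amount=9_999.0),
}

# Assumption for the example: a role that may read and void any invoice.
ADMIN_ROLE = "finance_admin"


def get_invoice_vulnerable(caller: Principal, invoice_id: int) -> Invoice:
    """BOLA/IDOR: authenticated, but any caller can read any invoice by id."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        raise NotFound(invoice_id)
    return inv


def get_invoice(caller: Principal, invoice_id: int) -> Invoice:
    """Hardened: object-level authorization against the authenticated principal.
    Foreign objects answer 404 rather than 403 so the handler does not confirm
    which ids exist."""
    inv = INVOICES.get(invoice_id)
    if inv is None or (inv.owner_id != caller.user_id and ADMIN_ROLE not in caller.roles):
        raise NotFound(invoice_id)
    return inv


def void_invoice(caller: Principal, invoice_id: int) -> Invoice:
    """BFLA guard: the operation itself is privileged, independent of ownership."""
    if ADMIN_ROLE not in caller.roles:
        raise Forbidden("void requires finance_admin")
    inv = get_invoice(caller, invoice_id)
    return Invoice(inv.invoice_id, inv.owner_id, 0.0)


def enumerate_ids(handler: Callable, caller: Principal, ids: Iterable[int]) -> list:
    """What an attacker sweeping ids learns: ids of invoices that are not theirs."""
    leaked = []
    for i in ids:
        try:
            inv = handler(caller, i)
        except (NotFound, Forbidden):
            continue
        if inv.owner_id != caller.user_id:
            leaked.append(inv.invoice_id)
    return leaked


if __name__ == "__main__":
    alice = Principal(user_id=1, roles=frozenset())
    print("vulnerable leaks:", enumerate_ids(get_invoice_vulnerable, alice, range(100, 110)))
    print("hardened leaks:  ", enumerate_ids(get_invoice, alice, range(100, 110)))
```

The id sweep is also the detection angle: even with the hardened handler, a single user walking sequential ids and collecting a stream of 404s is a behavioral signal worth alerting on, because the next target may be an endpoint that does not have the check.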

Identifying and mitigating these and other API security risks requires security controls that are sophisticated enough to address this complex and fast-evolving threat landscape. 

The API Security solution provides business context that cannot be gained by analyzing technical elements like IP addresses and API tokens alone. Using AI and behavioral analytics, API Security outputs business context and historical benchmarks that are navigable, enabling you to do a thorough analysis of what happened before and after an alert to identify a root cause. API Security also allows you to search APIs by specific entities, such as your users or partners, or even business process entities (e.g., invoice, payment, order, etc.), to make it possible to find anomalies that would otherwise go undetected.
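The behavioral-baseline idea in this section (deviation from an entity's own history, rather than a fixed rule on IP address or token) can be made concrete for the data-scraping case listed above. The block below is an added example written for this page and is not Akamai's detection logic: it assumes activity lines of the form "TIMESTAMP USER METHOD PATH", counts distinct object ids each user touches per hourly window, builds a per-user baseline from earlier windows, and alerts when the current window exceeds that baseline by a margin. The log is constructed inline: a normal user who suddenly pulls 80 customer records, and a partner that legitimately pulls 50 to 55 every hour. The thresholds (`k`, `min_abs`, the cold-start limit) are assumptions a deployment would tune.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def make_log() -> list:
    """Constructed sample activity: six hourly windows, the last one is 'current'."""
    lines = []
    t0 = datetime(2024, 5, 1, 10, tzinfo=timezone.utc)
    for h in range(6):
        ts = t0 + timedelta(hours=h)
        # alice: 3..5 distinct customers per hour, then 80 in the last hour (scraping).
        n_alice = 80 if h == 5 else 3 + (h % 3)
        for i in range(n_alice):
            lines.append(f"{(ts + timedelta(seconds=i)).isoformat()} alice GET /v1/customers/{1000 + i}")
        # partner-bob: consistently heavy (50..55 per hour); high volume is normal for him.
        for i in range(50 + h):
            lines.append(f"{(ts + timedelta(seconds=i)).isoformat()} partner-bob GET /v1/customers/{2000 + i}")
    return lines


def distinct_objects_per_window(lines: list) -> dict:
    """(user, hour) -> number of distinct object ids read in that hour."""
    seen = defaultdict(set)
    for line in lines:
        ts, user, _method, path = line.split()
        window = ts[:13]                      # "YYYY-MM-DDTHH"
        obj = path.rsplit("/", 1)[-1]         # assumption: object id is the last segment
        seen[(user, window)].add(obj)
    return {k: len(v) for k, v in seen.items()}


def detect_scraping(lines: list, k: float = 3.0, min_abs: int = 20, cold_start: int = 200) -> dict:
    """Alert on users whose current-window distinct-object count deviates from their own history.

    threshold = max(mean + k * stdev, min_abs) when the user has a baseline;
    users with fewer than three prior windows only trip the absolute cold_start limit.
    """
    per_window = distinct_objects_per_window(lines)
    windows = sorted({w for _, w in per_window})
    current = windows[-1]

    history = defaultdict(list)
    for (user, w), n in per_window.items():
        if w != current:
            history[user].append(n)

    alerts = {}
    for (user, w), n in per_window.items():
        if w != current:
            continue
        hist = history.get(user, [])
        if len(hist) >= 3:
            mean = statistics.mean(hist)
            sd = max(statistics.pstdev(hist), 1.0)   # floor so a flat history is not hair-trigger
            threshold = max(mean + k * sd, min_abs)
        else:
            mean, threshold = None, cold_start
        if n > threshold:
            alerts[user] = {"window": w, "observed": n, "baseline_mean": mean, "threshold": threshold}
    return alerts


if __name__ == "__main__":
    for user, a in detect_scraping(make_log()).items():
        print(f"ALERT {user}: {a['observed']} distinct objects in {a['window']} "
              f"(baseline mean {a['baseline_mean']}, threshold {a['threshold']:.1f})")
```

The point of the per-entity baseline is visible in the output: a global rule such as "more than 40 records per hour" would page on the partner every hour and drown the real event, while the partner's own history makes 55 unremarkable and alice's 80 (against a baseline of about 4) stand out.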
