Akamai defends web apps in the cloud

The company's new Web Application Firewall managed service is aimed at reducing the risk from massive, distributed application-layer attacks
Written by Matthew Broersma, Contributor on

Akamai has launched a cloud-based firewall service for web applications, designed to defend datacentres against the growing complexity and scale of application-layer attacks.

The company's Web Application Firewall (WAF) managed service, introduced on Monday, is hosted on Akamai's EdgePlatform, a network of more than 55,000 servers. It is designed to filter out and trap the most common exploit types, including SQL injection and cross-site scripting (XSS) attacks. The service is intended to complement technologies that protect the network layer, Akamai said.

It blocks only the best-known types of attacks from entering datacentres, using the scalability of Akamai's computing resources to reduce the amount of traffic that a business's internal security systems must filter.

"We've defended customers from application-layer attacks on the magnitude of over 100Gbps, demonstrating that massive distribution at the edge is critical as malicious activity grows in size and complexity," said Akamai chief security architect Andy Ellis, in a statement.

The service meets the Payment Card Industry Data Security Standard (PCI-DSS) requirements for web application security. That means it can help websites that accept credit-card payments comply with the standard, according to Akamai.

WAF is based on the open-source ModSecurity project, which supplies request filtering and other security features for HTTP servers.

The service can be used to protect web applications based on a company's own infrastructure. It can also help defend those hosted on cloud services, where infrastructure is shared by multiple customers, the company said.

"When leveraging shared computing resources, it is vital that your application does not become compromised by an attack directed at another enterprise," said Akamai chief scientist Tom Leighton.

Akamai is not alone in arguing that cloud-based infrastructure presents new risks for the companies that use it. In October Trend Micro updated its flagship Deep Security product to protect cloud-based servers.

Sun's UK chief technology officer said earlier this year he was working with major British public and private organisations to set up a cross-sector forum specifically aimed at resolving cloud-computing security issues, including issues around compliance with PCI-DSS.

Editorial standards