What can we expect to achieve from utilising a CDN (Content Delivery Network)? What features should we expect to gain from an ideal CDN?
What Are the Benefits of a CDN?
CDNs carry a significant portion of the world’s Internet traffic. Akamai, for example, handles around 30% of the world’s traffic. They have to be ubiquitous in presence and mitigate the toughest challenges of delivering content over the Internet.
So why are CDNs so necessary? Why is it that everyone, from small and medium content companies to the world’s large corporations, relies on CDNs to provide a seamless web experience to their end users?
As the size and complexity of Internet content has increased over the past decade, the CDN has played an important role in enhancing the user experience, reducing costs, improving security, and managing traffic.
CDNs have become an essential tool to successfully conduct business online for one main reason: the Internet was not originally designed to do all of the things that it does today, commerce being one example. It simply wasn’t built to handle the demands of massive amounts of data, live high definition video, flash sales, and large downloads that people expect today.
In specific terms, CDN technology should provide the following primary benefits to a business:
- Performance
- Availability
- Security
- Intelligence
Performance
What does performance mean? It means connected content delivered at speed. It’s the difference between a click giving you immediate access to new content, and a click then a seven second wait while a page loads or a video buffers.
How does it work? When requested content is cached (pre-saved) by a CDN’s servers, end users will get that content by connecting to the nearest CDN server rather than waiting for their request to go directly to the origin. This results in a significant performance improvement for the end user. For example, let’s say that Fashion House X (FHX) from Milan, Italy, releases its new line-up for online orders. Fashion lovers in New York, Paris, Rio De Janeiro, and Tokyo all go online to make their orders. If FHX isn’t using a cloud content management system, the request from each end user must go all the way to Milan and back. However, if FHX uses a CDN and has pre-loaded its content across the CDN, each user can access the new content from servers directly in their city, saving their data hundreds or thousands of miles in round-trip time.
What if the content isn’t already in cache? When a CDN server does not have the content in its cache, it is able to traverse the length and breadth of the Internet using its programmed knowledge of the inter-connections between itself and its companion CDN servers. This helps it overcome the challenges of peering between multiple ISPs, lost packets due to network outages, and the time lost in DNS resolution. Advanced CDNs also have other specific technologies to deal with dynamic, or uncacheable, content.
All of this means that via a CDN, content providers can deliver fast, quality web experiences to all their end users; no matter what location, browser, device, or network they’re connecting from. Webpages render faster, video buffering time is reduced, users stay more engaged, and content providers get more business.
Availability
Availability means that content remains accessible to end users under stress situations such as excessive user traffic, intermittent spikes, and potential server outages.
When traffic loads peak at millions of requests per second, even the most powerful origin web servers would be put to the test. Without a CDN, all of this traffic has to be absorbed by a content provider’s origin infrastructure. This can cause the origin to fail, resulting in a terrible end user experience and lost business. That’s when CDNs, with their massively distributed server infrastructure, are of immense value. Advanced CDNs, with their highly distributed architecture and massive server platforms, can absorb tens of Terabytes of traffic and make it possible for content providers to stay available to larger user bases than otherwise possible.
As an example, let’s return to Fashion House X (FHX) in Milan. FHX’s brand is beloved by millions of fashion lovers, and their new line-up generates a lot of excitement. At the moment of launch, fashion lovers from all over the world go online to FHX’s website at the same moment. If FHX is not using a CDN, all of those users would hit their origin server at the same time, causing it to fail. However, if FHX is using a CDN, all of that traffic will be served across the CDN’s hundreds of thousands of servers, keeping FHX’s origin from failing and delivering a quality experience to fashion lovers across the globe.
Security
As the volume of high-value data and transactions on the Internet continues to grow, so do the forces of attackers looking to exploit it – and these forces are costing organisations money. According to a report by the Ponemon Institute of Cyber Crime, in 2015 businesses around the world suffered average losses of $7.7 million due to cybercrime. Along with crimes committed by malicious insiders, DDoS and web-based attacks were found to be the costliest.
According to Akamai’s own State of the Internet / Security Report, DDoS attacks and web-based exploits (SQL injection, cross-site scripting, and local or remote file-inclusion attacks) are the most common as well. These attacks are also increasingly launched in conjunction, using a DDoS to divert attention while causing more serious damage with other exploits. In both types of attacks, it is often difficult to distinguish bad traffic from legitimate traffic, and strategies continue to evolve rapidly over time, requiring significant dedicated security resources in order to stay up to date on mitigation strategies.
Given the increasing volatility of the Internet threat landscape, helping to secure websites is a critical CDN requirement. Today’s most advanced CDNs, such as Akamai, have made information security a core competency, providing unique cloud-based solutions. CDNs should protect content providers and users by mitigating against a wide array of attacks without malicious entities ever compromising delivery and availability.
Intelligence
As carriers of nearly half of the world’s Internet traffic, CDN providers generate vast amounts of data about end user connectivity, device types, and browsing experiences across the globe. They can expose this data to their customers, thus giving them critical, actionable insights, and intelligence into their user base. In the case of Akamai, this includes Real-User Monitoring and Media Analytics to measure end-user engagement with web content, and Cloud Security Intelligence to keep track of online threats.
Introduction – What is caching?
Caching is at the heart of content delivery network (CDN) services.
Caching is what a web browser does locally on a computer or device. It is the storing of files and objects (image files, text, documents) on local storage, where they can be accessed rapidly and repeatedly without having to fetch the content again from the webserver (origin).
A CDN moves your website content (called the origin – as it’s where the original content originates) to powerful caching proxy servers located all over the Internet, optimised for accelerated content distribution to browsers.
Caching works by selectively storing website files on a CDN’s cache servers, where they can be quickly accessed by website visitors browsing from a geographically nearby location.
Traditionally, CDNs cached basic files and objects, also known as static files. The majority of the content on a website consists of static, pre-formatted files that are not expected to change over time (or for different users or different locations). These files are the ideal candidates for caching (as opposed to dynamic files, which are generated on-the-fly based on information from a database). Examples of static files are template images, video, music, JavaScript, and CSS files.
What can CDN caching do for your website?
The pressure to deliver great online experiences is higher than ever. Across sites and apps, 53% of visits are abandoned if a mobile site takes more than 3 seconds to load, and 49% of users expect a mobile app to respond within 2 seconds or less. What’s more, 50% of online transactions involve multiple devices. To realise digital success, businesses must always deliver a great experience on every form factor and device, or risk reduced customer satisfaction, brand perception, and revenue opportunities.
Reduction of bandwidth costs – delivering content from CDN cache proxies removes the need for the origin to directly serve the content, significantly reducing the bandwidth costs associated with serving content to lots of browsers across the world. For most sites, bandwidth costs can be reduced by as much as 50% to 80%, depending on the percentage of cacheable content.
A globally distributed network of cache proxy servers can improve user experience. CDNs bring your website content closer to all visitors, relative to their location and the location of your webserver. Having this content delivered from a local server significantly improves access speed to the browser, and therefore user experience is improved.
CDNs have traffic capacity far in excess of most enterprise data network capabilities. Whereas a website may be easily disrupted by unexpected traffic peaks or distributed denial of service (DDoS) attacks, CDN cache servers are highly resilient and secure. As a result, they are stable during traffic spikes (flash sales, for example).
How does a caching CDN server work?
Cache servers (what we used to call proxies twenty years ago when CDNs were first considered) are the infrastructure of a CDN’s network data centres, which are strategically (and deliberately) situated around the globe where people are (also known as eyes). These points of presence (PoP) are carefully selected based on traffic patterns of individual regions. Very active locations of the world with high volumes of users may have several data centres. On the other hand, remote locations with few users may have only one PoP to cover a large geographic region. Of course, these facilities have a real cost for the CDN providers.
Traditionally CDNs were built in datacentres to provide a symbiotic relationship for telecoms carriers. It was cheaper for carriers to use CDNs themselves to reduce the cost of transferring data (web browsing traffic being the highest volume use) than it was to deploy higher and higher speed links between cities. CDNs needed high capacity Internet circuits to build their network of CDN servers. So, they needed each other. So CDNs were often given free rack space in datacentres around the world in exchange for providing CDN services back to the carriers. So, the CDN networks evolved.
Once in place, cache servers act as a repository for website content, providing local users with accelerated access to cached files. The closer a cache server is to the end user, the shorter the connection time needed for transmission of website data. Specially designed hardware was built by the CDN providers to ensure the most rapid delivery of content to browsers. Speed was everything.
What are cache headers?
Web developers use HTTP cache headers to mark cacheable web content and set cache durations (how long the data may be cached by the CDN).
By using cache headers, you can control your caching strategy by establishing optimum cache policies that ensure the freshness of your content balanced with the need for the CDN to go back to the origin webserver and fetch the content again. This has a ‘cost’ and introduces delay of course.
As an example: “Cache-Control: max-age=3600” means that the file can be cached for no longer than an hour (60 minutes) before it must be re-fetched from the origin content again.
Manually tagging each file is prone to inefficiencies and was originally how websites were built to work optimally with the first generations of CDNs. Today CDNs allow you to forgo the practice by employing intelligent mechanisms able to override cache header directives when they are discovered to be suboptimal. These mechanisms enable the caching of dynamic content marked as uncacheable by default, even when freshness is not an issue.
Introduced with HTTP/1.1, the Cache-Control header handles a variety of cache functions. It is supported by all modern browsers and supersedes any previous generation headers (such as Expires).
Here are some examples.
- Cache-Control: public – enables caching by public platforms such as CDNs.
- Cache-Control: private – reserved for private information that is designated non-cacheable.
- Cache-Control: no-cache – requires validation before caching.
- Cache-Control: no-store – completely prohibits caching.
- Cache-Control: public, max-age=[seconds] – sets a max limit (in seconds) for time that content can be cached before purging.
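An added example (not from the original article or from any CDN vendor) of how a shared cache such as a CDN edge could act on the directives listed above. It shows why `private` and `no-store` on personalised responses matter: they are what keeps a per-user page out of the shared cache. The function and class names are illustrative, and `s-maxage` is a standard directive that the list above does not mention.

```python
from typing import NamedTuple, Optional


class CachePolicy(NamedTuple):
    store: bool            # may the shared cache keep a copy at all?
    ttl: int               # seconds the copy may be served without asking origin
    must_revalidate: bool  # copy may be kept, but origin must confirm it before reuse
    reason: str            # directive that decided the outcome


def parse_cache_control(value: str) -> dict:
    """Split a Cache-Control header into {directive: argument-or-None}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def _seconds(arg: Optional[str]) -> Optional[int]:
    """Return a non-negative integer lifetime, or None if it is malformed."""
    if arg is not None and arg.isascii() and arg.isdigit():
        return int(arg)
    return None


def shared_cache_policy(cache_control: str, default_ttl: int = 0) -> CachePolicy:
    """Decide what a shared (CDN) cache may do with a response."""
    d = parse_cache_control(cache_control)
    # Prohibitions win over any lifetime that appears in the same header.
    if "no-store" in d:
        return CachePolicy(False, 0, False, "no-store")
    if "private" in d:
        return CachePolicy(False, 0, False, "private")
    if "no-cache" in d:
        # May be stored, but every reuse needs a check with the origin.
        return CachePolicy(True, 0, True, "no-cache")
    # s-maxage applies to shared caches only and takes precedence over max-age.
    for name in ("s-maxage", "max-age"):
        if name in d:
            ttl = _seconds(d[name])
            if ttl is None:
                # Malformed lifetime: fail closed and treat the copy as stale.
                return CachePolicy(True, 0, True, f"invalid {name}")
            return CachePolicy(True, ttl, ttl == 0, name)
    return CachePolicy(True, default_ttl, default_ttl == 0, "default")


if __name__ == "__main__":
    # Constructed sample headers, not captured traffic.
    for header in ("public, max-age=3600", "private, max-age=600",
                   "no-cache", "no-store", "public, max-age=60, s-maxage=3600"):
        print(f"{header!r:40} -> {shared_cache_policy(header)}")
```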
Cache control
Historically most CDN caching has been a manual process. Developers had to manipulate files individually. Modern CDNs however, are developing new processes to monitor, categorise and cache a wider range of content, saving you time and allowing for higher overall efficiency.
This learning-based approach relies on a CDN’s ability to track content usage patterns to auto optimise storage and delivery. One of the main benefits of intelligent cache controls is the ability to identify new cache opportunities for dynamically generated objects. These pieces of content, which are generated with each visit, may not be subject to change but are still deemed “dynamic” due to a technicality. Intelligent cache algorithms can auto identify dynamic content simply by observing usage patterns.
For example, when a CDN notices that the same HTML version of your product page is being served again and again, it labels it as static, even though it’s dynamically generated. From that point, the HTML object is deemed “cacheable” and is served directly from a CDN’s servers to improve page load speed and responsiveness. The algorithms, on the other hand, keep track of the object and constantly re-evaluate its status, marking it as dynamic as soon as they see that it was modified. Doing this at scale can vastly improve website performance, with no impact on content freshness.
Akamai offer a more complete set of web content optimisations. For example:
Asynchronous resource loading, JavaScript bundling, Browser optimisation, Aggressive GZIP (compression), Auto-minify, Local storage caching, Image optimisations (lossless, lossy and device appropriate image delivery), Session optimisation (basic prefetching).
Akamai offers all of these optimisations, and advances many of them considerably. Akamai offer more sophisticated prefetching, a more complete set of image optimisations, and have more features focused on reducing requests and minimising payload. This more extensive feature set, coupled with the scale of the Akamai platform, typically results in far better performance. This can be seen in head-to-head trial results against other CDN providers.
Essential cache options for a CDN.
Purging is instructing the CDN to no longer serve a file from cache.
Akamai can purge by file, all, directory (recursive or not), tags, or file type. Akamai also has the ability to conditionally (e.g. if no login cookie then cache home page) and dynamically (e.g. partition the cache based on productID query string) cache content.
By purging /images/default-logo.png you instruct the CDN to invalidate that cached image on all edge servers globally. After the purge has completed and a user requests the purged file, the CDN will send a (conditional) request to your origin. Your origin will then respond by sending the newer version of the file, which the CDN will cache and serve to users going forward.
Even with the most intelligent caching, administrator control is still a requirement for optimal cache management. These are the three must-have cache control options:
Purge cache – gives you the ability to refresh cached files on demand. Note that some providers will only allow you to refresh the entire cache storage. Also, in some cases your CDN provider will limit the number of purges over a given time period, or will charge for each subsequent purge. The effectiveness of a purging request is measured in the time it takes for it to propagate through the entire network. Bear in mind that the largest cache network will take longer than the smallest, but the largest CDN gives you the most coverage, so there is a trade-off. For example, Akamai’s platform is 70 x larger than Fastly’s. With customised configuration and best practices applied, Akamai can achieve similar cache purge results to Fastly’s Instant Purge, namely, instant content refresh and synchronised content migration.
Always/Never cache – helps you manually override cache headers, tagging files that should be always served or never served from cache. This is an effective tool for cache management, especially when combined with bulk management options that allow you to apply these directives to entire groups of files (e.g., all JPG files in /template/images/ folder).
Cache for period – a refinement of the Always cache option, this allows you to set a specific period during which the object should be served from cache before refreshing. Accessible from the CDN dashboard, this allows management of specific files. This option is useful when used for bulk file management (for example, all JS files that are cached for three days).
Purge type
Is the object invalidated (expires in cache) or deleted (removed from cache)?
Purge time
Many CDNs do the purge (near) instantly but on some CDNs it may take several minutes.
Purge assurance
When has the purging of objects completed on all CDN POPs? Some CDNs provide a way to know, for every purge request, when the purge was actually completed.
Purge capabilities
Purge per file, purge all files, purge per directory (recursive or not), purge by file type or file extension, purge by tag or key. Do not assume every CDN has all of these capabilities.
Purge costs
Some CDNs (not Akamai) charge for purging if you go over a certain number of purges per month.
Serving stale content or the origin is offline
Content is stale if it has expired in cache. CDNs don’t hold objects in cache forever: an object has a TTL (Time To Live) and once the TTL is zero, the object has expired and is stale. The CDN must fetch from the origin first before sending the object to clients.
Imagine the CDN gets a request for /images/default-logo.png and the image has expired in cache. The CDN tries to get a fresh copy from origin but the origin is unavailable. What should the CDN do? Send a timeout error or serve the cached, stale object?
Serve stale means the CDN serves an expired object from cache while the origin is unresponsive and/or returns an error. In most cases it’s better for the user to get a good but expired/old/outdated response from the CDN than getting a timeout or other error response.
Akamai can be instructed to serve stale content if the origin is unavailable.
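The purge types and the serve-stale decision described above, modelled as a toy edge cache. This is an added example, not code from the original article or from any CDN; `EdgeCache`, `FakeOrigin` and the status strings are illustrative names, and time is passed in explicitly so the run is deterministic.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


class OriginError(Exception):
    """Raised by the origin fetcher when the origin is down or times out."""


@dataclass
class Entry:
    body: bytes
    expires_at: float


class EdgeCache:
    def __init__(self, fetch_origin: Callable[[str], bytes], ttl: float,
                 serve_stale: bool = True):
        self.fetch_origin = fetch_origin
        self.ttl = ttl
        self.serve_stale = serve_stale
        self.store: Dict[str, Entry] = {}

    def purge(self, path: str, delete: bool = False) -> None:
        """Invalidate (expire in place) or delete (remove) a cached object."""
        if delete:
            self.store.pop(path, None)
        elif path in self.store:
            self.store[path].expires_at = float("-inf")

    def get(self, path: str, now: float) -> Tuple[str, bytes]:
        """Return (status, body); status is HIT, MISS, STALE or ERROR."""
        entry = self.store.get(path)
        if entry and now < entry.expires_at:
            return "HIT", entry.body
        try:
            body = self.fetch_origin(path)
        except OriginError:
            # Expired or invalidated copy, origin unreachable: the stale decision.
            if entry and self.serve_stale:
                return "STALE", entry.body
            return "ERROR", b""
        self.store[path] = Entry(body, now + self.ttl)
        return "MISS", body


class FakeOrigin:
    """Constructed stand-in for an origin server that can be switched off."""

    def __init__(self) -> None:
        self.up = True
        self.version = 1

    def __call__(self, path: str) -> bytes:
        if not self.up:
            raise OriginError(path)
        return f"{path} v{self.version}".encode()


def demo() -> List[Tuple[str, str]]:
    origin = FakeOrigin()
    cache = EdgeCache(origin, ttl=60)
    path = "/images/default-logo.png"
    log = [cache.get(path, now=0),      # first request: fetched from origin
           cache.get(path, now=30)]     # within TTL: served from cache
    origin.up = False
    log.append(cache.get(path, now=90))  # TTL expired, origin down: stale copy
    origin.up = True
    origin.version = 2
    cache.purge(path)                    # invalidate: next request refetches
    log.append(cache.get(path, now=91))
    origin.up = False
    cache.purge(path)                    # invalidated copy remains as fallback
    log.append(cache.get(path, now=92))
    cache.purge(path, delete=True)       # deleted copy cannot be served stale
    log.append(cache.get(path, now=93))
    return [(status, body.decode()) for status, body in log]


if __name__ == "__main__":
    for status, body in demo():
        print(status, body)
```

In this model an invalidated object is still available as a stale fallback while a deleted one is not, so content that must never be served again needs a delete-type purge.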
Mobile device optimisation
Customers state that one of the major drivers behind buying a CDN is the mobile optimisation features it offers. We all know that mobile traffic can form 50% or more of a website’s traffic. Browser Specific Image Formats.
Features that a CDN should offer mobile devices include
· Custom Cache Key to identify device types
· Mobile Image Optimisations:
o Streamlining requests into a single connection
o Lazy-loading below the fold
o Asynchronously loading images: progressive image loading
o Sending reduced-sized images first and full resolution images later
o Applies both ‘lossless’ and ‘lossy’ image optimisations to remove unnecessary bytes from images.
· Native Mobile App Accelerator keeps connections alive between CDN edge and mobile app API.
· Mobile redirects
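The conditional and partitioned caching mentioned in the purging section (cache only when there is no login cookie; partition on the productID query string) and the device-type custom cache key listed above can be sketched as one key-building function. This is an added example, not Akamai's implementation; the cookie name `login`, the key layout and the coarse device detection are assumptions.

```python
from typing import Optional, Set
from urllib.parse import parse_qs, urlsplit

LOGIN_COOKIE = "login"        # assumed name of the session cookie
KEY_PARAMS = ("productID",)   # query parameters that change the response


def cookie_names(header: str) -> Set[str]:
    """Names of all cookies in a Cookie header; tolerant of odd values."""
    return {p.split("=", 1)[0].strip() for p in header.split(";") if p.strip()}


def device_class(user_agent: str) -> str:
    """Very coarse device bucket; real device detection is far richer."""
    ua = user_agent.lower()
    if "ipad" in ua or "tablet" in ua:
        return "tablet"
    if "mobi" in ua or "iphone" in ua or "android" in ua:
        return "mobile"
    return "desktop"


def cache_key(url: str, headers: dict) -> Optional[str]:
    """Return the cache key for a request, or None if it must bypass the cache.

    `headers` is assumed to use canonical names ("Cookie", "User-Agent").
    """
    if LOGIN_COOKIE in cookie_names(headers.get("Cookie", "")):
        # A logged-in response is personalised and must never be shared.
        return None
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    # Only parameters that change the response partition the cache; tracking
    # parameters are dropped so they do not fragment it.
    kept = [f"{name}={value}"
            for name in KEY_PARAMS
            for value in sorted(query.get(name, []))]
    return "|".join([parts.netloc.lower(), parts.path, "&".join(kept),
                     device_class(headers.get("User-Agent", ""))])


def demo() -> dict:
    # Constructed requests against a placeholder host.
    phone = {"User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0) Mobile/15E148"}
    desktop = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"}
    member = dict(desktop, Cookie="theme=dark; login=abc123")
    return {
        "phone_mail": cache_key("https://shop.example/product?productID=42&utm_source=mail", phone),
        "phone_ad": cache_key("https://shop.example/product?utm_source=ad&productID=42", phone),
        "phone_other": cache_key("https://shop.example/product?productID=43", phone),
        "desktop_home": cache_key("https://shop.example/", desktop),
        "member_home": cache_key("https://shop.example/", member),
    }


if __name__ == "__main__":
    for name, key in demo().items():
        print(f"{name:13} {key}")
```

Every request attribute that changes the response has to appear in the key (or force a bypass); anything left out is shared between users who should have received different content.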
Site shielding
Origin shield is an extra caching layer between the CDN edge servers and your origin. The shield helps offload your origin and speed up cache miss responses. Another benefit of Origin shield is: if you want to whitelist IPs of the CDN in the firewall on your origin, you only need to whitelist a few IPs instead of many.
One (or multiple) of the POPs of the CDN will act as the shield. When a CDN edge server gets a request from a user and can’t satisfy the request from cache, the edge server will fetch the object from the shield POP rather than pulling from the customer origin directly.
Origin shield is not the same thing on all CDNs that have this feature.
Free
Does the CDN provide Origin shield for free or is it a paid add-on?
POP selection
Can any of the CDN POPs act as a shield or can you select from a limited number of POPs?
Multiple
Can you have multiple POPs act as a shield or just one?
CDN Compression – Introduction to Compression
When a client/browser sends a request to the CDN, it tells the server what types of compressed content it supports by way of the Accept-Encoding request header. The server will take this into account and send back compressed content if possible. Compression is great for performance and costs: fewer bytes over the wire results in better load times and lower CDN costs. On average, compression reduces file size by 70% and can be as high as 90%.
Most clients (browsers, apps) can handle Gzip compressed content and Gzip is by far the most common compression algorithm used today.
· Compression reduces ~70% of file size of text-based objects (HTML, CSS, JS, etc), resulting in faster loading and reduced CDN costs
· Some CDNs can compress content on the fly on their edge servers, others can only serve compressed if the origin sent compressed to CDN
· All modern browsers support Gzip compression and will automatically request it
CDN → client
What is the behaviour of the CDN when sending objects to the client? Three possibilities:
· Resend from origin only: the CDN only sends compressed to the client if the customer origin server sent the object compressed to the CDN
· Compress on the edge only: the CDN fetches from the customer origin uncompressed and does the compression on the fly on the edge server
· Resend, or compress on edge: CDN fetches from origin compressed; if origin does not serve compressed, the CDN will cache the uncompressed file and do the compression on the fly before serving to clients
CDN ← origin
Can your origin serve content compressed to the CDN? This is important because some CDNs want to fetch compressed from origin and this speeds up cache miss responses. However, some CDNs always fetch uncompressed.
How can I tune my CDN performance even further?
For the most part, the CDN is responsible for the performance of your content delivery. The CDN controls its global server load balancers, caching servers and network to optimise performance for you.
However, there are some fundamental things you can do yourself to improve performance even more. Some of these things would be considered essential even without the use of a CDN!
Use high performance primary DNS
Don’t use the DNS service of your hosting provider or domain registrar just because it is included in your hosting package. Use a dedicated high scale DNS network like Akamai FastDNS. Their 250,000 servers offer DNS services and are DDOS protected.
Also, make sure to use high TTL values (Time-To-Live) on your DNS records, so Internet resolvers can cache the records for a long time.
Move your origin close to your CDN
If most of your users are in Europe, do not place your origin in a far-away location like California but in … Europe.
Keeping the latency low between CDN and origin is an effective way to optimise CDN performance for cache miss responses.
If you can’t host your origin close to the CDN, consider using an Origin shield. Origin shield is an extra caching layer between the CDN edge servers and your origin. The shield helps offload your origin and speed up cache miss responses.
Have IPv6 connectivity
Facebook has done a lot of research into the impact of IPv6 on performance and concluded the effects are positive:
Accessing Facebook can be 10-15 percent faster over IPv6.
Can your CDN connect to your origin over IPv6? If yes, consider moving your origin to an IPv6-enabled hosting environment.
Tune your initcwnd
The initial congestion window parameter (initcwnd) on your origin server likely has a value of 10. This means the server sends out 10 packets in the first round trip over a fresh connection.
A value of 10 is not bad and often the default for webservers today, but a higher initcwnd likely has a significant positive effect on TCP performance, resulting in faster content transfer between origin and CDN.
Some CDNs have an initcwnd of 10, other CDNs have a (much) higher value. Akamai can support 32 for example.
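A worked calculation of what the initcwnd values above mean for a cache-miss fetch, as an added example that is not part of the original article. It assumes idealised TCP slow start (no packet loss, the window doubling every round trip, no receiver-window limit), a 1460-byte segment payload, and it ignores the handshake; the object sizes are constructed.

```python
import math
from typing import Dict, Iterable

MSS = 1460  # assumed payload bytes per TCP segment (1500-byte MTU, no options)


def round_trips(size_bytes: int, initcwnd: int, mss: int = MSS) -> int:
    """Round trips needed to deliver size_bytes on a fresh connection.

    Idealised slow start: initcwnd segments go out in the first round trip
    and the congestion window doubles in every following one.
    """
    if initcwnd < 1:
        raise ValueError("initcwnd must be at least 1")
    if size_bytes <= 0:
        return 0
    remaining = math.ceil(size_bytes / mss)  # segments still to send
    cwnd = initcwnd
    trips = 0
    while remaining > 0:
        remaining -= cwnd
        cwnd *= 2
        trips += 1
    return trips


def compare(sizes: Iterable[int],
            windows: Iterable[int] = (10, 32)) -> Dict[int, Dict[int, int]]:
    """Map each object size to {initcwnd: round trips}."""
    windows = tuple(windows)
    return {size: {w: round_trips(size, w) for w in windows} for size in sizes}


if __name__ == "__main__":
    # A small CSS file, a 45 kB HTML page and a 1 MB image (constructed sizes).
    for size, result in compare([14_000, 45_000, 1_000_000]).items():
        print(f"{size:>9} bytes: " +
              ", ".join(f"initcwnd={w}: {n} RTT" for w, n in result.items()))
```

Multiply the difference in round trips by the latency between CDN and origin to estimate the time saved on each cache miss.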
Keep connections alive forever
When the CDN needs to pull content from your origin, a TCP connection must exist between the two servers. Ideally, that connection is already there and can be reused, saving roundtrips and precious milliseconds to establish a fresh connection.
The CDN or the origin may terminate the connection. You have no control over how long the CDN keeps a connection alive, but you do control the keep-alive behaviour on your origin. So, don’t close the connection on your origin.
Reduce TLS connection time
Do you have a secure HTTPS origin? If yes, there are several optimisations you can do to improve CDN performance. To name a few: TLS False Start, TLS session resumption and TLS record size optimisation.
Or simply host your certificates in your CDN and get them to handle this. Offloading SSL to the CDN further reduces the work for your origin.
Minimise byte size
Reducing the byte size or ‘weight’ of your content is very effective in speeding up content delivery performance. The fewer bytes transmitted, the faster your content arrives at your users.
There are many ways you can minimise byte size to enhance CDN performance; compression is the most effective and often the easiest to implement. Other options include image optimisation, Akamai Image Manager being a good example.
Get help tuning your CDN
For customers without in-house CDN experts just turning on a CDN will give some benefit; however, working with a CDN’s team of experts can result in significant gains. As an example, a medium sized e-commerce company purchases a CDN and turns it on. It immediately provides 50% offload and a significant performance bump to their site. By utilising the CDN’s self-service tool set they are able to improve performance and achieve 75% offload. In the face of a major upcoming online sale, the company goes to its CDN partner like ITogether to ask for help. ITogether provide a team of experts to help, and together they are able to raise offload to 95%, relieving pressure on the customer’s origin and showing top performance during the peak traffic of its sales event. Between the self-service tools and partner expertise, this customer was able to make a significant return on investment.
What does Akamai offer on top of common CDN features?
As web content has increased in size and sophistication, the CDN is confronted with a variety of problems. Streaming media has caused page load times to slow considerably. Dynamic sites are using more sophisticated logic to display complex rendering that can’t be cached, and mobile devices are requesting content that is further away from origin servers and that hasn’t yet been optimised for these devices.
Comprehensive CDN capabilities
Akamai CDN solutions address the key challenges of the next generation CDN with:
- Advanced web performance optimisation capabilities that improve mobile, web and CDN performance to enhance the user experience, increase conversions, and boost the bottom line.
- High-quality video delivery solutions that can easily handle the explosion in online video and satisfy user expectations for quality and fast access.
- Cloud and CDN security solutions that protect websites, web applications, and infrastructure without sacrificing website or web application performance.
- Compliance solutions that help to maintain compliance with regulatory frameworks such as HIPAA, BITS and PCI standards.
- Application delivery acceleration tools to deliver enterprise applications with the speed that global users require.
- Highly distributed architecture that puts 85% of the world’s Internet users within a single “network hop” of an Akamai server.
- Usability solutions that simplify technical interactions and expand self-service options for next generation CDN Services.
Gain insights
Akamai MPulse provides unparalleled insights with peerless performance to drive better experiences and improve your business. Apply performance optimisations automatically based on real user and application behaviour, powered by the best RUM (Real Time User Monitoring) solution in the market. Get granular visibility into how end users perceive performance and how third-party scripts are slowing you down. A 768-byte JavaScript snippet (called a beacon) is loaded from the website into the user’s browser to monitor the session.
HTTP/2 support – Akamai chairs the IETF group that defines the standard for HTTP/2. Akamai has supported HTTP/2 since 2015. It offers the following benefits:
- Multiplexing and concurrency: Several requests can be sent in rapid succession on the same TCP connection, and responses can be received out of order – eliminating the need for multiple connections between the client and the server
- Stream dependencies: the client can indicate to the server which of the resources are more important than the others
- Header compression: HTTP header size is drastically reduced
- Server push: The server can send resources the client has not yet requested
Image Management – Consumers demand fast and engaging digital experiences. Akamai Image Manager intelligently optimises both images and videos with the combination of quality, format, and size that is best suited for every device and browser and every network connection. Remove the costs and headaches associated with creating, storing, and managing derivative assets. Deliver all derivative renditions at the Akamai Edge for high-quality, engaging web and mobile experiences that are fast and easier to manage.
Global Load Balancing – The Application Load Balancer Cloudlet enables you to define several data center configuration scenarios to balance traffic among combinations of cloud and physical data sources, and quickly switch among them with the click of an activation button or API call. Requests for particular content can be directed to various data sources, by IP and geography or several http header attributes including: URL path, device characteristics, request method, and many more.
Traditional methods of load balancing that focus solely on DNS (layer 3) requests lack the flexibility and control to provide seamless load balancing for more modern application architectures that require HTTP layer (Layer 7) controls.
Akamai GLB (Global Traffic Management) GTM Service Variations
GTM Standard includes:
· Failover — directs requests to an alternate location when there is a failure at the primary site. The Failover solution can be used across disparate network carriers
· IP Intelligence — directs requests to a data centre based on geographic or IP rules
· Weighted — directs requests to data centres based on pre-set percentage splits
· Any combination of the above
GTM Premier includes:
· Every capability in GTM Standard AND
· Policy rules that trade-off between availability and performance
· Load feedback — based on real time communication with the customer’s premises, load policies can be modified depending on actual data centres’ performance
Cloud Test – Make sure your website and mobile apps can handle whatever customers throw at them. CloudTest lets you stress test your environment to ensure that your site or app is ready for any sudden spikes in traffic. ITogether help you design your test at any scale or stage of production and interpret the results. You’ll see what the problems are and where they originate, so you can fix them before they affect customers. It allows you to safely simulate your largest events in production with precise control, while producing a live analysis of what your site or app is capable of on your big day, and helping you drill down to the source of any performance bottlenecks.
Cloud Wrapper – Cloud Wrapper optimises connectivity between cloud infrastructures and the Akamai Intelligent Edge. It consists of a highly efficient custom caching layer that wraps around centralised cloud infrastructures. This reduces the frequency of user origin requests and the cost to distribute content from the cloud. Cloud Wrapper provides consistently high offload levels, even in the event of a traffic spike. As a result, public and private cloud origin infrastructures maintain a high level of service predictability and performance. And end users receive more consistent, high-quality experiences delivered from the Akamai Edge.
What Akamai cloud security features can we enable if we are an existing DSA/ION Akamai customer?
Once on the DSA or ION Akamai platform as a CDN customer, it is very easy to enable security features. We have compiled a list of these here.
Kona Web Application Firewall (Kona WAF) or WAP – Web Application Protector (WAP) is a cut-down version of the enterprise WAF service, Kona. They both tackle the same problem, but WAP has a smaller set of features (for example, it has only one policy, whereas Kona has unlimited). Kona Site Defender provides broad protection for websites and applications from downtime and data theft caused by opportunistic and sophisticated web attacks, as well as Distributed Denial of Service (DDoS) attacks.
(Kona Add On) Client Reputation – Apply an additional layer of protection for your web applications on top of Kona. Client Reputation can increase the accuracy of your security decisions to better identify malicious clients. It uses a state-of-the-art, proprietary risk analysis engine that computes a risk score for every source IP address, customised for every customer. This custom risk-based scoring model is significantly more accurate than generic scoring. Client Reputation provides deep visibility into client activities and adds an additional, very sophisticated intelligence-based protection layer to our customers’ web application delivery.
(Kona Add On) Site Shield – Akamai Site Shield provides an additional layer of defense for critical websites and web applications. Site Shield cloaks websites from the public Internet, effectively removing them from Internet-accessible IP address space. This helps prevent attackers from directly targeting the application origin and forces traffic to go through the Akamai Intelligent Platform, where attacks can be detected and mitigated.
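Origin cloaking of this kind only holds if the origin's own firewall admits web traffic from the CDN's address ranges and nowhere else. The following added example (not Akamai code) audits a set of origin ingress rules for that property; the rule tuple format, the function name and the CIDR ranges are assumptions, with documentation prefixes standing in for the list the CDN provider publishes to customers.

```python
import ipaddress

# Constructed stand-ins for the CDN egress ranges (documentation prefixes);
# the real list comes from the CDN provider.
CDN_RANGES = [ipaddress.ip_network(c) for c in ("192.0.2.0/24", "198.51.100.0/25")]
WEB_PORTS = {80, 443}

# Constructed origin firewall rules in a hypothetical (source, port, action)
# format, treated as independent entries like cloud security-group rules.
RULES = [
    ("192.0.2.0/24", 443, "allow"),       # exactly a CDN range
    ("198.51.100.64/26", 443, "allow"),   # inside a CDN range
    ("0.0.0.0/0", 443, "allow"),          # whole Internet can reach the origin
    ("203.0.113.7/32", 80, "allow"),      # leftover non-CDN exception
    ("0.0.0.0/0", 22, "allow"),           # not a web port, out of scope here
    ("0.0.0.0/0", 80, "deny"),
]

def exposed_rules(rules, cdn_ranges=CDN_RANGES, ports=WEB_PORTS):
    """Return (source, port) for allow rules on web ports whose source
    is not wholly contained in one of the CDN ranges."""
    findings = []
    for source, port, action in rules:
        if action != "allow" or port not in ports:
            continue
        net = ipaddress.ip_network(source, strict=False)
        covered = any(
            net.version == r.version and net.subnet_of(r) for r in cdn_ranges
        )
        if not covered:
            findings.append((source, port))
    return findings

if __name__ == "__main__":
    for source, port in exposed_rules(RULES):
        print(f"origin reachable outside the CDN: {source} on port {port}")
```

Any finding means the origin can still be addressed directly, so traffic from that source bypasses inspection at the edge.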
(Kona Add On) Bot Management – Bot Manager is designed to take the configured actions on bot activity at the edge server, forwarding only clean traffic to the origin. Supervised, unsupervised, and deep learning algorithms adjust to trends in legitimate and malicious traffic, and managed security services tune Bot Manager protections and respond to attacks. Bot Manager integrates with Kona WAF. Because bots are constantly evolving to evade current detection technologies, the risks and costs for organisations are continuous, requiring a new and innovative approach. Trying to manage via white list and black list simply doesn’t work. Bot Manager delivers advanced bot detection to spot and avert the most evasive threats, so you stay ahead of the evolving bot landscape and stop the most sophisticated bots at the edge, keeping them away from your business.
(Kona Add On) APIs – Kona Site Defender uses positive and negative security models to protect APIs from malicious calls. Kona Site Defender provides API-centric protections against DDoS and parameter-based attacks, allowing organisations to define their APIs to be protected, and configure protections and report on security events on a per-API basis.
DNS – Fast DNS is an authoritative DNS service that moves your Primary and Secondary DNS resolution to the public Internet cloud. Built on the Akamai Intelligent Edge Platform, Fast DNS is architected for performance and nonstop DNS availability, even through the largest DDoS attacks.
Identity Cloud – Akamai’s cloud-native Customer Identity & Access Management (CIAM) solution empowers fast-to-deploy single sign-on (SSO), registration, authentication, and preference management. Identity Cloud enables centralised profile access management on a flexible SaaS platform built to scale, perform, and comply with regulatory requirements around the world. It can handle complex consumer-facing use cases with millions of users.