Partner content: Akamai - How to balance user experience with protecting your business assets


Web applications, and the APIs that power them, are creating new customer experiences, streamlining data sharing and allowing for new business innovation.

However, their proliferation has also added a new dimension to enterprise security.

According to Akamai’s 2023 State of the Internet report, application and API attacks surged by 49 per cent from Q1 2023 to Q1 2024, with 108 billion API attacks observed in that period. The surge was driven by the increased adoption of applications and APIs, which significantly expanded organisations’ attack surfaces.

It’s natural to want the best protection possible, but organisations have to balance security with a good customer experience. If security tools create friction, users are likely to stop using services or try to bypass the controls, putting data at risk. This isn’t to say companies should settle for weak protections, but rather that they should understand the impact their security choices have on their users.

Christine Ferrusi Ross, Director of Product Marketing at Akamai, said:

“You have to understand the way a customer journey happens, say on an e-commerce website, to really understand if you are in fact helping or hindering that journey. You can implement security in a way that slows that journey down or frustrates the user on that journey, or you can implement security in a way that actually makes that journey better. A good example is forcing the customer to log in and authenticate every time they visit the site. But that’s very frustrating to customers, causing them to visit less frequently or eventually even stop visiting a site completely.

“Smart organisations want solutions that don’t just stop the bad but can actually facilitate the good. A customer of ours implemented a solution that can identify malicious bots and account takeover attempts. [The solution] removes those threats but also allows them to trust that the person logging in is who they say they are without constantly reauthenticating. They keep that person on the site longer and they can give that person a better experience.”

Users have come to expect seamless experiences from the applications they interact with, so security tooling that neither interferes with that experience nor compromises on protection is key.

Another factor security teams are contending with is a growing attack surface. With the rise in remote working, employees are accessing the network from a variety of locations using a variety of devices, so identifying malicious activity is more complex:

“The attack can come from anywhere. So in application security we are protecting the threat landscape or the digital estate of our customer. Part of the data that we collect is what device is being used? Is that device being used in the same location that it usually is being used? Is it on the same network? If you are, for example, using a mobile phone that is normally used on Verizon’s network and now all of a sudden that's not on Verizon, and maybe it's showing up as being in Brazil even though you're in London.

“It can detect the device ID itself. It can detect the network that it's on. It can detect the location of that device. It can detect what time the device is logging in. Which is great because then it can look for the anomaly to say these things aren't adding up. It could lock the attacker out or it could also just add in extra authentication if the signals aren’t completely clear it’s an attack. For example, maybe you're travelling in Brazil and some of the device’s signals like location and network are different, but some are the same. So it doesn't want to decline the login outright, so instead it will issue a challenge so the legitimate user can still get in and an attacker will get blocked.”

Ross said that because Akamai has a global connected cloud, it has the ability to gather more data about the context around security events:

“Because of the Akamai Connected Cloud that the actual traffic travels on, we have more data about not just security events, but life events. We understand how people live their lives online and that gives us visibility into normal everyday human behaviour online so that we can use that to determine what is an anomaly. People normally have certain patterns. There is a circadian rhythm to the way that people interact with certain websites.”

She explained that different approaches are needed depending on the industry:

“Financial services companies, for example, typically have most of their traffic during business hours. You're on your lunch break and you're checking your app or you're transferring money. But typically people don't log in to their banking app at three o'clock in the morning. So a huge spike in traffic for a bank at 3am local time would be a little weird. But a traffic spike at midnight for a gaming company may not be weird at all.”
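The two passages above describe a risk-based login decision: compare the device, network, location and time-of-day signals of an attempt against what is normal for that account and that industry, then allow, challenge or block. The Python below is an added illustration of that decision logic, not Akamai’s product code; the weights, thresholds, industry hour profiles and the sample baseline and attempts are all constructed for the example.

```python
"""Risk-based login decision: allow, challenge or block from contextual signals."""
from dataclasses import dataclass

# Constructed weights: a new device is harder to explain away than a new
# network, so it contributes more to the risk score.
WEIGHTS = {"device_id": 3, "country": 2, "asn": 1, "off_hours": 1}
CHALLENGE_AT, BLOCK_AT = 1, 4   # score >= 1 -> challenge, score >= 4 -> block

# Constructed per-industry profiles of local hours when logins are expected:
# a bank sees little legitimate traffic at 3am, a gaming site is busy all night.
EXPECTED_HOURS = {"bank": set(range(7, 23)), "gaming": set(range(24))}

@dataclass
class Attempt:
    device_id: str
    asn: str        # network the device is on, e.g. a mobile carrier
    country: str
    local_hour: int # hour of day in the user's local time

@dataclass
class Baseline:
    device_id: str
    asn: str
    country: str

def score_login(attempt: Attempt, baseline: Baseline, industry: str):
    """Return (decision, score, reasons); reasons name each signal that mismatched."""
    reasons = []
    for signal in ("device_id", "asn", "country"):
        if getattr(attempt, signal) != getattr(baseline, signal):
            reasons.append(signal)
    if attempt.local_hour not in EXPECTED_HOURS[industry]:
        reasons.append("off_hours")
    score = sum(WEIGHTS[r] for r in reasons)
    if score >= BLOCK_AT:
        decision = "block"          # signals clearly do not add up
    elif score >= CHALLENGE_AT:
        decision = "challenge"      # unclear: step-up auth lets a real user through
    else:
        decision = "allow"
    return decision, score, reasons

if __name__ == "__main__":
    known = Baseline(device_id="dev-7f3a", asn="AS-CARRIER-A", country="GB")
    traveller = Attempt("dev-7f3a", "AS-CARRIER-B", "BR", 14)  # same device, abroad
    stranger = Attempt("dev-0000", "AS-HOSTING-X", "BR", 3)    # all signals differ, 3am
    for attempt in (traveller, stranger):
        print(score_login(attempt, known, "bank"))
```

The traveller case scores 3 (network and country changed, device unchanged) and gets a challenge rather than a refusal; the case where every signal differs at 3am scores 7 and is blocked, while the same 3am login from the known device only triggers a challenge for a bank and is allowed outright for a gaming site.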

There has been much conversation about the application of AI to security. AI tools can identify and respond to security anomalies and analyse large volumes of data, allowing for faster remediation.

Many organisations have shown interest in how AI can be implemented, but many are still early in their adoption or may be unsure where to start.

“You can create a smaller model that is very specific to the domain area that you are working in so that you get faster results that don't take as much compute power and don't cost as much money to run,” said Ross. “Pick the right AI for the problem that you're trying to solve. And then there's the more experimental work where our security researchers and our data scientists are always testing detections that use AI and machine learning, and then if they find that an experimental model works really well, they'll deploy that into the actual products.”

She explained that Akamai has incorporated AI into its bot and abuse products:

“Akamai has used machine learning in our bot and abuse products for years. There's a lot of depth to what our data scientists understand and how they can deploy models that not just work when you first deploy them, but actually use the AI to self-heal or auto tune. AI can detect the pattern changing. If you tell it to look for something and it detects that, but then something is changing in the behaviour – if it happens once it’s an anomaly but the system can also learn that the change is the new normal.

“Another example is we have machine learning models that can apply just to one customer. So when you think about the vast volume of traffic on the Akamai network, we're talking about trillions of transactions all the time. We see over 40 billion bots every day. When you're looking across all of your customers, it may look like normal traffic, but if you look at one customer who is having a problem, now you've got a magnifying glass just on one tiny little piece of the world that you're looking at. All of a sudden the pattern pops out and you can see what the attacker is trying to do here, and you can stop it.”

Overall, Ross said that security depends not only on protecting your own organisation, but also on evaluating the security of your whole ecosystem and the APIs used to connect it:

“The best thing that you can do to protect yourself and your customers and your partners is to make sure that you are protecting your digital estate. I think particularly APIs because they are typically the way that you connect to your partners. You want to be able to protect the inbound and the outbound. Maybe an attacker got into the API that you use all the time to connect to partners and it’s perfectly legitimate. But then an attacker gets access and is now using that API to try and do something malicious. You have to protect yourself from that kind of attack using multiple different methods while still making sure you’re not harming your revenue potential or customer experiences.”

This article is sponsored by Akamai