Akamai Hits $1B Milestone in Security Revenue: A Major Value Driver for CDN Services
Recently I published data on CDN pricing for video delivery and software downloads that focused on the commodity elements of content delivery, versus premium services like security that represent a major value driver, and high-margins, for CDN vendors. With all CDNs having just reported Q2 earnings, Akamai hit a major revenue milestone for the company, and for the industry, announcing they have achieved a $1 billion run rate on an annualized basis, for their cloud security business.
Security threat vectors continue to expand in number and type. The scope of solutions to defend against the most common attacks now includes not only DDoS protection and web application firewall capabilities, but also API protection, bot management, third party formjacking protection, content piracy protection, customer identity and access management, secure application access, and secure web gateway. With attacks and data breaches dominating news stories, a comprehensive security strategy is no longer optional and customers continue to see new applications and use cases where they need to deploy a wide range of cloud security solutions.
Lately, several cloud providers and CDNs have mitigated record setting DDoS attacks, proving that big DDoS hits are still a significant threat. There are many ways customers are adding DDoS protection, both on-prem and cloud based, but looking at these large attacks and as ThousandEyes highlighted in a DDoS attack against GitHub, it’s important to understand the bandwidth limits of a DDoS mitigation solution to ensure they actually keep the site online if you’re targeted. With the massive surge in online traffic during the pandemic, looking into the capacity of a solution provider, the customers on their platform, and how they have architected their solution to avoid disruption if one of their customers is attacked, are critical to vendor selection in this area.
Verizon recently reported that web application attacks doubled since last year, and another growing security service for CDNs is offering web application firewall (WAF) products. Selecting a WAF vendor can be particularly challenging, as Jaspal Jandu, the group CISO at DAZN highlighted, “The challenge is finding skilled security professionals who understand the need to balance business opportunities against the risks of a rapidly changing world.” The issue with WAF solutions is that some providers offer a basic solution that requires customers to code rules themselves. This is challenging if the customer doesn’t have a group of security experts who also understand their business logic because a high degree of false positives disrupts business, whereas a high degree of false negatives can lead to compromises, fines, and brand damage. When it comes to web application and API protection, it pays for customers to ask their vendor about the availability of proprietary rulesets, curated rules, and the availability of services to tune rules to suit their business.
But there is an even more pervasive threat to digital businesses that stems from increasingly sophisticated bots. Researcher Troy Hunt recently loaded his 10 billionth stolen credential to haveibeenpwnd. His site and research point to the fact that credential abuse and account takeover are an increasingly lucrative criminal enterprise. During the launch of Disney+, I saw first-hand how you could easily buy stolen accounts from third-parties openly advertising them for sale on Twitter.
Experts highlight that bots, and especially low-cost, turnkey bots that come with out-of-the-box evasions to solve CAPTCHAs, or load large databases of proxy servers to stump basic WAF protections make this a very difficult problem to solve. Simple IP blocking or rate limiting cannot protect against purpose-built all-in-one bots like AIO bot that are designed to evade detections. This explains why CDN providers and others have been snapping up a lot of bot detection companies and building out their mitigation capabilities. Last year we saw Barracuda acquire bot mitigation technology from InfiSecure; Adjust acquired bot detection specialist Unbotify; Distil acquired bot detection company Are You A Human; Imperva Acquired Distil Networks; Radware Acquired ShieldSquare; and Goldman Sachs Merchant Banking Division invested in ClearSky Security.
I continue to see CDN companies compete for video and software download traffic share as customers add to and shift their multi-CDN architectures, especially as they expand video services internationally. But increasingly, the ability to deliver comprehensive and effective security solutions has long since become a key differentiator. Additionally, while the CDN market tends to be more fluid with regards to pricing changes, we can expect that pricing for security services will likely maintain a value-centric premium for some time to come. In a recent survey I conducted of 238 cloud security customers, asking about their deployment architecture, spend per year, preference for bundling security with other cloud/CDN services, pricing changes and transition from on-prem to cloud, the data showed almost no decline in pricing year-over-year. Overall, pricing for cloud security solutions is quite stable.
There are a lot of ways vendors can show differentiation amongst competitors in product functionality and customization and most importantly for vendors, the margins on cloud security solutions are very healthy. In the case of Akamai they don’t disclose margins for just their cloud security business, but I estimate it to be in the 80-85% range. At $1 billion in revenue, Akamai is well ahead of the pack by a big order of magnitude. While Cloudflare said they expect to do $404M-$408M in revenue this year, I estimate the percentage of their revenue that’s tied to cloud security solutions, to be in the $80M-$100M range. With Akamai being 10x that in security revenue, this milestone shows the magnitude of their continued dominance as the market leader for cloud security solutions among CDNs. The company has done an incredible job at growing their revenue over the past five years and the rest of the business continues to benefit from the high-margins their security product line produces.