Cloudflare vs Akamai: SD WAN & SASE Cybersecurity Comparison

• While Cloudflare is not what many would think of as a traditional SD-WAN solution, Cloudflare’s portfolio of ‘Magic’ network-as-a-service products solves many of the same problems as SD-WAN. Using Cloudflare Magic WAN service, you can use APIs to define an interconnected corporate network that lays over various service providers or last-mile carriers without maintaining legacy network infrastructure equipment like VPN concentrators, and without designing and deploying legacy architectures like MPLS.
• Additionally, Cloudflare has physical points-of-presence in 250 cities across 100 countries and direct interconnection to over 10,000 networks, including major internet service providers and cloud service providers around the world. This means there’s a high likelihood that any given organization can directly connect to Cloudflare’s network from one or more existing peering points or co-location facilities to improve performance and reduce internet bandwidth requirements.

• Like Cloudflare, Akamai would not be considered a traditional SD-WAN provider, but they do offer several point solutions to solve similar problems to those addressed by traditional SD-WAN solutions. One of Akamai’s primary focus areas is content delivery, which means its important for them to provide solutions that make moving data between customers and applications as quickly and efficiently as possible. Like Cloudflare, they don’t provide last-mile connectivity. However, while Cloudflare aims to serve as foundational infrastructure for all of your network interconnectivity, most of Akamai’s products have a content-delivery spin.
• Akamai offers a portfolio of products to optimize bandwidth utilization and traffic performance between datacenters or downstream from applications to customers. Akamai Direct Connect (in fact, one of its taglines is ‘Improving Reliability at the First Mile) leverages the expansive presence of their global network edge to facilitate direct connections from video providers, and their Global Traffic Management product provides intelligent load balancing as-a-service.

• Cloudflare position themselves as a provider of cloud-based infrastructure and L3-L7 network services. To do this, they need maximum interoperability so they can interconnect anything and everything. Therefore, their platform is designed to be as open as possible, and to leverage technologies and industry-standards which are prevalent across most cloud platforms.
• Cloudflare offers multi-cloud solutions to provide connectivity, visibility, and consistent application of security policies for infrastructure that spans across multiple public cloud environments. Their multi-cloud solution documentation lists seamless integrations with Amazon AWS, Microsoft Azure, Google Cloud Platform, and IBM Cloud Services - but most Cloudflare products and services can be used with any cloud platform.
• Additionally, Cloudflare’s Bandwidth Alliance, which is currently comprised of 19 cloud providers including those previously mentioned, jointly provide solutions to reduce egress costs from S3 storage in AWS.

• As a leader in content delivery, Akamai need to provide multi-cloud interoperability and the ability to handle content which originates in any public or private cloud environment. Like Cloudflare, through the use of open architecture and industry-standard technologies, most of their products and services can be used on almost any cloud environment. However, they specifically advertise direct connectivity with many regions for the big three public clouds: Amazon AWS, Microsoft Azure, and Google Cloud Platform.
• Akamai advertises these direct interconnects with AWS, Azure, and Google Cloud Platform as they would allow customers with environments in these public clouds to leverage Akamai’s content delivery network to reduce egress costs from their public cloud environment.

• Cloudflare’s ‘Cloudflare One’ product is advertised as a complete SASE (secure access service edge) solution, which in their words “provides consistent security and speed everywhere on earth”. There’s definitely truth to this - they do offer network interconnect services with zero-trust security built-in, as well as solutions for secure connectivity, and application and content delivery anywhere on the internet.
• Cloudflare One leverages technologies including SWG, CASB, and RBI from across their product portfolio to deliver a relatively complete SASE offering, but it does lack completeness in some components from Gartner’s SASE architecture - namely XDR/MDR and DLP (Cloudflare’s SWG can provide limited DLP capabilities, but it’s definitely not a bespoke DLP solution). However, Cloudflare mitigates this gap in their offering through partnerships with leading endpoint security providers including SentinelOne, CrowdStrike, VMWare Carbon Black, and Tanium.

• Akamai does not claim to have a complete SASE offering, but they do advertise their Akamai Intelligent Edge Platform as a foundation for organizations to build out their SASE architecture. It is true that an organization can leverages Akamai products and services to apply a zero-trust security model to multi-cloud interconnectivity, application optimization, and content delivery, and they’ve recently strengthened this argument through their acquisition of Guardicore (in a nutshell, Guardicore provides a micro-segmentation solution that helps apply zero trust security policies across multi-cloud environments). Akamai offer SWG (and the SWG provides DLP capabilities) and CASB solutions, as well as application, DNS, and DDoS protection solutions which are similar to Cloudflare offerings.
• Akamai’s portfolio lacks XDR/MDR as well as RBI - which Cloudflare only recently added to their portfolio. For XDR and MDR, cooperation with leading endpoint security solutions is possible, although they don’t seem obvious which may be because some of these are more like workarounds and less like integrations. That said, Akamai’s documentation describes configuration for working with Symantec Endpoint Protection, CrowdStrike, and VMWare Carbon Black.

• Support for secure remote access is one of the primary problems that Cloudflare solves. Cloudflare’s zero-trust Access platform uses their Argo Tunnel product to provide secure remote access to any application from anywhere on the internet - without the use of legacy solutions like VPN. Cloudflare Access can easily integrate with internal or external SaaS applications, or with on-premise applications using their ‘cloudflared’ agent to establish a tunnel from the application’s server directly to Cloudflare. Their documentation includes how-to guides for providing secure remote access to on-premise applications like remote desktop, intranet web servers, and SSH servers, although its open architecture and extensive developer documentation allows Cloudflare to protect any application.
• Cloudflare will broker secure remote access to integrated applications, enforce zero-trust security policies, integrate with multifactor authentication providers, and authenticate users against your chosen identity provider.
• Cloudflare Teams combines Cloudflare Access with their secure web gateway to provide threat protection, traffic inspection, and isolation for web traffic.
• And, anyone can take advantage of these services for up to 50 users for free using Cloudflare Teams.

• Akamai’s Enterprise Application Access and Enterprise Threat Protector products are designed to provide secure remote access for any application and any user, anywhere on the internet.
• Akamai’s Enterprise Application Access solution is similar to Cloudflare Access. It allows organizations to apply zero-trust network access policies and provide secure remote access to internal or external cloud-based SaaS applications, on-premise applications, or legacy applications using an agent for secure tunneling to Akamai’s infrastructure.
• Also like Cloudflare Access, Akamai’s Enterprise Application Access solution can enforce Akamai’s own multifactor authentication policies or integrate with 3rd party multifactor authentication or identity providers to provide secure access based on context-awareness and identity-awareness.
• Akamai’s Enterprise Threat Protector product is a secure web gateway that proxies and filters web traffic for threat protection, inspection, policy enforcement, and preventing leakage of sensitive data like personally identifiable information, patient healthcare information, or payment cardholder data.

Cloudflare isn’t a SIEM, but Cloudflare’s position on an organization’s network perimeter makes it an ideal log collector for SIEM ingestion and analysis. Cloudflare offers comprehensive logging features with standard log formats that can be ingested into SIEMs including Splunk and Sumologic, or they can be sent to 3rd party storage providers including Microsoft Azure blob storage, Amazon AWS S3 storage, DataDog, Google Cloud Storage, or almost anywhere else for other types of post-processing.

Like Cloudflare, Akamai’s position within an organization’s network infrastructure allows ideal access to useful log data for SIEM analysis. Akamai’s developer documentation describes SIEM integration with Splunk, as well as SIEM integration using CEF which is a standard logging format that can be ingested by most other SIEM platforms.

Cloudflare isn’t an endpoint security solution, but integration with endpoint security software can be complementary. For example, Cloudflare may be able to provide additional context to endpoint security software for threat detection, or endpoint security software may be able to take response actions (like blocking IP addresses or DNS names, for example) in Cloudflare. Cloudflare advertises partnerships with leading endpoint security products including SentinelOne, CrowdStrike, VMWare Carbon Black, and Tanium.

Like Cloudflare, Akamai is not an endpoint security solution, although integration with endpoint security software could provide security benefits. Akamai documentation describes configurations for working with Symantec Endpoint Protection, CrowdStrike, and VMWare Carbon Black. Although it doesn’t appear that existing integrations are very deep or feature-rich, extensive APIs exist for development of endpoint security integrations to suit most requirements any given organization may have.

Cloudflare’s web application firewall and secure web gateway products allow for file analysis which can include antivirus scanning or policy rules based on file contents.

Akamai’s Enterprise Threat Protector secure web gateway can enable file analysis for threat detection or policy rules based on file contents. Additionally, its advertised to leverage five different malware detection engines for more accurate file classification and enhanced zero-day detection.

Cloud workload protection is another one of the primary problems that Cloudflare solves. Cloudflare’s portfolio includes a cloud access security broker (CASB) as well as Cloudflare Access, which can provide context-aware and identity-aware zero-trust access to cloud resources. Additionally, Cloudflare’s web application firewall and multi-cloud access control functionality enable the use of zero-trust network access policies to deliver segmentation between cloud workloads.

Although Akamai doesn’t advertise its Enterprise Application Access product as a CASB, it solves similar problems by protecting cloud-based resources through enforcement of zero-trust network access policies.

Additionally, Akamai’s ability to protect cloud workloads is dramatically enhanced by its acquisition of Guardicore, given that Guardicore is a purpose-built micro-segmentation solution for protecting multi-cloud environments.

Cloudflare isn’t a vendor risk management tool, but its ability to provide zero-trust network access for any resource to anyone, anywhere on the internet makes it ideal for securing 3rd party access. Additionally, its logging capabilities allow it to provide evidence to support 3rd party vendor risk audit activities.

Like Cloudflare, Akamai isn’t a vendor risk management tool. Also like Cloudflare, products like Akamai Enterprise Application Access can help organizations enforce zero-trust network access policies when providing vendors with access to their IT assets, and reporting capabilities can support audit activities.

Cloudflare’s solutions for zero-trust network access are designed to reduce insider risk by preventing insider threat activities such as lateral movement. Additionally, its secure web gateway’s ability to inspect traffic originating from internal assets can help organizations reduce risk of insider threats by detecting unusual or unauthorized insider behavior.

Like Cloudflare, Akamai’s secure web gateway supports insider risk management activities and insider threat detection by enabling traffic inspection for detection of potential insider threat activity.

Cloudflare’s identity governance and access management features are extensive, and they are designed for integration with a variety of enterprise identity and access management systems and tools. This allows organizations to leverage their central identity provider of choice for providing Cloudflare services with identity-awareness and context-awareness while making decisions to allow or block traffic.

Akamai’s identity governance and access management features are also designed for use in the enterprise. They offer integrations with most identity providers and other identity and access management tools that an organization may have, and they also provide some of their own identity and access management functionality in their Akamai MFA product.

Cloudflare’s web application firewall and their new API Shield product are ideal for securing IoT services that may need to secure automated API access from IoT devices anywhere on the internet. Additionally, Cloudflare’s TLS Client Authentication ensures a mutually secure connection between IoT devices and services.

Akamai’s Intelligent Edge Platform can enable IoT security by faciliting a secure edge to which IoT devices distributed across the internet can securely connect. Additionally, Akamai recently acquired Asavie, which is a security solution designed to deploy and enforce consistent IoT security policies.

Cloudflare is not a vulnerability management solution, although their extensive APIs can enable development of integration for an organization with a use-case.

Like Cloudflare, Akamai is not a vulnerability management solution, but integration capabilities exist to enable complementary integration with a vulnerability management solution if a customer had a use-case.

Cloudflare is designed to be a platform which is part of an organization’s foundation or infrastructure, which means that it’s not designed for anyone to spend a lot of time working within Cloudflare applications. As such, instant communications aren’t as important for Cloudflare as they would be in other network or security operations tools which are actively used by analysts.

Like Cloudflare, Akamai is designed to be an infrastructure platform which serves as a foundation for the applications which people use every day. Therefore, instant communications within Akamai applications would not serve any great benefit.

Cloudflare advertises compliance with ISO 27001, ISO 27701, SOC 2 Type 2, PCI DSS 3.2.1, and BSI Qualification for DDoS Mitigation. Additionally, it advertises compliance with privacy frameworks including GDPR and HIPAA.

Akamai boasts a very mature compliance program and advertises compliance with ISO 27001, ISO 27002, FedRAMP, PCI DSS, SOC 2 Type 2, NIST, Privacy Shield, MAS, PSD2, IRAP, and local privacy laws.