I frequently write about patch updates, believing it's important for customers and the wider business world to keep their machines as updated as possible. But until now, I've never written about the direct role Akamai plays in smoothing the patch management process along.
This is a post about origin offload and how it keeps the patch downloading sites of various companies from getting crushed beneath the weight of heavy demand when the fix arrives.
First, an observation: The normal traffic pattern for a patch site is very small during most days of the month. But there's a massive spike of activity when a patch or update is first released. Everybody tries to download patches at the same time. For a software vendor without Akamai, this means that in order to support a worldwide patch rollout, they need massive amounts of web server infrastructure. That's impractical to say the least, since most of that infrastructure wouldn't be used most of the time.
To better explain our role, I went to Akamai CSIRT Director Michael Smith, who started with a banking analogy. He noted that in the days before direct deposit and ATM machines, your average bank would be snarled by car and foot traffic when people went to withdraw cash on payday. Direct deposit and ATMs all but eliminated that phenomenon by spreading around the resources by which people could get their money.
Direct deposit and ATMs, he said, are forms of origin offload. The bank is the origin, and by offloading that traffic among resources distributed around the world and across the Internet, traffic jams are mostly eliminated.
In the case of patch management, the software vendor's web server is the origin. Instead of a bank dispensing cash, the given company dispenses patches.
"We sit in between a website's users and our customers' web servers. When the user makes a request for the patch, they send those requests first to our servers," he says. "When a person requests a patch, they're going to us. Instead of everyone jamming the main supplier's site for patches, Akamai helps distribute the load for them. We deliver content from the edge, where our servers are deployed inside the user's ISP, which means fewer requests directly to the patch provider's site."
We typically think of origin offload as a tool for our customers to save on bandwidth, server licenses and hardware -- and for OS patches and anti-virus updates we will see up to 99 percent origin offload -- but there's also a security component.
The less traffic that goes directly to an origin, the less there is to monitor. There's less traffic to inspect with IDS, fewer firewall and application logs to sift through and less data being held in a SIEM.
More importantly, we only send requests to the origin that are for dynamically-generated pages specific to the user -- exactly the kind of traffic that is security-relevant and that you want to inspect.
Not only does origin offload save money on infrastructure at the origin, it also greatly increases the signal-to-noise ratio of any kind of security monitoring that you are doing.
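To make the monitoring point concrete, here is an added example (not Akamai code) that measures origin offload by requests and by bytes and isolates the traffic the origin still has to inspect. The log format, the cache-status labels (`HIT`, `MISS`, `NOCACHE`) and all sample lines are constructed assumptions, not a real CDN log schema.

```python
from dataclasses import dataclass

# Constructed sample in a hypothetical edge-log format (not a real CDN's):
# client_ip method path status bytes cache_status
SAMPLE_LOG = """\
198.51.100.10 GET /patches/kb-0001.msu 200 52428800 HIT
198.51.100.11 GET /patches/kb-0001.msu 200 52428800 HIT
198.51.100.12 GET /patches/kb-0001.msu 200 52428800 MISS
203.0.113.5 GET /patches/kb-0001.msu 200 52428800 HIT
203.0.113.6 POST /account/license-check 200 512 NOCACHE
203.0.113.7 GET /patches/kb-0001.msu 200 52428800 HIT
malformed line
203.0.113.8 GET /account/downloads?user=42 200 2048 NOCACHE
"""

# Assumed labels: HIT = served from edge cache; anything else reached the origin.
EDGE_SERVED = {"HIT"}

@dataclass
class Request:
    client: str
    method: str
    path: str
    status: int
    size: int
    cache: str

def parse(log):
    """Parse log text, skipping lines that do not match the 6-field format."""
    out = []
    for line in log.splitlines():
        f = line.split()
        if len(f) != 6 or not (f[3].isdigit() and f[4].isdigit()):
            continue
        out.append(Request(f[0], f[1], f[2], int(f[3]), int(f[4]), f[5]))
    return out

def offload(requests):
    """Return (request offload %, byte offload %) achieved by the edge."""
    total_bytes = sum(r.size for r in requests)
    if not requests or total_bytes == 0:
        return 0.0, 0.0
    edge = [r for r in requests if r.cache in EDGE_SERVED]
    return (100 * len(edge) / len(requests),
            100 * sum(r.size for r in edge) / total_bytes)

def origin_bound(requests):
    """Requests the origin actually sees, i.e. what its IDS/SIEM must inspect."""
    return [r for r in requests if r.cache not in EDGE_SERVED]
```

In this constructed sample the byte offload is far higher than the request offload because the large patch file is served from the edge, while the small per-user requests are what remain in the origin's logs.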