
Frankly speaking, I don't know what the pricing is for IBM DataPower. Is it really only $1k per month?

I am pretty sure that it's a kind of good option for some enterprises. But most of our customers have high-volume applications deployed in several datacenters, with CI/CD and DevOps approaches used. For them, hardware security boxes are almost impossible to use. What they are looking for is DevOps-friendly tools that scale and orchestrate well with their application. That is why we're partners with NGINX to provide all the flexibility of our filter nodes.

Moreover, the IBM thing will not help you figure out security flaws in your apps and network perimeter. It will not provide you with details on which of the millions of malicious requests you really need to care about, as they are targeting existing security flaws.

I would like to get your feedback about this IBM product. Have you used it for some time? It's not that popular among the security community (at least the part we usually talk with). If you give us access to test it, we'll show you some bypasses — unfortunately, there are dozens of them for almost all old-fashioned security solutions like this.




I work daily with it and work towards the solution implementer certificate. So take that info with a grain of salt and maybe as biased.

About your points:

DevOps is possible. You've got like three interfaces you could utilize: JSON, SOAP and something called AFP; if you count SSH, that's also possible to automate with. You can load balance it, fail over, active/active, passive/active, self load balance etc. There is also a Citrix, VMware and Docker version. You can load balance incoming and outgoing traffic. I don't know what else you want?

You get near wire-speed formatting, signing, authing etc. on the DataPower. You can also add a hardware cryptography card for even more speed.

DataPower won't protect you from passwords like admin/admin. This needs to and should be done at the application level. But if you feel frisky you can implement a rule check on your own, in JavaScript if you like.

Where DataPower shines is with AAA and validation with a check against known attack vectors.

Let's say you want to prevent overloading your API with nonsense, including invalid string formats, i.e. they shouldn't be longer than 69 characters, and the whole JSON request shouldn't be bigger than 2 KB. You can do side calling, i.e. checking external databases for validity, throttle and/or stop requests.

The DataPower is extremely powerful in terms of flexibility, speed and security.

There is a reason why one of our customers has 60 of them.
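The validation policy sketched in this comment (reject the request if the body is over 2 KB or any string is longer than 69 characters), written out as an added illustration in plain JavaScript. This is not DataPower or GatewayScript code and is not from the thread; the nesting-depth guard (`MAX_DEPTH`) and the sample requests are assumptions added here.

```javascript
// Added example, not DataPower/GatewayScript code: a plain JavaScript request
// validator mirroring the policy described in the comment above.
const MAX_BODY_BYTES = 2048;   // "whole JSON request shouldn't be bigger than 2 KB"
const MAX_STRING_LEN = 69;     // "strings shouldn't be longer than 69 characters"
const MAX_DEPTH = 32;          // assumed extra guard against deeply nested payloads

// Walk the parsed JSON and report the first string (or key) that breaks the length rule.
function findOversizedString(node, path, depth) {
  if (depth > MAX_DEPTH) return `${path}: nesting deeper than ${MAX_DEPTH}`;
  if (typeof node === 'string') {
    return node.length > MAX_STRING_LEN ? `${path}: string longer than ${MAX_STRING_LEN}` : null;
  }
  if (Array.isArray(node)) {
    for (let i = 0; i < node.length; i++) {
      const bad = findOversizedString(node[i], `${path}[${i}]`, depth + 1);
      if (bad) return bad;
    }
  } else if (node && typeof node === 'object') {
    for (const key of Object.keys(node)) {
      if (key.length > MAX_STRING_LEN) return `${path}.${key}: key longer than ${MAX_STRING_LEN}`;
      const bad = findOversizedString(node[key], `${path}.${key}`, depth + 1);
      if (bad) return bad;
    }
  }
  return null;
}

// Returns { ok: true, value } for an acceptable request, or { ok: false, reason }.
// Size is checked on the raw bytes before parsing, so an oversized body never
// reaches the JSON parser at all.
function validateJsonRequest(rawBody) {
  const size = Buffer.byteLength(rawBody, 'utf8');
  if (size > MAX_BODY_BYTES) {
    return { ok: false, reason: `body is ${size} bytes, limit is ${MAX_BODY_BYTES}` };
  }
  let parsed;
  try {
    parsed = JSON.parse(rawBody);
  } catch (e) {
    return { ok: false, reason: 'body is not valid JSON' };
  }
  const bad = findOversizedString(parsed, '$', 0);
  return bad ? { ok: false, reason: bad } : { ok: true, value: parsed };
}

// Constructed sample inputs (assumed, not from the thread).
const goodRequest = JSON.stringify({ user: 'alice', tags: ['a', 'b'] });
const longStringRequest = JSON.stringify({ user: 'x'.repeat(70) });
const hugeRequest = JSON.stringify({ blob: 'y'.repeat(3000) });
```

The side-call step the comment mentions (checking an external database) would slot in after `validateJsonRequest` returns `ok: true`, so that only cheap, already-sanitised requests trigger the more expensive lookup.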


BTW, here is the link to Ivan's presentation about WAF evasion techniques — http://www.slideshare.net/d0znpp/lie-tomephd2013. Lots of them are still valid against old-fashioned security vendors.



