Third-Party and Remote Enterprise Application Access Needs to Evolve

This month we share a guest blog article on enterprise application security from technology partner Akamai, highlighting the challenges of dealing with third party access to applications hosted in data centres and hybrid cloud environments.

As we know, enterprises have come a long way from the days when a few remote users needed access to a handful of applications. Now, applications can live in data centers, in AWS, in Azure – in reality, anywhere on the Internet in the public cloud.

Enterprise application security fig 1

But here’s the thing: Not all users have or need access to the same apps. So IT teams have to take into account the combinations of user and application groups and implement the right controls to ensure that the right users are only able to access the apps they are allowed to access. As you can imagine in a mobile, cloud and application first world that can be quite the challenge.

The easiest way for IT to solve the access problem is to expose enterprise apps to users directly on the Internet. Now any user can get to any enterprise app, which sounds great, but in reality is often a really bad idea.

The reasons are that all access control logic now needs to be baked into the application, and most enterprise apps aren’t really all that cutting edge. We are not talking about a consumer facing ecommerce or banking app for example.

Also because the app is now exposed to the Internet, it is vulnerable to all the attacks we know and love ranging from DDoS to SQL injection, etc. Also if you have more than one app, you need to make sure there is protection in place for all of them.

Enterprise application security fig 2

But ultimately the bigger issue with this approach is that most security teams would never let the IT or app teams do this for enterprise applications. From an Akamai perspective if an enterprise does want to go down this route we are in a great position to help with our web performance and security solutions such as Ion and Kona Site Defender. However, a lot of enterprises will not want to take this approach.

But as we saw earlier enterprises are turning inside out. And this leaves us with the question if anyone is even left inside. Mobile workers access internal enterprise apps from their devices connected to the internet. Third-parties, partners & even vendors, need access to these internal apps from across the globe. And taking advantage of the agility of the cloud means running apps in an environment that is inherently outside.

Enterprise application security fig 3

The question for IT teams used to be how to securely give users access to the Internet. Today everyone is on the outside of the enterprise and the central question for IT teams is how to securely give users access from the Internet.

That means that users are outside the firewall. This is what has driven us as an industry to open up firewalls and let stuff in. But as you can imagine that kind of defeats the purpose of the firewall, so that’s why it is generally fronted by network access controls.

Network access controls are great at identifying who is trying to get into the network, but they have limited understanding of which enterprise application the user is trying to get to. So you really still need application level access control.

Also network and application access controls may consist of a number of appliances that need to be deployed by IT. Everything from load balancers, single sign-on solutions, monitoring solutions, and on, and on. As you can imagine configuration, management and maintenance can become an issue pretty quickly.

VPNs usually also require clients to be installed on the endpoint, which can be cumbersome and can cause various issues. In fact if we look at the traditional way of providing access we see that it can be quite complex. Based on research of 200+ IT and security decision makers 75% of enterprises touch up to 14 components when providing third party access to enterprise apps behind the firewall.

This often includes touching Application Delivery Controllers (ADCs), Virtual Private Network (VPN) appliances, identity management systems and application monitoring solutions.

But it’s not just about complexity. It is also about enterprise application security. The bottom line is traditional access solutions can increase risk. Even though all these traditional access technologies are in use, enterprises continue to be exposed to a variety of security risks, particularly lateral movement across the enterprise network. We have all read about data breaches which cost a number of execs their job all because a hacker managed to get his or her hands on the network access credentials of a contractor.

Access to enterprise applications via the Internet on employee and third-party devices that are not entirely controlled or managed by the enterprise even further increases risk and operational complexity.

So why is that?

Well once a user has network access, he or she can find their way to other applications and resources. And if those applications don’t implement access controls the right way, that user may be able to get access to more apps and resources than they are allowed.

Enterprise application security fig 4

This is exactly what happened in a number of instances. A bad guy stole credentials from a partner. The bad guy, once he had network access, was able to move laterally within the network and find other systems like the point of sale system. He was in the trusted zone so why not give him or her full access?

We will cover the zero trust model, and why it matters, in a future post. In the meantime it is worth taking a look at the zero trust model overview.

A solution to enterprise application security from Akamai

Zero trust is where Akamai Enterprise Application Access (EAA) comes in. EAA is a simpler, more secure way of accessing enterprise apps behind the firewall.

Enterprise Application Access can help enterprises streamline secure access while improving their security posture, by providing clientless, application specific remote access. EAA will only provide authorized, secure access to specific applications, but nothing else on the network.

This ultimately creates an air gap between private enterprise applications and infrastructure, and the Internet – which minimizes the attack surface and makes enterprise infrastructure invisible to the public.

All that is required is an HTML5 compliant web browser, the Akamai Platform, and the Akamai Enterprise Connector in the datacenter or virtual private cloud (VPC). The Enterprise Connector supports most hypervisors and containers and integrates with the enterprise’s identity store (e.g. Active Directory) and mutually authenticates with the Akamai Platform over TLS. This means that there is no local Enterprise Connector management and there are no inbound open tunnels or ports to the enterprise. All that is required are the standard outbound HTTPS ports that enable the Enterprise Connector to dial-out to the Akamai Platform when required.

Enterprise application security fig 5

At the same time the user authenticates, using multi-factor authentication (MFA) if required, through the browser over TLS with the Akamai Platform and the enterprise’s identity store, hence supporting single-sign on (SSO). Once securely authenticated Akamai simply stitches together the two TLS sessions over the Akamai Platform to provide access only to the authorized applications on the enterprise network, and nothing else.

In turn an enterprise application hosted behind the firewall is now accessible to remote workers and third parties, with SSO and MFA support, through a web browser or mobile application, without exposing the entire enterprise network and mitigating unrestricted lateral movement across applications on the network.

Also, customers can enable secure access to applications in any location. For example if the app is in an AWS VPC, all the customer needs to do is to drop a connector in that environment, either as a container of VM. That makes it easy to migrate enterprise applications to the cloud and make them available on mobile.

So why are Akamai customers so interested in Enterprise Application Access?

To start with EAA is delivered as a service. So there’s no more appliances to deploy at the network edge, no need for network segmentation in the data center, and enterprises can be up and running in under 30 minutes.

Also because customers don’t need more appliances, they can deploy faster, and need a lot fewer people to solve a very complex problem. That ultimately means significantly lower operating expenditures.

EAA also empowers enterprises to close off their firewalls and to hide their applications from the Internet. That is a better security model than anything out there. Zero open inbound ports on your edge firewall and zero trust in the network.

Lastly the Akamai Enterprise Connector works in any public cloud environment, so enterprises can freely deploy enterprise apps in AWS, Azure, Google app engine, or wherever, and can consume those apps from anywhere on any device with an HTML5 compliant browser.

Bottom line – Enterprise Application Access is a better way to provide simpler and more secure access to enterprise applications behind the firewall.

If you would like to find out more about providing secure access to cloud apps or the Akamai Enterprise Application Access solution, please get in touch with the activereach sales team.

This article was first published by Akamai on 10th February 2017, on the Akamai UK blog.