The Akamai Blog

Minimizing the Impacts of Stolen Credentials with Akamai Enterprise Application Access

With the acquisition of Soha Systems, Akamai's vision of bringing a simpler, more secure access approach to the enterprise is now available. We have blogged about this, most notably an excellent piece penned by Lorenz Jakober titled "Secure Enterprise Access Needs to Evolve".

If this is a new topic for you, the case for enterprises needing a new access model is:

  • VPNs, a staple of IT Networking for more than twenty years, have failed to evolve to meet today's remote access requirements.
  • Today, employees are mobile, and need to access applications hosted in different clouds and physical datacenters.
  • In increasing numbers, enterprise contractors, partners and customers - the global partner ecosystem - are also accessing "behind-the-firewall" applications. 
  • Using traditional VPNs to support these requirements brings increased complexity and support overhead to both IT and InfoSec teams. 

To address these requirements and concerns, Akamai launched Enterprise Application Access, which provides secure access for remote employees and third parties without VPNs. Operationally, Enterprise Application Access locks down all inbound firewall ports and effectively hides applications from public Internet exposure, while integrating data path protection, identity access, application security, and management visibility and control into a single solution.

Secure enterprise access is rapidly evolving to be the new standard. This was evident at the RSA2017 conference where several vendors announced or featured their 'new' secure access products. Gone was the term "VPN", even for those vendors who were effectively repackaging traditional VPNs with a secure access moniker.

VPNs are not as secure as you think. When a VPN is used with stolen credentials, enterprise and individual data are often compromised. And stolen credentials are a huge problem. DarkReading reports "a staggering 97 percent of the 1,000 largest companies in the Forbes Global 2000 list are at risk of attacks involving the use of stolen credentials belonging to their employees." Yahoo confirmed a state-sponsored attacker stole personal data of at least 500 million users. 500 million! Ouch.

While no product or service can totally prevent unauthorized system access when stolen credentials are in play, Enterprise Application Access, by design, inherently reduces risk by:

  • Providing users access to only those applications which they are authorized to use. Unlike a VPN, which if improperly configured can provide a remote user with access to a broad range of network, IT and application resources, Enterprise Application Access users only get access to their apps, and nothing else. In the case of VPNs and stolen credentials, once inside a network an unauthorized user can install their own software, steal data and compromise systems and applications. With Enterprise Application Access, this specific 'horizontal lateral movement' risk would be eliminated because the user would not have access or visibility into the broader network.
  • Forcing users to authenticate using a second layer of secure access via Multi-Factor Authentication (MFA). Enterprise Application Access makes MFA available for all apps, without the need for any system development or coding. Enabling MFA is a simple one-click, painless process. Organizations using MFA with Enterprise Application Access greatly reduce an unauthorized user's ability to use stolen credentials to gain application access.

According to Verizon's 2016 Data Breach Investigations Report, there were 1,439 reported incidents with confirmed data disclosure. The report does not break out how many were remote access related. But what we can say with confidence is that Enterprise Application Access can minimize the breach impact for customers. By reducing attack surfaces to just a few apps, along with the simple implementation of MFA, enterprises can enjoy a simpler and more secure access experience to applications behind the firewall.

If you are interested in learning more, reach out to your account team or contact us.