I sat down again with John Payne, Akamai's Chief Architect of Infrastructure and Security, as well as Keith Hillis, Director IT Risk & Security. We spoke about enterprise security compliance, and how Enterprise Application Access (EAA) exceeds Akamai's requirements and simplifies the process for auditors.
Compliance is the bare minimum; strong security exceeds compliance. Ensuring that Akamai users' remote access to an application goes only through Akamai's designated path is now a standard. Being able to follow a user's activity stream from the moment they log in is now of utmost importance, but historically it had been difficult to execute and troublesome to produce audit data for. As an example, Oracle, Siebel, and SharePoint each have different logging mechanisms and different ways of being audited. If Akamai can log into the EAA management portal and see all of them in one place, that is a large time savings and a simpler standard to report against, or even to troubleshoot.
Seeing that a user accessed various applications over a given time turns out to be a handy compliance tool. Any approved auditor can be granted access to EAA logging and what has transpired. Keith used the words "auditing gold." Correlating security all in one place makes Akamai's architecture team and their auditors' jobs less time consuming and painful.
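The value of a single audit view over applications that each log differently is easy to show with code. The following is an added example, not Akamai's or EAA's code: it takes constructed log lines in three hypothetical per-application formats (stand-ins for the Oracle, Siebel, and SharePoint logs mentioned above; the formats are invented), normalizes them into one event schema, and returns a per-user timeline of the kind an auditor would ask for. Lines that do not parse are reported rather than silently dropped, since a gap in an audit trail is itself a finding.

```python
import re
from datetime import datetime, timezone

# Constructed sample records in three different, hypothetical log formats.
# They are placeholders for the per-application logs the post mentions and
# are NOT the real output of Oracle, Siebel or SharePoint.
SAMPLE_LOGS = {
    "oracle": [
        "2024-03-04T09:15:02Z AUDIT user=jdoe action=LOGON db=FIN01",
        "2024-03-04T09:31:40Z AUDIT user=asmith action=LOGON db=FIN01",
    ],
    "siebel": [
        "03/04/2024 09:17:45 [jdoe] Login OK view=AccountsReceivable",
    ],
    "sharepoint": [
        "2024-03-04 09:20:11,jdoe,FileAccessed,/sites/finance/q1.xlsx",
        "2024-03-04 09:22:05,jdoe,Logout,-",
        "corrupt entry with no delimiters",  # deliberately unparsable
    ],
}

# One regex per hypothetical format; each yields the same named groups.
_ORACLE = re.compile(
    r"^(?P<ts>\S+) AUDIT user=(?P<user>\S+) action=(?P<action>\S+) db=(?P<target>\S+)$")
_SIEBEL = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) \[(?P<user>[^\]]+)\] "
    r"(?P<action>Login OK|Login FAILED) view=(?P<target>\S+)$")
_SHAREPOINT = re.compile(
    r"^(?P<ts>[^,]+),(?P<user>[^,]+),(?P<action>[^,]+),(?P<target>.*)$")

PARSERS = {
    "oracle": (_ORACLE, "%Y-%m-%dT%H:%M:%SZ"),
    "siebel": (_SIEBEL, "%m/%d/%Y %H:%M:%S"),
    "sharepoint": (_SHAREPOINT, "%Y-%m-%d %H:%M:%S"),
}


def normalize(app, line):
    """Map one raw line to a common event dict, or None if it cannot be parsed.

    All sources are assumed to log in UTC; in practice, per-source timezone
    normalization is the first thing to verify, or cross-app ordering is wrong.
    """
    pattern, fmt = PARSERS[app]
    m = pattern.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), fmt).replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    return {
        "ts": ts,
        "user": m.group("user"),
        "app": app,
        "action": m.group("action"),
        "target": m.group("target"),
    }


def build_audit_trail(logs):
    """Merge all sources into one time-ordered event list; report unparsed lines separately."""
    events, unparsed = [], []
    for app, lines in logs.items():
        for line in lines:
            ev = normalize(app, line)
            (events if ev else unparsed).append(ev if ev else (app, line))
    events.sort(key=lambda e: e["ts"])
    return events, unparsed


def user_timeline(events, user):
    """The 'follow the user stream' view: every event for one identity, across all apps."""
    return [e for e in events if e["user"] == user]


if __name__ == "__main__":
    events, unparsed = build_audit_trail(SAMPLE_LOGS)
    for e in user_timeline(events, "jdoe"):
        print(e["ts"].isoformat(), e["app"], e["action"], e["target"])
    for app, line in unparsed:
        print("UNPARSED", app, repr(line))
```

The design choice worth noting is that each source is reduced to the same five fields before anything is correlated; the auditor's question ("what did this user touch, in order, across everything?") is then a single filter over one list rather than three separate export-and-reconcile exercises.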
It has not always been so easy. Going back a few years, Akamai's infrastructure team gave the ability for a DBA to log into a jump box and manipulate various servers and databases. To meet PCI and SOC 2 requirements, Akamai needed to augment this strategy to meet and exceed compliance standards. Also, Akamai doesn't want users having direct access to the application server itself. John and Keith thought about a simple and effective way to resolve this - through a proxy. It turned out that EAA, a proxy itself, made this effort much easier without having to design from scratch internally!
Segmenting out secure remote access, never letting the user connect directly to a database, and always keeping application logic between the user and the data, with appropriate levels of authentication added, was exactly the solution the architecture and security teams were looking for. Another advantage for Akamai's own internal standards was the ability to ultimately roll out company-wide 2FA. For the apps that do not support this natively - and there are plenty - EAA can add it without changing the application.
Areas that Keith and John needed to address were in PCI Chapter 6 - specifically, developing and maintaining secure systems and applications, PCI-required segmentation, and SOC compliance. EAA had features that exceeded these needs, for example:
- The ability to grant and remove access rights from a central management portal
- The audit trail capability
- If Akamai employees themselves don't like the way an application presents itself, EAA allows Akamai to fill in the gaps, front-ending some of those aspects without needing a major overhaul of the applications
After evaluating and testing EAA, the infrastructure and security teams found that it proved to be an excellent solution for meeting and exceeding compliance standards.