More and more companies are looking at alternatives to VPNs due to the security risks associated with network level access. And increasingly, the goal is to eliminate network trust through a zero trust architecture - which is one of the primary reasons many of these organizations are deploying Akamai's Enterprise Application Access (EAA) and Enterprise Threat Protector solutions. However, for EAA in particular, another key driver and unique differentiator is the simplicity and flexibility that the cloud service provides when compared to alternative access technologies.
In this post I will go a bit deeper into why these infrastructure and security teams choose EAA to minimize the level of effort and resources required to securely deploy, manage, and maintain access to corporate applications and data. Below are the top 5 reasons:
1. Reduce Complexity & Simplify IT
Most access solutions require an administrator to set up and manage hardware or software in a DMZ environment. The admin then needs to consider the people, process and technology components required to maintain such an architecture. "People" includes personnel resources to configure, test, troubleshoot, upgrade and patch the appliances. "Process" covers the change control processes that need to be followed in order to open holes in the firewall or touch any devices on the production network as well the process and delay added when additional teams need to be involved. And finally, "technology" considerations revolve around redundancy/high availability, capacity planning, and replication to different environments. And global companies often have to deal with performance challenges for international users requiring either expensive WAN optimization devices in each location, or regional app deployments to minimize the latency. This all adds up which can lead to configuration changes, new apps, new user groups, upgrades, etc. that can take days, weeks, or even months in certain cases.
EAA dramatically simplifies this by providing on-demand scalability along with the agility and flexibility to make changes in minutes through a simple cloud portal. Nothing is required in the DMZ and no inbound holes in the firewall are needed because the hardened and headless EAA Connector VM calls from the inside out to the Akamai cloud. Service upgrades are also handled automatically by EAA, so there is no downtime or impact to user traffic. Finally, no application changes are required - just a simple DNS change to onboard applications to EAA.
2. Integrate With Existing Systems
EAA has been designed to work with existing systems to provide a seamless deployment into existing architecture, as well as the option to take advantage of Akamai's own integrated capabilities as outlined in the list below:
- User Directories - Use existing (e.g. AD, AD LDS, LDAP) or our integrated Cloud Directory
- Identity Providers - Use existing (e.g. Okta) or our integrated IdP
- Multi-Factor Auth (MFA) - Use existing (e.g. Duo) or our integrated MFA
- Server Load Balancing (SLB) - Use existing (point to the VIP on existing SLB) or use our integrated SLB
- Auth/SSO to On-Prem Apps - Auth bridging via NTLM, Kerberos, and HTTP headers
- EAA Connector VM Support - VMware, Hyper-V, Docker, AWS, Azure, Google Cloud Platform, etc.
- SIEM Integration - Via RESTful APIs (e.g. Splunk Connector)
In addition to the above integration options, the Akamai Platform provides the following capabilities allowing customers the flexibility to enable the components they need based on their specific use cases:
- Customizable login portal and user application home page
- Client and clientless support
- Performance acceleration
- Global traffic management
- Application security (WAF)
- DDoS mitigation
- Bot management
3. Simplify Access Across Many Different Use Cases
EAA is being used today for a wide variety of use cases, including application access for both employees and third parties (partners, contractors, customers, etc.). One goal for many of our customers is to eliminate VPN access for certain user groups. Specific examples include:
- Remote developer access to web apps and Windows/Linux environments
- Power user/administrator access to devices on the production network
- Employee access to corporate resources on their BYOD devices
- Field employee access to critical apps while at customers or on the road
- Sales associates accessing product catalog or POS apps
- Customer care agents accessing CRM apps
- IoT devices like servers or kiosks needing to communicate with centralized infrastructure
In addition, the apps being accessed can be anywhere: in the datacenter, on the production or PCI network, in the public cloud (e.g. AWS, Azure), or with SaaS providers.
4. Consolidate Access Platforms
Most infrastructure teams don't want to add another remote access solution to the mix, and EAA allows for the opposite: it helps consolidate platforms. Because EAA covers so many use cases (as noted above) it can be used over time to consolidate platforms like the following:
- VPN concentrators
- ADC/proxy devices
- App virtualization appliances
- Third party/vendor remote access solutions
- Privileged access management solutions
EAA also allows for an easy way to phase in users and applications over time via a simple DNS change, which means the above solutions can be organically phased out over time. Additionally, EAA has the ability to replace other services like ADFS (via our SAML IdP) and server load balancing appliances (via our integrated SLB capabilities).
5. Quickly Get To A Zero Trust Architecture
As noted in my first paragraph, our customers know that EAA (and ETP) help achieve a zero trust security model. This mindset is gaining traction as more and more security professionals realize that the traditional perimeter security model is breaking down. Some network and security teams start by turning to micro-segmentation of the network, which works by putting user groups and apps on their own VLANs and managing access between them. While this is great in theory, it is very difficult in practice due to the level of effort required to manage, maintain, and troubleshoot these access rules. This is especially difficult when considering how often changes are made to user roles and services/devices on the network.
EAA greatly simplifies this by isolating users from the apps and data. All traffic must go through the EAA proxy, which provides app-level authorization based on device and user identity. This allows an organization to cut off direct network access to these applications providing a very simple and effective way to get to a zero trust architecture. For more details on implementing a zero trust architecture, check out this great whitepaper that details the challenges of traditional perimeter security models, how the Zero Trust model can help, and how to transition over time to this new architecture.