The Akamai Blog

Securing Your Direct Internet Access Connections

With the rapid uptake in SaaS applications and the ease of moving enterprise applications from the data center to the cloud, many global companies are transforming the way they connect branch offices. In the past, the conventional approach was to connect all of your locations over an MPLS Wide Area Network (WAN) and then send all branch traffic over it to a regional HQ or even a single global HQ. At that central location, the traffic was controlled and managed using numerous on-premises hardware appliances. Traffic for data center applications was sent to the data center, while web traffic bound for SaaS applications or the public web was routed back out to the Internet, and then back to the branch via the central location. This hairpinning of traffic was inefficient and could often cause slow SaaS or web access for branch users.

But now, with more traffic destined for SaaS applications and the public web, enterprises are increasingly adopting the Internet as the corporate network. Instead of sending SaaS or web traffic over the WAN, Direct Internet Access (DIA) simply sends that traffic out over a standard broadband connection. An alternative approach is for the enterprise to deploy an SD-WAN. 

If the branch needs to access data center apps, that traffic is still routed over the WAN connection, but the reduction in traffic allows a smaller pipe to be used, which reduces network costs. Users also experience significantly better performance because the hairpinning of traffic is eliminated.

This change in the way traffic is routed also requires enterprises to rethink how they inspect and secure the traffic that is sent straight to the internet. Historically, many global enterprises have inspected and secured traffic using either enterprise firewalls or -- more typically -- secure web gateways (SWGs) deployed centrally. Enterprises often try to replicate the centralized security stack at each branch location, but this can prove to be complex, time-consuming, and costly.

An example: we recently spoke to a global manufacturing company with nearly 30 locations. They had gone down the route of upgrading firewalls and endpoint solutions at each location to deliver security and enforce their acceptable use policy (AUP) when they transitioned to DIA connectivity.

However, they quickly found that this caused a huge amount of work as each location's policies had to be managed separately, leading to inconsistencies and potential security gaps. Moreover, this approach led to a big uptick in user problems which, in turn, caused more help desk tickets for the security team to deal with. Finally, the cost of this approach was too high and negated the potential cost savings that had been one of the key drivers for DIA. 

Now, with Akamai's Enterprise Threat Protector, the company has a single policy that can be updated and deployed globally in minutes to enforce their AUP and to block malicious traffic. The solution has also reduced the number of calls to the help desk about blocked content and broken sites and apps.

Enterprise Threat Protector is a cloud-based Secure Internet Gateway that can be configured and deployed globally in less than 30 minutes. It uses DNS as the on-ramp to the Internet, blocking malicious traffic, allowing safe traffic to proceed as normal, and sending risky traffic to a cloud proxy for URL inspection and payload analysis. It's a perfect fit for organizations looking to secure DIA traffic, without the complexity and costs associated with on-premises hardware appliances.

To find out more about how Enterprise Threat Protector can help you quickly secure your DIA traffic, please read this use case.