AKAMAI WHITE PAPER. Enterprise Application Access Architecture Overview

Similar documents
INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.1 SUCCESS AKAMAI SOLUTIONS BRIEF INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.

TechValidate Survey Report: SaaS Application Trends and Challenges

Survey: Global Efficiency Held Back by Infrastructure Spend in Pharmaceutical Industry

Today s workforce is Mobile. Cloud and SaaSbased. are being deployed and used faster than ever. Most applications are Web-based apps

REVISED 6 NOVEMBER 2018 COMPONENT DESIGN: VMWARE IDENTITY MANAGER ARCHITECTURE

Introduction. The Safe-T Solution

Access Denied! Decoding Identity Aware Proxies

TIBCO Cloud Integration Security Overview

VMware Identity Manager Connector Installation and Configuration (Legacy Mode)

ARCHITECTURAL OVERVIEW REVISED 6 NOVEMBER 2018

VMware Identity Manager Cloud Deployment. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager

HySecure Quick Start Guide. HySecure 5.0

VMware Identity Manager Cloud Deployment. Modified on 01 OCT 2017 VMware Identity Manager

Deploying VMware Identity Manager in the DMZ. JULY 2018 VMware Identity Manager 3.2

VMWARE HORIZON CLOUD WITH VMWARE IDENTITY MANAGER QUICK START GUIDE WHITE PAPER MARCH 2018

IBM Secure Proxy. Advanced edge security for your multienterprise. Secure your network at the edge. Highlights

EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES BEST PRACTICES FOR IDENTITY FEDERATION IN AWS E-BOOK

O365 Solutions. Three Phase Approach. Page 1 34

BIG-IP V11.3: PRODUCT UPDATE. David Perodin Field Systems Engineer III

App Gateway Deployment Guide

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.

SecureFactors. Copyright SecureFactors Corp ver 1.0a

SaaS. Public Cloud. Co-located SaaS Containers. Cloud

Securely Deliver Remote Monitoring and Service to Critical Systems. A White Paper from the Experts in Business-Critical Continuity TM

Introduction With the move to the digital enterprise, all organizations regulated or not, are required to provide customers and anonymous users alike

Hybrid Identity de paraplu in de cloud

SECURE, FLEXIBLE ON-PREMISE STORAGE WITH EMC SYNCPLICITY AND EMC ISILON

Deploying Tableau at Enterprise Scale in the Cloud

SAP Security in a Hybrid World. Kiran Kola

Deploying VMware Identity Manager in the DMZ. SEPT 2018 VMware Identity Manager 3.3

DATACENTER MANAGEMENT Goodbye ADFS, Hello Modern Authentication! Osman Akagunduz

Enabling Public Cloud Interconnect Services F5 Application Connector

Liferay Security Features Overview. How Liferay Approaches Security

Overview of Akamai s Personal Data Processing Activities and Role

Third Party Cloud Services Its Adoption in the New Age

Cato Cloud. Software-defined and cloud-based secure enterprise network. Solution Brief

WHITE PAPER AIRWATCH SUPPORT FOR OFFICE 365

PCI DSS Compliance. White Paper Parallels Remote Application Server

Docker Universal Control Plane Deploy and Manage On-Premises, Your Dockerized Distributed Applications

Pulse Secure Application Delivery

CogniFit Technical Security Details

StorageZones Controller 3.3

DIGITAL TRANSFORMATION IN FINANCIAL SERVICES

CIO INSIGHTS Boosting Agility and Performance on the Evolving Internet

Securing Amazon Web Services (AWS) EC2 Instances with Dome9. A Whitepaper by Dome9 Security, Ltd.

About This Document 3. Overview 3. System Requirements 3. Installation & Setup 4

SECURING AWS ACCESS WITH MODERN IDENTITY SOLUTIONS

AWS plug-in. Qlik Sense 3.0 Copyright QlikTech International AB. All rights reserved.

vshield Administration Guide

Akamai Bot Manager. Android and ios BMP SDK

Microsoft Azure for AWS Experts

Integration Patterns for Legacy Applications

HARNESSING THE HYBRID CLOUD TO DRIVE GREATER BUSINESS AGILITY

A Practical Step-by-Step Guide to Managing Cloud Access in your Organization

Veritas Desktop and Laptop Option 9.1 Qualification Details with Cloud Service Providers (Microsoft Azure and Amazon Web Services)

SteelConnect. The Future of Networking is here. It s Application-Defined for the Cloud Era. SD-WAN Cloud Networks Branch LAN/WLAN

Implementing Microsoft Azure Infrastructure Solutions (20533)

Passwords Are Dead. Long Live Multi-Factor Authentication. Chris Webber, Security Strategist

Security and Compliance at Mavenlink

APPLICATION & INFRASTRUCTURE SECURITY CONTROLS

Inside Symantec O 3. Sergi Isasi. Senior Manager, Product Management. SR B30 - Inside Symantec O3 1

Introducing. Secure Access. for the Next Generation. Bram De Blander Sales Engineer

The Emerging Role of a CDN in Facilitating Secure Cloud Deployments

Q&A TAKING ENTERPRISE SECURITY TO THE NEXT LEVEL. An interview with John Summers, Enterprise VP and GM, Akamai

ForeScout CounterACT. (AWS) Plugin. Configuration Guide. Version 1.3

Mitel MiContact Center Enterprise WEB APPLICATIONS CONFIGURATION GUIDE. Release 9.2

WEBSCALE CONVERGED APPLICATION DELIVERY PLATFORM

Guide to Deploying VMware Workspace ONE. VMware Identity Manager VMware AirWatch 9.1

IBM Security Access Manager

AKAMAI CLOUD SECURITY SOLUTIONS

Puppet on the AWS Cloud

Check Point vsec for Microsoft Azure

SEVONE DATA APPLIANCE FOR EUE

VMware AirWatch Integration with F5 Guide Enabling secure connections between mobile applications and your backend resources

How-to Guide: Tenable.io for Microsoft Azure. Last Updated: November 16, 2018

Introduction to ArcGIS Server Architecture and Services. Amr Wahba

SteelConnect. The Future of Networking is here. It s Application- Defined for the Cloud Era. SD-WAN Cloud Networks Branch LAN/WLAN

Guide to Deploying NetScaler as an Active Directory Federation Services Proxy

Course Outline. Module 1: Microsoft Azure for AWS Experts Course Overview

How-to Guide: Tenable Nessus for Microsoft Azure. Last Updated: April 03, 2018

Integrating AirWatch and VMware Identity Manager

THE STATE OF MEDIA SECURITY HOW MEDIA COMPANIES ARE SECURING THEIR ONLINE PROPERTIES

Syncplicity Panorama with Isilon Storage. Technote

THE SECURITY LEADER S GUIDE TO SSO

Technical Overview of DirectAccess in Windows 7 and Windows Server 2008 R2. Microsoft Windows Family of Operating Systems

#1 Enterprise File Share, Sync, Backup and Mobile Access for Business

Network Integration Guide Planning

AKAMAI WHITE PAPER. Security and Mutual SSL Identity Authentication for IoT. Author: Sonia Burney Solutions Architect, Akamai Technologies

SEVONE END USER EXPERIENCE

Security Guide Zoom Video Communications Inc.

Course 20533B: Implementing Microsoft Azure Infrastructure Solutions

Cisco HyperFlex and the F5 BIG-IP Platform Accelerate Infrastructure and Application Deployments

StorageZones Controller 3.4

REVISED 6 NOVEMBER 2018 COMPONENT DESIGN: UNIFIED ACCESS GATEWAY ARCHITECTURE

VMware Workspace ONE Quick Configuration Guide. VMware AirWatch 9.1

Document Sub Title. Yotpo. Technical Overview 07/18/ Yotpo

[MS20533]: Implementing Microsoft Azure Infrastructure Solutions

ShareFile Technical Presentation

CloudLink Amazon Web Services Deployment Guide

Security Information & Policies

Transcription:

AKAMAI WHITE PAPER Enterprise Application Access Architecture Overview

Enterprise Application Access Architecture Overview 1 Providing secure remote access is a core requirement for all businesses. Though VPNs have been around for 20+ years, traditional remote access has limitations and risks (see Figure 1), when you consider that enterprises now need to: Serve mobile users on mobile devices Deliver applications from a variety of global data centers and hybrid cloud environments Open up applications and data to an entire digital ecosystem of customers, partners, suppliers, contractors, etc. Remote Network Access Can Increase Risk App3 User Client Network Application App2 Hole in the Firewall Complex Configuration Client Software Lateral Movement Firewall Application App1 Figure 1 Traditional Remote Access Akamai has turned traditional remote access on its head, using a secure cloud to provide a new and better way to solve the pain for applications hosted in data centers and hybrid cloud environments. Approaching the problem in a fundamentally different way, Enterprise Application Access (EAA) (Figure 2) is a cloud service that delivers access to applications without providing remote users access to your entire network. With EAA, you get a centralized, managed solution that does not require external hardware or software. Managing and controlling remote access becomes simple and uncluttered, and with the elimination of complexity comes fundamentally better security. Easier, More Secure Access To Enterprise Apps App3 Enterprise App Access App1 User Enterprise Connector App2 NO Hole in the Firewall NO Complex Configuration NO Client Software NO Lateral Movement App4 Firewall Figure 2 Enterprise Application Access With EAA, a Cloud DMZ service, no one can get to applications directly because they are hidden from the Internet and public exposure. A unique dual-cloud architecture closes all inbound firewall ports while providing authenticated end users access to only their specific applications. EAA integrates data-path protection, identity access, multi-factor authentication, application security, and management visibility and control into a single service. EAA is an integrated, globally distributed service that eliminates the time and complexity of building an access solution out of component parts and EAA can be deployed in every kind of data center or hybrid cloud infrastructure in minutes to create a central point of access and control.

Enterprise Application Access Architecture Overview 2 The EAA Architecture There are three major components of the EAA architecture: EAA Edge, EAA Management Cloud, and Connectors. The EAA Edge provides the data path between the user and application as well as the data security, application performance, and optimization components. The EAA Management Cloud provides management, logging, reporting, and configuration. The EAA Edge and Management Cloud are based on a secure, multi-tenant architecture and are hosted in multiple regions. They utilize modern cloud-scale approaches with rigorous built-in security and DDoS protection. Both are redundant with automatic fail over and can expand elastically to adapt to traffic loads. The Management Cloud is common to all customers. Connectors are headless virtual appliances deployed behind the firewall in customer data centers or hybrid cloud environments. Connectors can also optionally be deployed as Dockers. Each Connector creates secure TLS sessions to EAA, enabling connectivity between users and applications. Each Connector is fully managed and configured via the EAA Management Cloud and is cryptographically unique. Multiple Connectors can be deployed for redundancy and scaling. Connectors are packaged for deployment in the following environments: VMware VSphere Amazon AWS (VPC or classic EC2) Microsoft Azure Microsoft Hyper-V Connectors have a number of functional capabilities: Proxy access to web applications. IBM Softlayer Google Compute Engine Openstack Docker Convert RDP and SSH sessions to HTML5 for presentation in the user s browser. Load balance (SLB) to multiple application servers with session or cookie stickiness. Communicate to local directory servers and integrate with enterprise Single Sign-on (SSO) mechanisms (e.g. Kerberos, NTLM, and ADFS). Collect statistics for management and performance reporting. Provide integration with local security functions (e.g., DLP) via ICAP. Connectors accept no inbound connections. They only initiate outbound TLS sessions to EAA and to the applications they are configured to communicate with. Because Connectors are proxy connections, they never directly connect users and the network. From a networking perspective, Connectors require: A firewall rule to allow outbound connectivity over port 443 (TLS/SSL) Reachability to enterprise application(s) being secured by EAA Reachability to enterprise directory services for user authentication

Enterprise Application Access Architecture Overview 3 How EAA Works When initially deployed, Connectors phone home by establishing an outbound, mutually authenticated TLS session to the EAA Management Cloud. The Connector then pulls its configuration and updates from the Management Cloud. Connectors establish outbound TLS sessions with EAA and are utilized as needed per policy to provide a Layer-7 path for users trying to access their applications. To prevent attacks or session hijacking, Connectors restart outbound sessions periodically. When a user attempts to access an application, the user s browser initiates a TLS session to the EAA Edge. The EAA Edge terminates this TLS session, authenticates the user to the directory associated with the application (optionally adding 2-factor or multi-factor authentication), and matches the user against their access policy. The EAA Edge can authenticate users to the following Directories and Identity Services: Active Directory (LDAP), including support for Kerberos. SAML Identity Providers (Okta, Ping, OneLogin, etc.). Open ID Connect implementations (e.g., Google Directory). EAA Internal IDP (Identity Provider) - Customers have the option to leverage EAA as their directory source as needed. After the user is authenticated, the outbound session from the Connector and the inbound session from the user s device are stitched together in the EAA. The Connector further proxies this user-to-connector session to the application (i.e., creates a 3rd session), thereby provisioning a dynamic, end-to-end path for the user to interact with the application. EAA s deep integration with on-premise directories, data security, and SIEM tools can be extended into cloud environments. For example, access to applications running in Azure can be authenticated to an on-premise Active Directory server in the data center, and access logs can be streamed to an on-premise Splunk appliance. Centralized Security and EAA applies centralized security and access-control policies for both data center and hybrid cloud environments. Key to the architecture is that EAA lies directly in the user s data path and is the only entry point for users gaining access to critical enterprise resources. EAA determines access rights for users as well as the specific applications they are authenticated to use. EAA is a highly secure approach for application access because it moves the attack surface away from the application. Because the Connector only dials out from the customer s infrastructure, inbound access to the customer s infrastructure environment is removed, and the customer s infrastructure is no longer directly accessible or visible from the Internet. Unauthorized access is further minimized by authenticating users outside your infrastructure. Two-factor and multi-factor authentication are available for fortified access control. EAA also shields your infrastructure and protect applications from Internet attacks, including DDoS and botnets. To ensure optimal performance, EAA uses LZ-based payload compression, TCP optimization, and load balancing to ensure end users experience LAN-like response times. Furthermore, EAA leverages channelization strategies to reduce TCP connection setup latencies that can impact the end-user experience. An end-user s experience while accessing applications through the EAA is fast and seamless. Instead of using a cumbersome VPN client, end users gain access to applications through any browser or mobile app; they simply enter their credentials username, password, and optional multi-factor authentication to identify themselves and are dynamically provisioned access to private enterprise applications.

Enterprise Application Access Architecture Overview 4 Enterprise Application Access: Putting You Back in Control EAA removes the chronic pain suffered by IT teams associated with managing third-party access. It is easy to deploy, provision, change, and monitor. EAA removes all the complexity: no device software, no software upgrades or updates, and no additional hardware. User management difficulties from on boarding to off boarding is a breeze. As a central point of entry and control, EAA provides a single management pane for detailed audit, visibility, control, and compliance reporting. The result is painless, secure remote application access. As the global leader in Content Delivery Network (CDN) services, Akamai makes the Internet fast, reliable and secure for its customers. The company s advanced web performance, mobile performance, cloud security and media delivery solutions are revolutionizing how businesses optimize consumer, enterprise and entertainment experiences for any device, anywhere. To learn how Akamai solutions and its team of Internet experts are helping businesses move faster forward, please visit www.akamai.com or blogs.akamai.com, and follow @Akamai on Twitter. Akamai is headquartered in Cambridge, Massachusetts in the United States with operations in more than 57 offices around the world. Our services and renowned customer care are designed to enable businesses to provide an unparalleled Internet experience for their customers worldwide. Addresses, phone numbers, and contact information for all locations are listed on www.akamai.com/locations. 2016 Akamai Technologies, Inc. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission is prohibited. Akamai and the Akamai wave logo are registered trademarks. Other trademarks contained herein are the property of their respective owners. Akamai believes that the information in this publication is accurate as of its publication date; such information is subject to change without notice. Published 12/16.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback