Facilitating Application Access Control
By Katie Teitler at TAG Cyber
(re-posted with permission)
Back in mid-March I was at my gym talking to one of the other regulars about the impending office shutdowns. Her company’s previous work from home policy was…No. Every time she or anyone at the company had to work from home, for a snow day or an appliance repair, for instance, the request had to be formally approved and it was considered an exception. Now, all of a sudden, everyone in the company was required to work at home, and the company wasn’t even remotely (pun intended) equipped to handle it. After about a week, the IT team was still grappling with the VPN provider and additional remote connectivity and access issues.
This conversation was just one of many similar conversations I had over the course of a week and a half with non-IT or non-security friends and colleagues (sound familiar to you, dear reader?). It was surprising and not surprising at the same time. Mostly, though, what it was was unfortunate. Weren’t digital transformation and consumerization of the enterprise supposed to have taken us to a place of anywhere, anytime access already? Yet, reams of companies were unprepared to flip the switch and facilitate remote work during an already super stressful period.
At the same time, companies were increasing their reliance on cloud apps—once employees could connect reliably and securely, they needed easier access to their applications. Access to applications is what makes businesses run. Unauthorized access to apps, whether through VPN or via the cloud, could lead to even more problems, and no company needed more problems at the start of the pandemic.
But abstracting away from the suddenly-entirely-remote situation earlier this year, the pandemic forced laggard companies to start thinking seriously about access and applications in a way that, maybe, should have happened a while ago. In the past five years, the security industry has seen a shift in focus within the control plane—moving away from network and up to application. And without a perimeter at which to gate applications, the applications themselves became the “perimeter” at which users, devices, and processes must authenticate and gain authorization. Thus we’ve seen the emergence of a slew of vendor solutions aimed at application access control.
Connecting users and private apps
One such company, Axis Security, a startup out of Tel Aviv, has its own approach to secure application access, which the co-founders, Dor Knafo, CEO, and Gil Azrielant, dreamt up after years working in both offensive and defensive security. “What we saw,” said Dor, during a recent briefing, “was a disconnect between users and applications. Private applications have become critical to business operations, but it’s still too complex for users to connect to them, especially now that everyone is working remotely and many employees and partners are using non-standard devices.”
He explained that the “old way” of connecting users and their devices to private applications (that is, custom apps), i.e., via VPNs and MPLS, was too kludgy; their goal as co-founders and inventors was to build a platform that is easy to deploy, simple to use, and secure from end to end. Predicated on a zero trust access methodology, Axis is an agentless solution that deploys as a cloud connector, which serves as the touchpoint for the customer’s applications. When an employee wants to connect to an application, the request is routed through Axis, where it is mutually authenticated and encrypted. In keeping with zero trust, the “secret sauce” is the platform’s contextual awareness of the request (e.g., location, device type, history, etc.), which can be extracted from the organization’s AD or identity provider, and of the protocols used to communicate with the application.
Every access request must be validated against a defined set of protocols for a connection to be authorized, after which access is granted only to the specific app. This specificity contrasts with the VPN approach where, when a user connects remotely, they are connected to the company’s entire infrastructure instead of the discrete resource. By limiting which resources users have access to, companies can reduce their risk of compromise from remote access (which continues to be one of the trickier aspects of security for many companies).
Protecting remote access
The primary use case Axis touts is third-party, secure partner or supply chain access, and their vision is to offer a platform that’s as easy to use as any consumer mobile web app—pick your poison: Instagram, Waze, Uber Eats, etc. This is a lofty goal, but one that is worthwhile; enterprises absolutely need easier ways for remote, authorized users to connect to web apps, and to ensure security of both the application and the end user device. Zero trust and all its principles apply. The remote access and application protection spaces are crowded, but the ease with which Axis can be deployed and used makes their solution worth a look.