Dark Reading is part of the Informa Tech Division of Informa PLC

Operations

6/22/2020
05:25 PM

Pandemic Accelerates Priceline's 'Coffee Shop' Remote-Access Strategy

The travel-booking giant had been slowly starting to transition away from VPN dependence. Then COVID-19 happened, and suddenly 700 third-party call-center workers were working from home.

One of the biggest security challenges posed by the sudden lockdowns during the global pandemic has been figuring out how to swiftly arrange remote access for workers traditionally tied to office connectivity.

In many instances, the crucible of the quarantine era for security departments has accelerated security road maps, pilot programs, and early deployments of mobile-friendly controls that previously were only made available to select populations of enterprise users.

Such was the case at Priceline. Prior to COVID-19, the travel-booking website giant had been slowly moving its connectivity model to what its security leaders called the "coffee-shop model," where employees and contractors would be able to work from wherever they were. 

"It can be from Starbucks, your home, grandma's house – if you've got connectivity, then you should be able to do your work," says Joe Dropkin, cybersecurity and technology program manager at Booking Holdings, the management company that owns Priceline and other brands, including Kayak, OpenTable, and Booking.com. "Not only is that good for the employees, but it's also good from a security posture because we can say that the access from the outside is equivalent to the access from the inside, in that there is no access without all of the proper authentications and authorizations." 

The point of the coffee-shop model was that users could come and go freely between offices without going through contortions to verify their permissions and authorization for the corporate assets they needed to do their work. Dropkin had been working toward this model for several years, starting when he still worked directly for Priceline rather than for its holding company.

One of the first steps was to eliminate desktop computers and issue laptops to all corporate users. The next initiative was to find a flexible alternative to the traditional virtual private network (VPN). Priceline's VPN offered both full- and split-tunnel modes, but neither gave the company fine-grained control over which assets each user group was granted access to based on its role in the organization.

Dropkin and his team set their sights on secure remote-access technology. Not only would enforcing least privilege become easier, but it would also simplify the process of granting access to consultants and other third-party users since it only involved the installation of a web client on their existing machines. The unattractive alternative was to issue them expensive corporate laptops with dedicated VPN clients. 

After doing its due diligence, in June 2018 Priceline chose to go with Akamai Enterprise Application Access (EAA) technology, particularly because of its ability to proxy user connections. Priceline was still phasing in user groups and lines of business, so when the lockdowns started earlier this year, there were still plenty of situations where it leaned on a VPN to connect users to corporate assets.

"We had call centers with access to a legacy application that we allowed through a private VPN tunnel from their call center, but they did not have any type of remote access to their call center when the pandemic hit," Dropkin explains. "They sent all of their workers home with their corporate desktops – yes, that's what I said – and now we needed to basically provide the same type of access."

This was a more complicated scenario than when working with a consultant, which is usually a one-to-one relationship or involves just a small group of users through a sponsor at corporate. 

"Now we're talking about hundreds of people at a call center that we have no direct relationship with who are connecting to our network on unmanaged, unchecked machines," Dropkin says.

By expanding its existing investment in secure remote access, Priceline was able to quickly rework those connections and enable some 700 call-center representatives to access the legacy application, and only the legacy application, through EAA. The switch happened quickly, with very little downtime, and made the case for broader use of secure remote access at both Priceline and the other Booking Holdings brands.
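The contrast the article draws, between a VPN that grants a client a network tunnel and a proxy that publishes individual applications to authenticated, authorized identities, is easiest to see in the decision the proxy makes on every request. The following is an added illustration, not Priceline's deployment and not Akamai EAA code: a default-deny authorization check that binds each request to a signature-verified identity assertion and to a group-to-application entitlement table. The hostnames, group names, shared secret and the HMAC-signed token format are constructed assumptions standing in for the IdP/SSO assertion a real proxy would receive after the user authenticates.

```python
"""Default-deny, per-application authorization as an identity-aware proxy
would apply it on every request (added illustration; not Priceline's or
Akamai EAA's code)."""
import base64
import hashlib
import hmac
import json
import time

# Constructed policy: published application -> groups entitled to it.
# Hostnames and group names are assumptions for this example. Anything
# not listed here is never forwarded, whatever network the client is on.
APP_POLICY = {
    "legacy-app.internal.example": {"callcenter-vendor", "corp-it"},
    "wiki.internal.example": {"corp-employees", "corp-it"},
    "hr.internal.example": {"corp-hr"},
}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(subject, groups, secret, now, ttl=300):
    """Mint an HMAC-SHA256-signed identity assertion. This stands in for the
    IdP/SSO token a real proxy receives once the user has authenticated."""
    claims = {"sub": subject, "groups": sorted(groups), "exp": now + ttl}
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(secret, body, hashlib.sha256).digest()
    return b64url_encode(body) + "." + b64url_encode(sig)


def verify_assertion(token, secret, now):
    """Return the claims if the signature checks out and the token is
    unexpired; otherwise None. compare_digest avoids a timing side channel."""
    try:
        body_b64, sig_b64 = token.split(".", 1)
        body = b64url_decode(body_b64)
        sig = b64url_decode(sig_b64)
    except ValueError:  # malformed token (binascii.Error is a ValueError)
        return None
    expected = hmac.new(secret, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(body)
    if claims.get("exp", 0) <= now:
        return None
    return claims


def authorize(host, token, secret, now=None):
    """Decide one proxied request and return (allowed, reason).

    Unlike a VPN, where a connected client can reach anything routable,
    the proxy only forwards to applications it publishes, and only for a
    verified identity whose groups are entitled to that application."""
    now = time.time() if now is None else now
    if host not in APP_POLICY:
        return False, "not a published application"
    claims = verify_assertion(token, secret, now)
    if claims is None:
        return False, "unauthenticated, tampered or expired assertion"
    if not set(claims.get("groups", [])) & APP_POLICY[host]:
        return False, f"{claims['sub']} is not entitled to {host}"
    return True, f"{claims['sub']} -> {host}"


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # assumption for the demo
    now = int(time.time())
    # A call-center agent on an unmanaged machine is entitled to the legacy
    # application only; every other published app is refused.
    agent = issue_assertion("agent42@vendor.example", ["callcenter-vendor"], secret, now)
    for host in APP_POLICY:
        print(host, authorize(host, agent, secret, now))
```

The check the call-center scenario relies on is the last one in `authorize`: the agent's assertion is valid, but the only application that lists the agent's group is the legacy app, so the wiki and HR hosts are refused with a reason the proxy can log. Expiry and signature failures are refused before entitlements are even consulted, which is the "no access without all of the proper authentications and authorizations" property Dropkin describes.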

Dropkin says Priceline has "accelerated" its priorities for the technology to replace VPNs outright, not only for convenience and security but also as a cost savings, since the multiprotocol label switching (MPLS) lines needed to connect call centers via VPN are not cheap. Meanwhile, Booking Holdings has also started using EAA, and Dropkin is helping other brands explore their options where appropriate.

"In my new role of trying to get everybody on the same page, I've had discussions with the other brands, and we are in the middle of assessing needs and understanding their current capabilities," he explains. "The hardest thing for any corporation is to remove an infrastructure product that isn't broken, and getting your application owners to accept there is a better [and more secure] way of doing this."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.