Operations

6/22/2020 05:25 PM
Pandemic Accelerates Priceline's 'Coffee Shop' Remote-Access Strategy

The travel-booking giant had been slowly starting to transition away from VPN dependence. Then COVID-19 happened, and suddenly 700 third-party call-center workers were working from home.

One of the biggest security challenges posed by the sudden lockdowns during the global pandemic has been figuring out how to swiftly arrange remote access for workers traditionally tied to office connectivity.

In many instances, the crucible of the quarantine era for security departments has accelerated security road maps, pilot programs, and early deployments of mobile-friendly controls that previously were only made available to select populations of enterprise users.

Such was the case at Priceline. Prior to COVID-19, the travel-booking website giant had been slowly moving its connectivity model to what its security leaders called the "coffee-shop model," where employees and contractors would be able to work from wherever they were. 

"It can be from Starbucks, your home, grandma's house – if you've got connectivity, then you should be able to do your work," says Joe Dropkin, cybersecurity and technology program manager at Booking Holdings, the management company that owns Priceline and other brands, including Kayak, OpenTable, and Booking.com. "Not only is that good for the employees, but it's also good from a security posture because we can say that the access from the outside is equivalent to the access from the inside, in that there is no access without all of the proper authentications and authorizations." 

The drive toward the coffee-shop model was so users could come and go freely between offices without going through contortions to verify permissions and authorization to the corporate assets they needed to do their work. Dropkin had been working for several years on moving the company to this model, dating back to when he worked directly for Priceline rather than its holding company.

One of the first steps in the process was for the company to eliminate desktop computers and issue laptops to all corporate users. The next initiative was to find a flexible alternative to its traditional virtual private network (VPN), which offered both full- and split-tunnel modes but didn't give Priceline enough control over which specific assets a given user group could reach based on its role at the organization: once a tunnel is up, a user can reach whatever the tunnel routes, not just the application they are entitled to.

Dropkin and his team set their sights on secure remote-access technology. Not only would enforcing least privilege become easier, but it would also simplify the process of granting access to consultants and other third-party users since it only involved the installation of a web client on their existing machines. The unattractive alternative was to issue them expensive corporate laptops with dedicated VPN clients. 

After doing its due diligence, in June 2018 Priceline chose to go with Akamai Enterprise Application Access (EAA) technology, particularly because of its ability to proxy user connections. Priceline was still phasing in user groups and lines of business, so when the lockdowns started earlier this year, there were still plenty of situations where it leaned on a VPN to connect users to corporate assets.

"We had call centers with access to a legacy application that we allowed through a private VPN tunnel from their call center, but they did not have any type of remote access to their call center when the pandemic hit," Dropkin explains. "They sent all of their workers home with their corporate desktops – yes, that's what I said – and now we needed to basically provide the same type of access."

This was a more complicated scenario than when working with a consultant, which is usually a one-to-one relationship or involves just a small group of users through a sponsor at corporate. 

"Now we're talking about hundreds of people at a call center that we have no direct relationship with who are connecting to our network on unmanaged, unchecked machines," Dropkin says.

By expanding its existing investment in secure remote access, Priceline was able to quickly rejigger those connections and enable some 700 call-center representatives to access the legacy application – and only the legacy application – through the use of EAA. The switch happened quickly, with very little downtime, and made the case for broader use of secure remote access to both Priceline and other Booking Holdings firms.
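The difference between the two access models described above (a split-tunnel VPN that routes a corporate prefix to the client versus a proxy that authorizes each user for a named application) can be made concrete. The following is an added illustration, not Priceline's configuration and not Akamai EAA's policy engine; the hosts, prefixes, group names and user are constructed for the example.

```python
"""Network-level VPN reachability vs. per-application authorization.

Constructed model of the two access patterns contrasted in the article:
a split-tunnel VPN makes everything inside the routed prefixes reachable,
while an identity-aware application proxy decides each request from the
user's groups and a per-application policy, failing closed by default.
All hosts, prefixes, groups and identities here are made up.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Identity:
    """What the proxy knows after authentication (e.g. SSO plus MFA)."""
    subject: str
    groups: frozenset
    mfa: bool = False


# --- Model 1: split-tunnel VPN --------------------------------------------
# The tunnel carries a prefix, not an application. Any host in the prefix
# is reachable by any connected user, whatever their role.
VPN_ROUTES = [ip_network("10.20.0.0/16")]          # constructed corporate prefix

INTERNAL_HOSTS = {                                 # constructed inventory
    "legacy-callcenter-app": "10.20.1.10",
    "hr-database": "10.20.2.20",
    "source-control": "10.20.3.30",
}


def vpn_reachable(host: str) -> bool:
    """True if the host's address falls inside a prefix routed into the tunnel."""
    addr = ip_address(INTERNAL_HOSTS[host])
    return any(addr in net for net in VPN_ROUTES)


def vpn_reachable_hosts() -> set:
    """Everything a connected VPN user can reach at the network layer."""
    return {h for h in INTERNAL_HOSTS if vpn_reachable(h)}


# --- Model 2: identity-aware application proxy ----------------------------
# Only published applications exist from the client's point of view; each
# names the groups entitled to it. The origin is never routed to the client.
APP_POLICY = {
    "legacy-callcenter-app": {"allowed_groups": {"callcenter-vendor", "it-ops"}, "require_mfa": True},
    "hr-database":           {"allowed_groups": {"hr"},                          "require_mfa": True},
    "source-control":        {"allowed_groups": {"engineering"},                 "require_mfa": True},
}


def proxy_authorize(identity, app: str) -> tuple:
    """Return (allowed, reason). Every failure path denies: no identity,
    unpublished app, missing MFA, or no overlap with the entitled groups."""
    if identity is None:
        return False, "unauthenticated"
    rule = APP_POLICY.get(app)
    if rule is None:
        return False, "application not published"
    if rule["require_mfa"] and not identity.mfa:
        return False, "mfa required"
    if not (identity.groups & rule["allowed_groups"]):
        return False, "no entitled group"
    return True, "ok"


def proxy_allowed_apps(identity) -> set:
    """The set of published applications this identity may use."""
    return {app for app in APP_POLICY if proxy_authorize(identity, app)[0]}


if __name__ == "__main__":
    rep = Identity("agent-0417", frozenset({"callcenter-vendor"}), mfa=True)
    print("VPN reachable :", sorted(vpn_reachable_hosts()))      # all three hosts
    print("proxy allowed :", sorted(proxy_allowed_apps(rep)))    # only the legacy app
    print("without MFA   :", proxy_authorize(Identity("agent-0417", frozenset({"callcenter-vendor"})),
                                             "legacy-callcenter-app"))
```

Run as written, the VPN model reports all three constructed hosts as reachable by the call-center identity, while the proxy model allows only the legacy application. Note the order of checks in `proxy_authorize`: authentication, then whether the application is published at all, then MFA, then group entitlement, so that nothing is reachable by default. The model reasons only about identity and application; it says nothing about the state of the client machine, which for the unmanaged call-center endpoints the article mentions is a separate gap a practitioner would want to address.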

Dropkin says Priceline has "accelerated" its priorities for the technology to replace VPNs outright – not only for convenience and security, but also as a cost savings, since the multiprotocol label switching (MPLS) circuits needed to connect call centers via VPN are not cheap. Meantime, Booking Holdings has also started using EAA, and Dropkin is helping other brands explore their options where appropriate.

"In my new role of trying to get everybody on the same page, I've had discussions with the other brands, and we are in the middle of assessing needs and understanding their current capabilities," he explains. "The hardest thing for any corporation is to remove an infrastructure product that isn't broken, and getting your application owners to accept there is a better [and more secure] way of doing this."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.