One of the biggest security challenges posed by the sudden lockdowns during the global pandemic has been figuring out how to swiftly arrange remote access for workers traditionally tied to office connectivity.
In many instances, the crucible of the quarantine era for security departments has accelerated security road maps, pilot programs, and early deployments of mobile-friendly controls that previously were only made available to select populations of enterprise users.
Such was the case at Priceline. Prior to COVID-19, the travel-booking website giant had been slowly moving its connectivity model to what its security leaders called the "coffee-shop model," where employees and contractors would be able to work from wherever they were.
"It can be from Starbucks, your home, grandma's house – if you've got connectivity, then you should be able to do your work," says Joe Dropkin, cybersecurity and technology program manager at Booking Holdings, the management company that owns Priceline and other brands, including Kayak, OpenTable, and Booking.com. "Not only is that good for the employees, but it's also good from a security posture because we can say that the access from the outside is equivalent to the access from the inside, in that there is no access without all of the proper authentications and authorizations."
The drive toward the coffee-shop model was so users could come and go freely between offices without going through contortions to verify their permissions and authorization for the corporate assets they needed to do their work. Dropkin had been working for several years on moving the company to this model, starting when he worked directly for Priceline rather than its holding company.
One of the first steps in the process was for the company to eliminate desktop computers and issue laptops to all corporate users. The next initiative was to find a flexible alternative to its traditional virtual private network (VPN), which offered both full- and split-tunnel modes but didn't give Priceline enough control over which specific assets a given user group would be granted access to, based on its roles at the organization.
Dropkin and his team set their sights on secure remote-access technology. Not only would enforcing least privilege become easier, but it would also simplify the process of granting access to consultants and other third-party users since it only involved the installation of a web client on their existing machines. The unattractive alternative was to issue them expensive corporate laptops with dedicated VPN clients.
After doing its due diligence, in June 2018 Priceline chose to go with Akamai Enterprise Application Access (EAA) technology, particularly because of its ability to proxy user connections. Priceline was still phasing in user groups and lines of business, so when the lockdowns started earlier this year, there were still plenty of situations where it leaned on a VPN to connect users to corporate assets.
"We had call centers with access to a legacy application that we allowed through a private VPN tunnel from their call center, but they did not have any type of remote access to their call center when the pandemic hit," Dropkin explains. "They sent all of their workers home with their corporate desktops – yes, that's what I said – and now we needed to basically provide the same type of access."
This was a more complicated scenario than when working with a consultant, which is usually a one-to-one relationship or involves just a small group of users through a sponsor at corporate.
"Now we're talking about hundreds of people at a call center that we have no direct relationship with who are connecting to our network on unmanaged, unchecked machines," Dropkin says.
By expanding its existing investment in secure remote access, Priceline was able to quickly rejigger those connections and enable some 700 call-center representatives to access the legacy application – and only the legacy application – through the use of EAA. The switch happened quickly, with very little downtime, and made the case for broader use of secure remote access to both Priceline and other Booking Holdings firms.
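The access model described above, in which the decision rests on a verified identity and role rather than on where the connection comes from, and each user group reaches only the applications its role needs, can be shown as a small policy check. This is an added illustration, not Priceline's configuration or Akamai EAA's code; the role-to-application table, the signed-token format, the signing secret and the user, application and IP values are all constructed for the example.

```python
"""Identity-aware access decision for the 'coffee-shop model' (constructed example).

The proxy in front of an application makes its decision from two things only:
  1. a verified identity token (authentication), and
  2. a role-to-application policy (authorization, least privilege).
The source IP is recorded for logging but deliberately plays no part in the
decision, so inside and outside connections are treated identically.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed demo secret; a real deployment would use the identity provider's keys.
SECRET = b"constructed-demo-secret-do-not-reuse"

# Constructed policy: role -> set of application names that role may reach.
# A call-center role sees exactly one application and nothing else.
POLICY = {
    "call-center": {"legacy-crm"},
    "engineer": {"legacy-crm", "ci", "wiki"},
    "contractor": {"wiki"},
}


@dataclass(frozen=True)
class Request:
    app: str          # application the client is trying to reach
    token: str        # identity token presented by the client
    source_ip: str    # logged only; never used in the decision


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    user: Optional[str] = None


def issue_token(user: str, role: str, ttl: int = 3600, now: Optional[float] = None) -> str:
    """Mint a token binding user, role and expiry under an HMAC (constructed format)."""
    exp = int((time.time() if now is None else now) + ttl)
    payload = f"{user}|{role}|{exp}"
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[Tuple[str, str]]:
    """Return (user, role) if the signature is valid and the token is unexpired, else None."""
    parts = token.split("|")
    if len(parts) != 4:
        return None
    user, role, exp, sig = parts
    payload = f"{user}|{role}|{exp}"
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forged signature cannot be probed byte by byte.
    if not hmac.compare_digest(sig, expected):
        return None
    if not exp.isdigit() or int(exp) <= (time.time() if now is None else now):
        return None
    return user, role


def decide(req: Request, now: Optional[float] = None) -> Decision:
    """Authenticate, then authorize against POLICY; source_ip is intentionally ignored."""
    identity = verify_token(req.token, now=now)
    if identity is None:
        return Decision(False, "authentication failed")
    user, role = identity  # the role comes from the signed token, not from the client
    if req.app not in POLICY.get(role, set()):
        return Decision(False, f"role '{role}' is not permitted to reach '{req.app}'", user)
    return Decision(True, "allowed", user)


if __name__ == "__main__":
    t0 = 1_700_000_000
    agent = issue_token("agent17", "call-center", now=t0)
    # Same identity, same application: inside and outside addresses get the same answer.
    for ip in ("10.0.0.5", "203.0.113.7"):
        print(ip, decide(Request("legacy-crm", agent, ip), now=t0))
    # Least privilege: the call-center role cannot reach other applications.
    print(decide(Request("wiki", agent, "10.0.0.5"), now=t0))
```

Two design points carry the security weight: the role is read from the signed token rather than from anything the client claims, so a client cannot promote itself; and `source_ip` is kept only for the audit trail, which is what makes "access from the outside equivalent to access from the inside" more than a slogan.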
Dropkin says Priceline has "accelerated" its priorities for the technology to replace VPNs outright – not only for convenience and security, but also as a cost savings, since the multiprotocol label switching (MPLS) lines needed to connect call centers via VPN are not cheap. Meantime, Booking Holdings has also started using EAA, and Dropkin is helping other brands explore their options where appropriate.
"In my new role of trying to get everybody on the same page, I've had discussions with the other brands, and we are in the middle of assessing needs and understanding their current capabilities," he explains. "The hardest thing for any corporation is to remove an infrastructure product that isn't broken, and getting your application owners to accept there is a better [and more secure] way of doing this."