Priceline, part of Booking Holdings Inc., is the leader in online travel deals. Priceline.com offers travelers smart, easy ways to save on hotels, flights, rental cars, packages, and cruises.
While Booking Holdings employs about 30,000 people, Priceline has approximately 1,000 employees globally. Like other companies with a distributed workforce — including contractors for special projects — Priceline must enable secure access to applications and data on its corporate network. However, it needed a better option than a traditional VPN solution.
As Joe Dropkin, Principal Server Engineer for Priceline, explains, “Our mantra is to give workers the resources they need to be efficient. But we need to make sure they only access needed applications and data.”
Priceline provides remote workers with a laptop configured with all necessary Priceline software so they can gain VPN access to the corporate network. In the 15 years Dropkin has worked for Priceline, the company has used three different VPN solutions. The first was a full-tunnel solution, the second allowed a split-tunnel environment, and the most recent is a hybrid of the two.
While a full-tunnel solution makes all internal resources available, Priceline is seeing less need for such access as it increasingly moves to cloud-based applications. The split-tunnel solution limits access to only necessary resources. However, it can be easily manipulated, meaning remote users could potentially gain access to resources that should not be accessible to them.
The company also uses Citrix to grant access to certain applications. Unfortunately, this does not give users the freedom to choose the application they prefer to access needed data.
Dropkin subscribes to the philosophy that organizations should secure their data at the application layer as well as at the gateway layer. “It’s not realistic to assume all users will take care of ensuring our data remains safe. I need to do what is necessary to prevent users from getting at applications and data that they should not access.”
As Dropkin weighed his options, he quickly ruled out a separate firewalled Citrix environment complemented by tools that enabled granular access control. “This would have been too costly. We would have to pay for each Citrix license, the access control tools, the Active Directory license, and for our network engineers to maintain firewall rules,” he says.
The vendor that Priceline uses for identity and access management did not plan to develop capabilities that enable access to both internal and external applications, but suggested Dropkin consider Enterprise Application Access (EAA) from Akamai.
A proof of concept enabled Dropkin to get a clear idea of how Priceline would benefit from EAA. He liked that the EAA connection is proxied for users, and he appreciated the ability to enable protection for the entire Priceline network — without needing agents on each network resource. He was also impressed that EAA uses outbound connections without needing to make inbound connections via a firewall. Finally, he found the ease of deployment appealing.
Previously, Priceline had to set up an external DNS name for every internal and external resource. Now it can handle this easily via the EAA admin console. “I can deploy a new application in mere minutes just by setting up a connector. And I can do this without bothering my colleagues in charge of DNS, infrastructure, and networking.” Dropkin can also choose whether remote workers should download the EAA client or use the online version of the solution.
With EAA, Priceline can now provide remote workers with streamlined access to internal resources. “We no longer need to equip each remote worker with a $2,500 laptop configured with our software. The lightweight Akamai client saves us on bandwidth by enabling us to avoid a full tunnel into our environment, while ensuring more secure access to necessary resources.”
In fact, Priceline is streamlining its Citrix environment and avoiding the need for other resources — such as physical servers and the operational overhead to maintain this environment — while greatly simplifying how it enables access. “I can assign each application to an Active Directory group, and our help desk can grant access to the right resources simply by adding users to the relevant group. Controlling the data instead of the users is far more secure,” Dropkin explains.
According to Dropkin, an unexpected benefit is using the Akamai network as a global load balancer. “We don’t need an additional load balancer service for our DNS names. Akamai will always find an available resource, and I no longer need to update DNS records when one of our resources is out of service,” he continues.
Going forward, Dropkin intends to provide all Priceline personnel with access to needed resources via EAA where appropriate. “We are moving toward a Zero Trust model where we focus on making sure each person can access the right — and necessary — resources in a timely manner. With Akamai EAA, we are making that vision a reality,” Dropkin concludes.
Priceline, part of Booking Holdings Inc. (NASDAQ: BKNG), is a world leader in travel deals. Priceline offers exclusive discounts on hotels, flights, rental cars, cruises, and packages. We offer more than a million lodging properties, helping travelers find the right accommodations at the right price. We negotiate great deals every day, and put our best pricing on the Priceline app. With free cancellation for many rates, 24-hour customer assistance and the option for both pre-paid and pay upon arrival reservations, Priceline helps millions of travelers be there for the moments that matter. For us, every trip is a big deal.