Brought to you by:
Enterprise Strategy Group  |  Getting to the Bigger Truth™

ESG SHOWCASE

Axis Security: Simplifying Secure Access for the Modern Enterprise

By John Grady, Senior Analyst
January 2021

Abstract

Traditional approaches to application access have not evolved to meet the modern enterprise environment. The adoption of cloud, the shift to remote work, and the expansion of application ecosystems have served to complicate secure application access. To ensure simplicity, flexibility, and security, organizations should consider cloud-based, zero-trust focused access solutions to connect employees, contractors, and partners to the applications they use to be productive. The Axis Security Application Access Cloud provides an agentless-first, cloud-centric approach to zero-trust application access.

Traditional Secure Access Approaches Have Difficulty Addressing the Distributed Enterprise

The number of applications used in today’s enterprise has exploded. In fact, 62% of those surveyed indicate their organization supports at least 250 business applications.[1] Though some of these applications may still be located in an on-premises data center, they are increasingly likely to be delivered via software-as-a-service (SaaS) or hosted in a public cloud. Additionally, employees, partners, and contractors are often accessing these applications from outside the corporate network, further complicating the dynamic. This trend has certainly been accelerated by the pandemic, but most enterprises anticipate that employees will continue to work at least part-time outside of corporate locations even after the crisis subsides. Specifically, 79% of IT decision makers anticipate more work-from-home flexibility moving forward.[2]

Historically, remote users have accessed corporate applications through a virtual private network (VPN). When applications resided in the corporate data center and a limited number of employees were only rarely accessing those applications remotely, this made sense architecturally, if not from a security perspective. Over the years, many companies have added virtual desktop infrastructure (VDI) and cloud access security brokers (CASBs) to secure access to the different types of applications across their organization. However, this disjointed approach cannot effectively address today’s distributed environment for several reasons, including complexity, security, performance, and cost (see Figure 1).[3]

Complexity. The VPN model is difficult to scale to external users such as partners, contractors, and newly acquired companies, especially in a time-efficient manner. Additionally, while VPN, CASB, and especially VDI can introduce complexity in their own right, navigating the deployment, configuration, and management of these tools when used simultaneously for secure access only exacerbates the issue. Managing the licenses, infrastructure and endpoint requirements, as well as integrations with visibility, workflow, and response tools across these access solutions can lead to inefficiencies and ultimately ineffectiveness.

Security. VPNs provide broad network-level access, potentially allowing users to access much more than just the intended application—a model that does not align with the zero-trust strategy many organizations have begun to embrace. While adding CASB and VDI may provide more granular control, maintaining policy and visibility consistency across multiple secure access tools is difficult and can ultimately reduce the level of security effectiveness.

Performance and user experience. The VPN model requires remote user traffic to be backhauled to on-premises appliances, only to be routed back out to the cloud, which can introduce latency and impact performance. When used in conjunction with VDI, the user may be forced to access different applications using different methods—for example, connecting through a VPN gateway for Salesforce access, and using a VDI workspace for internal applications, rather than directly accessing all applications natively and transparently.

Cost. During the initial shift to remote work, the stress put on on-premises appliances including VPN concentrators, firewalls, and intrusion prevention systems forced some organizations to increase capacity or ration access, resulting in either unanticipated capital expenditures or poor user experiences. The appliance-centric nature of VPNs also makes it an expensive model to maintain. Adding VDI for remote access use cases only increases cost and complexity, with both a virtual desktop infrastructure and a VDI-associated network access gateway to provision and scale. Organizations using multiple tools are likely to spend more on both procurement and operations. In all cases, the costs associated with traditional approaches can be significant.

Figure 1. Top Secure Access Challenges

What are the biggest issues your organization faces with regard to securing employee access to corporate applications and resources? (Percent of respondents, N=376, three responses accepted)

Source: Enterprise Strategy Group

Secure Access Should Be Cloud-delivered, Simple, and Zero-trust Focused

With both users and applications increasingly residing outside of the corporate environment, centralizing secure access in the cloud represents an attractive approach to address the challenges previously discussed. Rather than relying on appliance-centric VPNs, or multiple access tools, modern secure access solutions leveraging the scalability of the cloud provide organizations with consistency, flexibility, and agility.

Centralizing secure access for most enterprise applications across both the data center and public cloud provides a consistent policy engine and unified visibility across a broad set of user access behaviors to optimize detection, investigations, and response. Additionally, shifting from a hardware-based architecture to a SaaS-based architecture provides more resiliency for organizations to scale access capabilities up and down as needed to support more employees, more third parties, or more applications, without having to deploy additional appliances.

To address the different types of applications using different protocols, and different types of users accessing those applications, the ability to support both agentless and agent-based approaches has become an increasingly important requirement. While an agentless approach is often the priority to reduce endpoint clutter, simplify the user experience, and support third-party access, an agent may be necessary for access to TCP/UDP applications, thick client applications, or when end-to-end encryption is required. Solutions that provide coverage across both models can help organizations meet a broader set of their secure access needs through a single tool.

Finally, secure access solutions must integrate with existing enterprise tools and workflows. Native capabilities for visibility, monitoring, and response are important as part of any secure access solution, but the reality is that many enterprises have existing toolsets and workflows for SIEM, SOAR, and EDR that have been refined over time. Secure access solutions that can provide centralized visibility across applications on their own as well as integrate with the SOC tools already deployed provide additional flexibility for enterprises.

Support for Zero-trust Tenets

Interest in zero-trust continues to grow as organizations seek to modernize their security program, reduce the attack surface, and limit the blast radius when the network does become compromised. In fact, 63% of organizations report they have implemented zero-trust tenets to one extent or another in their environment.[4] A significant focus of zero-trust has been modernizing application access. To support a zero-trust model, organizations must ensure that connections between entities and resources are made on a one-to-one basis and continually validated with deep context relative to the user, device, location, and other criteria. For example, while a user may generally have access to a particular application, the variables of their connection at a point in time (such as the time of day, geolocation, or device being used) may warrant limiting the functionality of the application. This could include limiting the user to read-only access or preventing downloads to protect corporate data.

Centralizing access controls can help ensure consistency and, as a result, improve security. Yet at the same time, a zero-trust strategy requires more than a single tool to implement, making the ability to integrate with other solutions even more important. For example, telemetry from unified endpoint management (UEM) and endpoint protection platforms (EPP) can be used to determine device health; integration with identity providers (IdP) is critical to ensure strong authentication and proper authorization; user and endpoint behavior analytics (UEBA) can provide context into user risk; and data loss prevention (DLP) tools can incorporate the sensitivity of the data being accessed into the policy decision.

While zero-trust represents a strategic approach to security requiring more than a single tool, the ability to centrally enforce granular access policies to applications regardless of their location or the location of the user requesting access is a good starting point on the zero-trust journey. Ultimately, through a cloud-centric approach to secure application access, organizations benefit from improved user experiences, faster deployments, broader coverage across application types and locations, reduced complexity, and stronger security.

Enter the Axis Security Application Access Cloud

Axis Security was founded in 2018 and is headquartered in San Mateo, California, with research and development located in Tel Aviv, Israel. The company has secured a total of $49 million through Series B funding. It publicly launched from stealth in March of 2020 with an innovative solution for secure access that addresses many of the challenges previously discussed. Prior to exiting stealth, the company engaged with large enterprise CISOs, including many in the Fortune 500, to qualify the application access issues facing organizations and inform the Axis Security product architecture. As a result, the company already boasts a number of Fortune 500 customers, in addition to users outside the large enterprise space.

The Axis Security Application Access Cloud provides centralized application access, control, and policy management, regardless of user location or device. It is composed of the Axis Cloud and optional application connectors that can be deployed across both data center and public cloud instances. The container-based connector communicates outbound to the Axis Cloud, isolating the application from public view and limiting access to the application layer, which is discretely controlled by the Axis Cloud. This makes the application invisible to those who do not have the requisite access and prevents attacks via port scanning, malformed packets, or other DDoS vectors, supporting a zero-trust model of application access.

The solution requires no network changes, serving instead as an overlay on top of the existing network infrastructure. This helps simplify deployment and prevents network breaches from impacting applications. Because the solution works at the application layer, policies can be written to dictate partial access to prevent downloads, provide read-only visibility, or limit database access. Context such as IP address, location, time of day, user history, and other variables can all be used as part of the policy construct.

The solution is agentless first, meaning that although an agent is not required, one is available for specific use cases. Axis supports agentless access for applications using HTTP, RDP, and SSH, as well as databases and git. Axis supports thick client and TCP/UDP applications (including VoIP and peer-to-peer applications) as well as use cases requiring server-initiated connections, isolated network segment access, or end-to-end encryption. Integrations are available with device and asset management solutions for device posture assessment, with identity providers for authentication and authorization, and with SIEM tools for analytics and SOC workflow. Additional integrations on the Axis Security roadmap include security orchestration and response, DLP, and UEBA. The Application Access Cloud centrally and continually monitors user activity, providing visual session recording as well as user and application risk analysis.

The Bigger Truth

While the pandemic has highlighted the shortfalls of existing approaches to secure access, the reality is that the market has been poised for a transition for some time. Security is often forced to play catch up with the broader IT environment, and secure access has been no different. Despite massive changes to enterprise application strategies, until recently, organizations continued to use the same security tools as when the corporate environment revolved around the data center and campus network. The need to scale application access to a suddenly remote workforce represented the tipping point for a number of organizations. As a result, the modern enterprise requires a centralized, cloud-delivered, zero-trust focused secure access solution, which Axis Security delivers through their innovative Application Access Cloud.

This ESG Showcase was commissioned by Axis Security and is distributed under license from ESG.

[1] Source: ESG Master Survey Results, Trends in Modern Application Environments, Dec 2019.

[2] Source: ESG Master Survey Results, Technology Impact of COVID-19: IT Decision Maker (ITDM) View, May 2020.

[3] Source: ESG Master Survey Results, Transitioning Network Security Controls to the Cloud, Jul 2020.

[4] Source: ESG Master Survey Results, Network Security Trends, Mar 2020.

All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at 508.482.0188.

Enterprise Strategy Group is an IT analyst, research, validation, and strategy firm that provides market intelligence and actionable insight to the global IT community.