The traditional borders and boundaries of the Internet are breaking down. New web services, APIs, microservices, clouds, mobile devices, messaging, and sensors are pushing this transition even faster.
Exposing these services via firewalls and VPNs is becoming more costly and ultimately untenable with our mobile workforces and fluid organizational relationships. Imagine a herd of cats and try to put a fence around them. What if you were asked to gather up all the orange kittens to go through the gate?
Rather than confine our data and information behind more walls and boundaries, what if we were to use the atomic element of security -- Identity -- to be the new gatekeeper?
We here at Ping have moved the bulk of our on-premises applications outside the VPN since the launch of PingAccess last year. Since we have the full platform of PingOne, PingFederate, PingAccess and PingID at our disposal, our approach to moving applications to Borderless Identity is simple:
![pingaccess-diagram.png]()
- Identify Applications: "Need to Know, Need to Access" applies here. Also, regulatory compliance requirements are a consideration. We found almost all applications are good to move.
- Identify Access Requirements: Design and configure PingAccess policies protecting the application.
- DNS and Firewall Changes: Add your new app.company.com as a CNAME alias to pingaccess.company.com. Ensure PingAccess can access any API or Web ports for protection.
- Change any hostname and certificate settings in the application to point to the new hostname.
- Change the hostname in the PingFederate connection settings and add a hostname redirect validation setting as needed. Ensure PingID is enabled.
- Test that all new links are working.
- Add new link to PingOne dock.
- Remove VPN as needed, ensuring end users go through the new links.
Some pitfalls to avoid:
- Session timeouts set by the application or by network devices should be higher than those set at PingAccess; in other words, timeouts get shorter the closer you get to PingAccess.
- Hostname resolution must work everywhere.
- Network time must be synchronized.
- Old bookmarks can be handled by the PingAccess content and URL rewriting feature.
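A pre-cutover check for the DNS, certificate and time-sync steps above, as an added example that is not Ping's code or part of this post. app.company.com and pingaccess.company.com are the post's example names; the use of `dig`, port 443 and a 30-second clock-skew tolerance are my assumptions.

```python
"""Pre-cutover checks for an app moving behind PingAccess (added example, not
Ping's tooling). Hostnames are the post's examples; the 30 s skew is constructed."""
import shutil, socket, ssl, subprocess, time, urllib.error, urllib.request
from email.utils import parsedate_to_datetime

APP_HOST = "app.company.com"          # new alias for the application
PA_HOST = "pingaccess.company.com"    # PingAccess front door the CNAME must point at
MAX_SKEW_SECONDS = 30                 # constructed tolerance for clock drift

def cname_points_to_pingaccess(records, expected=PA_HOST):
    """True if any CNAME record (lines from `dig +short CNAME`) is the PingAccess host."""
    return any(r.strip().rstrip(".").lower() == expected.lower() for r in records)

def hostname_matches_cert(hostname, san_names):
    """Exact or single-label leftmost-wildcard match of hostname against DNS SANs."""
    host = hostname.lower()
    for name in (n.lower() for n in san_names):
        if name == host:
            return True
        if (name.startswith("*.") and host.count(".") == name.count(".")
                and host.endswith(name[1:])):
            return True
    return False

def clock_skew_ok(local_epoch, reference_epoch, max_skew=MAX_SKEW_SECONDS):
    """Token lifetimes are checked by the clock; drift beyond max_skew breaks logins."""
    return abs(local_epoch - reference_epoch) <= max_skew

def live_checks():
    """Run the three checks against the real hostnames (needs network access)."""
    dig = shutil.which("dig")
    out = subprocess.run([dig, "+short", "CNAME", APP_HOST],
                         capture_output=True, text=True).stdout if dig else ""
    print("CNAME ->", PA_HOST, cname_points_to_pingaccess(out.splitlines()))
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still verified; the name match is reported by us
    with socket.create_connection((APP_HOST, 443), timeout=5) as sock, \
            ctx.wrap_socket(sock, server_hostname=APP_HOST) as tls:
        sans = [v for k, v in tls.getpeercert().get("subjectAltName", ()) if k == "DNS"]
    print("cert covers", APP_HOST, hostname_matches_cert(APP_HOST, sans))
    req = urllib.request.Request(f"https://{PA_HOST}/", method="HEAD")
    try:
        resp = urllib.request.urlopen(req, timeout=5)
    except urllib.error.HTTPError as err:  # a 401/403 from PingAccess still carries Date
        resp = err
    ref = parsedate_to_datetime(resp.headers["Date"]).timestamp()
    print("clock within", MAX_SKEW_SECONDS, "s", clock_skew_ok(time.time(), ref))

if __name__ == "__main__":
    live_checks()
```

Run it from the application host before removing the VPN route; a False on any line points at the matching step in the list above.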
We can usually knock this out in an hour or two, the longest part being firewall changes and any application restarts to update the hostname/certificates.
The benefits are huge:
- More Secure: Groups no longer have access to everything behind the VPN, just the applications they need.
- Saves Time: Less firewall and VPN maintenance.
- Saves Money: Some applications had both a cloud and an on-premises license.
- Quick Access: On mobile devices.
- New Partners: No problem. Just add a new policy.