Overview
Avalon Healthcare Solutions (Avalon), a provider of lab insights, wanted to give users secure and convenient access to business reports and health data through a web browser—without a VPN. Founded in 2013, Avalon has used a Zero Trust framework on Amazon Web Services (AWS) for its corporate applications from the beginning.
Avalon wanted to streamline its security processes while meeting the requirements of healthcare industry regulations. The company migrated to AWS Verified Access (AVA), which provides secure access to corporate applications without a VPN. Now, Avalon is simplifying identity verification, improving the user experience, and maximizing security and compliance under the AWS Shared Responsibility Model.
About Avalon Healthcare Solutions
Founded in 2013, Avalon Healthcare Solutions provides lab insights to enhance clinical outcomes by helping health plan and lab providers improve care through predictive analytics on digitalized lab results.
Opportunity | Using AVA to Enhance and Simplify Data Security for Avalon
Avalon aims to enhance clinical outcomes by helping health-plan and lab providers improve care through predictive analytics on digitalized lab results. The company has been using AWS and the Zero Trust model since the beginning. “Avalon was built with security first in mind, and we stick to this principle in everything we do,” says Eric Ellis, associate vice president of enterprise cloud technology at Avalon.
Business users and employees need secure remote access to reports for business and financial purposes. However, with the number of resources required for and the complexity of Avalon’s previous VPN solution, setting up new perimeter networks could take days. Avalon stores protected health information (PHI) using Tableau Server, an AWS Partner Solution. To support the Zero Trust model, Avalon siloes its business applications and Tableau Server. When trying to access resources, employees and business users had to sign in to different workspaces and VPNs and remember different passwords for each context.
Avalon needed to maintain strong security, streamline how users access reports and PHI, and uphold the Zero Trust framework. The company wanted users to have browser-based access on the edge instead of logging on to different cloud solutions. It began researching AWS solutions in May 2023 and adopted AVA in June. “We saw that not only could we use AVA to provide secure access to PHI, but we would also save the cost of trying to find another VPN solution, and we wouldn’t have to build additional infrastructure for other functionalities,” says Ellis.
In September 2023, Avalon deployed AWS Verified Access (AVA) to production, utilizing Okta, an independent provider of enterprise identity management and an AWS Partner. Previously, users experienced issues with VPN access to Tableau and problems with report downloads, leading to questions from the business about why the server couldn't be placed on the edge. At that time, we lacked a method to enforce zero trust network access. As business demand grew, we researched ways to provide zero-trust access on the edge for a sensitive data system.
Upon discovering AWS AVA, we eagerly set up a proof of concept (POC). We configured our existing Okta platform to use OpenID Connect to connect through AVA via our firewall to Tableau. This kept Tableau invisible to the general internet and provided the zero-trust network access we needed for our security design.
The result was a success! Users were thrilled with the improved experience, and report delivery was expedited. Both IT and Security's credibility increased significantly, and the accomplishment of integrating Tableau with AVA was applauded by leadership at the next all-hands company meeting. Ellis noted, "Utilizing AVA allowed Avalon to achieve all our goals while keeping PHI data secure."
Solution | Streamlining Identity Verification and Accelerating Perimeter Network Setup from Days to an Hour
Using AVA, Avalon’s employees access business reports by entering the application’s specific URL in the browser and logging in once through Okta. This way, external users can access PHI from a browser without using a VPN. AVA supports modern protocols, such as OpenID Connect with Okta and OAuth, for authenticating users. When a user visits a Tableau URL to access Avalon’s data, AVA authenticates them through Okta using OpenID Connect. After verifying that the user has the proper permissions and is in an approved security group, AVA forwards them securely to Tableau. Finally, Tableau confirms with Okta that the user is signed in before it presents any data.
Avalon has also implemented single sign-on to make access even more convenient for users. “We’ve greatly improved the user experience since adopting AVA,” says Ellis. “We’re expanding our services and offering something that we couldn’t before.” Avalon has achieved all this while maintaining industry compliance. The company has annual audits that check more than 700 controls, and it fulfills the requirements of healthcare industry regulations.
As an extra layer of security, Avalon runs a firewall behind AVA. The company used to log hundreds of thousands of attempts to break through the firewall each day. But since implementing AVA, it sees significantly fewer attempts to reach the firewall. That’s because if a person doesn’t have the correct identity and access management permission, AVA immediately blocks access. “By using AVA, we’re protecting our on-premises resources that are being accessed through the web,” says Juan Suarez, Cloud Security Engineer at Avalon. “We have a centralized gatekeeper to these resources, and we can control access.”
Avalon has also streamlined the process of setting up remote connectivity to applications, which used to take a day or more. Now, engineers can do this in about an hour. And the company has increased the number of users that can access data from a browser. After onboarding 50 business users to AVA by February 2024, Avalon expects this number to grow quickly. “We’ve made Zero Trust a lot simpler and quicker to implement by using AVA,” says Ellis. “We’re doing things that we’ve never done before, like putting a reporting server such as Tableau on the edge so that users can display it in a browser.”
While Avalon implemented AVA, they engaged AWS Enterprise Support, which provides a comprehensive suite of resources, including proactive planning, communication channels, and 24/7 expert support. “Avalon has been an AWS enterprise customer for over 10 years. AWS Enterprise Support was absolutely key to the success of our implementation of AWS Verified Access. They provided subject matter expertise that helped us through any issues or questions we had while implementing, and we can feel secure with this new design,” says Ellis.
Outcome | Connecting More Applications to AVA
Avalon has increased the number of employees and business users who can access data from a browser. Next, the company plans to migrate more applications, such as event management, file transfer, and business intelligence, to AVA.
“By using AVA, we’ve enhanced our security,” says Ellis. “The ease of use, level of security, and versatility of AVA are absolutely amazing.”