Even as malware becomes ever more sophisticated, the success of an attack often hinges not on its code, but on the flesh-and-blood factor: the unwitting employee or contractor who opens the wrong email, clicks on the wrong link or visits the wrong web page. Artificial intelligence gets smarter every day and can help augment typical defense methods, but all the user education in the world can’t eliminate the kind of security hygiene lapses that can leave an organization in ruins.
The challenge is all the more daunting in a world where the cloud has erased the traditional notion of perimeter security. As users leave the office behind to connect over public Wi-Fi, consumer broadband and other unknown access points, you can’t count on the security of your own enterprise network as a front line of defense. The plain fact is that the perimeter as we know it has shrunk, but it has also multiplied. The next catastrophic phishing attack may already be lurking in an employee’s inbox as they open their laptop in some Starbucks or airport lounge. How confident are you that they won’t inadvertently trigger its deadly payload?
A key way to mitigate the risk of phishing and malware is, in effect, to protect users from themselves (and protect your business at the same time). By taking a fine-grained, contextual approach to access control, you can keep data and apps out of harm’s way in scenarios where they may be at risk.
Here’s how it works. Citrix SmartAccess and SmartControl features let you set policies over exactly when, and under what conditions, to allow access to specific apps and their data: which user identities and roles, which types of network connections (or specific networks), which locations, and which devices with which compliance status. Before authorizing access for a given session, the Citrix NetScaler Gateway will run through this checklist to make sure no red flags come up. If the context checks out, no problem—access away! But if the context falls short of your policies, the user will have to wait for a safer opportunity—and the would-be hacker is out of luck.
To understand the power of contextual access, consider the kinds of questions that can now inform your security policy:
- Do we have applications that should be restricted to onsite-only usage, or even to specific physical zones within our office?
- Is there data that should never be exposed on the device of an international traveler?
- Exactly who should be authorized to work with sensitive financial or personal data on a mobile device? The CxO, sure—but what about analysts, data entry contractors, third-party auditors … this question becomes even more important with the impending arrival of the GDPR.
- What’s your comfort level for allowing access to specific apps and data over public networks, or on unmanaged devices?
- Which data does a given role actually need to get their work done in a given scenario? Do you want to take an additive or a subtractive approach to the access you allow?
That kind of granularity, based on real-world contexts and risk factors, gives you a tremendous amount of control to protect apps and data without overly restricting people’s ability to get their work done. Put another way, it means you can let people do the most possible without putting your business at risk—instead of having to make blanket statements like, “it’s never okay for anyone to work in an airport lounge” (ridiculous) or “okay, everyone can work in an airport lounge, but please be careful” (suicidal).
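The per-session checklist described above, sketched as an added example (this is not Citrix code or SmartAccess policy syntax): a deny-by-default evaluator over the context attributes the article lists. The app names, roles, network labels and country codes are constructed for illustration.

```python
from dataclasses import dataclass

ANY = frozenset({"*"})  # wildcard: attribute is not restricted for this app

@dataclass(frozen=True)
class Session:
    role: str
    network: str            # constructed labels: "corporate", "home", "public"
    country: str
    device_managed: bool
    device_compliant: bool

@dataclass(frozen=True)
class AppPolicy:
    roles: frozenset
    networks: frozenset
    countries: frozenset
    require_trusted_device: bool

# Constructed policies mirroring the questions in the list above.
POLICIES = {
    "badge-admin": AppPolicy(frozenset({"facilities"}), frozenset({"corporate"}), ANY, True),
    "finance-ledger": AppPolicy(frozenset({"cxo", "analyst"}),
                                frozenset({"corporate", "home"}),
                                frozenset({"US"}), True),
    "intranet-wiki": AppPolicy(ANY, ANY, ANY, False),
}

def _permits(allowed, value):
    return "*" in allowed or value in allowed

def evaluate(app, s):
    """Return (allowed, failed_checks). Apps without a policy are denied."""
    policy = POLICIES.get(app)
    if policy is None:
        return False, ["no-policy"]
    failed = []
    if not _permits(policy.roles, s.role):
        failed.append("role")
    if not _permits(policy.networks, s.network):
        failed.append("network")
    if not _permits(policy.countries, s.country):
        failed.append("country")
    if policy.require_trusted_device and not (s.device_managed and s.device_compliant):
        failed.append("device")
    # Every failed check is reported so the denial can be audited.
    return not failed, failed
```

Returning the full list of failed checks, not just the first, gives the audit trail enough detail to show why a session was refused.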
At Citrix, we are committed to being the industry leader in the secure delivery of apps and data. Through a combination of our deep understanding of our customer environments and our relentless drive to innovate around our core products, we are helping organizations around the globe to improve their overall productivity without sacrificing security. Earlier in 2017, we announced the Citrix Analytics Service, a component of which lets Citrix customers track all aspects of user behavior and, by leveraging advanced machine learning algorithms, distinguish normal employee behavior from that of a malicious attacker.
Combine this contextual access with centralized visibility, monitoring, reporting and auditing over network and user behavior, and you’re well protected from even the most absent-minded user.