Whack-a-mole (noun):
“An arcade game in which players use a mallet to hit toy moles, which appear at random, back into their holes. Also used with reference to a situation in which attempts to solve a problem are piecemeal or superficial, resulting only in temporary or minor improvement.”
For some who work in IT and security, whack-a-mole can sound a lot like their day-to-day jobs. Whether the IT issues at hand are seemingly harmless or unnervingly problematic, IT has a variety of tools to whack issues away.
But what if, instead of adding tools to get rid of mole-like issues, IT could cover up the holes from which they tend to pop up? Why not protect what needs to be protected and cast aside what doesn’t?
Now the question is, what do we think needs to be protected and how? But before we start to identify our core assets, let’s consider what mallet-like security products are currently in play.
How IT Enforces Security Today
Customers typically use multiple proxies and security solutions to control access to applications deployed locally in a data center, applications consumed as SaaS through a browser, and native mobile apps. Separate solutions, often deployed as proxies, control access to the internet, manage devices, and more. Because these products come from multiple vendors, they have separate policy sets and separate analytics engines, are siloed from each other, and rarely offer the same depth of security. As the saying goes, “You are only as strong as your weakest link”: one product that is not integrated with the rest, or that lacks the needed granularity of control, can expose your entire network to both external and internal threats. Some of the security issues that result from building an infrastructure out of point products are:
- There is no (or limited) integration across multiple vendor products.
- A product that inherently trusts a device, a URL, or a whitelisted application (all of which can be malicious) can expose an entire network to threats.
- In a heterogeneous environment whose products are not integrated, it is impossible to build a single risk profile of a user and act on it preventively.
- Cloud adoption makes traditional perimeter security obsolete, because the virtual boundary of an enterprise now spans branch sites, centralized private data centers, and multiple public clouds where apps and workloads reside.
To get consistent security across all of these products, they need to follow a common norm and standard. Such a framework not only helps achieve a common business outcome, it also ensures a much better end-user experience and delivers greater security value.
To implement this framework as part of a successful security strategy, we need to reduce the attack surface by consolidating onto security products that are user- and app-centric rather than location- and perimeter-centric. This makes an environment simple, yet secure. Zero trust helps resolve a lot of these issues. But, before we get into the solution, let’s take a step back and revisit zero trust.
What is Zero Trust?
Zero trust is the principle that trust between a user (and their device) and the resources they access is never assumed and must be continually earned. Zero trust is not a product or a solution. Rather, it is an approach or framework that IT can use to enable secure access to all applications, from any device, by establishing trust between the device and an application not only at the time of login but at every subsequent touchpoint.
Starting from a “default deny,” access is granted only after verifying an entity by user and device credentials as well as other factors, including time, location, and device posture. Posture is re-evaluated during the session, and an end user can be reauthenticated if an anomaly is detected anywhere in the enterprise environment.
(If that sounds familiar, it’s because Citrix has been doing contextual access policies for a long time. More on this later.)
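As an added example (not code from the original post or from Citrix), the following Python sketches what a policy engine built on the principles above actually does: it starts from deny, admits a request only when credentials, MFA, device posture, time and location all pass, and re-runs the same evaluation at every touchpoint against what the session looked like last time, so that a change in context such as an implausibly fast change of country forces reauthentication rather than continuing on login-time trust. The attribute names, the thresholds (permitted hours, a two-hour travel window) and the sequence of requests in `run_demo` are assumptions constructed for this example, not any product's policy.

```python
"""Minimal zero-trust policy evaluator (added example; assumed attribute names
and thresholds, constructed sample requests)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class Decision(str, Enum):
    DENY = "deny"
    ALLOW = "allow"
    REAUTH = "reauthenticate"


@dataclass(frozen=True)
class Context:
    """Everything the engine knows about one access attempt or in-session touchpoint."""
    user: str
    authenticated: bool   # primary credential verified by the identity provider
    mfa_passed: bool      # second factor (FIDO2, OTP, biometric) completed this session
    device_managed: bool  # managed device or sandboxed workspace app (assumed attribute)
    device_patched: bool  # posture check: OS and agent up to date (assumed attribute)
    country: str          # geo-IP country of the request
    at: datetime          # request time, tz-aware UTC
    sensitivity: str      # "low" or "high", an assumed label on the target application


@dataclass
class Session:
    """Context recorded at the last allowed touchpoint, the baseline for continuous evaluation."""
    user: str
    country: str
    last_seen: datetime


# Assumed policy constants for the example.
ALLOWED_HOURS = range(6, 22)          # 06:00-21:59 UTC
MIN_TRAVEL_TIME = timedelta(hours=2)  # a country change faster than this is suspect


def evaluate(ctx: Context, session: Optional[Session] = None) -> tuple[Decision, str]:
    """Return (decision, reason). Default deny: only passing every check yields ALLOW;
    the first failing check short-circuits to DENY or REAUTH."""
    if not ctx.authenticated:
        return Decision.DENY, "credentials not verified"
    if not ctx.device_patched:
        return Decision.DENY, "device posture: unpatched"
    if ctx.sensitivity == "high":
        if not ctx.device_managed:
            return Decision.DENY, "high-sensitivity app requires a managed device"
        if not ctx.mfa_passed:
            return Decision.REAUTH, "high-sensitivity app requires MFA"
    if ctx.at.hour not in ALLOWED_HOURS:
        return Decision.DENY, "outside permitted hours"
    if session is not None:
        # Continuous evaluation: judge this touchpoint against the previous one.
        if session.user != ctx.user:
            return Decision.DENY, "session/user mismatch"
        if ctx.country != session.country and ctx.at - session.last_seen < MIN_TRAVEL_TIME:
            return Decision.REAUTH, "impossible travel since last touchpoint"
    return Decision.ALLOW, "all checks passed"


def touchpoint(ctx: Context, session: Optional[Session]) -> tuple[Decision, str, Optional[Session]]:
    """Evaluate one touchpoint; on ALLOW the session baseline moves forward,
    on DENY/REAUTH it is left untouched so the anomaly is not silently absorbed."""
    decision, reason = evaluate(ctx, session)
    if decision is Decision.ALLOW:
        session = Session(user=ctx.user, country=ctx.country, last_seen=ctx.at)
    return decision, reason, session


def run_demo() -> list[tuple[Decision, str]]:
    """Constructed sequence: login, a high-sensitivity app, an impossible-travel
    touchpoint, a fresh reauthentication, then a posture failure mid-session."""
    t0 = datetime(2024, 5, 6, 9, 0, tzinfo=timezone.utc)
    base = dict(user="alice", authenticated=True, mfa_passed=True,
                device_managed=True, device_patched=True, country="DE")
    steps = [  # (context, fresh_login) where fresh_login resets the baseline after reauth
        (Context(**base, at=t0, sensitivity="low"), False),
        (Context(**base, at=t0 + timedelta(minutes=30), sensitivity="high"), False),
        (Context(**{**base, "country": "US"}, at=t0 + timedelta(minutes=40), sensitivity="low"), False),
        (Context(**{**base, "country": "US"}, at=t0 + timedelta(minutes=45), sensitivity="low"), True),
        (Context(**{**base, "country": "US", "device_patched": False},
                 at=t0 + timedelta(hours=1), sensitivity="low"), False),
    ]
    results, session = [], None
    for ctx, fresh_login in steps:
        decision, reason, session = touchpoint(ctx, None if fresh_login else session)
        results.append((decision, reason))
    return results


if __name__ == "__main__":
    for decision, reason in run_demo():
        print(f"{decision.value:14} {reason}")
```

Two design points are worth noting. The baseline session is only advanced on ALLOW, so a REAUTH or DENY never becomes the "normal" against which the next request is measured; and after a successful reauthentication the caller passes `session=None`, treating it as a fresh login rather than trying to reconcile the anomalous context with the old one.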
What’s the Big Deal?
For years, access management was as simple as granting access to in-network devices and protecting the data centers that stored corporate data. Now that employees access many application types (many of them off premises due to cloud adoption) from outside the network and on both personal and corporate-owned devices, access management has become a lot more complex. Having multiple single sign-on (SSO) or access-management products in an environment increases that complexity and expands the attack surface: every additional authentication and authorization path is another place a weakness can be exploited.
Zero trust reduces this complexity by removing assumed trust and confirming it every step of the way. In simpler terms, we need solutions that apply access policies not only at the time of authentication but throughout the session, across all types of applications, whether deployed in a cloud, on premises, or delivered as SaaS. For an end user, security should be invisible and omnipresent regardless of location. For IT, security should be granular, contextual, and continuous.
How Do I Achieve Zero Trust?
Because zero trust is an approach and not a product, it’s not a matter of tearing something out and plugging something else in. Zero trust is achieved through the intentional implementation of a framework, or a collection of products that have zero-trust principles built in, are integrated, and work together toward the business outcomes. This removes the need to keep adding redundant point solutions and the constant search for new ways to reduce the threat surface. Access management, privacy by design, and adaptive authentication are a good place to start.
Why Citrix?
Going back to our “whack-a-mole” example, Citrix provides protection for all your business assets through Citrix Workspace, delivering an end-to-end solution based on a zero-trust framework. With the portfolio of products and the security services we provide today, zero trust is just an organic path for us to follow.
A lot of security vendors are talking about zero trust as a solution to today’s challenges, but not many provide complete protection of business and company assets. They offer mallets to hit the moles that keep popping up. Citrix, on the other hand, helps you plug the holes entirely, even as your enterprise continues to expand globally. For example, we realize users have both business and personal lives, and they use the same device to access both personal and business content. Today, users are typically required to enroll their device with an MDM solution, which raises privacy concerns for employees using the same device to access personal assets.
Citrix focuses on delivering zero trust not only to address concerns around device and access security, but also to address privacy concerns and the end-user experience. While most security vendors solve a zero-trust use case by requiring device enrollment with MDM, Citrix provides a zero-trust deployment by identifying and securing the information that actually needs protection.
Consider unmanaged devices. In this case, Citrix provides end users with an app they can install on any device. This app, the Citrix Workspace app, creates a secure environment that protects all the assets contained within it, without enrolling the device in an MDM solution. It enforces contextual security policies for all kinds of applications (SaaS, web, virtual, mobile), not only at the time of access but throughout the user session.
Citrix Workspace with Citrix Gateway can select the authentication mechanism for a session based on factors like the user’s location and the risk profile of the user or device. It supports FIDO2, passwordless, biometric-based, and regular OTP-based authentication mechanisms.
Once a user successfully logs in, Citrix Workspace monitors user activity across all applications and locations. Upon detecting an anomaly or suspicious behavior, the system can take actions such as reauthenticating the user, recording the user session, and protecting user or business information from being stolen by a keylogger or screen-capture malware installed on the end-user device.
In addition, Citrix Workspace enables admins to define what users can access on the internet. Through an integrated web filtering engine, it checks for security threats in real time and protects application access by continually evaluating each URL accessed from within Citrix Workspace. It also offers an isolated browser service for accessing whitelisted and other internet applications.
These capabilities enable Citrix Workspace to deliver a zero-trust deployment for all your application workloads. Using Citrix Workspace, customers don’t need to deploy third-party products for SSO, MFA, SSL VPNs, web proxies, and browser isolation. Better yet, when the virtual unified infrastructure includes Citrix ADC and Citrix SD-WAN, the protection extends consistently and continuously across enterprise branches and into the hybrid multi-cloud. This not only enables a better user experience and better ROI, it also provides the granular and consistent security policies that a zero-trust outcome requires.
Do I Need to Rip and Replace Anything?
The simple answer is no. Citrix understands its customers have invested in infrastructure like identity platforms, SIEM/SOC tooling, and web proxies, and is working to integrate with third-party products in each of these areas to allow for a seamless deployment of Citrix Workspace.
As an example, Citrix integrates with Microsoft Active Directory, Microsoft Azure AD, and Okta user directories and with the contextual policies that come with these platforms. Look for announcements coming up in this area. For analytics, Citrix integrates with Splunk, Microsoft Security Graph, Microsoft Sentinel, and more, and we’re looking to integrate with more vendors in this space. In addition, we are working to complete integrations with web proxies (SWGs) and policy engines, as well as third-party SD-WAN solutions.
Citrix is continuing to invest in zero trust, and it will be a focal point in the coming years. Keep your eye on the Citrix blog as we share how we’re continuing to invest in and innovate with our security offerings. And check out our post on why SSL VPNs are obsolete in the era of hybrid multi-cloud and simply do not make the cut for a zero-trust deployment.
Looking for more insights? Read the zero trust section of our Unified Security Guide.