
Cloud-hungry businesses need data centre security – even outside of the data centre

Controlling user access privileges has always been essential to enterprise security, but today's cloud and mobile-driven computing environments make that control hard to maintain. Thankfully, combining time-honoured remote access technologies with increasingly intelligent – and portable – business policies offers new promise for those struggling to extend internal security measures to outside IT services.

That extension has become essential as CSOs struggle to maintain control over what are increasingly becoming “islands of applications and data”, says Phil Caleno, senior manager for networking with Citrix.

“The first step in security was always to build a wall around your data centre and protect everything inside it,” he explains.

“Most of the consumption of apps and data used to happen within a trusted zone, and the security infrastructure tended to sit at the edge of the data centre. But now that things are picking up and moving out to the cloud, we're building islands of applications.”

Linking those islands will require a strong identity and access management (IAM) framework, particularly as increasing use of cloud services fosters stronger demand for flexible and effective application security.

The road to flexibility. Evolving and accepted standards, such as Security Assertion Markup Language (SAML), are gaining currency as a way of carrying a user's authenticated identity across those islands without re-issuing credentials for each one. Yet IAM frameworks will need to become more flexible as users not only bring their own devices but bring their own identities too – relying on services like Facebook to manage their identities in a way that can also be extended to enterprise services.

These elements are just part of the overall picture that will increasingly see cloud-based applications accessed by users on mobile devices – all of whom need to be authenticated using the same rigour as has historically been enforced on users of on-premises applications.

A key enabler for this has been the virtualisation of functions such as remote desktop delivery, which was previously handled by companies that installed large numbers of dedicated thin-client servers in their data centres. These could then be managed and upgraded centrally, retaining control of the users' workspaces while enabling delivery to a broad range of devices.

While it has long been heavily utilised by private and public-sector organisations of all sizes, however, this form of delivery offered relatively low granularity: access control, and control over the information flowing to and from the virtual desktops, was limited.

That architecture supported a multiplicity of users, but required an extensive commitment of back-end resources that anchored the services well within the corporate network. Yet with cloud-based service delivery now well entrenched among customers, Citrix has moved to divorce the desktop delivery services from their earlier hardware requirement – implementing them instead within virtual machines that can run in the cloud just as easily as on a local server.

This shift has revolutionised the delivery of desktops, but further innovation was required to ensure that internal access controls can be extended to desktops even when they are running on systems outside the enterprise.

This control has come in the form of the Citrix NetScaler Application Delivery Controller (ADC), a comprehensive application security platform that complements the delivery of online workspaces with rights and access management that allows organisations to maintain control over their applications no matter where they're running – or where they're accessed.

NetScaler allows organisations to build business policies that manage users' access to applications – and those applications' access to company resources. But in recent years, Citrix has moved to give NetScaler even more flexibility so that its controls can travel outside of the data centre to enforce control over cloud-hosted workspaces.

Security inside and out. The ability to build and enforce security controls around the behaviour of specific applications, rather than just specific workspaces as in the past, means businesses can more effectively block attempts to manipulate cloud and Web-based applications.

Although it was originally popular with large-scale service providers, NetScaler's high granularity has made it increasingly popular with enterprises of all types as conventional firewalls come up short in fighting new methods of online attack.

“The problem with traditional firewalls,” Caleno says, “is that they necessarily allow everyone to make connections on TCP ports 80 and 443 – HTTP and HTTPS – on a public web site. But a traditional firewall doesn't understand the difference between an interaction that you want a user to have with your application, versus one that you don't.”

Policies can set limits on HTTP parameters – which parameters an application accepts, and what values they may take – and tie them to the persistent identities of legitimate users. For example, the ADC can detect that a legitimate user is logged in but that the user – or someone who has stolen their credentials – is attempting to circumvent security controls by passing invalid parameters to the Web application.

“A Web application firewall understands that this behaviour breaks a business rule because it can read HTTP,” Caleno explains.

“When a user or application steps outside of the boundaries of the corporate security policy, it can be blocked and reported – and sent to a threat analytic system to work out whether it's just someone playing, or someone trying to steal data en masse.”

Since one of the biggest fears of potential cloud adopters is losing control over access to their data, the ability to prevent such theft – and to act on it when it is attempted – will be essential to ensuring that data protection keeps pace with past, present and future architectures for desktop and application delivery.

Thanks to a flexible design that extends NetScaler's protections to any device where a Citrix remote desktop is running, enterprises can build a business policy once and then rely on NetScaler to propagate and enforce that policy for on-premises and cloud-based users with exactly the same effect.

“We add value not just to the network specialists, but also for the application teams and security specialists,” Caleno says. “They can build out one application security policy so one device can touch many applications – and you don't have to write mitigation code into the environment.”

“By offloading that security logic,” he continues, “they can apply blanket policies to protect all of their applications, then drill down into particularly sensitive parts of applications where you might want to tighten the screws a little harder.”
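To make the parameter checks described earlier (a logged-in user, or someone holding their stolen credentials, passing invalid parameters) and the layered approach in the last two quotes (one blanket policy for every application, tightened further on sensitive paths) concrete, here is a small positive-model request checker in Python. It is example code written for this article, not NetScaler's policy language or any Citrix code; the policy, paths, parameter names, identities and sample requests are all constructed for the illustration.

```python
"""Positive-security-model HTTP parameter policy, evaluated the way an ADC or
web application firewall would: a blanket policy applies to every application,
per-path overrides tighten it for sensitive endpoints, and each violation is
tied to the authenticated identity so it can be blocked and reported.
Constructed example only; not NetScaler policy syntax."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ParamRule:
    pattern: str            # the whole value must match this regex
    max_len: int = 64
    required: bool = False


@dataclass
class PathPolicy:
    params: Dict[str, ParamRule]
    methods: Tuple[str, ...] = ("GET", "POST")
    allow_unknown_params: bool = True


@dataclass
class Request:
    method: str
    path: str
    params: Dict[str, str]
    user: Optional[str]     # identity of the session the ADC already authenticated


@dataclass(frozen=True)
class Violation:
    user: str
    path: str
    param: str
    reason: str


class WafPolicy:
    """Blanket policy for every application plus per-path overrides."""

    def __init__(self, default: PathPolicy, overrides: Dict[str, PathPolicy]):
        self.default = default
        self.overrides = overrides

    def resolve(self, path: str) -> PathPolicy:
        # Longest matching prefix wins; its rules are layered over the defaults,
        # so the blanket parameters stay permitted on the tightened path.
        prefix = max((p for p in self.overrides if path.startswith(p)),
                     key=len, default=None)
        if prefix is None:
            return self.default
        override = self.overrides[prefix]
        merged = {**self.default.params, **override.params}
        return PathPolicy(merged, override.methods, override.allow_unknown_params)

    def evaluate(self, req: Request) -> List[Violation]:
        policy = self.resolve(req.path)
        who = req.user or "anonymous"
        found: List[Violation] = []

        def flag(param: str, reason: str) -> None:
            found.append(Violation(who, req.path, param, reason))

        if req.method not in policy.methods:
            flag("-", f"method {req.method} not permitted")
        for name, rule in policy.params.items():
            if name not in req.params:
                if rule.required:
                    flag(name, "required parameter missing")
                continue
            value = req.params[name]
            if len(value) > rule.max_len:
                flag(name, f"value longer than {rule.max_len}")
            elif not re.fullmatch(rule.pattern, value):
                flag(name, "value violates allowed pattern")
        if not policy.allow_unknown_params:
            for name in req.params:
                if name not in policy.params:
                    flag(name, "parameter not in positive model")
        return found


def decide(policy: WafPolicy, req: Request) -> Tuple[str, List[Violation]]:
    """Block on any violation; the violation records are what gets reported."""
    violations = policy.evaluate(req)
    return ("block" if violations else "allow"), violations


def triage(violations: List[Violation], threshold: int = 3) -> Dict[str, str]:
    """Crude analytic step: repeat offenders per identity versus one-off probing."""
    counts = Counter(v.user for v in violations)
    return {u: ("investigate" if n >= threshold else "noise") for u, n in counts.items()}


# Constructed policy: blanket rules for search-style parameters, tightened on
# a hypothetical money-transfer endpoint (POST only, no unexpected parameters).
POLICY = WafPolicy(
    default=PathPolicy(params={"q": ParamRule(r"[\w\s-]{1,64}"),
                               "page": ParamRule(r"\d{1,3}", max_len=3)}),
    overrides={"/account/transfer": PathPolicy(
        params={"amount": ParamRule(r"\d{1,7}(\.\d{2})?", max_len=10, required=True),
                "to_account": ParamRule(r"\d{8}", max_len=8, required=True)},
        methods=("POST",), allow_unknown_params=False)},
)

# Constructed traffic: alice probes once; bob, a legitimate logged-in user (or
# someone holding his credentials), keeps stepping outside the policy.
SAMPLE_REQUESTS = [
    Request("GET", "/catalog/search", {"q": "laptops", "page": "2"}, "alice"),
    Request("GET", "/catalog/search", {"q": "' OR 1=1 --"}, "alice"),
    Request("POST", "/account/transfer", {"amount": "100.00", "to_account": "12345678"}, "bob"),
    Request("POST", "/account/transfer", {"amount": "100.00", "to_account": "12345678", "debug": "1"}, "bob"),
    Request("GET", "/account/transfer", {"to_account": "12345678"}, "bob"),
    Request("POST", "/account/transfer", {"amount": "1e9", "to_account": "1234"}, "bob"),
]


def run(policy: WafPolicy = POLICY, requests: List[Request] = SAMPLE_REQUESTS):
    """Return the per-request decisions and the per-identity triage verdict."""
    decisions, all_violations = [], []
    for req in requests:
        action, violations = decide(policy, req)
        decisions.append(action)
        all_violations.extend(violations)
    return decisions, triage(all_violations)


if __name__ == "__main__":
    for req, action in zip(SAMPLE_REQUESTS, run()[0]):
        print(action, req.method, req.path, req.user, req.params)
    print(run()[1])
```

The point of the override mechanism is that the security team writes the blanket policy once and only the sensitive path needs the extra rules; the identity on each violation is what lets the downstream analytics distinguish a single malformed query from an account being used to probe systematically.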

Using an ADC to manage application rights and user capabilities will allow businesses of all sizes – from five-person SMBs up to large enterprises and service providers – to keep up with the steady migration of their application environment away from the data centre, all the while maintaining the same level of control that they have long enforced inside of it.

“The effect of this is that security policies now have less room for interpretation,” Caleno says.

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Stories by David Braue