Controlling user access privileges has always been essential to enterprise security, but today's cloud and mobile-driven computing environments make that control hard to maintain. Thankfully, combining time-honoured remote access technologies with increasingly intelligent – and portable – business policies offers new promise for those struggling to extend internal security measures to outside IT services.
That extension has become essential as CSOs struggle to maintain control over what are increasingly becoming “islands of applications and data”, says Phil Caleno, senior manager for networking with Citrix.
“The first step in security was always to build a wall around your data centre and protect everything inside it,” he explains.
“Most of the consumption of apps and data used to happen within a trusted zone, and the security infrastructure tended to sit at the edge of the data centre. But now that things are picking up and moving out to the cloud, we're building islands of applications.”
Linking those islands will require a strong identity and access management (IAM) framework, particularly as increasing use of cloud services fosters stronger demand for flexible and effective application security.
The road to flexibility. Evolving and accepted standards, such as Security Assertions Markup Language (SAML), are gaining currency as a way of providing portable access credentials that can be applied across those islands. Yet IAM frameworks will need to become more flexible as users not only bring their own devices but bring their own identities too – relying on services like Facebook to manage their identities in a way that can also be extended to enterprise services.
These elements are just part of the overall picture that will increasingly see cloud-based applications accessed by users on mobile devices – all of whom need to be authenticated using the same rigour as has historically been enforced on users of on-premises applications.
A key enabler for this has been the virtualisation of functions such as remote desktop delivery, which was previously handled by companies that installed large numbers of dedicated thin-client servers in their data centres. These could then be managed and upgraded centrally, retaining control of the users' workspaces while enabling delivery to a broad range of devices.
Although this form of delivery has long been heavily utilised by private and public-sector organisations of all sizes, it offered relatively low granularity: access control, and control over the information flowing to and from the virtual desktops, was limited.
That architecture supported a multiplicity of users, but required an extensive commitment of back-end resources that anchored the services well within the corporate network. Yet with cloud-based service delivery now well entrenched among customers, Citrix has moved to divorce the desktop delivery services from their earlier hardware requirement – implementing them instead within virtual machines that can run in the cloud just as easily as on a local server.
This shift has revolutionised the delivery of desktops, but further innovation was required to ensure that internal access controls can be extended to desktops even when they are running on systems outside the enterprise.
This control has come in the form of the Citrix NetScaler Application Delivery Controller (ADC), a comprehensive application security platform that complements the delivery of online workspaces with rights and access management that allows organisations to maintain control over their applications no matter where they're running – or where they're accessed.
NetScaler allows organisations to build business policies that manage users' access to applications – and those applications' access to company resources. But in recent years, Citrix has moved to give NetScaler even more flexibility so that its controls can travel outside of the data centre to enforce control over cloud-hosted workspaces.
Security inside and out. The ability to build and enforce security controls around the behaviour of specific applications, rather than just specific workspaces as in the past, means businesses can more effectively block attempts to manipulate cloud and Web-based applications.
Although it was originally popular with large-scale service providers, NetScaler's high granularity has made it increasingly popular with enterprises of all types as conventional firewalls come up short in fighting new methods of online attack.
“The problem with traditional firewalls,” Caleno says, “is that they necessarily allow everyone to make connections on TCP ports 80 and 443 – HTTP and HTTPS – on a public web site. But a traditional firewall doesn't understand the difference between an interaction that you want a user to have with your application, versus one that you don't.”
Policies can set limits on HTTP parameters and tie them in with the persistent identities of legitimate users. For example, the ADC can detect if a legitimate user is logged in but that user – or someone who has stolen his credentials – is attempting to circumvent security controls by passing invalid parameters to the Web applications.
“A Web application firewall understands that this behaviour breaks a business rule because it can read HTTP,” Caleno explains.
“When a user or application steps outside of the boundaries of the corporate security policy, it can be blocked and reported – and sent to a threat analytic system to work out whether it's just someone playing, or someone trying to steal data en masse.”
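The behaviour described in the preceding paragraphs – a per-application policy that limits HTTP parameters, ties each decision to an authenticated identity, blocks the request, and hands a record to a downstream analytics step that separates a one-off mistake from a sustained probe – can be sketched in a few dozen lines. The following is an added illustration written for this page; it is not Citrix or NetScaler code, and the policy table, endpoint paths, identities and sample requests are all constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlsplit


@dataclass
class Rule:
    """Constraint on one HTTP parameter: the whole value must match the
    regex and must not exceed max_len characters."""
    pattern: str
    max_len: int


# Constructed policy: endpoint path -> the only parameters it may receive.
# Anything not listed here is a policy violation, whoever sends it.
POLICY = {
    "/account/transfer": {
        "amount": Rule(r"\d{1,7}(\.\d{2})?", 10),
        "to": Rule(r"[A-Z]{2}\d{2}[A-Z0-9]{1,30}", 34),
    },
    "/search": {"q": Rule(r"[\w\s\-]*", 64)},
}


@dataclass
class Decision:
    allowed: bool
    user: str           # the authenticated identity the request was tied to
    path: str
    violations: list[str] = field(default_factory=list)


def inspect(user: str, url: str) -> Decision:
    """Evaluate one request against POLICY and report every rule it breaks."""
    parts = urlsplit(url)
    rules = POLICY.get(parts.path)
    violations = []
    if rules is None:
        violations.append(f"path not in policy: {parts.path}")
    else:
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            rule = rules.get(name)
            if rule is None:
                violations.append(f"unexpected parameter: {name}")
            elif len(value) > rule.max_len:
                violations.append(f"{name}: length {len(value)} > {rule.max_len}")
            elif not re.fullmatch(rule.pattern, value):
                violations.append(f"{name}: value does not match {rule.pattern!r}")
    return Decision(not violations, user, parts.path, violations)


class ViolationLedger:
    """Counts blocked requests per identity so an analytics step can tell
    'someone playing' from a sustained attempt; the threshold is arbitrary."""

    def __init__(self, threshold: int = 3):
        self.threshold = threshold
        self.counts: Counter = Counter()

    def record(self, d: Decision) -> int:
        if not d.allowed:
            self.counts[d.user] += 1
        return self.counts[d.user]

    def escalated(self) -> list[str]:
        return sorted(u for u, n in self.counts.items() if n >= self.threshold)


# Constructed sample traffic: (authenticated user, request URL).
SAMPLE_REQUESTS = [
    ("alice", "/search?q=quarterly%20report"),
    ("alice", "/account/transfer?amount=250.00&to=GB12ABCD12345678"),
    ("bob", "/account/transfer?amount=250.00&to=GB12ABCD12345678&admin=1"),
    ("bob", "/account/transfer?amount=-1&to=GB12ABCD12345678"),
    ("bob", "/search?q=" + "A" * 80),
    ("carol", "/admin/export"),
]


def run(requests):
    """Inspect every request, feed the ledger, and return both the decisions
    and the identities that crossed the escalation threshold."""
    ledger = ViolationLedger()
    decisions = [inspect(user, url) for user, url in requests]
    for d in decisions:
        ledger.record(d)
    return decisions, ledger.escalated()


if __name__ == "__main__":
    decisions, escalated = run(SAMPLE_REQUESTS)
    for d in decisions:
        verdict = "ALLOW" if d.allowed else "BLOCK"
        print(f"{verdict:5} user={d.user:<6} path={d.path:<18} {'; '.join(d.violations)}")
    print("escalate to analytics:", escalated)
```

Two design points are worth noting. The policy is written once per endpoint rather than inside each application, which is the offloading the article describes; and the decision carries the identity, not just the source address, so the ledger can count violations per legitimate account and surface the one whose credentials may have been stolen.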
Since one of the biggest fears of potential cloud adopters is losing control over access to their data, the ability to prevent such theft – and to act upon it when it's attempted – will be central to ensuring that future data protection accommodates past, present and future architectures for desktop and application delivery.
Thanks to a flexible design that extends NetScaler's protections to any device where a Citrix remote desktop is running, enterprises can build a business policy once and then use NetScaler's propagation to enforce that policy on on-premises and cloud-based users with exactly the same effect.
“We add value not just to the network specialists, but also for the application teams and security specialists,” Caleno says. “They can build out one application security policy so one device can touch many applications – and you don't have to write mitigation code into the environment.”
“By offloading that security logic,” he continues, “they can apply blanket policies to protect all of their applications, then drill down into particularly sensitive parts of applications where you might want to tighten the screws a little harder.”
Using an ADC to manage application rights and user capabilities will allow businesses of all sizes – from five-person SMBs up to large enterprises and service providers – to keep up with the steady crawl of their application environment away from the data centre, all the while maintaining the same level of control that they have long enforced inside of it.
“The effect of this is that security policies now have less room for interpretation,” Caleno says.