I interviewed Chris Mayers for this topic. Chris has been with Citrix since 1998, and in his role as principal security architect at Citrix, Chris has both internal and external responsibilities for promoting security, developing security strategies and advocating the secure enterprise. Based in Cambourne, Cambridge, Chris’s job takes him all over Europe and to the USA, where he can be found advising CIOs and CSOs, presenting White Papers at industry conferences and working to develop Citrix technology to ensure it continues to protect the ‘perimeterless’ enterprise.
Here is Chris:
Q: Chris, first can you explain what we mean by “Strong Authentication”?
A: Strong Authentication is multiple factor authentication. The classic definition is something you know (such as a password), coupled with something you have (such as a token or smartcard) or something you are (biometric data). For remote access using Web Interface, Citrix recommends that customers always use strong authentication rather than just passwords.
Q: That makes sense. Why wouldn’t everyone use strong authentication for remote access?
A: Everyone should use strong authentication, but there are choices, so it’s a question of balance. Security requirements are balanced against cost and user acceptance. The number of users who actually need remote access, and the applications they are using, must be evaluated. There may be less expensive ways to secure remote access to simple applications such as email – using Smart Access or XenApp capabilities.
Q: What kind of cost would a customer be looking at for implementing strong authentication?
A: The good news is that the purchase price of second factor devices has come down in recent years. A security token, for example, costs only a few dollars now. Unfortunately, there are additional costs, such as fulfillment to the user, and administrative and help desk costs; these need watching.
Q: What about user acceptance, why is that an issue for customers?
A: Well, users are required to either carry an item with them for access (something they have) or use biometrics (something they are). End users must be involved in this process – authentication is not something administrators can do for them. So, users may view this as inconvenient.
One interesting way around this is dual-purpose: combine strong authentication on an item the user can use for other tasks. There are several solutions based on mobile phones, USB tokens (which can be used generically as well), and smartcards (which can be used for digital signature and encryption as well as authentication).
Q: Counting on users is always risky. How do you recommend IT deal with this?
A: The trick is to manage risks and have a calculated backup plan. For example, if tokens or smartcards are used for strong authentication, and the user loses, damages or forgets the item, you might enable the help desk to temporarily allow a password to access the account remotely. That way, even if a user intentionally “forgets” the item, there is no excuse to avoid work!
Q: What about biometrics – that way the user doesn’t have to remember a device?
A: Biometrics are great for unlocking things, like laptops and doors. The big danger for the remote access use case is that the biometric data can go over the network. The issues with this are nasty – stolen biometric data can be much more damaging than stolen credentials (biometrics don’t change like passwords do).
Q: Does Citrix provide strong authentication solutions?
A: No, but Citrix has numerous partners – check out Citrix Ready.