In 2012, the UK Government launched its 10 Steps to Cyber Security guidance, and around two-thirds of the FTSE 350 now use it. It was simplified and updated in 2015.
As you would expect, the 10 Steps involve people, process, and technology – and include everyone from the board to individual users. Today, I want to discuss how Citrix supports each of the 10 Steps.
Let’s take a look.
Information Risk Management Regime
The first rule: don’t build on sand. Organizations need trustworthy security products that enforce security standards.
For more than 10 years, Citrix has invested in independent product security evaluations. This process is an important and essential investment, as many highly regulated industries require compliance with FIPS and Common Criteria. Customers from every industry benefit from our investment in these security standards. This investment also includes aligning Citrix products with other security frameworks such as PCI DSS.
Secure Configuration
Next, a curious fact: organizations that are prompt and effective in applying patches can be much less diligent in securing the system configuration in the first place. But errors in system configuration can be just as devastating as failing to apply patches.
XenMobile provides a single place to control secure configuration: not just for mobile devices, but also for mobile applications. The advice sheet from the UK Government guidance calls out application whitelisting and execution control for particular attention.
For desktop devices, whitelisting can certainly be trickier than on mobile devices, due to complex legacy applications. Of course, if you use XenApp and XenDesktop to host these legacy applications, the scale of the problem is much smaller. As a practical note, if you are using Microsoft AppLocker for whitelisting, you’ll also need to know the AppLocker rules for XenApp/XenDesktop itself. This detail is covered by the Citrix Common Criteria evaluated configuration; that is a rather specialized configuration, so we are looking at generalizing it for broader use. For general secure configuration guidance for XenApp and XenDesktop, see here.
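To make the execution-control idea concrete, here is an added example (not Citrix code, and not the AppLocker rules from the evaluated configuration) of a default-deny allow-list evaluator in Python. The file paths, file contents and rules are all constructed for the example; the point it shows is that path rules trust a location, hash rules trust one exact binary, a deny rule always wins, and anything unmatched is refused.

```python
"""Default-deny application allow-list over constructed sample files (added example)."""
import hashlib
from dataclasses import dataclass

# Constructed sample executables: the bytes stand in for real files on disk.
SAMPLE_FILES = {
    "C:\\Program Files\\LegacyApp\\legacy.exe": b"MZ legacy app build 4.2",
    "C:\\Users\\alice\\Downloads\\update.exe": b"MZ unknown download",
    "C:\\Windows\\System32\\notepad.exe": b"MZ notepad",
}


@dataclass(frozen=True)
class Rule:
    kind: str           # "path": case-insensitive prefix match; "hash": exact SHA-256
    value: str
    allow: bool = True  # False turns this into a deny rule


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hypothetical rule set (not any vendor's published rules):
# trust the OS directory, pin one legacy binary by hash, deny user-writable locations.
RULES = (
    Rule("path", "C:\\Windows\\System32\\"),
    Rule("hash", sha256_of(SAMPLE_FILES["C:\\Program Files\\LegacyApp\\legacy.exe"])),
    Rule("path", "C:\\Users\\", allow=False),
)


def _matches(rule: Rule, path: str, digest: str) -> bool:
    if rule.kind == "path":
        return path.lower().startswith(rule.value.lower())
    if rule.kind == "hash":
        return digest == rule.value
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def is_allowed(path: str, data: bytes, rules=RULES) -> bool:
    """Default deny: run only if an allow rule matches and no deny rule matches."""
    digest = sha256_of(data)
    allowed = False
    for rule in rules:
        if _matches(rule, path, digest):
            if not rule.allow:
                return False      # a deny rule overrides any allow rule
            allowed = True
    return allowed


def evaluate(files=SAMPLE_FILES, rules=RULES) -> dict:
    """Decision for every sample file, keyed by path."""
    return {path: is_allowed(path, data, rules) for path, data in files.items()}


if __name__ == "__main__":
    for path, ok in evaluate().items():
        print("ALLOW" if ok else "DENY ", path)
    # A modified copy of the pinned binary no longer matches its hash rule.
    tampered = SAMPLE_FILES["C:\\Program Files\\LegacyApp\\legacy.exe"] + b"\x90"
    print("tampered legacy.exe allowed:",
          is_allowed("C:\\Program Files\\LegacyApp\\legacy.exe", tampered))
```

The hash rule is what makes the legacy application safe to trust from an otherwise untrusted location: a patched or tampered copy at the same path is refused, which is exactly why an allow-list has to be regenerated whenever the hosted application is updated.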
Network Security
The advice sheet is divided into sections that address policing the network perimeter and protecting the internal network. Even in the days of the borderless enterprise, this is a helpful and practical distinction.
But this advice sheet doesn’t mention the security technologies for protecting today’s segmented, layered, and virtualized corporate networks. Network segments need to be structured into layers (the Government calls them “enclaves”). Gateways and networks themselves may be virtualized, with the control planes also virtualized.
Look at the Citrix XenApp and XenDesktop Security Guidance for a sample layered deployment. For the network perimeter with virtualized networks, make NetScaler Gateway your first stop.
Managing User Privileges
When thinking about identity and access, remember the saying: “opportunity makes the thief”. If users are given privileges, expect those privileges to be used, whether intentionally or not. So, give people just what they need, and no more. This applies to administrators as well as users; define administrative roles, and grant privileges to roles. Most administrators don’t need to be full administrators, and certainly not all the time.
Consider using Citrix Ready Security Partner privilege management products for third-party applications that need privileges, but don’t have their own privilege management capabilities.
Because administrators need to be privileged, and can potentially bypass security controls, they also need to be monitored. For administrators, logs, events, and alerts are always relevant (see the Monitoring step below).
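The three points above (grant privileges to roles rather than people, avoid standing full-administrator rights, and record every privileged action) can be shown in a few lines. This is an added example in Python, not a Citrix role model: the role names, permissions and accounts are hypothetical, and a temporary role grant with an expiry stands in for "not all the time".

```python
"""Role-based privileges with deny-by-default, time-limited elevation and an audit trail."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical roles (constructed for the example): each grants a small permission set.
ROLES = {
    "help-desk": {"session.view", "session.disconnect"},
    "machine-admin": {"machine.view", "machine.restart"},
    "full-admin": {"session.view", "session.disconnect", "machine.view",
                   "machine.restart", "policy.edit"},
}


@dataclass
class Account:
    name: str
    roles: set = field(default_factory=set)              # standing roles
    temporary_roles: dict = field(default_factory=dict)  # role -> expiry (UTC datetime)


def effective_roles(account: Account, now: datetime) -> set:
    """Standing roles plus any temporary grant that has not yet expired."""
    active = set(account.roles)
    for role, expiry in account.temporary_roles.items():
        if now < expiry:
            active.add(role)
    return active


def permitted(account: Account, action: str, now: datetime) -> bool:
    # Deny by default: an unknown role or action grants nothing.
    return any(action in ROLES.get(r, ()) for r in effective_roles(account, now))


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, now, who, action, target, allowed):
        self.entries.append({"time": now.isoformat(), "who": who, "action": action,
                             "target": target, "allowed": allowed})

    def denied(self) -> list:
        return [e for e in self.entries if not e["allowed"]]


def perform(account: Account, action: str, target: str, audit: AuditLog, now: datetime) -> bool:
    """Check, then log the attempt whether or not it was allowed; return the decision."""
    allowed = permitted(account, action, now)
    audit.record(now, account.name, action, target, allowed)
    return allowed


def demo():
    """Walk one help-desk account through a temporary elevation; returns (decisions, audit)."""
    t0 = datetime(2016, 1, 1, 9, 0, tzinfo=timezone.utc)
    audit = AuditLog()
    bob = Account("bob", {"help-desk"})
    decisions = [
        perform(bob, "session.disconnect", "sess-42", audit, t0),   # in role: allowed
        perform(bob, "policy.edit", "ssl-profile", audit, t0),      # not in role: denied
    ]
    bob.temporary_roles["full-admin"] = t0 + timedelta(hours=1)     # one-hour elevation
    decisions.append(perform(bob, "policy.edit", "ssl-profile", audit, t0 + timedelta(minutes=30)))
    decisions.append(perform(bob, "policy.edit", "ssl-profile", audit, t0 + timedelta(hours=2)))
    return decisions, audit


if __name__ == "__main__":
    results, log = demo()
    print("decisions:", results)
    for entry in log.entries:
        print(entry)
```

Note that the audit entry is written before the decision is returned, so refused attempts are recorded as well; those denied entries are the ones worth alerting on under the Monitoring step.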
User Education and Awareness
This means everyone – including security specialists themselves. Security is a complex and fast-moving field, so encourage security specialists to validate their security skills through a formal certification scheme.
Also look for these same security skills certifications when selecting a Citrix partner who understands your business. These skills will smooth the secure deployment of your systems.
Incident Management
Incidents will happen – be prepared. This means planning beforehand what kind of evidence you will need to collect and analyze to identify and remedy the root cause of an incident.
Some of the evidence you will be collecting anyway, via regular network monitoring (under the Monitoring and Network Security steps), and as user activity logs (under the Managing User Privileges step).
Consider using advanced features such as the Session Recording capability of XenApp and XenDesktop to collect and log evidence you may need in case of an incident. This feature was previously known as SmartAuditor, and is now available for XenDesktop too.
Malware Prevention
This step covers antivirus, content filtering, and firewalls. It is not new. It is not exciting. But it is important.
Look for malware prevention products in the Citrix Ready Security Partner program that are tested and optimized for Citrix compatibility, and stay tuned for new announcements.
Please be aware that some of the advice you’ll see on the Internet about anti-virus and XenApp/XenDesktop configuration is out-of-date or misleading. Get the right advice from the Citrix Support Knowledge Center and your Citrix partner.
Monitoring
Monitoring must be fine-tuned to collect only the logs, events, and alerts that are relevant to satisfying the organization’s monitoring policy. Avoid the temptation to keep everything that you can, rather than only what you need. Once you have a prioritized set of desired outcomes, focus on what you don’t need to analyze, to filter out the noise.
Security monitoring shouldn’t be treated in isolation from other monitoring capabilities – fault monitoring, performance monitoring, and so on. Anomalies detected by one can have a root cause in another – an obvious example being a denial-of-service attack detected by performance monitoring.
The advice sheet for this step recommends a centralized collection and analytics capability. However, security analytics must put relevant information in the hands of those who will take prompt action. (In government jargon, “put fusion nodes next to action nodes”.) This means that security analytics must be carefully tuned to match the application domain and the expertise of those who manage it. Additional tools add complexity, so this capability needs to be integrated.
This is why NetScaler Security Insight provides this integrated capability by:
- Identifying configuration patterns and highlighting inconsistencies that may weaken your security posture
- Parsing your mountain of NetScaler logs, looking for issues that may be dangerous – going beyond anomaly detection for true context-sensitive reporting
- Highlighting any issues with PCI compliance, to make the audit process that much easier to work through
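The Monitoring step above makes two points that are easy to show over data: keep only what the monitoring policy needs, and correlate security events with other monitoring (the denial-of-service example, where a load spike from performance monitoring is the clue). The following is an added Python example, not NetScaler Security Insight or any Citrix log format; the log lines, sources and thresholds are constructed for the example.

```python
"""Policy-driven log filtering and cross-domain correlation over constructed log lines."""
import re
from collections import Counter

# Constructed sample events: minute, source, level, message (not a real product format).
SAMPLE_LOGS = """\
09:00 gateway INFO  user=alice login ok src=10.1.1.5
09:00 perf    INFO  vserver=vs1 rps=120 cpu=31
09:01 gateway WARN  user=bob login failed src=203.0.113.9
09:01 gateway INFO  user=carol login ok src=10.1.1.7
09:01 perf    INFO  vserver=vs1 rps=130 cpu=33
09:02 gateway WARN  user=bob login failed src=203.0.113.9
09:02 gateway WARN  user=bob login failed src=203.0.113.9
09:02 perf    INFO  vserver=vs1 rps=4100 cpu=97
09:02 admin   INFO  user=dave action=policy.edit target=ssl-profile
09:03 perf    INFO  vserver=vs1 rps=4300 cpu=98
09:03 gateway INFO  user=alice logout
"""

# Monitoring policy: desired outcomes first; anything not listed is noise and is dropped.
POLICY = {
    "keep": [
        ("gateway", "login failed"),  # credential attacks
        ("admin", "action="),         # every privileged action
        ("perf", "rps="),             # load, needed for DoS correlation
    ],
}

LINE = re.compile(r"^(\d\d:\d\d)\s+(\w+)\s+(\w+)\s+(.*)$")


def parse(text: str) -> list:
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            t, src, level, msg = m.groups()
            events.append({"time": t, "source": src, "level": level, "msg": msg})
    return events


def filter_by_policy(events: list, policy=POLICY) -> list:
    """Keep an event only if some policy entry names its source and a substring of it."""
    return [e for e in events
            if any(e["source"] == src and needle in e["msg"] for src, needle in policy["keep"])]


def kv(msg: str) -> dict:
    """Split 'key=value' tokens out of a message, ignoring free text."""
    return dict(p.split("=", 1) for p in msg.split() if "=" in p)


def correlate(events: list, spike_factor: int = 5, fail_threshold: int = 3) -> dict:
    """Findings: load spikes (DoS suspects), repeated login failures per source, admin actions."""
    perf = [(e["time"], int(kv(e["msg"])["rps"]))
            for e in events if e["source"] == "perf" and "rps=" in e["msg"]]
    # Baseline is the quietest reading in this window; a real system would use history.
    baseline = min(r for _, r in perf) if perf else 0
    spikes = [t for t, r in perf if r > spike_factor * baseline]
    fails = Counter(kv(e["msg"]).get("src", "?")
                    for e in events if e["source"] == "gateway" and "login failed" in e["msg"])
    repeated = {src: n for src, n in fails.items() if n >= fail_threshold}
    admin_actions = [kv(e["msg"]) for e in events
                     if e["source"] == "admin" and "action=" in e["msg"]]
    return {"load_spikes": spikes, "repeated_failures": repeated, "admin_actions": admin_actions}


if __name__ == "__main__":
    all_events = parse(SAMPLE_LOGS)
    kept = filter_by_policy(all_events)
    print(f"kept {len(kept)} of {len(all_events)} events")
    for name, finding in correlate(kept).items():
        print(name, finding)
```

In the sample, the performance source is what reveals the 09:02 to 09:03 spike; the gateway source alone only shows a handful of failed logins from one address. Keeping both in the policy, and analysing them together, is the integration the advice sheet is asking for.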
Removable Media Controls
This step highlights the reputational damage and financial loss from the compromise of sensitive information. This topic may no longer generally be headline news, but the risks are just as great. Rogue USB keys are still scattered by attackers looking for hapless victims.
The good news is that there is less and less business need for removable media; the 10 Steps guidance states that removable media should only be used as a last resort. There are better alternatives. Services such as ShareFile deliver data when it is needed; XenApp and XenDesktop allow applications and their data to be used remotely. Today, the risk is more from removable media being used for personal information, and from malware being introduced via that route.
So, look for a solution that segregates and protects personal and business data into separate containers, controls where the data is stored, and limits the use of removable media.
Home and Mobile Working
This means protecting data at rest, as well as data in transit.
The guidance is to minimize the amount of information stored on a device to only that which is needed to fulfill the business activity – and to encrypt the data at rest, in transit and in use.
Put more bluntly, ransomware can’t attack data that isn’t stored, transmitted, or used insecurely.
You can use ShareFile to avoid keeping data on the device. For the data that you do store on the device, use XenMobile to encrypt it. If the information needs to be accessed but not stored, use XenApp and XenDesktop to reduce the risk further. To protect data in transit, use NetScaler Gateway as an application-specific VPN.
The advice sheet mentions the risk of loss or compromise of a device in international locations and recommends remotely disabling a device that has been lost (see the XenMobile device decommissioning capability). Think carefully about the range of risk scenarios that may apply to your business.
The advice sheet also refers to the UK Government End User Device guidance, which was developed separately. This is a detailed topic of its own, so watch out for more Citrix news on this.
Reading this UK Government guidance, you might be surprised to see one topic mentioned only in passing – and that’s the cloud. The reason? It’s covered in separate guidance, which we’ll return to on a later occasion.
This post presents just a sample of the security controls within the 10 Steps.
For more detail, see Citrix product documentation, and also the links below to the Government advice sheets for each of the 10 Steps.
Using virtualization to implement the 10 Steps guidance with XenApp and XenDesktop simplifies deployment and management. Please refer to the Citrix XenApp and XenDesktop Security Guidance for details and a sample deployment.
Follow the links below for more information: