What does it mean for security when virtually every device in the enterprise connects to the cloud and people access apps and data on multiple devices and platforms? It’s one of the most urgent questions facing IT, and one reason I’m especially eager to participate in Black Hat USA 2017 in Las Vegas on July 26 – 27. The industry has reached an inflection point where it’s all too clear that traditional perimeter-based security simply isn’t effective anymore.
The time has come for a new security architecture designed for the way we work today while adapting to the future, and that’s what I’ll be talking about at Black Hat USA.
The disconnect between traditional security strategies and the reality of today’s workplace can be seen clearly in a recent global survey conducted by Citrix and the Ponemon Institute (The Need for a New IT Security Architecture: Global Study on the Risk of Outdated Technologies), in which 83 percent of businesses around the world reported the belief that they are most at risk because of organizational complexities. In practical terms, corporate security requirements often impede productivity by overly restricting employees’ ability to work when and how they want, on the device they want. In response, people resist or circumvent these policies, or turn to shadow IT in search of a more modern, flexible and user-centric experience. In 2017, employees know, and IT must accept, that the future of work isn’t 9-to-5, and it isn’t confined to a conventional office or corporate devices.
Securing cloud endpoints
As more organizations, apps, and data move to the cloud, the cloud endpoint — including the browser — moves to the forefront of security. In many cases, this endpoint will be owned by the user. In this light, the first step toward securely supporting cloud endpoints is to evolve the concept of “trust,” because cloud endpoints frequently operate outside of enterprise control. Instead of allowing only trusted corporate devices on the network, we must now be able to answer in real time the question, “What can this device be trusted to access in this specific situation?”
This points toward a more contextual and dynamic approach to security. Endpoint security policies must initially treat every user and device as an untrusted outsider. Instead of being assumed, trust must be established through a consideration of situational risks based on the user’s current location, device, network, and the apps and data being used, as well as knowledge of their typical and current behaviors. By dynamically assigning and re-verifying the level of trust in endpoints on each access and automating the resulting access decisions for apps and data, users and enterprises can be appropriately protected across the increasing diversity of enterprise endpoints and usage situations.
Controlling application access and data usage
The same contextual approach used to secure access through cloud endpoints can also be used to control the way users access and use apps and data. This capability is especially important given the diversity of potential usage contexts, extending from relatively low-risk scenarios like an enterprise app accessed within the corporate network, to SaaS and cloud-based apps accessed by home-based or third-party users over public networks. To prevent data exfiltration in higher-risk contexts, the organization may choose to block copy/paste between apps entirely, allow only specific data to be copied in or out, or dynamically set the save-to location for data to meet governance requirements and mitigate real-time risks. The use of peripherals such as printers, webcams and microphones can also be enabled or disabled per application. By extending control beyond the traditional datacenter to mediate user interactions with apps and data, IT can proactively secure, detect and mitigate risk with intelligence applied to each unique scenario.
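The two preceding sections describe the same mechanism from two sides: trust is computed per request from the context (device, network, location, behaviour), and the resulting trust level is mapped to a capability set for the app (clipboard, save location, peripherals). The following is an added example written for this page, not Citrix's code or any product API; every signal, threshold and capability name in it is a hypothetical illustration of the pattern, and the sample contexts are constructed.

```python
"""Contextual (risk-based) access decision: hypothetical illustration only.

Every request starts untrusted; trust is earned from the context of the
request and then mapped to the capabilities a session may use.
"""
from dataclasses import dataclass
from enum import IntEnum


class Trust(IntEnum):
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Context:
    """Signals about one access attempt (all field names are hypothetical)."""
    user: str
    device_managed: bool          # enrolled in enterprise device management
    device_compliant: bool        # e.g. encrypted and patched, per management agent
    network: str                  # "corporate", "home" or "public"
    country: str                  # geolocated from the client address
    usual_countries: frozenset    # where this user normally works from
    app_sensitivity: str          # "low", "medium" or "high"
    failed_logins_last_hour: int  # a simple behavioural signal


@dataclass(frozen=True)
class Capabilities:
    """What the session may do; the default is to allow nothing."""
    access: bool = False
    clipboard_in: bool = False
    clipboard_out: bool = False
    save_to: str = "none"         # "none", "corporate_share" or "local"
    printing: bool = False
    webcam: bool = False
    microphone: bool = False


NETWORK_SCORE = {"corporate": 2, "home": 1, "public": 0}
REQUIRED_TRUST = {"low": Trust.LOW, "medium": Trust.MEDIUM, "high": Trust.HIGH}


def assess_trust(ctx: Context) -> Trust:
    """Score the situation from zero (untrusted). Thresholds are illustrative."""
    score = 0
    if ctx.device_managed:
        score += 2
    if ctx.device_compliant:
        score += 1
    score += NETWORK_SCORE.get(ctx.network, 0)   # unknown networks score as public
    if ctx.country not in ctx.usual_countries:   # unusual location for this user
        score -= 2
    if ctx.failed_logins_last_hour >= 5:         # possible credential attack
        score -= 3
    if score >= 5:
        return Trust.HIGH
    if score >= 3:
        return Trust.MEDIUM
    if score >= 1:
        return Trust.LOW
    return Trust.NONE


def decide(ctx: Context) -> Capabilities:
    """Map trust and app sensitivity to a capability set; pure, so re-run per request."""
    trust = assess_trust(ctx)
    if trust < REQUIRED_TRUST[ctx.app_sensitivity]:
        return Capabilities()   # deny: every capability stays False
    if trust == Trust.HIGH:
        return Capabilities(access=True, clipboard_in=True, clipboard_out=True,
                            save_to="local", printing=True, webcam=True, microphone=True)
    if trust == Trust.MEDIUM:
        # Data may flow in but not out: no clipboard out, no local save, no printing.
        return Capabilities(access=True, clipboard_in=True, save_to="corporate_share",
                            webcam=True, microphone=True)
    return Capabilities(access=True)   # LOW: view only


# Constructed sample contexts (not real data).
USUAL = frozenset({"US"})
OFFICE = Context("alice", True, True, "corporate", "US", USUAL, "high", 0)
HOME_MANAGED = Context("alice", True, True, "home", "US", USUAL, "medium", 0)
CAFE_BYOD = Context("alice", False, False, "public", "US", USUAL, "medium", 0)
TRAVEL = Context("alice", True, True, "home", "BR", USUAL, "medium", 0)
BRUTE_FORCE = Context("alice", True, True, "corporate", "US", USUAL, "high", 6)

if __name__ == "__main__":
    for name, ctx in [("office", OFFICE), ("home", HOME_MANAGED), ("cafe", CAFE_BYOD),
                      ("travel", TRAVEL), ("brute-force", BRUTE_FORCE)]:
        print(f"{name:12s} trust={assess_trust(ctx).name:7s} {decide(ctx)}")
```

The point to take from the example is structural rather than the particular numbers: the decision is a pure function of the request context, so it can be re-evaluated on every access rather than once at login, and a denied request yields an all-false capability set rather than a partially configured one, so a missed branch fails closed.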
The software-defined perimeter
Citrix already enables this contextual approach to cloud endpoint security in our digital workspace solutions, which create a software-defined perimeter that combines secured access to apps and data with contextual control, visibility, and behavior analytics across devices, networks and clouds. In this way, IT can allow people to evolve the way they work, transcending the constraints of physical desks and traditional work hours, without putting apps and data at risk.
I’m looking forward to many productive conversations around new security architectures at Black Hat. Visit our booth at the event from July 26 – 27 to catch a presentation by one of our security experts, talk with a product expert and see a demo. I’ll also be speaking at a conference workshop on “Architecting Cloud Networking: From the Cloud Endpoint to Predictive Analytics” on Thursday, July 27. I hope to see you there!