First, a little background as an introduction: I am currently a Lead Sales Engineer and have been with Citrix for two and a half years. I have been working with Citrix technologies since 1998, designing and integrating CAG, NFUSE, and other solutions from which the Citrix Workspace has evolved.

I want to discuss VPNs for a few reasons. First, VPNs have long been a trusted and popular solution for securing remote access to company resources. Second, while they have been trusted and popular, they may not always be the best fit for supporting and securing today’s changing workforce. The idea of a “full VPN”* for all is like only having a hammer in your toolbox. Third, the multiple flavors of VPNs are essential to consider alongside other technologies when enhancing remote access, supporting BYO, managing partner and supplier access and rolling out MFA.

*To be clear, when I refer to “full VPN”, I am referring to an end-to-end IPSec VPN tunnel. A full VPN is based on an enterprise trust model where the endpoint is trusted and all network traffic is flowing across the tunnel – as opposed to SSL VPNs, Per App VPNs and MicroVPNs that enable more specific connectivity and security options.

When approaching the “To VPN or Not VPN” discussions I typically start with the considerations below.

  • Trust Model: If you control and trust the whole network and VPN ecosystem from end-to-end, a full VPN is a solid option. If you do not control or can’t control the whole ecosystem, a full VPN introduces the risks of lack of visibility and control.
  • Third Party/Consultant access needs: For external partners, suppliers, BYO users and third party staff, using a full VPN introduces risk, as you likely do not have total control of the connection from end to end. (I cover ways to reduce risk and enhance user experience without a VPN connection while providing contextual security later in this blog.)
  • Changing Application Landscape: If your application set includes SaaS apps, cloud-based resources or hosted web applications, a full VPN is likely not a feasible option. Routing traffic back through your datacenter for cloud access is counterintuitive to a cloud journey.
  • Adaptability/User Productivity: With the changing workforce, application landscape and changing datacenter strategies and cloud journeys, does a full VPN still make sense? How can a full VPN adapt to these changes? Legacy security models struggle to adapt and provide great security with the added task of not hampering the user. If using a full VPN is inefficient for a user, they will likely find a way around – introducing risk – or, they may choose to only do work in the office, thereby reducing efficiency and productivity.

To help customers evolve their security models and decide where to “VPN or not VPN”, we developed discussion tracks to discover where they are in this changing landscape and to develop an efficient, effective and adaptive security model.  These begin with virtualization as a core tenet of enterprise security strategy, incorporate distributed apps and data, and factor in mobile and cloud app trust models.

Centralized access to Virtual Apps is just the start

  • Moving applications and data inside a corporate datacenter or cloud helps you secure them better by disallowing corporate intellectual property to exist on the endpoint.
  • It also allows us to implement a FOLLOW approach rather than a FORCE approach as it allows the user to be productive from multiple devices as they need without restrictive requirements before connecting.
  • However, I am surprised at the number of customers using full VPN tunnels to give their workforce access to Citrix Resources — the hammer in the toolbox. This means that even if it is an untrusted device, the endpoint will become a full participant on the network. In the case of a privileged or administrator level user, this poses a high security risk. If an administrator’s remote endpoint is compromised — with a full VPN tunnel — access is wide open for the attacker. Malware could easily execute over the tunnel and propagate to other systems, bringing your business down.

In my consulting days, one of the first steps in enhancing security was to publish all of the needed administrative tools via Citrix Virtual Apps and Desktops and use Citrix Gateway as the access method. This allowed the administrators and myself to have access remotely to the tools we needed while keeping my “consulting rig” off of their network via ICA Proxy. This was also easily extended to facilitate third party access to resources as needed for projects and supporting vendors, consultants and auditors.

Trust is key, but more is needed.

  • If you trust your network end-to-end from endpoint to resource, having full VPN as part of your strategy makes sense. But….
  • Trust involves more moving parts than just the VPN tunnel. Since that endpoint becomes a full participant in the network, there needs to be constant verification of proper security tools (firewalls, IDS/IPS, AV tools and others). This leads to management complexity, which leads to risk, with multiple tools to manage and maintain.

I recently worked with a customer that determined the effort to maintain the security posture on corporate owned laptops was getting too costly from both software and management perspectives.  Their business model also includes independent contractors that need access from non-corporate owned devices which they could not control.  I worked with them to see the value of virtualized apps behind Citrix Gateway ICA proxy from both an efficiency and security standpoint.  Verifying required endpoint security measures with EPA scans and sending only the pixels — not the actual application code and data — to the endpoint enhanced security and had a measurable impact on IT costs.

VPNs anchor users.

  • Traditional VPNs anchor the users to their specifically configured devices. Modern workforces are changing into highly mobile, device-flexible teams. Therefore, traditional security approaches are changing (or need to change). IT can no longer FORCE the user into certain security models. IT needs to have security models that FOLLOW the user. Traditional VPN access models limit user flexibility and often impede productivity.
  • VPN access does not allow for contextual based security. Contextual-based security models allow IT to apply security based on WHO the user is, WHAT the user is trying to access, WHERE the user is, WHEN the user is connecting and WHY they need access. This allows access to resources to be risk appropriate, allowing specific resource access where the situation is acceptable and either denying access, delivering content virtually, or redirecting to an approved experience to meet security, compliance and privacy requirements.  And, this is all automated for end users.

Going back to the customer referenced above, by using the Citrix Gateway ICA Proxy, they are able to leverage Smart Access policies and ensure only trusted devices are allowed to perform specific functions like cut/paste or print on a per-app basis. They are also able to allow different levels of application or resource access based on who the user is. Rather than give full unrestricted VPN access to an admin, even on a trusted device, they are able to limit what the administrators have direct access to when remote. This shrinks the attack surface lowering risk. When ICA Proxy is not sufficient, Citrix Gateway allows IT to provide full SSL VPN tunnels, based on the WHO, WHAT, WHERE, WHEN and WHY contextual security model.
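The WHO, WHAT, WHERE, WHEN and WHY model described above can be expressed as a default-deny decision function that picks the least-privileged access mode for each request. This is an added illustration, not Citrix code or Smart Access policy syntax; the roles, resource names, business hours and the `decide` function are hypothetical.

```python
from dataclasses import dataclass
from datetime import time
from enum import Enum

class Access(Enum):
    DENY = "deny"
    VIRTUAL_LOCKED = "ICA proxy, clipboard and print disabled"
    VIRTUAL = "ICA proxy, clipboard and print enabled"
    SSL_VPN = "SSL VPN tunnel"

@dataclass(frozen=True)
class Context:
    role: str             # WHO: "admin", "employee", "contractor"
    resource: str         # WHAT: the app or network being requested
    network: str          # WHERE: "corporate", "home" or "public"
    at: time              # WHEN: local time of the connection
    needs_tunnel: bool    # WHY: a stated need that ICA proxy cannot meet
    device_trusted: bool  # outcome of an endpoint scan (EPA-style check)

# Constructed policy data for the example, not from any real deployment.
ALLOWED = {
    "admin": {"admin-tools", "hr-app", "mgmt-network"},
    "employee": {"hr-app", "crm"},
    "contractor": {"crm"},
}
TUNNEL_RESOURCES = {"mgmt-network"}       # only these ever justify a tunnel
BUSINESS_HOURS = (time(7, 0), time(19, 0))

def decide(ctx: Context) -> Access:
    # WHO + WHAT: default deny for anything not explicitly granted.
    if ctx.resource not in ALLOWED.get(ctx.role, set()):
        return Access.DENY
    in_hours = BUSINESS_HOURS[0] <= ctx.at <= BUSINESS_HOURS[1]
    # WHERE + device posture: untrusted endpoints only ever receive pixels,
    # and never with clipboard or print mapped.
    if not ctx.device_trusted or ctx.network == "public":
        if ctx.role == "admin" and not in_hours:
            return Access.DENY            # privileged, untrusted, off-hours
        return Access.VIRTUAL_LOCKED
    # WHY + WHEN: a tunnel is the exception, never the default.
    if (ctx.needs_tunnel and ctx.role == "admin" and in_hours
            and ctx.resource in TUNNEL_RESOURCES):
        return Access.SSL_VPN
    return Access.VIRTUAL
```

Note that an administrator on a trusted device still lands on the virtual path unless the request names a tunnel-only resource during business hours, which mirrors the customer setup described above.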

BYO Initiatives

  • BYO by definition means an untrusted device — and allowing full VPN connectivity to an untrusted device is unadvisable at best, a security nightmare at worst.
  • More businesses are seeing the value in allowing users to use their device of choice as it can boost productivity and employee satisfaction while reducing enterprise endpoint and access costs.
  • Many businesses also use third-party companies to handle items such as payroll, benefits and help desk support. This is similar to BYO and since the users are not part of their company, controlling and securing the endpoint becomes an issue. Giving full VPN access to these users introduces a lot of risk and is a target for change in most of my customers.

I have worked with several customers on BYO initiatives where the IT staff still gets hung up on managing the endpoint because of security concerns related to Antivirus, security patching and the like. I point out with Citrix Gateway, the untrusted device never becomes a node on the network and Smart Access policies can be used to block local drive access, preventing copying of an infected file to a corporate file share. In addition, virtualization eliminates the direct network socket connection between endpoints, apps and file shares, further reducing the attack surface for malware. By leveraging Citrix Gateway, BYO initiatives become more manageable. Citrix’s own BYO culture embraces this.


  • Mobile devices introduce another challenge for security, as they mainly operate on untrusted networks. Full VPN clients also tend to drain battery life, can erode privacy as personal information is sent over the corporate VPN – and generally make for a cumbersome user experience.
  • Per-App VPN and Micro-VPN capabilities are further reducing the need for full VPN connectivity per device allowing for seamless access to secure corporate data. User experience is enhanced as the need to configure and launch a VPN client is removed.

When I was a consultant, I worked with several customers that were developing their mobile strategies along with targeted applications for their workforce. The ability to wrap an application in a secure container and leverage a MicroVPN with Citrix UEM and Citrix Gateway provided a secure solution that fit their strategy. They saw rapid increases in user productivity and customer satisfaction as their workforce could quickly fulfill customer requests by using any device available to them without having to go back to a laptop with full VPN.

Make the endpoint a low value target.

  • Intrusions, breaches, compromises or hacks all start somewhere – and usually with an endpoint.
  • With today’s mobile workforce using untrusted networks in coffee shops, hotels and airports, the endpoint is exposed to more threats.
  • Because applications and data are stored on the endpoints, they are a HIGH VALUE TARGET. Even with disk encryption, passcodes and other security measures, the value of the data justifies a wrongdoer’s efforts in cracking them. Think of a doctor’s laptop, a financial adviser’s laptop or laptops your sales staff uses. Data loss could be financially devastating and personally embarrassing.
  • Do you have Executives traveling to “untrusted” countries where data can be seized easily?
  • What if we can decouple the endpoint from applications and data and make those endpoints low value targets? Would using a Chromebook allow your security teams to sleep easier at night when Executives travel to those “untrusted” countries?

When I first came to Citrix, I had a customer ask me to help find a good solution for their executives that travel abroad. Because they were an existing Citrix Virtual Applications and Desktops customer, we quickly embarked on a Chromebook test. Because the Citrix solution set provides compatibility with the widest array of devices, Chromebooks were used to provide secure access for the executives as they traveled. The secure nature of the Chromebook along with virtual access to all security-sensitive resources made the international traveler’s endpoint a low value target.

The new application landscape requires new layers of security.

  • The Journey to Cloud is becoming more important for companies as they search for efficiencies, possible cost savings and competitive advantages. Of course, clouds introduce different types of applications, access methods and identity entities.
  • How do you control cut/paste, print or ensure confidential information is kept safe in a SaaS Application? How about Web Applications? How do you allow seamless access to SaaS apps and secure authentication?

These new applications and unfettered access via the internet require more effective layers to control security.  Most if not all of the customers I work with are faced with the challenges of providing secure access to SaaS apps and with securing mobile apps. And they feel that direct access to these providers is often lacking many enterprise security controls — along with required visibility.

With the recently announced Citrix Workspace app and Citrix Workspace platform, IT security teams can gain control of SaaS and Web apps and provide better security for the Enterprise. Citrix Workspace provides seamless SSO access to applications, regardless of application type. With Citrix Workspace, contextual security can be applied to Web and SaaS apps, allowing us to FOLLOW the user and apply the WHO, WHAT, WHERE, WHEN and WHY security model. Our Senior VP of Engineering, Jeroen van Rotterdam, explains it nicely in his blog post — Citrix Workspace: Embedded Browser vs Secure Browser Service vs Secure Browsing.  I am in several discussions with customers who are excited to gain control of their SaaS apps and Browser Strategies.

Before you accuse me of being a VPN hater, I believe a varied security toolbox is a must and that full VPN connectivity has a place in your security model where it makes sense (and the end-to-end trust model supports it). Citrix technologies can facilitate a policy-driven decision based on the 5Ws of Access above to allow an SSL VPN, giving you contextual-based security for your remote VPN users.

Lastly, I need to thank our Chief Security Strategist, Kurt Roemer, for encouraging me. I have had the pleasure of presenting with Kurt at several customers and the topic of VPN or no VPN seems to be one we regularly have. There’s much to discuss on this topic, so please engage us with your comments and questions.

Thanks for reading what I have to say. I hope I have sparked ideas for how you can approach remote users, security and user experience to allow the Future of Work to happen now.
