I wanted to start this post by revisiting my five-part Security Design Decisions blog series, which you can find here and is linked throughout this blog. Its purpose was to explore the need for a robust security framework, which still holds true today.
Designing a strong and effective security framework requires making a host of decisions around each of the layers listed below.
Humans are considered the most significant threat to information security. Identifying user groups is the primary step before moving into design or deployment of any Citrix solution. Enterprises must perform an in-depth assessment of user workflows to define which resources each user group requires access to.
These identified user groups should be fed into the Citrix delivery method, which drives key decisions including between server OS (multi-user) and desktop OS (single user) workloads and between persistent and non-persistent. Generally, multi-user workloads are more cost-effective but inherently riskier than single user workloads, as both high-value and high-risk personnel can co-exist on the same system.
By applying the principle of least privilege, we can categorize users before assigning them to a group so that different security measures can be applied to different user groups. It is important to avoid providing “super” administrator roles to any users and adhere to separation of duty guidelines.
Read my 2017 post on User Layers here.
The access layer is like a great wall that stands between users and the resources they need. This layer is the first line of defense and it cannot be weak — your security is only as strong as your weakest link.
The first step here is to identify the employees, partners, clients, or vendors who require access and further categorize them as described in the User Layer section. The next step is to identify the resources we intend to safeguard from potential risks associated with access.
We live in a hypermobility environment where users can access resources from anywhere, at any time, and using any device. Mobility has expanded the threat landscape, and the enterprise now must assume that internal and external access are equally risky considering the spread of personal device usage within the enterprise environment. The Citrix ADC MPX or SDX series have all the right ingredients to mitigate security threats and risks for both internal and external access. For example, Citrix Web App Firewall can be leveraged to protect the environment against internal or external threats such as denial of service (DOS), cross-site scripting (XSS), and other security-related attacks.
Finally, how are users authenticated? Traditional passwords are no longer an effective means to protect the enterprise environment, as users are considered their own worst enemies when it comes to password management. One solution is to use multi-factor authentication (MFA). Although more complex, it is a strong deterrent, as our own Hector Lima explains here.
Read my 2017 post on Access Layers here.
The resource layer is used to provide virtual application and desktop services. Virtualizing applications and desktops is a secure means to deliver resources to users. But without proper controls in place, the user session can be “jailbroken” to gain a foothold in the environment. By applying a segregation model, we can categorize and separate types of users and applications based on their sensitivity level. Sensitivity level is determined by three elements:
- The types of data (high value or low value) being accessed;
- Each user’s value and risk to the organization; and
- Each application’s value and risk.
The next step is to identify the type of policy needed to control the resource delivery and develop it by addressing the following questions:
- What is the policy controlling?
- Where and when will the policy be applied?
- How will the policy impact the end-user experience?
Finally, secure the server and desktop VDAs by removing unused services, uninstalling unused applications, applying Citrix and Microsoft updates, and installing an anti-virus agent, host intrusion prevention system (HIPS), host intrusion detection system (HIDS) and data leak prevention tools. In short, establish and enforce a minimum VDA hardening baseline policy.
Read my 2017 post on Resource Layers here.
As the command center, the Control Layer is the most critical component that requires protection — a lot can go wrong if a malicious user takes control. Four strategies can be applied to secure this layer. First, apply multilateral security by dividing the Control Layer into access controllers, delivery controllers, infrastructure controllers, shared storage, and network connectivity. The purpose of applying multilateral security is to reduce the failure domain and containerize any malicious activity within a silo, preventing it from overflowing into the next one.
The second strategy is to manage the vulnerabilities of critical infrastructure servers. All the components that directly or indirectly relate to this layer need to be proactively monitored for potential vulnerability. All an attacker requires is an exploitable vulnerability to gain access to the environment and perform a malicious act.
The next strategy is managing the overall Citrix infrastructure configurations. Improper configuration or an inability to configure the correct options can expose the environment to various types of threats from inside and outside the enterprise realm. A thorough configuration management process should be in place to ensure protective actions are taken, such as changing or disabling default account passwords, which can be easily obtain by performing a quick search on the internet.
The final piece in the Control Layer strategic plan is access management. The administrator’s role should be specific to job scope and avoid privilege creep. It is also important to restrict service account permissions as they can enable a malicious user to launch an attack using a privileged account.
Read my 2017 post on Control Layers here.
The hardware layer is the foundation of the overall security framework. Failure of security control in the Physical Layer can ripple through the layers built on top. We need to start by securing physical access to the environment with measures such as employee access cards, barricades, locks, biometrics, turnstiles, log books, and more. Next is environmental monitoring, which includes a CCTV command center staffed by security personnel. Third, it is critical to continuously monitor temperature and humidity of the data center and ensure that fire, smoke, and CO2 alarms are functional and tested.
A key part of this layer is physical control over human resources by implementing separation of duty, carefully selecting and authorizing administrators to access the physical environment, performing thorough background verifications, having employees sign a nondisclosure agreement, and, finally, scheduling periodic security awareness and policy training.
Aside from these physical access and personnel controls, we need to implement security controls on the virtualization stack, such as the hypervisor. While virtualization offers many benefits, it also introduces specific threats such as VM sprawl, hypervisor attacks, inter-VM attacks, data co-mingling, and instant-on gaps. These can combine with existing guest operating system concerns, such as hyper-jumping, inter-VM attack, hypervisor attack, VM sprawl, data co-mingling, and instant-on gaps.
Read my 2017 post on Physical Layers here.
The Citrix Consulting Security Practice can help you with your design and hardening needs. Feel free to reach out or read more about our security practice.
— Sameer Sharma, Senior Consultant