About 10 years ago, Google pioneered a security model called BeyondCorp to separate application access from network access, with a heavy emphasis on user authentication and device validation. This model replaced their corporate VPN, and its design was based on viewing security from the outside in rather than trusting whatever sits inside the network.

This model was popularized further when content-delivery network Akamai experienced a nation-state-sponsored attack around 2010 and began to design something similar. Google did the industry a favor by calling their zero-trust model BeyondCorp. It reminds us that all organizations need their own zero-trust model based on their own assets, applications, data, business drivers, user profiles, and risk profiles.

The zero-trust security model is not a single technology — it’s an evolving set of security paradigms. It draws on strong authentication, orchestration, analytics, encryption, scoring, and file-system permissions. A core tenet of a zero-trust model is privileged access management (PAM), where users have just-in-time access and just-enough access (JIT+JEA) to complete a given task. This ties user experience directly to security.

Here at Citrix, we’ve always emphasized a people-centric security approach, and it’s core to our solutions. The evidence is in how the “anytime, anywhere, any device” message has extended to “any cloud” and continues to be central to the solutions we design.

In this two-part blog series, I’ll cover how Citrix solutions can help you move closer to enforcing a true zero-trust security model within your organization.

Define Your Own Zero-Trust Security Model

You cannot buy a zero-trust security model from a vendor. It must be designed to suit your organization’s specific requirements. But this doesn’t mean you have to start from square one (and buy new IT assets). You may already own the solutions required for this redesign; you just have to rethink the enforcement of the governing policies that define user access to organizational systems (apps, data, desktops, devices, etc.).

Considering the trend of transitioning to hybrid multi-cloud architectures, it’s important to understand your organization-specific risk exposures, keeping in mind that the traditional network perimeter lines are gradually blurring.

How can Citrix help?

Do you use Citrix Virtual Apps and Desktops and Citrix ADC to deliver web and non-web apps? If so, you’ll want to look hard at nFactor authentication for conditional authentication and SmartAccess and SmartControl policies (session policies on Citrix ADC and access filters on Citrix Studio) for conditional access so you have a situationally aware access mechanism for all your Citrix users. In enforcing a zero-trust model, the ability to “inject” a separate secure, monitored jump point between user and data is critical. Citrix Virtual Apps and Desktops delivers exactly that: You can design zero-trust while supporting legacy apps.

If you’re moving a subset of your resources to the cloud and are going to be in a hybrid-cloud scenario, make sure the policies defined on premises are consistent with the policies defined for your cloud environment. This is where Citrix Virtual Apps and Desktops service on Citrix Cloud could help simplify policy enforcement across your hybrid multi-cloud environment. This is also where Citrix ADC, which offers the same functionality across on-premises and cloud-hosted form factors, could be your greatest aid in enforcing a consistent set of configurations across your hybrid multi-cloud environment.

If you’re adopting SaaS applications, make sure governance policies are consistent with on-premises apps. Citrix Secure Workspace Access, Citrix Secure Browser service, and Citrix Gateway service can help you to enforce data exfiltration protection policies (control clipboard, printer access, watermarks, etc.) on SaaS, internet, and intranet web apps that are consistent with those applied for virtual apps and desktops.

Know Your Users

It’s impossible to enforce a zero-trust security model without understanding how your users interact with your systems. You must understand the user experience, and you’ll have to redefine it based on the policies you define when you create your own zero-trust security model.

You’ll have to broker communication among your security and application owner teams to combine centralized governance policies with application-specific security policies, while keeping user experience at the center. This will also help ensure the business drivers that required the use of the apps in the first place are still met as you embrace a new zero-trust world. Proper risk management measures and user categorizations are important steps in this process.

As you approach a zero-trust model, it’s also important to pay attention to MFA in its truest sense — as validation of “what you have, what you know, and what you are.” A zero-trust model adds “what you have access to.” From a zero-trust perspective, MFA is also a step in the direction of achieving passwordless authentication (possession based + user verification).

How can Citrix help?

Citrix ADC allows integration with most, if not all, existing authentication protocols. In an enterprise environment, it’s best leveraged for MFA as an identity broker that authorizes and grants, as well as restricts and blocks, access to resources requested by the user.

Citrix Workspace customers can eliminate passwords and authenticate using biometrics thanks to the integration of Citrix Workspace with IAM solutions that offer this functionality. Microsoft recently released support for FIDO2-based sign-in with Azure AD. And because Citrix Workspace already integrates with Azure AD, this offers yet another option for customers to move toward a passwordless future, mitigating risks associated with poor password management and enabling a more secure alternative to passwords.

In this process, you’ll have to revisit the FlexCast models chosen to deliver the apps, desktops, and data for your Citrix Virtual Apps and Desktops environment. You might want to consider adding access filters defined in Citrix Studio at the Delivery Group level, based on risk scoring and the redefined user categories.

If you had been delivering a large set of web apps by publishing a browser, you might want to consider driving more efficiency by delivering those apps using Citrix Secure Browser service and/or Citrix Secure Workspace Access.

Can your users access files and folders across multiple storage locations (network drives, OneDrive for Business, SharePoint Online, Google Drive, etc.) using a multitude of methods (local client, web browser, VPN, FTP, etc.)? If so, you should consider restricting these access methods, simplifying the experience, and making it consistent by leveraging Citrix Files as your content aggregator.

Additionally, Citrix Analytics offers a dashboard to help you understand user-specific baselines as well as changes in user behavior, device trust, and network conditions (context aware and conditionally accurate). This helps you preemptively adjust security policies to changing conditions while offering just-in-time protection using closed-loop analytics, a core tenet of the zero-trust security model. This enhanced visibility and automated policy enforcement are essential to ensuring preemptive identification and continuous assessment of threats and to securing your end-user apps, desktops, files, and devices, without letting performance and user productivity suffer.

What’s Next?

In this post, I wanted to help you to understand the zero-trust security model, to introduce the two fundamental steps for creating a framework that’s unique to your organization, and to explain how Citrix solutions can help. The second post will cover the next two steps to approaching a zero-trust security model for your organization by covering how you’ll need to revisit your security architecture and what you’ll do to assign trust to users and devices. I’ll also go into details on how Citrix solutions can help. Stay tuned!