In the first part of our discussion on approaching a zero-trust security model for your organization, we laid a solid foundation by helping you to understand organization-specific requirements and to ready a framework for implementation. In this part, we’ll move toward taking definitive implementation steps by re-architecting and applying policies to assign proper levels of trust to devices and users. And as in part one, we’ll look at how Citrix solutions can help with these steps.

Revisit Your Security Architecture

Traditional IT security was limited to network segmentation using VLANs and firewall policies adjusted to control communication to and from these network segments. This evolved to micro-segmentation based on categorization of networks, apps, data, users, and more. Then, VPN made a lot of sense for securing your environment.

The rise of next-generation-firewalls brought the secure digital perimeter and the software-defined perimeter (SDP) to the forefront, supporting access to networks, apps, data, and more after authentication and proper authorization. The challenge? After the tunnel is established, neither do much to adjust the security posture based on transactional and behavioral changes when users start interacting with organizational systems.

Zero-trust proxies and containerization help to fill that gap and establish on-demand perimeters between the authenticated user and the application/desktops/data based on transaction and payload analysis. A combination of micro-segmentation, SDP, zero-trust proxies, and containerization is required for re-architecting user workflows that meet the requirements of a zero-trust security model.

How can Citrix help?

Citrix customers have leveraged Citrix Virtual Apps and Desktops as a zero-trust proxy using the HDX protocol for containerizing apps, desktops, and data into secure zones for more than 30 years. When a Citrix Virtual Apps and Desktops environment is designed with secure zones leveraging micro-segmentation, it further enhances the zero-trust formula for organizational security (see diagram below; click image for a larger view).

Bidirectional clipboard control, selective printer and drive mapping, and watermarking based on situational awareness and authentication posture are great ways to protect non-web client apps. Many customers use the same for web app delivery, as well using published browsers.

But this gets difficult for SaaS and internet-based app access. This is where Citrix Secure Workspace Access, Citrix Secure Browser service, and Citrix Gateway service with built-in web filters/proxies and enhanced security policies become essential elements in delivering a zero-trust security model. In addition to providing secure contextual access to Intranet, SaaS and virtual apps, the Citrix solution portfolio extends the enforcement of the zero-trust security model to data, devices, and networks, as well.

  • Citrix Files allows integration with DLP solutions that act as the zero-trust proxies for data going in and out of the users’ workspace.
  • Citrix Endpoint Management offers containerizing apps and data on managed devices across a range of operating systems that should cover the near-term and long-term needs of evolving organizations with an increasingly mobile workforce. CEM with microVPN (on-demand per-app VPN) allows enforcement of app-specific security policies for enterprise mobile apps delivered to devices with a multitude of form factors and operating systems.
  • Citrix SD-WAN can help with continuous analysis and securing of apps, desktops, and data traffic to and from data centers, branch locations and cloud-resource locations with granular policy-based control, depending on the classification and categorization of this traffic.
  • Citrix Analytics service allows for proactive changes to governance policies to adjust and enforce the zero-trust security model based on transactional and behavioral changes. Modern security architectures require new ways to understand and react to the robust nature of security threats. Citrix Analytics provides just that, using security policies, machine learning, and artificial intelligence.

Assigning Trust to Users and Devices

As enterprise perimeters get blurred with an increase in mobility and the transition to cloud, network-location awareness is simply not enough for trust assignment. Enhancing passwords using multi-factor authentication (MFA) and enforcing MFA based on the resource requested by the user are critical to understanding the security posture of the users. Enforcing MFA is not the end goal, but it does offer the means to the end, where enforcing a true zero-trust security model enables a passwordless future.

You need to be factor in criteria such as device enrollment into endpoint management, jailbroken vs. not jailbroken, domain-joined vs. not-domain joined, presence of AV software, up-to-date patching of AV and security hotfixes/OS/app versions, disk encryption levels, network and geo-location of devices, and more before determining the security posture of the devices. You could then use a combination of the security posture of the users and the devices to assign the trust level. Only then would the appropriate level of access be granted in a zero-trust security model.

When enforcing a device-centric security environment by layering on endpoint protection solutions, it’s easy to get carried away and end up increasing the cost of delivering endpoint security. But if your emphasis is on reducing the data exposure on the device, not only can you reduce the cost of enforcing zero-trust-security, you can also reduce the risk associated with delivering business critical and sensitive apps and data.

How can Citrix help?

Citrix Workspace acts as an identity broker, which provides our customers the flexibility to pick the IAM vendor of their choice based on where they are in their journey to offer passwordless authentication.

Citrix Workspace was designed to enable a “people-centric” approach toward security to limit the enterprise footprint from managed and unmanaged devices alike to avoid creating blind spots via shadow IT.

Using Citrix Workspace, users can access:

  • Web and SaaS apps via an embedded browser
  • Enterprise client-server apps via Citrix Virtual Apps or VDI from a locked-down environment with limited-to-no internet exposure
  • Internet access to enterprise-authorized apps via the Citrix Secure Browser service
  • Data only via virtual apps and desktops (then enforcing a zero-trust security model is simpler to manage and cheaper to own while reducing the opportunity for shadow IT to thrive)

While device-centric security solutions may be necessary for a subset of use cases, overemphasizing device security can hamper the enforcement of a realistic zero-trust security model.

Citrix Endpoint Management helps with enforcing device- and app-specific security policies at the delivery-group level. Citrix ADC allows endpoint analysis scanning of the devices to identify the risk posture of the device requesting access to resources (apps, desktops, data and networks) before challenging the user with varying levels of MFA using nFactor authentication. Only then does it grant access to selective resources based on organizationally defined trust assignments.

You might have to adjust HDX policies and GPO application based on the findings of the EPA scans across the Citrix Virtual Apps and Desktops environment, as well. This granular policy-based control, based on situational awareness and appropriate risk aware access, is unique to the solutions delivered via Citrix Workspace.

It’s a Journey, Not a Destination

Your job isn’t done once you’ve taken the steps I’ve recommended here and in part one. Properly enforcing a zero-trust security model requires continuous re-evaluation of trust assignments, business drivers, asset inventory, user behaviors, and more. You must have time-bound, privileged access management and visibility designed into the user experience and assets to enforce a zero-trust security model in a mature IT organization.

Citrix offers Citrix Director, Citrix Application Delivery Management, Citrix SD-WAN Center, and Citrix Analytics service to support consistent re-evaluation of your zero-trust security model.

At Citrix, we strive for continuous innovation to stay ahead of the changing security landscape. Like all other solutions in the market, Citrix solutions also wouldn’t provide a comprehensive coverage without integrations with auxiliary security solutions for enforcing a zero-trust security model within your organization. We flexibility with our solutions and continually innovate by adding new features, updated designs, and additional integrations with third-party security solutions. This flexibility enables organizations keep Citrix at the center of enhancing productivity and user experience without compromising their goal to achieve a consistent zero-trust security model.