My previous post introduced the four core aspects of risk management. Here, I’ll look at the first — risk avoidance. Risk avoidance is, arguably, the most important element of risk management. It starts with a thorough business impact analysis (BIA), which enables:
- Tighter alignment across the company to prevent security practices and policies from negatively affecting business efficiency.
- Greater knowledge of the organization’s functional and non-functional requirements, like what the organization is doing and what traffic to expect.
The four steps of a thorough BIA are:
- Asset inventory: “It’s impossible to secure something you’ve lost track of.”
- Asset valuation: “Are we putting a $10 lock on a $5 bicycle?”
- Determination of criticality: “Is there a disconnect between the operations/processes and the mission/function of the organization?”
- Identify risk appetite: “You can’t eliminate risk; you can only avoid, accept, transfer and mitigate risk.”
After completing a BIA, you can move toward risk avoidance. If a risk is too high and you can’t compensate for it with adequate controls, let the opportunity pass. Avoidance is the best approach if a risk exceeds the organization’s appetite for risk.
Risk Avoidance Shouldn’t Hamper Productivity
Risk avoidance is common. We’ve seen many organizations stay away from BYO models, certain types of devices, and remote access to apps, even though it affects employee productivity and business efficiency.
But to avoid risk, it’s important to identify accurately the conditions under which an unavoidable risk exists. For example, BYO models might not be as risky for business units that don’t access highly sensitive data. Or some devices might not be too insecure for users who are always expected to be within corporate territory. And remote access to most applications with the exception of a select few that contain customer/proprietary data does not compromise the security posture of the organization. This is where contextual access-based security policies can be used to granularly identify areas where risk avoidance is the right risk management approach.
The Citrix portfolio has several solutions that can help with risk avoidance by enforcing a conditional access perimeter around the users’ workspace to minimize the impact on business efficiency.
It’s common to see heightened restrictions around access to apps and documents that contain personal identifiable information, payment card industry data, and information covered by HIPAA. Customers often choose to separate out the environments that contain restricted information into application, network, and storage repository silos so they can block access to all users unless they fall under exceptional conditions.
For example, we have several customers who selectively restrict access to these apps, networks, and data if they fall under any of the following criteria:
- Using a BYO/unmanaged device: Identified by domain membership, device certificate, user group membership, etc.
- Logging in from an untrusted network/location: Identified by the IP address, geolocation map to place user’s IP address under a restricted location, presence of a blocked forward proxy (e.g. Tor), etc.
- Logging in from a restricted device type: Identified by the user-agent, browser type, etc.
- Device Protection Software attributes: Identified from the results of an endpoint analysis scan looking for the presence of AV software/Windows firewall, running processes, availability of files, AV software scan definitions, AV software versions, AV software scan timestamps, etc.
If a user doesn’t fall under any of these criteria, only then they are allowed to access resources to avoid the risk of information falling into the wrong hands.
After making sure organization-specific controls are applied to restrict access, these customers use Citrix Virtual Apps and Desktops to isolate the apps and desktops containing the restricted information, the networks where this information resides, and the documents/files that contain these data from the device accessing them regularly. To enforce risk avoidance, they create separate machine catalogs and delivery groups or even stores on Citrix StoreFront to apply restrictive access controls on this sub-section of apps, networks, and data.
Choice and Risk Avoidance Aren’t Mutually Exclusive
Even when data are available via the use of enterprise mobile apps or storage repositories, Citrix Endpoint Management and Citrix Content Collaboration solutions enable application of similar restrictions on sensitive data.
This is where customers realize the value of a single management point for all solutions that provide access to apps, networks, and data. Inconsistent control mechanisms can lead to a fragmented policy model across the organization, especially if IT manages policies across multiple point solutions that were deployed to address gaps in a narrow set of workflows. A Citrix Cloud-hosted management portal provides a unified management platform organizations can use to enforce centralized policies across a wide range of devices and solutions, including risk avoidance policies to restricted areas.
Manage Privileged Access at Every Step
Risk avoidance also covers access to administrative components where these security policies are created and managed. This is where role-based access control (RBAC) and privileged access management (PAM) become key to ensuring administrative privileges don’t fall into the wrong hands.
RBAC and PAM policies can be created across the solutions that make up Citrix Workspace. Customers who enforce these policies and couple them with multi-factor authentication strengthen their risk avoidance stance and can protect their most sensitive assets. For customers using Citrix Cloud, these policies can be enforced for admin access from the same place where IT admins manage policies for user access.
Complexity and Risk Are Synonymous
Finally, one of the best methods for risk avoidance to eliminate complexity by consolidating redundant solutions. SSL VPN is one technology that has a lot of overlap with many remote access solutions. Check out this blog post from my colleague that discusses the pros and cons of SSL VPN in today’s application landscape.
VPN extends enterprise networks over encrypted tunnels, providing remote access to apps, desktops, and data. But it creates a large attack surface. It’s possible to secure this surface, but it requires a matrix of ancillary security solutions like forward proxies, ACLs, layered firewalls, policy-based routes, VLAN separations, and more to truly plug all the holes (and it makes remote access more complex than required).
At enterprises that use VPN, there are multiple ways to access apps and data, even those that are mission critical, sensitive, or business critical. This means you must apply security policies consistently across multiple remote-access solutions. That results in a fragmented security policy mesh that multiple teams need to manage.
We’ve seen several customers replace SSL VPN with Citrix Virtual Apps and Desktops as their standard remote access method to eliminate risk. With support for SaaS and web apps using Secure Browser, Secure Web Gateway, Citrix Secure Workspace Access, and the availability of content on Citrix Workspace, it has simplified the secure delivery of all types of apps, desktops, and data even further, while giving admins a centralized platform for managing all applicable security policies that deliver a secure workspace experience.
I am hoping that this post helps introduce the key facets around risk management and why this is so important in the cloud world. In addition to that, we started to uncover the first of the key tenets of risk management by going into the details of how you can create designs that help with risk avoidance using Citrix solutions. Keep an eye out for future posts, where we’ll dive into risk transference, mitigation/attenuation, and acceptance.