Risk mitigation is when an organization takes steps to decrease the likelihood and/or the impact of a risk by applying controls or countermeasures. In this context, contextual access control to company resources is required so that business efficiency is not negatively impacted. Citrix offers solutions that provide conditional authentication, authorization, and access to applications, networks, and data. In my post on risk avoidance, I covered some ways to identify the conditions under which access may need to be restricted or avoided, and under which policies can be enforced to reduce the threat surface.

Contextual Risk Mitigation Is Key

One of the most common use cases for Citrix Virtual Apps and Desktops is to isolate the local device from the data center or cloud that hosts the application and desktop workloads. This prevents data from being exfiltrated from within the virtual application or desktop to the local device. Not only does this protect confidential data if the device is lost or stolen, the user is also back to being productive quickly and, likely, at minimal cost, because a lower-end endpoint device is enough to provide access to virtual apps and desktops.

This can get complicated, though, if interactivity with the virtual app or desktop needs to be limited further. A blanket policy of blocking users on BYO devices or suspected lost/stolen devices only hinders business efficiency.

We have several customers that enforce multi-factor authentication for contractors, or even remote employees, accessing applications, networks, and data from untrusted devices, untrusted network locations or geolocations, and other untrustworthy conditions. However, this proves inefficient for employees accessing the same resources from managed, company-owned devices located within their offices. In this case, conditional authentication and authorization policies for risk mitigation help balance security and productivity.

Many customers choose to block clipboard, local printer, local drive, and peripheral access if a user belongs to a restricted group, if a device is unmanaged, compromised, or not adherent to the organization’s security policies, or if the user is operating from an untrusted or blocked network or geolocation. SmartAccess and SmartControl policies of this type can be configured to restrict the interactivity between the local device and the SaaS application, intranet website, or virtual application or desktop.

By enforcing these granular security policies, organizations can lock down the application or desktop experience when the conditions under which users are accessing sensitive applications, networks, and data aren’t sufficiently trustworthy.

For example, if a keylogger is found on the local desktop that is accessing an enterprise web app, SaaS app, virtual application or desktop, or even files, admins can grey out interaction with Citrix Workspace. Admins can also enforce a watermark on the session to dissuade screen captures or photos of the screen taken with mobile devices.
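To make the contextual policy logic of the last few paragraphs concrete, here is an added example (not Citrix code) of a minimal policy evaluator that maps a session's context (group membership, device posture, network trust, keylogger detection, resource sensitivity) to the restrictions to apply. The context field names, the `restricted` group name, and the rule thresholds are assumptions for illustration.

```python
# Added example, not Citrix SmartAccess/SmartControl code: a small
# contextual access policy evaluator. Field names and rules are assumptions.
from dataclasses import dataclass, field

# Channels between the endpoint and the session that can leak data.
ALL_CHANNELS = {"clipboard", "local_printer", "local_drives", "peripherals"}

@dataclass(frozen=True)
class AccessContext:
    user_groups: frozenset
    managed_device: bool
    compliant_device: bool      # passes the endpoint posture check
    keylogger_detected: bool
    network_trusted: bool       # office network / allowed geolocation
    resource_sensitive: bool

@dataclass
class AccessDecision:
    allow: bool = True
    require_mfa: bool = False
    blocked_channels: set = field(default_factory=set)
    watermark: bool = False
    reasons: list = field(default_factory=list)

def evaluate(ctx: AccessContext) -> AccessDecision:
    """Return the session restrictions to apply for this context."""
    d = AccessDecision()
    # Keylogger on the endpoint: interaction is greyed out entirely.
    if ctx.keylogger_detected:
        d.allow = False
        d.reasons.append("keylogger detected on endpoint")
        return d
    # Untrusted network or unmanaged device: step-up authentication.
    if not ctx.network_trusted or not ctx.managed_device:
        d.require_mfa = True
        d.reasons.append("untrusted network or unmanaged device")
    # Restricted group, non-compliant/unmanaged device, or untrusted network:
    # block the data-exfiltration channels between endpoint and session.
    if ("restricted" in ctx.user_groups or not ctx.compliant_device
            or not ctx.managed_device or not ctx.network_trusted):
        d.blocked_channels |= ALL_CHANNELS
        d.reasons.append("exfiltration channels blocked")
    # Sensitive resources always carry a visible watermark.
    if ctx.resource_sensitive:
        d.watermark = True
    return d
```

A managed, compliant device on the office network gets an unrestricted session, while a contractor on an unmanaged device over an untrusted network is stepped up to MFA, loses the clipboard, drive, printer, and peripheral channels, and sees a watermark on sensitive resources.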

Conditional Access to Balance Productivity and Risk

For mobile phone users, some customers have chosen to deploy policies that block the camera and enforce full VPN tunnels from managed devices. Users without company-owned devices can still access enterprise mobile applications and productivity apps, but admins can limit their interaction with local apps and file repositories by enforcing a microVPN tunnel and applying application restriction policies. Even access to files and documents marked as sensitive by a DLP solution, whether from a physical computer, a virtual app/desktop, or a mobile device, can be restricted by applying information rights management policies using Citrix Content Collaboration.

Customize Security Based on Applicability

Web application firewalls (WAFs) that are primarily signature based are great for protection against zero-day attacks but are often inadequate for mitigating unique, application-specific risks. Your WAF solution should enable you to apply customizations specific to the application flow and data flow in order to fully plug the holes in a web application. Citrix ADC offers a WAF that uses a hybrid security model: it combines the benefits of industry-wide known signatures with admin-customizable policies that make the WAF configuration unique to the organization's needs and to the application and data flow. Citrix ADC also integrates with Citrix Application Delivery Management (and the Citrix ADM service) to provide visibility across the entire hybrid multi-cloud web app estate in a single pane of glass, and offers additional security analytics using the Citrix Analytics service.

Risk Mitigation Requires Reliability

Network reliability is one of the most critical aspects of risk mitigation within a business continuity/disaster recovery context. Enterprise customers have opted to deploy expensive MPLS links and, in some cases, even dual MPLS links to protect against network failure between data centers and branch locations. Although significantly more expensive, MPLS links provide a higher degree of security for these connections and, arguably, more resiliency between data centers and branch locations because they are backed by SLAs.

However, SLAs don’t protect against data loss. This has driven the emergence of an SD-WAN market that combines multiple links across the internet (ADSL, 4G, MPLS, and more) and enforces site-to-site IPsec tunnels for secure transmission of data across the virtual path.

In the context of risk mitigation, Citrix SD-WAN can help organizations classify applications and prioritize their delivery across links according to that classification. Citrix SD-WAN also integrates with third-party firewalls (such as Palo Alto) and CASB providers (such as Zscaler), as well as with the Azure backbone, to optimize the delivery of SaaS apps like O365 while reducing backhaul. For example, at a healthcare organization it is more critical to deliver EMR/EHR applications over an MPLS link, while VoIP applications can be delivered over a less reliable internet link when there is bandwidth contention.

In addition, Citrix SD-WAN allows packet duplication across multiple links, so organizations can deliver VoIP reliably across all available links and avoid losing VoIP data during brownouts or higher-than-usual latency and packet loss on a single link. And because HDX is a proprietary protocol, different types of content within a session can be delivered over different types of links based on the priority of the content and the availability and resiliency of the links. For example, if a print job takes up most of the available bandwidth within an HDX session, organizations can deliver the interactive traffic of the virtual app over a more reliable link with more available bandwidth, avoiding contention with print jobs and mitigating the risk of losing access to applications critical to business operations.
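The two SD-WAN paragraphs above describe per-application path selection plus packet duplication for loss-sensitive traffic. The following is an added illustration (not Citrix SD-WAN code) of that decision logic: critical classes prefer a healthy MPLS link, bulk traffic such as HDX print is steered onto a cheaper healthy link so it does not contend with interactive traffic, and VoIP is duplicated across every link whenever any link is degraded. The application class table, link fields, and health thresholds are assumptions.

```python
# Added example, not Citrix SD-WAN code: per-application WAN path selection
# with packet duplication for VoIP during brownouts. Class names, health
# thresholds, and link statistics are assumptions for illustration.
from dataclasses import dataclass

@dataclass
class Link:
    name: str
    kind: str          # "mpls", "internet", or "lte"
    latency_ms: float
    loss_pct: float
    free_mbps: float

# Lower number = higher delivery priority (constructed policy table).
APP_CLASS = {"ehr": 1, "hdx_interactive": 2, "voip": 3, "hdx_print": 5}

def healthy(link: Link, max_latency_ms=150.0, max_loss_pct=1.0) -> bool:
    """A link is usable when latency and loss are within the thresholds."""
    return link.latency_ms <= max_latency_ms and link.loss_pct <= max_loss_pct

def select_paths(app: str, links: list) -> list:
    """Return the link(s) an application's packets should be sent on."""
    prio = APP_CLASS[app]
    good = [l for l in links if healthy(l)]
    # VoIP is brownout-sensitive: when any link is degraded, duplicate the
    # stream over every link so at least one copy arrives.
    if app == "voip" and len(good) < len(links):
        return list(links)
    # Critical classes (EHR, interactive HDX) prefer a healthy MPLS link.
    if prio <= 2:
        mpls = [l for l in good if l.kind == "mpls"]
        if mpls:
            return [max(mpls, key=lambda l: l.free_mbps)]
    # Bulk/low-priority traffic (e.g. HDX print) is kept off MPLS when a
    # healthy cheaper link exists, so it does not contend with interactive.
    if prio >= 5:
        cheap = [l for l in good if l.kind != "mpls"]
        if cheap:
            return [max(cheap, key=lambda l: l.free_mbps)]
    # Otherwise use the healthy link with the most free bandwidth,
    # falling back to any link if none is healthy.
    pool = good or links
    return [max(pool, key=lambda l: l.free_mbps)]
```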

If You See Something, Do Something About It

If suspicious activity is detected, users can be logged off their sessions, forced to update their AV definitions, forced to enroll in MDM, have their accounts suspended, and more. IT admins can do this in response to alerts they receive when users violate the organization’s security policies, or proactively by defining rules that respond to violations automatically.

Citrix Analytics uses closed-loop feedback mechanisms that rely on machine learning to provide added visibility into user activities and enable the building of risk profiles. These risk profiles are based on each individual user’s behavior across their access to SaaS, web, mobile, and virtual applications and desktops, as well as files and documents accessed from Citrix Workspace.

Citrix Analytics captures events from the use of Citrix solutions and from Microsoft Security Graph to deliver a holistic view of users’ risky behavioral patterns. It allows admins to see trends in users’ usage patterns and common violations, so they can either proactively correct risky behavior or give the security team feedback on policies that may need to be updated as workflows evolve.