As we discussed previously, almost every activity a business undertakes involves risk. Organizations cannot eliminate that risk; they can only avoid it, transfer it, or mitigate it down to some level. Residual risk is what's left after you've applied the appropriate countermeasures and controls. The security team's task is to reduce residual risk until it falls within the organization's risk appetite. Accepting what remains is the final facet of risk management: risk acceptance.

Organizations need visibility into risky behavior so they can adjust policies and apply countermeasures to reduce residual risk. This gets complicated in a cloud computing world. A cloud customer's visibility into the provider's environment is limited, and how limited depends on the service model: the further you move from IaaS toward SaaS, the more of the stack the provider operates and the less of it the customer can observe directly.

Security information and event management (SIEM) solutions can help you get this visibility. But it isn't always easy when a cloud customer has adopted a combination of IaaS, PaaS, and SaaS solutions in a hybrid cloud, which is often the case for enterprise customers. SIEM solutions are great for visibility into applications, networks, and data flows, but they often reveal little about what individual users are actually doing inside their sessions.

Threats often come from malicious cyberattacks, users downloading malicious internet content, information leakage, and unrestricted privilege escalation; more than 40 percent of these originate from internal users. SIEM solutions are great at identifying anomalies and abnormalities in an organization's applications, network, and data usage, but their dashboards display trends computed from normalized, aggregated data, and a single user's outlier behavior can easily disappear into that aggregate.

The devil is really in the details. To know what residual risk it is actually accepting, and to reduce it, a security team needs to pay close attention to individual users' risky behavioral patterns, not just normalized trends.

Security Is a Moving Target

This is where our customers realize the value of Citrix Analytics, which helps security teams find the “needle in the haystack.” We discussed Citrix Analytics in the context of risk mitigation earlier, but it is just as applicable to risk acceptance.

Understanding the common themes that emerge from visibility into individual users’ risky behavioral patterns is critical to adjusting security policies and redesigning user workflows. It ensures timely updates to your organization’s security policies so you can avoid accepting more risk than necessary. It’s also important for creating an audit trail and collecting forensic evidence in the case of a security incident.

We've had some customers that, to improve user productivity, had accepted the risks of allowing clipboard access between local and mobile devices on one side and virtual apps, virtual desktops, and mobile apps on the other.

However, once the right monitoring and visibility solutions were in place, they identified several violations where sensitive data was being exfiltrated via the clipboard into locally installed apps and documents. With Citrix Analytics, the organization would have been able to identify this added risk much earlier, adjust its security policies to match its risk appetite, and minimize its residual risk.
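To make the "normalized trends versus individual users" point concrete, here is an added example (not Citrix Analytics code, and not from the customers above) that runs two detection rules over a constructed clipboard audit log. The log format, the user names, and the byte counts are all assumptions. A single global threshold fires every day on a user whose large pastes are legitimate and never fires on the user whose volume quietly jumps, while a per-user baseline catches exactly the jump.

```python
"""Per-user baselines vs. a global threshold over clipboard audit events.

Added example, not Citrix Analytics code. The log format is an assumption:
one line per paste from a virtual session into a local application,
carrying a timestamp, the user, the destination app and the bytes copied.
"""
from collections import defaultdict
from statistics import median

# Constructed sample log (not real data). bob is a designer who legitimately
# pastes large images every day; alice's volume jumps on 2024-03-07.
SAMPLE_LOG = """\
2024-03-04T09:01:10Z user=alice dst=notepad.exe bytes=1200
2024-03-04T09:15:42Z user=bob dst=photoshop.exe bytes=150000
2024-03-04T10:02:01Z user=carol dst=excel.exe bytes=2000
2024-03-04T11:20:33Z user=dave dst=notepad.exe bytes=900
2024-03-05T08:55:09Z user=alice dst=winword.exe bytes=1500
2024-03-05T09:30:18Z user=bob dst=photoshop.exe bytes=148000
2024-03-05T10:12:47Z user=carol dst=excel.exe bytes=2100
2024-03-05T13:01:05Z user=dave dst=notepad.exe bytes=1100
2024-03-06T09:03:51Z user=alice dst=notepad.exe bytes=1400
2024-03-06T09:41:27Z user=bob dst=photoshop.exe bytes=152000
2024-03-06T10:08:14Z user=carol dst=excel.exe bytes=1900
2024-03-06T14:22:39Z user=dave dst=winword.exe bytes=1000
2024-03-07T08:47:02Z user=alice dst=excel.exe bytes=12000
2024-03-07T08:49:55Z user=alice dst=outlook.exe bytes=48000
2024-03-07T09:28:13Z user=bob dst=photoshop.exe bytes=160000
2024-03-07T10:05:30Z user=carol dst=excel.exe bytes=2300
2024-03-07T11:17:48Z user=dave dst=notepad.exe bytes=950
"""


def parse_log(text):
    """Parse 'timestamp key=value ...' lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append({"day": ts[:10], "user": kv["user"],
                       "dst": kv["dst"], "bytes": int(kv["bytes"])})
    return events


def user_daily_bytes(events):
    """{user: {day: total bytes}} with days in chronological order."""
    per = defaultdict(lambda: defaultdict(int))
    for e in events:
        per[e["user"]][e["day"]] += e["bytes"]
    return {u: dict(sorted(days.items())) for u, days in per.items()}


def global_threshold_alerts(events, threshold=100_000):
    """Dashboard-style rule: one threshold for everyone. Noisy for bob,
    silent for alice, because it ignores who is doing the pasting."""
    return [(u, d, b) for u, days in user_daily_bytes(events).items()
            for d, b in days.items() if b >= threshold]


def per_user_baseline_alerts(events, ratio=10, min_bytes=20_000, min_history=2):
    """Flag a day whose volume is `ratio` times the user's own median of
    prior days (and above an absolute floor, so tiny baselines don't alert)."""
    alerts = []
    for user, days in user_daily_bytes(events).items():
        history = []
        for day, total in days.items():
            if len(history) >= min_history:
                base = median(history)
                if total >= min_bytes and total >= ratio * base:
                    alerts.append({"user": user, "day": day, "bytes": total,
                                   "baseline": base, "ratio": round(total / base, 1)})
            history.append(total)
    return alerts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("global threshold:", global_threshold_alerts(evts))
    print("per-user baseline:", per_user_baseline_alerts(evts))
```

On this data the global rule produces four alerts, all for bob, and none for alice; the per-user rule produces one alert, for alice on 2024-03-07, at roughly 43 times her own median. The absolute floor (`min_bytes`) matters: without it, a user whose baseline is a few hundred bytes would alert on any ordinary paste.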

Minimize Residual Risk with Continuous Assessment

We've seen an increase in microservices built on containers, using Docker and orchestrators like Kubernetes and Mesos. There, developers deploy reverse proxies of their choice, often an open source ADC that is limited in functionality and does not adhere to the organization's security standards.

At several customers this was accepted as a risk when it was identified, because decisions made in silos easily fall off a security analyst's radar. However, as these microservices become increasingly critical to the apps and carry sensitive and proprietary information about an app's inner workings, it's just as important to re-evaluate the associated risks as it was to accept them as a cost of improved app development agility.

This type of risk acceptance can be fine to a degree, but when it creates a critical security loophole through a blind spot (for example, policies that protect north-south client-to-application traffic but not east-west microservices traffic), it may pose a significant danger to important business operations. Citrix ADC, deployed as an L7 reverse proxy to enforce security standards across the organization for north-south client-to-application traffic, is also available as a full-featured ADC on containers, called CPX, to protect east-west application-to-application traffic.

What if the reverse proxy protecting the microservices traffic is L4 only, and an L7 attack was crafted to get past the client-to-application tier undetected? An L4 proxy sees ports and connections, not HTTP, so a malicious path, method, header, or body passes straight through to the service. That creates a hole in the overall security posture of the application. It's why Citrix ADC CPX was designed as an L7 ADC and why an L4 ADC, by itself, is not enough to protect microservices traffic.
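The difference is easy to see on the wire. The following is an added example, not Citrix ADC or CPX code: it pushes the same constructed HTTP requests through an L4-style decision (destination port only) and an L7-style decision (parse the request, then enforce method, Host, normalized path prefix, and body size). The port, the `orders.internal` host, the `/api/v1/` prefix, and the body limit are assumed values for a hypothetical internal service.

```python
"""The same request bytes through an L4 rule and an L7 rule.

Added example, not Citrix ADC/CPX code. The policy values (port, allowed
methods, path prefix, host, body limit) are assumed for an internal
'orders' service; the request samples are constructed.
"""
import posixpath
from urllib.parse import unquote

ALLOWED_PORTS = {8443}                 # all an L4 proxy can decide on
L7_POLICY = {                          # assumed organization standard for the service
    "methods": {"GET", "POST"},
    "hosts": {"orders.internal"},
    "path_prefix": "/api/v1/",
    "max_body": 64 * 1024,
}


def l4_decision(dst_port):
    """Transport layer: the 5-tuple is the only thing visible."""
    return "allow" if dst_port in ALLOWED_PORTS else "deny"


def parse_http_request(raw):
    """Minimal HTTP/1.1 request parser (request line, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)   # ValueError if malformed
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def l7_decision(raw):
    """Application layer: parse, then enforce method, host, path and size."""
    try:
        req = parse_http_request(raw)
    except ValueError:
        return "deny", "malformed request line"
    if req["method"] not in L7_POLICY["methods"]:
        return "deny", f"method {req['method']} not allowed"
    if req["headers"].get("host") not in L7_POLICY["hosts"]:
        return "deny", "unexpected Host header"
    # Decode percent-encoding and collapse dot segments BEFORE matching the
    # prefix, otherwise '/api/v1/..%2F..%2Fetc/passwd' passes a naive check.
    path = posixpath.normpath(unquote(req["target"].split("?", 1)[0]))
    if not (path + "/").startswith(L7_POLICY["path_prefix"]):
        return "deny", f"normalized path {path} outside {L7_POLICY['path_prefix']}"
    try:
        declared = int(req["headers"].get("content-length", "0"))
    except ValueError:
        return "deny", "bad Content-Length"
    if declared != len(req["body"]) or declared > L7_POLICY["max_body"]:
        return "deny", "Content-Length mismatch or body too large"
    return "allow", "ok"


# Constructed requests. All arrive on port 8443, so L4 allows every one.
GOOD = b"GET /api/v1/orders?id=17 HTTP/1.1\r\nHost: orders.internal\r\n\r\n"
TRAVERSAL = b"GET /api/v1/..%2F..%2Fetc/passwd HTTP/1.1\r\nHost: orders.internal\r\n\r\n"
BAD_METHOD = b"TRACE /api/v1/orders HTTP/1.1\r\nHost: orders.internal\r\n\r\n"
OVERSIZED = (b"POST /api/v1/orders HTTP/1.1\r\nHost: orders.internal\r\n"
             b"Content-Length: 1000000\r\n\r\n")


def compare(samples=(GOOD, TRAVERSAL, BAD_METHOD, OVERSIZED), port=8443):
    """Return [(request line, L4 verdict, L7 verdict, reason)] for each sample."""
    return [(s.split(b"\r\n", 1)[0].decode(), l4_decision(port), *l7_decision(s))
            for s in samples]


if __name__ == "__main__":
    for row in compare():
        print(row)
```

The L4 column reads "allow" four times; the L7 column allows only the first request. The path check normalizes before comparing, which is the part a naive prefix match gets wrong: the percent-encoded `..%2F` segments decode and collapse to `/etc/passwd`, which is what the policy must be evaluated against.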

Citrix Application Delivery Management can be used to monitor and manage all the Citrix ADCs deployed in the environment. A standard set of security policies, such as enforcing a minimum cipher standard, renewing SSL/TLS certificates before they expire, and redirecting HTTP to HTTPS to enforce encryption end to end, can also be applied to containerized apps so that microservices are protected in accordance with organization standards. This is yet another example of how to minimize the residual risk associated with IT operations and accept only the residual risk that falls within the risk appetite.
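What "continuous assessment" looks like in practice is a scheduled check of every proxy against the baseline, with the risk acceptances themselves treated as findings that expire. The example below is added here and is not Citrix ADM or ADC code; the inventory records, the baseline values, and the acceptance register are assumptions standing in for what a management plane and an organization's standard would supply. It re-checks three proxies (one north-south edge, two east-west sidecars) and sorts every finding into open, accepted within appetite, or accepted but lapsed.

```python
"""Continuous assessment of proxy TLS settings against an organization
baseline, with a register of accepted exceptions that expire.

Added example, not Citrix ADM/ADC code. The inventory fields, baseline
values and exception register are assumptions; in practice the inventory
comes from the proxy management plane and the baseline from the org standard.
"""
from datetime import date

TLS_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
RUN_DATE = date(2024, 3, 7)   # fixed so the example is reproducible

BASELINE = {
    "min_tls": "TLSv1.2",
    "allowed_ciphers": {                       # forward-secret AEAD suites only
        "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
        "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
        "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
    },
    "cert_min_days_left": 30,
    "require_https_redirect": True,
}

# Constructed inventory: the north-south edge plus two east-west sidecars.
INVENTORY = [
    {"name": "edge-ns", "tier": "north-south", "min_tls": "TLSv1.2",
     "ciphers": ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-CHACHA20-POLY1305"],
     "cert_not_after": "2025-01-15", "https_redirect": True},
    {"name": "orders-ew", "tier": "east-west", "min_tls": "TLSv1",
     "ciphers": ["AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"],
     "cert_not_after": "2024-03-20", "https_redirect": False},
    {"name": "payments-ew", "tier": "east-west", "min_tls": "TLSv1.2",
     "ciphers": ["ECDHE-ECDSA-AES256-GCM-SHA384"],
     "cert_not_after": "2024-09-01", "https_redirect": False},
]

# Documented risk acceptances: (proxy, finding) -> date the acceptance expires.
ACCEPTED = {
    ("payments-ew", "NO_HTTPS_REDIRECT"): date(2024, 6, 30),  # mTLS-only listener
    ("orders-ew", "TLS_VERSION"): date(2024, 1, 31),          # lapsed, never renewed
}


def assess(proxy, today, baseline=BASELINE):
    """Return [(finding code, detail)] for one proxy."""
    findings = []
    if TLS_ORDER.index(proxy["min_tls"]) < TLS_ORDER.index(baseline["min_tls"]):
        findings.append(("TLS_VERSION", f"{proxy['min_tls']} < {baseline['min_tls']}"))
    weak = sorted(set(proxy["ciphers"]) - baseline["allowed_ciphers"])
    if weak:
        findings.append(("WEAK_CIPHER", ", ".join(weak)))
    days_left = (date.fromisoformat(proxy["cert_not_after"]) - today).days
    if days_left < baseline["cert_min_days_left"]:
        findings.append(("CERT_EXPIRY", f"{days_left} days left"))
    if baseline["require_https_redirect"] and not proxy["https_redirect"]:
        findings.append(("NO_HTTPS_REDIRECT", "plain HTTP not redirected"))
    return findings


def residual_risk_report(inventory, accepted, today, baseline=BASELINE):
    """Split every finding into open, accepted (within appetite, unexpired)
    or expired-acceptance, so each run re-evaluates yesterday's decisions."""
    report = {"open": [], "accepted": [], "expired_acceptance": []}
    for proxy in inventory:
        for code, _detail in assess(proxy, today, baseline):
            key = (proxy["name"], code)
            until = accepted.get(key)
            if until is None:
                report["open"].append(key)
            elif until < today:
                report["expired_acceptance"].append(key)
            else:
                report["accepted"].append(key)
    return report


if __name__ == "__main__":
    for p in INVENTORY:
        print(p["name"], assess(p, RUN_DATE))
    print(residual_risk_report(INVENTORY, ACCEPTED, RUN_DATE))
```

Run on the constructed inventory, the edge proxy is clean, `payments-ew` carries one finding that is covered by an unexpired acceptance, and `orders-ew` has four findings, one of which was accepted once but has lapsed. That last bucket is the point of continuous assessment: an acceptance made in a silo last year is not a decision the organization is still making this year unless someone renews it.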

Summary

Organizations must continuously monitor their risk management framework, while regularly adjusting security policies according to the changing landscape and business priorities to better balance user experience with security. In our blog series, which has covered risk management, risk avoidance, risk transference, risk mitigation, and now risk acceptance, we've shared examples from real customers and shown how you can apply Citrix solutions to meet your organization's unique risk management needs.

Get the latest information on the Citrix approach to security, privacy, and compliance and learn how we support and protect our customers in the Citrix Trust Center.