You’re probably familiar with the idea of a computer network resembling a castle with tall walls, a single front gate, and a moat. But as we all know, that’s a poor way to secure modern IT infrastructure. With thousands of access points, the presence of third-party vendors, and streams of employees and contractors joining and exiting companies, an organization’s network today looks more like a large, modern city with many points of entry. And protecting that city requires a contemporary approach to security.

How can organizations shift from perimeter-based cybersecurity approaches to the dynamic strategies required to meet the complex, ever-changing needs of a modern organization? Because of the expansion of the attack surface, accelerated in part by the pandemic, organizations must be agile and learn to pivot rapidly to stay secure. In this blog post, we’ll look at some top IT security trends, as well as strategies and tools you can leverage to defend against potential threats and keep your “city” safe.

Zero Trust and Remote Work

With the continued spread of COVID-19 and decreased spending on on-prem infrastructure, the focus in 2022 remains on the remote worker. Organizations are looking to ensure their people have secure access to the tools and data they need to be productive. As a result, cloud platforms and as-a-service adoption continue to grow, with companies emphasizing security to achieve their acceptable level of risk. That’s why they’re turning to zero trust security. With a zero trust approach, you can design a solution to help you mitigate threats that come with remote work and cloud, all while protecting your assets.

Though zero trust architectures vary, they have three principles based on NIST tenets:

  • Explicit and continuous verification: Authentication and authorization should be enforced before access and driven by dynamic policy before and during a session, based on behavioral and environmental properties.
  • Least privileged access: Grant access to IT resources on a per-session basis, limited by just-enough-access policies to minimize risk but not impede productivity. Access microsegmentation becomes an integral part of the architectural approach to mitigate lateral movement threats and justifies the rise of privileged access management (PAM). With such an approach, you can prevent unauthorized access, remove privileges as needed, and manage remote access appropriately.
  • Minimize blast radius: Segmentation zones that extend the rule of least privilege to the network and hosts by defining security zones can minimize unwanted access to sensitive apps and data, reducing lateral movement and shrinking the attack surface to contain the blast radius of a breach. In an optimal world, an organization would encrypt traffic end to end but still have insight into all resources, networks, and communications to improve threat detection and response. This often becomes a point of contention, though, because end-to-end encryption can add challenges around visibility.
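The three principles above, modeled as a small policy engine. This is an added illustration, not Citrix code; the roles, zones, resource names and the `geo_risk` signal are constructed assumptions standing in for whatever identity and risk feeds a real deployment would use.

```python
# Added illustration of the three zero trust principles (not Citrix code).
from dataclasses import dataclass, field

# Segmentation zones: the zone each (constructed) resource lives in, and the zones each role may reach.
RESOURCE_ZONE = {"hr-db": "restricted", "wiki": "general", "payroll-app": "restricted"}
ROLE_ZONES = {"engineer": {"general"}, "hr-analyst": {"general", "restricted"}}
# Just-enough-access: the most each role may ever do on a resource, regardless of what it requests.
ROLE_ACTIONS = {"engineer": {"read"}, "hr-analyst": {"read", "write"}}

@dataclass
class Context:
    """Behavioral and environmental signals, re-evaluated for the life of the session."""
    user: str
    role: str
    mfa_verified: bool
    device_compliant: bool
    geo_risk: str = "low"       # low / medium / high, from an assumed risk feed

@dataclass
class Session:
    ctx: Context
    resource: str
    actions: set = field(default_factory=set)
    active: bool = False

def evaluate(ctx, resource, requested):
    """Decide (allowed, granted_actions) for one request. Deny is the default outcome."""
    if not (ctx.mfa_verified and ctx.device_compliant) or ctx.geo_risk == "high":
        return False, set()                      # explicit verification failed
    zone = RESOURCE_ZONE.get(resource)
    if zone is None or zone not in ROLE_ZONES.get(ctx.role, set()):
        return False, set()                      # blocked by segmentation zone (no lateral reach)
    granted = set(requested) & ROLE_ACTIONS.get(ctx.role, set())
    if ctx.geo_risk == "medium":
        granted -= {"write"}                     # step privileges down under elevated risk
    return bool(granted), granted

def open_session(ctx, resource, requested):
    """Per-session grant: the session only ever carries the actions policy allowed."""
    ok, granted = evaluate(ctx, resource, requested)
    return Session(ctx, resource, granted, active=ok)

def reverify(session, **changed):
    """Continuous verification: apply a changed signal and re-run policy mid-session."""
    for k, v in changed.items():
        setattr(session.ctx, k, v)
    ok, granted = evaluate(session.ctx, session.resource, session.actions)
    session.actions, session.active = granted, ok
    return session
```

A session that started with write access drops to read-only when the risk signal rises and is revoked outright when the device falls out of compliance, without waiting for the session to end.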

In this Citrix Tech Zone article, we cover the guidelines and pillars of zero trust as well as the Citrix approach to zero trust architecture, which highlights a transition from a perimeter-security model to one that is resource-based and uses a holistic, VPN-less framework. Citrix Workspace is uniquely positioned to deliver a unified zero trust stack, and with Citrix Secure Private Access and Citrix Secure Internet Access, you can grant users access to all IT resources (VDI, SaaS, web, internet, and more) while adhering to the zero trust principles we describe above.

Cybersecurity Mesh: Extending Zero Trust Network Principles

Your users are no longer working only from inside your offices, and traditional network perimeters are far less effective when company resources can be accessed outside your organization’s walls. Because networks today are defined by the individual and the device, not physical boundaries, you must rethink your approach.

Zero trust is a security model that continuously verifies endpoints and users, rather than trusting by default. Integrating security tools into a cooperative ecosystem using a composable and scalable cybersecurity mesh lets you extend zero trust principles across those tools and justify the investment. Vendor consolidation of core components such as adaptive access, content control, security configuration, and more into cloud services decreases costs and makes adoption of this robust architecture attractive. Incorporating individual perimeters enables you to manage all access points via a centralized point of authority, which lets you grant and track various levels of access for any part of the network. It simplifies your operations and enables IT to focus on business objectives.

Now that anywhere is the new office, users need secure access to apps, data, and content from a variety of devices. Citrix Workspace and Citrix Secure Private Access deliver a user-centric approach to protecting corporate assets. You get a suite of cloud technologies that provide strategic policies and enforcement for risk mitigation, while your employees get a platform that helps them to do their best work, wherever they are and on whatever device they’re using.

Ransomware Looms Large

An unfortunate truth about ransomware is that it pays off for malicious actors. With more than 80 percent of US organizations experiencing a ransomware-style attack in 2021, experts predict more of it (and more sophisticated attacks) in 2022. With the projected rise of ransomware-as-a-service (RaaS) and access-as-a-service (AaaS), organizations cannot let their guard down.

In this white paper, we discuss ways you can protect your organization from ransomware. Using technologies for access control (MFA, least privilege principles); secure mobility (remote browser isolation, hardened email clients); risk management (frequent patching, educating and testing employees, coupled with vulnerability assessments and regular pen testing); and business continuity (enterprise data sync and sharing services, robust backups) will help prevent breaches from occurring and help you to maintain the availability of data, even during an attack.

Securing Your Supply Chain

As companies invest more into diversifying their development through supply chain processes, the potential for exposing all parties involved to more security risk increases. The supply chain model is great for rapid development, but it also poses issues that can be easily overlooked when several vendors are involved. You must continuously assess the resiliency of your vendors’ solutions because a single weak link in your supply chain might be all a malicious actor needs to attack. It is important to ask, “Do the vendors I work with provide regular feedback on assessments that support a good security posture for all those involved?”

Diving a bit deeper, each phase of the supply chain lifecycle (design; development and production; distribution; acquisition and deployment; maintenance; and disposal) poses its own set of vulnerabilities. Some common types of supply chain attacks include:

  • Compromising software building tools
  • Hijacking updates
  • Undermining code signing
  • Compromising code packaged into hardware and/or firmware
  • Pre-installing malware onto devices

To help avert such attacks across your supply chain lifecycle, NIST suggests establishing a Cyber Supply Chain Risk Management (C-SCRM) approach, one that spans the entire business and uses both technical and non-technical techniques. According to NIST, the key practices are:

  • Integrate C-SCRM across the organization
  • Establish a formal C-SCRM program
  • Know and manage critical components and suppliers
  • Understand the organization’s supply chain
  • Closely collaborate with key suppliers
  • Include key suppliers in resilience and improvement activities
  • Assess and monitor throughout the supplier relationship
  • Plan for the full lifecycle

Following these practices can help you to prevent and mitigate vulnerabilities and exploits in your software supply chain.

What Next?

One thing’s for certain in the world of IT security in 2022: Nothing’s certain. You should always be ready for change. But look at change as a way for your organization to take practical steps to avoid becoming the victim of a cybersecurity attack. And think about the following questions and how they relate to the current state of IT security at your organization:

  • In this work-from-home culture, are your employees protected anytime, anywhere, and any place?
  • Are your zero trust security policies capable of extending beyond the perimeter of the datacenter to external networks and unsanctioned IT resources?
  • Do you have the necessary visibility and protection measures to mitigate risk brought on by third-party vendors and services?

Remember, a combination of technologies (trust broker, zero trust proxies, app execution and desktop containerization) and techniques (microsegmentation, software-defined perimeter) is vital for rearchitecting workflows to satisfy the fundamentals of zero trust. A castle-and-moat approach isn’t enough and puts you at risk. Attacks are getting more complex, and you need to deploy an agile, adaptable security strategy to help keep your organization secure.

Learn more about Citrix’s secure access solutions and about zero trust.