Information technology has evolved, and so has the way we engage with it for work. With the proliferation of remote work, connected devices, cloud computing systems, and access points — how can we keep users safe without impeding their productivity?

The consensus is that a perimeter-based security approach is no longer adequate to protect organizations from modern cyber-attacks. There has been rising pressure in IT to adopt a zero trust security model, and companies are rearchitecting their security stack to abide by its principles.

But with all the different tools and solutions on the market geared toward zero trust, how can we be sure that what we are implementing is having the desired effect? To help on this front, the Cybersecurity and Infrastructure Security Agency (CISA) put together the zero trust maturity model that defines what an optimal implementation of a zero trust architecture looks like across five pillars: identity, device, network, application workload, and data. In this blog post, we will look at how Citrix can help your organization achieve zero trust maturity in line with this model.

Pillar 1: Identity

The endpoint device is the new office, and our users are the new security perimeter. We are now seeing access to applications and sanctioned resources originating from multiple locations and devices. As result of this shift in how we work, identity has become increasingly important to properly enforce the zero trust principles of least privilege and just-in-time access. Traditional methods of username and password, or static MFA, for authentication are no longer considered optimal. CISA recommends using a combination of factors to explicitly verify users with dynamic MFA utilizing global identity across cloud and on-premises systems while analyzing user behavior in real time for continuous protection.

Citrix Secure Private Access, with its adaptive authentication service, can be used to support flexible authentication scenarios and advanced endpoint scans to help with getting closer to an optimal zero trust model. Users are not automatically given access to resources simply because they have logged in with correct credentials. Rather, their security posture is always assessed and verified. No matter which user persona is attempting to log in (internal, external, third-party contractor, etc.), adaptive authentication recognizes the identity of the individual and challenges them with the appropriate authentication method from any number of globally distributed identity stores that are relevant to the user.

In addition to Citrix Secure Private Access, Citrix Analytics for Security can be leveraged for user entity behavioral analysis to assess, detect, and prevent risk in real time. User requests for resources will be run through a risk analysis engine where machine learning techniques are used to identify anomalous behavior and take corrective action autonomously. The analytics service allows for centralized visibility across the Citrix stack while providing tooling for extending data and insights to SIEM platforms such as Splunk.

Pillar 2: Device

A device is any piece of hardware that can connect to the network and could include IoT, mobile, laptops, servers, and workstations, both BYO and corporate-owned. In a zero trust world, devices must be inventoried and secured to prevent unauthorized devices from accessing resources. To satisfy this, policy enforcement should be pushed to the edge where device compliance and integrity are assessed as part of the access control decision process. In doing so, we place focus on the endpoint, which allows for services and resources to be made available more directly through a single access point, reducing attack surface and complexity of administration.

In the device pillar, a move toward optimal maturity means constantly monitoring and validating device posture upon access request to resources that integrates real time analytics. With Citrix’s adaptive authentication service and its advanced endpoint analysis (EPA) scans, security teams can configure granular policy, based on OPSWAT and system definitions, to assess the security posture of devices attempting access based upon the trust requirements of the organization.

Not only is the outcome of this explicit verification process evaluated on each resource request, it is also sent to our Citrix Analytics for Security platform, where real-time analysis uses device posture as a factor in building user risk scores. Risk scores can be fed back into the authorization process as a parameter for granting access to resources with various security controls.

Pillar 3: Network

According to the CISA model, a network refers to “an open communications medium, including internal networks, wireless networks, and the internet, used to transport messages.” In a zero trust context, organizations should look to establish a network segmentation architecture that more closely aligns with the inherent needs of application workflows. To optimize this pillar, networks should incorporate micro-perimeters for ingress and egress as well as internal micro-segmentation for resource communications. All the traffic needs to be encrypted but also needs to allow for analysis via a machine learning-based threat protection system. In doing so, applications and data can be made available directly to the end user, no matter the location (remote, internal, branch office, etc.).

Citrix Workspace app provides a consolidated access point for all IT sanctioned resources — IT-managed apps within DaaS, IT-managed apps outside of DaaS, public SaaS, and websites. Real-time dynamic policies can be applied to the user based on identity and device to enable contextual access to resources, creating micro-perimeters on an individual-by-individual basis. Users are proxied to the desired resource utilizing an encrypted tunnel at the application level with just enough access to remain productive but also segmented in a way that is low risk for the organization.

Pillar 4: Application Workload

The goal here is to provide secure resource delivery to all types of applications and workloads — internal systems, computer programs, and services, both on premises and cloud-based. Access to these resources should be based on identity, device, compliance, location, and other attributes.

To provide an optimal security posture for these resources, zero trust principles must be extended to the workload to ensure appropriate levels of protection. Organizations should look to implement policy that continuously authorizes access while providing real-time risk analysis across all the user group communities. With integrated threat protections applications can be made available to the users directly over the internet thus improving user productivity and performance.

On the other hand, the threat surface increases, which makes the case to extend zero trust principles not only to the access, but also to the development of applications. Organizations should make use of CI/CD pipelines and integrated security testing during each step of the application lifecycle to provide a high-level of security assurance.

To ensure secure application delivery, admins can leverage Citrix’s adaptative access and smart access polices to make context-aware security decisions for application authorization, which reduces the associated risks while enabling access to users. With these Citrix technologies, organizations can provide granular-level access to applications and workloads based on the context. In this case, context refers to users or groups; desktop or mobile devices; geo-location or network location; device posture; and user risk score.

Citrix enables application access over the internet through a centralized point of entry, and does so in a way that is flexible for the end user’s work style. Because policy enforcement follows the user and device, organizations can choose to provide access via a variety of delivery methods. This could be the Citrix Workspace app, Citrix Workspace for web, Citrix Secure Access Agent, or direct access to the workload (agentless access). Behind the scenes, Citrix Analytics for Security is monitoring for anomalous user behavior across the entire Citrix portfolio from session start to finish. This allows for the platform to build a user risk score that can be fed back into the loop for evaluation by the adaptive access policies.

Pillar 5: Data

As we continue along the journey toward an optimal zero trust architecture, strategic data protection and classification becomes paramount for the most critical assets. Data takes many forms throughout its lifecycle (rest, in motion, use, and destruction), which provides a tricky landscape to protect. As such, multiple solutions are needed to provide layers of integration. Regardless, the focus here is to develop a robust system for data categorizing, inventorying, tracking, and tagging. Access to the data is granted dynamically and securely by utilizing encrypted communications with just-enough and just-in-time access. In the background, continuous assessment of user interaction with data is performed to provide insight for risk-based determinations.

Citrix Content Collaboration provides organizations with a cloud-based service that enables secure exchange of high-value data. Throughout the data lifecycle, Content Collaboration uses TLS to protect assets as well as a keyed-hashed messaged authentication code (HMAC) to authenticate user interactions and ensure integrity of intra-system communications. Granular access controls can be configured to protect assets, as well, and Citrix Analytics for Security can leverage Content Collaboration as a data source to detect anomalous user behavior with the data. Breaches, risky file activity, and other indicators can be identified and responded to in real-time via closed-loop autonomous actions (disabling of users, expiring links, view-only mode, etc.).

What’s Next?

As you look to improve the zero trust maturity of your organization, it is important to remember that a modern approach to security requires multiple layers of integrated solutions. More traditional technologies, such as VPN and static MFA, provide insufficient protection when it comes to ensuring a secure environment for your users and high value data. Implementing a ZTNA solution, like Citrix ZTNA solutions, gives users access to all IT resources in a way that unifies your security posture while providing insights and automated protections to keep cyberthreats at bay.