Damage Control: Making what’s visible in Citrix/Terminal Servers invisible
The Citrix XenDesktop™ and XenApp™ solutions, and Windows Terminal Servers, are commonly used to provide remote access to network resources. They are typically located between the internet and the internal network, providing an entry point into internal servers—something that makes them an attractive target for hackers.
Citrix/Terminal Servers provide highly valuable functionality for session-based access from the server to the network, which must be very open to allow for all the differing user profiles and use cases. The challenge is that all traffic from every user using a Citrix/Terminal Server is seen on the network as coming from a single IP address, which might represent dozens of different user types, all with various levels of clearance.
For a traditional firewall, this means that an access rule is necessary to allow the server to access every resource that any user on that server could need. In practice, these access rules often become a permit all for the Citrix/Terminal Server. This open door to the network represents a significant security risk.
What cyber criminals can’t see, they can’t compromise.
Taking the recent Anthem breach and many other notable breaches that were the result of stolen credentials into account, it’s safe to say that nothing is out of reach. Accepting that Citrix/Terminal Server access will be compromised is the most proactive cybersecurity strategy you could take. Here’s why: hackers are, simply, the best at what they do. Research supports his theory: incident response provider Mandiant recently reported that 97 percent of organizations have been breached at least once.
Citrix/Terminal Server access rules allow users sharing an IP address to access every resource on a network segment. Once inside the network a cyber criminal who possess stolen credentials, can “see” applications and services, whether authorized or not. Enterprises need to move away from IP-centric architectures to a role-based security model, dynamically provisioning access depending on the user’s role and contextual attributes.
Once past denial, and on to acceptance, an organization can fully embrace a practical Citrix/Terminal Server security plan by focusing on minimizing risk. While the majority of cybersecurity spending historically has gone toward building up a perimeter, limiting the amount of damage intruders can do after they’re in is a powerful paradigm shift in a CXO’s strategy.
It’s time to flip cybersecurity strategies on their head.
The focus now becomes about user access and entitlements, including tight user-based controls around network access from virtual desktops. Enterprises must move away from IP-centric architectures to a role-based security model that maintains the distinction between individual users connecting through a Citrix or Windows Terminal, then dynamically provisions access on the network and application level depending on the user’s role and contextual attributes.
Dynamic access control considers factors such as, “Is the user on a laptop at home, or on an unrecognized tablet on an unsecure Wi-Fi network?” “Should access be granted in the latter case to sensitive data?”
Disruptive solutions allow organizations to limit the damage that can be done by cyber attacks (via privileged account and third-party users) by using identity and context to dynamically secure access to individual resources—essentially making the rest of an enterprise’s infrastructure invisible. They prevent the exposure of sensitive and confidential information to only allow an individual to access what they are authorized to access. This not only prevents someone from authenticating into a network if something seems amiss, but can also limit any damage a bad actor can take if they get in with stolen credentials.
This concept is taking hold at places like Coca-Cola, Google and others. It’s IT’s job to ensure that every enterprise, regardless of their size or resources, can reap the same benefits. In order to truly protect corporate data and resources, tighter user-based controls around network access from virtual desktops is critical.