Virtualization Technology News and Information
Citrix: The Slow Death of Generic Security


What do Virtualization and Cloud executives think about 2012? Find out in this series exclusive.

The Slow Death of Generic Security

Contributed Article by Kurt Roemer, Chief Security Strategist, Citrix Systems, Inc.

We've all experienced it - security measures that seem cookie-cutter, irrelevant and invasive. It's called... generic security.

In the past, generic security was manifested in the quest for standardization and control. When IT was tasked with an objective, such as implementing security best practices or complying with regulations specified by HIPAA and PCI, it was easier to configure controls to apply across the environment. This generic layer of security resulted in security that was akin to the children's story of The Three Bears: security was often too hard or too soft - and rarely "just right."

Generic security gets in the way of business. Generic security doesn't adequately protect highly sensitive data. Generic security is expensive. Generic security needs to go. Here are two predictions specific to the gradual death of generic security in 2012:

Mobile put a PIN in the heart of security - it's time to take it out.

Depending on the situation, we need more or less than a PIN to be appropriately secure. It just amazes me how many corporate secrets are protected by a simple user-selected device PIN these days :-(. Intellectual property that should be considered private can be unlocked and easily shared with anyone at any time using just four numbers.

By the same token, that PIN becomes a nuisance rather than a benefit in certain situations. For example:
  • when it restricts the device owner from accessing public content;
  • when it becomes a personal safety issue for drivers by constantly nagging to be entered into a moving car's GPS navigation system;
  • or, when the same PIN that unlocks a device for a child's game app also gives that child access to a parent's corporate email.

What if a "Require PIN" setting could be applied to specific apps or screens, similar to how location services are controlled today? And a complementary "Require Passcode" setting could be used to restrict access to highly sensitive data and to enterprise information stored on a personal device, using stronger credentials such as multifactor authentication or biometric data. These capabilities could be further leveraged by enterprise apps and by Mobile Device Management (MDM) solutions.

Prediction: Vendors will be pressured to rethink device PIN schemes.

Best Practices? The monsters you know are not the real monsters.

When devices, applications, websites and data are being successfully attacked every day, it's obvious that the victims weren't focusing on the true threats. Security professionals were taught that if you focus on threats mitigated by Patching, Antivirus, SSL and Tokens (notice that this conveniently spells out the acronym PAST), everything would be OK - and secure. Note that these are all essential security technologies - but none can be relied on by itself; each must be complemented by further security layering, configuration and practices. Unfortunately, even up-to-date and professionally maintained systems have increasingly fallen victim to stealthy malware, zero-day attacks, and occasionally an Advanced Persistent Threat (APT). And what if a system admin knows that there's a zero-day exploit for their favorite browser, database, or PDF reader but can't do anything about it until the vendor releases a patch?

What's needed is a sandbox to further contain risk. Browsers and other oft-attacked apps would run in the sandbox, without access to filesystems or the Windows registry and without unbridled access to the network. The sandbox would be used for apps that present business risk (such as financial systems), as well as for those that present direct risks to underlying technologies. Using application and desktop virtualization, app and worker capabilities can be further restricted to disallow the use of cut/copy/paste/print/save/email in a specific situation, further mitigating the threat to sensitive data and reducing risk. Combined with centralized control over authentication, antivirus, encryption, Data Leakage Prevention (DLP), data tokenization and redaction (just to name a few) - protection of sensitive data can be made even more specific and powerful. And, without having to reach out directly to every endpoint for every copy of apps and data, IT can respond much faster if a security issue does sneak through.
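As an added example that is not part of the article or of any Citrix product, the following C program shows the containment idea above in miniature on Linux: a seccomp-BPF filter denies a child process network sockets and writable file opens while still allowing read-only opens (Linux has no registry, so filesystem and network limits stand in for it). It assumes a Linux kernel with seccomp filter support, an x86_64 or aarch64 syscall table, and a constructed probe path under /tmp.

```c
// Added example (not from the article): minimal seccomp-BPF sandbox that
// denies socket() and writable openat() in a child, leaving reads allowed.
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
/* Install the filter in the calling process. A production filter would also
 * check seccomp_data.arch before trusting the syscall number. */
static int install_sandbox(void) {
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 0, 1),   /* socket() */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),     /*  -> EPERM */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_openat, 0, 4),   /* openat() */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2])),
        BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, O_WRONLY | O_RDWR | O_CREAT, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),     /* write flag */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),             /* read-only */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),             /* other calls */
    };
    struct sock_fprog prog = { sizeof(filter) / sizeof(filter[0]), filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
/* Fork a child, sandbox it and probe what it can still do. Bitmask result:
 * 1 = network denied, 2 = file write denied, 4 = read-only open still works. */
int sandbox_probe(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int res = 0, fd;
        if (install_sandbox() != 0) _exit(100);   /* kernel refused the filter */
        if ((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0 && errno == EPERM) res |= 1;
        else if (fd >= 0) close(fd);
        if ((fd = open("/tmp/sandbox_probe.txt", O_WRONLY | O_CREAT, 0600)) < 0 && errno == EPERM) res |= 2;
        else if (fd >= 0) close(fd);               /* constructed probe path */
        if ((fd = open("/", O_RDONLY)) >= 0) { res |= 4; close(fd); }
        _exit(res);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);   /* 7 when all three checks behave as intended */
}
```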

Virtualization can also protect individuals. For employees who work within a company that uses virtualization technology, a worker's risk in using sensitive data while mobile is lowered because most content accessed by the device is housed remotely in the datacenter and any local content can be wiped immediately by IT if the device is lost.

Prediction: Virtualization will be used in more creative ways to isolate and sandbox risks to both the individual and the enterprise.


About the Author

Kurt Roemer is chief security strategist, Citrix Systems, Inc., and a member of the CTO Office. In this role, Roemer leads security, compliance and privacy strategy efforts for Citrix products. As a member of the Citrix CTO office, he sets the technical direction for security. Roemer is a seasoned information security veteran with more than 20 years of experience in networking, applications and the evolving Web services infrastructure markets. He has designed, implemented and assessed solutions and policies for Fortune 1000, mid-size and government organizations worldwide. Roemer is a CISSP and is a frequent speaker at industry conferences. Prior to joining Citrix, Roemer held roles as chief technology officer and chief security officer at NetContinuum, and headed up information technology practices at Micron Electronics, NetFRAME and Hewitt. Roemer has spoken at a wide variety of leading global security and business conferences, and has appeared as a security-issues expert on CNN, NBC, Fox Business News and the Fox News Channel.
Published Wednesday, December 14, 2011 6:35 AM by David Marshall