For better protection, stop buying security products

by Stan Black, Chief Security, and Information Officer, Citrix

Do the security products you’re buying make you feel any safer? Are you fundamentally improving your security posture, or are you still just one hacker innovation away from disaster? If only questions like these were harder to answer.  In reality, the traditional approach to cybersecurity just doesn’t work. Point solutions add complexity. Hackers will always move faster than their targets. Constantly- changing digital environments add potential vulnerabilities every day—and a single compromised app can bring your whole business to its knees. We can’t keep using the same tired security strategy hoping to get different results. There has to be a better way to do this.

There is. Instead of throwing dozens of security products at thousands of individual apps and hoping for the best, we can take a better approach to cybersecurity. Make security frustrating for hackers—not users and IT

Traditional security takes a tool-by-tool approach to protection. Any user can tell you what this does to productivity; a high- friction security experience makes it harder to get work done at a time when innovation and agility have never been more critical for business success. The resulting patchwork security infrastructure also adds complexity and overhead for IT, slows threat detection, and makes it easier for attackers to find and exploit vulnerabilities.

Now consider a different approach.   Instead of fighting a losing battle to protect thousands of apps one-by-one, what if you built security into your infrastructure as a whole?  By changing the way services are delivered, you can get security out of users’ way, simplify life for IT, and achieve a much smaller, more easily defended attack surface—no matter how much change digital transformation drives in your environment.

It’s all about the pipes

One of the most appealing aspects of hacking is the huge return on the effort you can achieve. With 1,000 – 3,500 apps running in the average organization, many of them lacking the latest security patches, it’s never hard to find a soft target to exploit. Once you breach a single app, you’re in— and you can roam the enterprise environment at will. Life is good. Hacking would be a lot less fun and rewarding if a breach only affected that individual session. You might ruin that employee’s day, but that’s about it. For the rest of the organization, it’s still business as usual.

To understand how this can work, think of how water delivery works. Everyone in the community shares the same water main.  If there’s a crack, everyone downstream gets dirty water. But what if we replaced that shared main with a dedicated pipe for each customer? Then a single pipe means a single person gets dirty water while everyone else is unaffected. It’s a nuisance, not a community-wide crisis.

Now apply that model to the way we deliver IT services like apps, networking, and cloud. By giving each user their own dedicated, secure session—or pipe—we can limit the impact of a breach to that specific session and prevent it from spreading across the IT environment and organization. It’s a simple concept: we define user identity by role, not device or location. That individual identity determines the set of services each user receives. Because identities and services are assigned individually, one user’s compromised session can be terminated without affecting other users. It’s a bad experience for one person—not the whole business. Two people, actually; the hacker will be pretty frustrated as well.

Keeping it simple

Remember, part of our goal is to make security both simpler and more effective. Shifting focus from apps to infrastructure does both. Instead of worrying about thousands of unique and diverse points of entry— your apps—you can focus on creating the best pipe possible, test it thoroughly, and then roll it out across your organization.  As patches become available, a standardized pipe makes it easier to test before deployment; meanwhile, your individualized delivery infrastructure acts as a buffer to keep any breaches from infecting the whole network. That holistic approach means you’re dealing with one delivery infrastructure, not a constantly- growing, ever-changing set of apps and services. And you don’t have to worry about buying, configuring, and managing an endless stream of security point solutions.

It’s not hard to make the change from app-centric security to a secure delivery infrastructure. First, make sure you have consistent visibility across your infrastructure and take an inventory of the way services are delivered in your business. Then use this knowledge to figure out the best way to ensure end-to-end protection from services to the user.

For too long, hackers have held structural advantages that make cybersecurity tenuous at best, as well as costly, labor-intensive, and frustrating for users and IT alike. It’s time to stop playing this losing game of cat-and-mouse. By focusing on a secure delivery infrastructure, you can make breaches harder to accomplish, less rewarding for hackers, and less damaging for users and your business.

About the Author

Stan Black, Citrix SVP, chief security, and information officer Stan Black, CISSP, is the SVP and Chief Security and Information Officer at Citrix where he is in charge of the secure delivery of applications and data. A key component of that is creating a security strategy to deliver experience, security, and choice to customers and employees. That flexibility enables workers to be secure and productive from anywhere, anytime. Black and his global technology and security team, a combination of security and IT teams, stop 54 billion attacks per quarter. His organization also monitors the global threat landscape and manages incident response and physical security to protect the safety of Citrix employees. Black is a seasoned security veteran with more than twenty-five years of experience in cybersecurity, reducing business risk, threat intelligence, corporate data protection, infrastructure simplification, and crisis management. His experience has provided him the opportunity to deliver durable security and risk solutions to global 1000’s, countries and public agencies around the world.