Securing the cloud endpoint

For cloud’s sake, let’s reduce our security dependence on browsers

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.

In the quest for securing the cloud, one key aspect is often left out of the discussion: the security impact of the cloud endpoint – most notably the imperiled browser.

As enterprises and individuals increasingly move computing to the cloud, security at the endpoint has been an escalating concern. Taking matters into their own hands, many enterprise consumers are going “direct to cloud” – avoiding enterprise IT practices that would otherwise protect endpoints, connectivity and data. Meanwhile, IT executives that once viewed cloud-based shared computing and storage infrastructure as their least trustworthy option now see the cloud as the safest choice.

And, while there’s increasing evidence that the cloud can provide real security benefits over on-premises solutions, there is a dark side:  If your company has moved infrastructure, apps and data to the cloud for security – the endpoint browser is now your weakest link.

Cloud security involves provider services, networking, applications, data and the cloud endpoint. The cloud endpoint consists of all the components the user interacts with, including hardware, peripherals and the ubiquitous browser interface.

As I noted in a recent blog post, "Like it or not, today’s enterprise security landscape is heavily endpoint and user-dependent. The actions and inactions of users, coupled with unmanaged networks and questionable device states combines to make endpoint security a frustration of trust.” That’s especially true for cloud-based applications that are accessed from unmanaged systems in untrusted locations while using arbitrary browsers and security settings.

Common enterprise practice is to configure and roll out a single and all-powerful browser at the endpoint, with this standard browser supporting the needs of all applications. Plugins that include Flash, integrations with local and remote file systems, certificate chains, private keys and all other needs have been factored in for local and remote application access. The problem is that this standard browser is over-configured for everyday tasks, allows for excessive access, and presents excessive risk. The exploitation of browser platform and plugin vulnerabilities, malicious active content and phishing attacks teach the painful lessons of browser insecurity everyday across the world’s web, SaaS and cloud-based services.

For cloud’s sake, let’s reduce our security dependence on browsers.

To begin, configure browsing to be specific to purpose. By publishing the browser specifically to the needs of an individual application or a distinct class of usage and cloud application, there are several core benefits. The specific browser version that works best with the cloud application is available to all users for consistency. The browser is hardened – with only the security extensions, frameworks and required settings for supporting a specific use case. These use cases range from mission-critical applications to administrative portals and social media browsing.

Next, extend the browser to support services that extend security functionality. Multi-factor authentication can be enabled to secure applications and reduce the dependency on simple passwords. Integrate content management, information rights management and ad blocking where appropriate. Don’t forget privacy – limit access to location data and personal info on endpoint. And provide these services isolated from other browser instances and in a one-time-use browser configuration whenever non-persistence benefits the security experience.

In addition, consider the benefits of virtualization of apps and data not just within the cloud provider, but all the way out to the endpoint. Virtualization enables the ability to control copy and paste in and out of specific apps and between apps, along with control over use of USB and specific peripherals.

Arbitrary links in email and other applications can be redirected to a one-time-use browser that is isolated from key resources, severely limiting the impact of malware.  Support for multiple browser frameworks, versions and app-specific configurations is enabled for specific use cases. Virtualization also supports minimal footprint endpoints such as Chromebooks, tablets, thin and zero clients for endpoint de-scoping and cost optimization. And the biggest benefit of all – data stays within the cloud and only a pixelated representation of data hits the endpoint while apps look and work the same!

It’s recommended that organizations use the cloud to provide full end-to-end security by publishing browsers for access across enterprise and cloud apps. With the deprecation of Flash and whole-scale move to HTML5, it’s a good time to update your organization’s web application and browser strategy – especially for the cloud endpoint.

The cloud endpoint is a new class of device and usage. Extend your endpoint strategy to include the cloud endpoint and the benefits of delivering virtualized browsers, apps and desktops to the cloud endpoint.

Citrix provides a complete and integrated portfolio of Workspace-as-a-Service, application delivery, virtualization, mobility, network delivery and file sharing solutions that enables IT to ensure critical systems are securely available to users via the cloud or on-premise and across any device or platform.

This story, "Securing the cloud endpoint" was originally published by Network World.

Copyright © 2016 IDG Communications, Inc.

7 secrets of successful remote IT teams