Sameer Sharma, Sr. Consultant for Cloud Architecture and Security at Citrix, recently highlighted five of the top cloud security risks. In his post, he provides high-level guidance for each cloud security risk, one of which is misconfiguration.

In August 2019, the Cloud Security Alliance released The Egregious 11, the third iteration of its Top Threats to Cloud Computing report. Misconfiguration and Insufficient Change Control is a new entry, and the CSA evidently considered this threat important enough to cite the same incident twice, in both of the first two blog posts.

In this post, we will further detail how misconfiguration risk can be efficiently managed by planning security before deployment, not as an afterthought. Planning ahead can greatly reduce misconfiguration risk at low cost and with moderate effort — a vital activity for such an important threat.

Five Practices for Overcoming the Security Misconfiguration Challenge

1) Know your security posture and map it to a security baseline

Your organization’s security posture and priorities are shaped by your organizational objectives and governance demands. Because of this, you cannot simply look up a ready-made security baseline that matches your security posture. Some government organizations can still do this, but worldwide (even in government) it is less common. Instead, it is good practice to draw your own straight line from your security posture to the appropriate security configuration.

If you are a regulated organization or you have already selected a security framework, this security baseline may already be documented in some detail. For example, if you are a government organization, a Common Criteria configuration may be a close fit. Or, if you’ve selected the CIS Controls, the CIS Benchmarks are your security baseline.

Every security baseline will need some adjustments for your particular environment. The crucial point is to minimize the adjustments, record why you made them, and then avoid changing them.

2) Apply the modified security baseline to all components

To benefit from consistent coverage, it is important to carry out the configuration for all the components of the service, including the on-premises components. Broadly speaking, IaaS (infrastructure-as-a-service) components, virtual machines, and on-premises physical machines can share the same security baseline, though physical machines will need extra security baseline settings.

PaaS (platform-as-a-service) components are more diverse and need to be planned individually.

3) Automate the configuration process

For a production deployment, you must automate the configuration process. This not only enforces the security baseline but also avoids basic security configuration errors, such as access control being turned off completely. This may involve automating security configuration at two levels: the service itself and the workload within the service. If you have a particularly complex environment, using many third-party cloud services in multiple clouds, you may consider using a specialized cloud security configuration offering.

4) Scan the configuration and know how to interpret the results

Automation isn’t just about getting the configuration right — it’s also about checking it. Most organizations use a security scanner, which, as well as detecting potential vulnerabilities, can also detect some misconfigurations. As a simple example, the popular Qualys SSL Labs server test service can detect some web server SSL and TLS misconfigurations. Other SSL/TLS scanners are available.

However, some organizations just look at the overall SSL server test score. To correct any misconfiguration, you need a security specialist to interpret the results.

Having the right skill set to interpret the results is a common challenge, and it applies to all scanner results, not just SSL/TLS. Organizations run a security scanner, generate a report, and are then not sure what to do with the results. To tackle this challenge, partner with a vendor that documents the security settings that apply to your deployment and that explains how to interpret the results from common security scanners. For example, Citrix provides documented Microsoft IIS security settings in the security deployment guidance for StoreFront, in addition to listing common security scanner findings and interpretations.
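Practices 1, 3 and 4 fit together as one automated check: record the baseline, record each adjustment with its reason, then compare what a scanner actually observes against both. The script below is an added illustration, not Citrix code or any particular scanner's output format; the baseline keys, the exception record and the observed values are constructed for the example.

```python
"""Compare scanner-observed settings with a recorded security baseline and its
documented exceptions, so only undocumented deviations are reported as
misconfigurations. Constructed example data throughout."""
from dataclasses import dataclass

# Constructed baseline (practice 1): setting -> required value.
BASELINE = {
    "tls.min_version": "TLS1.2",
    "tls.weak_ciphers_enabled": False,
    "http.hsts_enabled": True,
    "http.directory_listing": False,
    "auth.anonymous_access": False,
}

# Documented adjustments for this environment (practice 1: minimise them,
# record why). A deviation without a reason is treated as a misconfiguration.
EXCEPTIONS = {
    "http.hsts_enabled": {
        "value": False,
        "reason": "internal test listener behind TLS-terminating proxy "
                  "(change ticket: PLACEHOLDER-ID)",
    },
}

@dataclass
class Finding:
    setting: str
    expected: object
    observed: object
    status: str  # ok | documented_exception | misconfiguration | missing

def check_drift(observed, baseline=BASELINE, exceptions=EXCEPTIONS):
    """Classify every baseline setting against the observed configuration."""
    findings = []
    for key, expected in baseline.items():
        if key not in observed:  # scanner gave no data: still needs attention
            findings.append(Finding(key, expected, None, "missing"))
            continue
        actual = observed[key]
        exc = exceptions.get(key)
        if actual == expected:
            status = "ok"
        elif exc and exc["value"] == actual and exc.get("reason"):
            status = "documented_exception"
        else:
            status = "misconfiguration"
        findings.append(Finding(key, expected, actual, status))
    return findings

def needs_action(findings):
    """Findings a security specialist must act on (practice 4)."""
    return [f for f in findings if f.status in ("misconfiguration", "missing")]

# Constructed observation, as if parsed from a scanner report of one web front end.
SAMPLE_OBSERVED = {"tls.min_version": "TLS1.0", "tls.weak_ciphers_enabled": False,
                   "http.hsts_enabled": False, "http.directory_listing": False}

if __name__ == "__main__":
    for f in check_drift(SAMPLE_OBSERVED):
        print(f"{f.status:20} {f.setting}: expected={f.expected!r} observed={f.observed!r}")
```

Running it lists TLS 1.0 as a misconfiguration, the missing HSTS header as a documented exception, and the absent anonymous-access result as missing data, which is the distinction a raw scanner score does not make.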

5) Stay up to date with configuration guidance and understand the changes

Security guidance does change over time. The Qualys SSL Server Test service described above does change regularly — both the tests and the scoring criteria. These changes reflect broad industry consensus on security configuration. More generally, security scanners are frequently updated to check for new potential vulnerabilities.

While security scanners are important tools, it is crucial that organizations do not solely rely on these tools to keep track of new configuration guidance. Security scanners will only warn you about today’s issues, not upcoming changes. Stay in touch directly with the security guidance from your cloud-service providers and supporting consultants. They will give you advance warning of important changes, so you can avoid disruption.

Now that you understand good practices to overcome the security misconfiguration challenge, you will enable your organization to deploy innovative, secure cloud-based technology.