Securing the cloud endpoint

Kurt Roemer, Chief Security Strategist, Citrix | Nov. 7, 2016
For cloud’s sake, let’s reduce our security dependence on browsers

This vendor-written tech primer has been edited to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.

In the quest for securing the cloud, one key aspect is often left out of the discussion: the security impact of the cloud endpoint – most notably the imperiled browser.

As enterprises and individuals increasingly move computing to the cloud, security at the endpoint has been an escalating concern. Taking matters into their own hands, many enterprise consumers are going “direct to cloud” – avoiding enterprise IT practices that would otherwise protect endpoints, connectivity and data. Meanwhile, IT executives who once viewed cloud-based shared computing and storage infrastructure as their least trustworthy option now see the cloud as the safest choice.

And, while there’s increasing evidence that the cloud can provide real security benefits over on-premises solutions, there is a dark side: if your company has moved infrastructure, apps and data to the cloud for security, the endpoint browser is now your weakest link.

Cloud security involves provider services, networking, applications, data and the cloud endpoint. The cloud endpoint consists of all the components the user interacts with, including hardware, peripherals and the ubiquitous browser interface.

As I noted in a recent blog post, “Like it or not, today’s enterprise security landscape is heavily endpoint and user-dependent. The actions and inactions of users, coupled with unmanaged networks and questionable device states combine to make endpoint security a frustration of trust.” That’s especially true for cloud-based applications that are accessed from unmanaged systems in untrusted locations while using arbitrary browsers and security settings.

Common enterprise practice is to configure and roll out a single, all-powerful browser at the endpoint, with this standard browser supporting the needs of all applications. Plugins that include Flash, integrations with local and remote file systems, certificate chains, private keys and all other needs have been factored in for local and remote application access. The problem is that this standard browser is over-configured for everyday tasks, allows for excessive access, and presents excessive risk. The exploitation of browser platform and plugin vulnerabilities, malicious active content and phishing attacks teach the painful lessons of browser insecurity every day across the world’s web, SaaS and cloud-based services.

For cloud’s sake, let’s reduce our security dependence on browsers.

To begin, configure browsing to be specific to purpose. Publishing a browser tailored to the needs of an individual application, or of a distinct class of usage and cloud application, brings several core benefits. The specific browser version that works best with the cloud application is available to all users for consistency. The browser is hardened – with only the security extensions, frameworks and required settings for supporting a specific use case. These use cases range from mission-critical applications to administrative portals and social media browsing.
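To make the contrast concrete, the following added example (not from the original article or any vendor product) compares one over-configured standard browser against purpose-specific profiles and enforces a default-deny origin allowlist. The profile schema, extension names and hostnames are hypothetical and constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample data in a hypothetical schema (not a real browser's policy format).
STANDARD = {  # the single "all-powerful" browser rolled out to every endpoint
    "extensions": {"pdf-viewer", "password-manager", "screen-share", "legacy-toolbar"},
    "plugins": {"flash"},
    "local_file_access": True,
    "client_certs": True,
    "origins": {"*"},
}
NEEDS = {  # what each use case actually requires; doubles as its hardened profile
    "admin-portal": {"extensions": {"password-manager"}, "plugins": set(),
                     "local_file_access": False, "client_certs": True,
                     "origins": {"admin.example.com"}},
    "social-media": {"extensions": set(), "plugins": set(),
                     "local_file_access": False, "client_certs": False,
                     "origins": {"social.example.net"}},
}

def excess(profile, need):
    """List every capability the profile grants beyond what the use case needs."""
    out = []
    for key in ("extensions", "plugins", "origins"):
        out += [f"{key}:{item}" for item in sorted(profile[key] - need[key])]
    for key in ("local_file_access", "client_certs"):
        if profile[key] and not need[key]:
            out.append(key)
    return out

def navigation_allowed(profile, url):
    """Default-deny check: HTTPS only, and the host must match an allowlisted origin."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname is None:
        return False
    return "*" in profile["origins"] or parts.hostname in profile["origins"]

if __name__ == "__main__":
    for purpose, need in NEEDS.items():
        print(purpose, "excess in standard browser:", excess(STANDARD, need))
        print(purpose, "excess in purpose-built profile:", excess(need, need))
```

Every item `excess` reports for the standard browser is attack surface that the purpose-built profile removes without affecting the application it serves.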

 
