Duration 38:12
Citrix Synergy TV - SYN115 - Secure app and workspace delivery in a hybrid multi-cloud world

Darshant Bhagat
Senior Director, Product Management & Strategy at Citrix
Citrix Synergy Atlanta 2019
May 22 2019, Atlanta, GA, United States
About the talk

Topic: IT

Hybrid cloud deployment success depends on the effectiveness of your networking and security strategy and how you manage complexity. In this session, we will teach you top use cases and real-world security architectural considerations to optimize and secure your apps, data, and workspaces. Note: This session will be available for on-demand viewing post-event on Citrix Synergy TV.

Hello everybody. How are you doing this morning? Hopefully everyone's awake. I think I see eyeballs. Not too much drinking last night, right? 00:04 My name is Robin Manke-Cassidy and I'm with our networking and Security Group here. It's the truth and my colleague with me today is 00:13 responsible for the application security portfolio as part of the Citrix ADC formerly known as NetScaler butterfly 00:23 and new things that are coming up with our application security 00:32 for workspace. Hybrid cloud. So first of all, you probably saying this if you feel like tweeting, please help yourself 00:42

if you can do ab security since 1:15, you know in Citrix Synergy, that would be awesome. 00:51 So what we're going to go over today is where security delivery transformation is happening. I 01:00 hate using the word transformation cuz I think it's overused today and then some one of our existing solutions that we have in place and some new 01:10 Security Solutions that we're bringing online here quite shortly. So first of all, let's talk about the threats that are out there. 01:18

So this is from the National Institute of Standards and Technology: 92% of the vulnerabilities that are out there have nothing to do with 01:28 your network. It has everything to do with the applications and how people are accessing them and the threats and the vectors around that. That's a huge 01:38 number. So as you're thinking about how you're deploying your application, this is a key component that you need to be thinking about. 01:48 And applications are changing as you guys probably know if it hasn't hit your organization yet. It will be in the near future. Everything 01:59

is moving towards API. So how applications are going to communicate to each other how it gets to resources those types of things are moving towards 02:08 using API almost exclusively. So as you can see from statistics Care organizations have already 02:17 experienced application breaches. I'm not sure. There's anyone in the world that has it or hasn't discovered that they already are. 02:27 And many people are not really confident with how they're doing their security protection today on their application, 02:37

you know, there's a lot of different point solutions that people put in place but they don't communicate together. You can't get a full 02:46 picture of what's really going on but makes it a little bit more difficult organizations feel that web apps are their highest security risk 02:56 and they are if you think about the applications that you're putting in place today, most of them are either web-based or SaaS-based. So it's it's not 03:06 also how you manage your the application security but you know, there was a session that I did yesterday. It's also how your users connect to those 03:15

And organizations 26% are doing little to nothing for their application security. They put it in place. They put a load balancer in front 03:26 of it and and they just go to business. You're not actually thinking about the full security component fit that needs to be put in place. So I talked 03:36 a little bit about this already, but our traditional applications in our data center on-prem have changed how many people won 03:46 are using Cloud hosted data center services are you've moved a bunch of your resources to provide already? Or thinking about it. 03:55

That's almost everybody in the room. Okay. So this is the future right? There are industries that will never or you know, in late stages 04:05 move their stuff out. But this is the reality of our world and as we move to the cloud there are new vectors that you need to take into consideration. 04:15 When you put your applications out there, for example, cloud-native applications using microservices in containers. There's a 04:23 whole new world there that you need to consider how the communication happens between and how that security how do you making sure that security is in 04:33

place to make sure that the right applications are making the right API call and you're not accepting calls from somebody you shouldn't be connecting 04:42 from So I forgot I wanted to ask one of the question how many people in the room are in kind of networking 04:50 load balancing that side of the house. Okay, and how many of you do Works be an application development? 05:00 Okay, so I'm going to turn it over to. Darshant, thank you. 05:11 So you don't ever think about going to hybrid multi-cloud. We know we talked about how some of the applications are on-prem. Some 05:23

are really moving towards and others are still Bible apps that are internally deployed either on-prem in hosted data center 05:33 or even the Cloud public cloud infrastructure-as-a-service and platform-as-a-service components and as that proliferation of 05:43 deployment models happens. And of course like Robin mention the app architecture that changing themselves from traditional to microservices. 05:52 The complexity and how to manage, you know security and risk across these deployment models significantly Rises. And then you 06:03

heard about that on the networking level. But really if you look at the latest hacks or data breaches that are happening there 06:13 all almost always at the application layer. So somebody had you know that the the black just one which was I think the Equifax hack happened because 06:22 somebody did not patch their server in the back end with an Apache Struts vulnerability is pretty common. Right? It's either you are missing some of 06:32 the components they don't they're not patched to the latest and greatest they have a vulnerability that is exposed or somebody's you know Bad actors. 06:41

I just paid or non-state actors are trying to get through and you know, I don't know password friend cuz call credential stuffing or password thing 06:51 attacks for Bots. They might be trying to get access to data using things like SQL injection and others on your web application 07:00 denial of service attack. On your application felt so there are multiple types of attacks that happened either using 07:09 Bots using trying to do unauthorized access and lastly as more and more of these apps are moving towards an API Centric 07:19

world. Your API by definition is really kind of in some ways machine-to-machine communication and windows environment. How do you 07:29 make sure that those APIs are secure? And each of these scenarios and deployed as facing to your customers 07:39 like outside public-facing or you're that bad that's deployed in the workplace environment. Like we saw gray them off into 07:49 Visionworks place yesterday with a lot of different webs watchful eyes fast and internal damage by baps the all our problems in the workplace. And so 07:58

as long as you haven't even an internal app that is published in the workspace. You want to make sure that in in in this area of malware or ransomware 08:08 you want to make sure that you're in town hall facing apps employee facing apps are also secured. So when will you think about those challenges let's 08:18 go walkthrough. How Citrix ADC and all of the security functions can help and so this is just, you know, a series of things that we 08:28 have listed are all the different tool sets all the different features that's available today in helping you protect your public-facing 08:38

or internal web apps and APIs so starting with in a layer three layer four You want to make sure that you have DDoS protection 08:48 like that. There are multiple layers of DDoS protection, but on Citrix ADC we have a robust in a set of DDoS protection features more 08:58 than 35 of them overall including flood attacks reflection attacks of different things right 09:08 certified layer three layer four firewall. So we have had ACLs for a while 09:15 and these are now certified to be used as a firewall internally, but not of the perimeter firewall what typically if you want to 09:24

segment a network for in a specific application specific compliance requirements and layer three layer four Network segmentation is good enough. You can use 09:34 Leo female 451 insecticide. Is it so 09:43 that again Making sure from an authentication authorization standpoint. We have a gamut of Integrations and a gamut of different feature 09:52 set there and then we'll dig deeper into the four things of it in the next set of four slides. 10:02 One thing I wanted to mention is on the your SSL TLS layer going to be on later today at 4 to SSL and TLS. We have 10:14

a set of you know, known for best price performance in the market, but not just that we have a set of robust features that we also support TLS 1.3. 10:24 We were the first ADC in the market to support the latest telephone. Respect as a as a beta as well as SGA. So, you know, 10:34 we always in the Forefront in the hotel and by the way, we have optimized and we 10:44 find out SSL stack. It's not the same OpenSSL stack. So you don't over the last few years have seen a lot of one of these, not to tell you he has to 10:54

tell me to is not good enough now move to TLS 1.1 1.2 in each of those scenarios because we had refined our thing, you know, that's what they'll back 11:02 much better. We didn't have the exact. We had some but then you know certainly was much better than what other vendors had to go through. 11:12 As part of Citrix ADC Premium. We also have you know, you've had this is a web application firewall for for a while now, like we're 11:25 more than three thousand customers worldwide what actively using Citrix WAF to protect against application layer attacks or 11:35

meet compliance requirements like PCI. I mean if you have PCOS if you absolutely need to deploy a WAF and if you have something to say to see 11:45 especially as a premium license you already own it, but you already have the capability to do it and more. What I'm finding is 11:53 even Point Journal apps security operations teams are requiring that you deploy web application firewall and 12:03 you have a full-featured fully functional web application firewall release signatures for it every 12:11

one to two weeks on all the new series that we find. It has all the classic OWASP Top 10 vulnerability protections. But again, this is 12:21 easy to use easy to start off a we have learning as well for an application Behavior learning and based on that we can do a lot of the checks and 12:30 relaxation. So overall it's a fully functional fully-featured web application firewall. Not just that 12:40 as part of the Citrix ADC Premium what we just announced yesterday is pretty soon. We'll have what we call bot 12:49

management. Now how many of you understand what is the problem with bots? Anybody? Okay, so 12:59 if you think about the internet traffic more than 35% of traffic today on the Internet is automation Bots 13:09 if you put up a website and I'm out and we do this small extra tall extra Monero on our own website 13:18 and we put it past boot store. We put on application firewall in front of it. We 13:26 counted more than 10 attempts to scrape the website or get into the website by bots that were based out of Alaska 13:36

University of Michigan China lot of different places. So it's not just do it could be anywhere but these are infected machines iot 13:46 devices. Net owners and using to go and just Scrape website or just going thing website and do the different things. 13:56 They're trying to find the door that they can get through on within the next few days. Your laptop has been scanned and 14:05 feel people have been poking around already. So this is a pretty common problem. The other thing that people do is dead by Pat username password on 14:15

the dark web the take the whole list and tried against the well-known website because most people reuse the username and password. So this is a 14:24 pretty common problem as well. And that's the business issues with bots things. Like they'll try to scrape your website 14:34 or you're probably facing, you know property will try to scrape your content scrap prices. They probably want to hold inventory. So that is a very 14:43 interesting case where one of the airlines in Asia. I was having a hard time selling tickets and didn't know what was going on their prices were great 14:53

that everything was perfect. What they found out when was the automatic scripts that were holding on to the inventory? 15:03 So their inventory would never actually hit the market. The automated script will keep on holding it when you if you're going to take it Master 15:12 P for 10 minutes and then you have to buy write that exact same thing is happening with the airline and that on 15:21 the airline so things happen as well in terms of what bots can do. This is a big big issue 15:31

out there today and and growing faster. So what we announced yesterday is as part of Citrix ADC. We will have support for 15:41 bot protection and bot management that'll be coming soon. Right? And so it'll help you defend against the loudest and 15:51 identified based on behavior of the device in the browser whether this is a real user human user or 15:59 this is an Automation and then based on your specification we can say is it a good automation or is this bad and it would be 16:09

like Google web crawler. You want to be indexed for search, right so bad bots and will be able to support on on both. 16:19 Any questions so far? I mean you need to think about this. It's it's they're 16:31 not just malicious necessarily but they could be competitors. They're out looking to see what your lowest prices are so they can go lower than you. 16:41 So it is not just a stop your business. It could be to affect your business. In other way. So bots the up-and-coming thing, 16:50

right and then the side effect of bots is you don't we we talked about how 35% plus of traffic coming to a website 17:00 is typically bots or automation, which means you have infrastructure in the back end to support these but you're invested in computer 17:10 storage all the other things database. To support traffic that is not really helpful to you in running the business. So when you put on 17:19 bot protection in front as a secretary scene in on the load balancer itself now, you're also helping Optimizer interested in the back end. So there is 17:29

also a cost-benefit. It's not just about security and there's also a cost-benefit and then there's the business benefit when you have data privacy, 17:39 you don't have you no other competitors scraping things are doing denial of service attacks on on your inventors 17:46 that is plaguing almost every public facing website and not just that 17:52 if you're an internal web app that you know your workspace then somebody could come in with him. And that's that. Can be 18:02 attacked in the exact same manner as well. So The scale of your protection to defer when you have a public-facing consumer-facing property 18:12

versus when you have an employee facing property, but I think the risks remain the same almost the same. So you need to put all your 18:22 security checks and balances whether its internal employee facing website web app or a customer-facing leather. 18:31 The other thing that's going to be talked about API. So Citrix ADC can be used to protect your APIs as well. 18:42 We have all the classic function better. Typical API protection solution needs protection from DDoS protection from 18:52

bots that we talked about but also things like enforcing authentication making sure that only the right Partners or the right in a 19:02 consumer standings how many times make sure that you are meeting that SLA 19:11 ability to Define and get insight into what Hobby Lobby Arabia is performing right because you need to meet certain SLA is 19:20 all of these things can be done using typically see if you can do on syndication. You can even route those 19:29 APIs to the right service point. So for example, let's say you have two or three different tiers of service for your partners. And you want without 19:39

them appropriate to the right service level you can use to check fantasy. And if you have protection and unicorn canvas routing policies to do that, 19:48 or if you want to deploy, you know, I temporarily next to you can do the exact same thing with Citrix ADC 19:57 as well. So lots of a robot that you can leverage for your website as well as a replies. I've been with 20:07 13.0 that were just released as part of Citrix ADC Premium. We also have what we call forward proxy included as part of 20:16

that ADC license and what this means is you can now use Citrix ADC as an outgoing SSL interception 20:26 point so you better get APIs and calling out or users are going out you can enforce whitelist blacklist URL filtering, 20:36 you know, all of those kind of things and make sure that your users are there APIs and not calling command and control servers not going to for proxy, 20:46 right? You can enforce that and they'll give that's part of Pacific a disagreement as well with an added URL filtering database license that 20:55

subscription for the functionality ADC Premium and making it really a 21:04 solution that you can use it. Multinational like your multiple tools to have and help you against a lot of different a 21:13 collector's suggestions. And I know everyone's probably thinking this in the back of the head cuz I know I am so if I'm turning on these 21:23 additional security capabilities, what is it doing to my ADC traffic-wise speed? Why is it going to snow all day if I turned every single 21:33

one of these on Technical question. So the short answer is this performance impact right? When you turn on more functions, 21:43 we have a detailed sizing guide both on our forward proxy as well as an application firewall, please, 21:53 you know, you can rest assured when you are trying to enable the feature you will get to understand what that might impact in terms of performance by 22:03 or do you need a license? Do you need a separate deployment? Whatever that might be in Austell seems can work with your clothes on getting that done. 22:13

My other question is so you know, we've got so many form factors. Do you know we got physical boxes? We've got virtual we've got bare metal. 22:23 Now, we've got containers are these capabilities across to all of the platforms or are we limiting it to certain has 22:33 so far and all the soccer form factors, including an 22:40 electrical MPX, SDX, VPX, which of the martial arts form factor. We just introduced in an ounce if your card is the 22:50 bare metal BLX form factor, which means it stronger than Linux process on any of your your Linux servers. It can be a UCS chassis for all that. We 23:00

share each of these factors has the exact same functionality and so you don't have to worry about whether you're deploying it in Azure or AWS or your 23:08 private data center. No matter what you're doing and very early playing it with You have the same functionality centrally-managed Central analytics 23:17 with ADM. Rackspace is now transitioning over to ADC. So if you're hosting your data 23:26 data center at all on Rackspace, this capability will be coming to you soon. 23:36

So in terms of 23:47 service 23:48 is available available in Citrix ADC for a while. Now if you're interested more in learning more about this capability your reach out to us. 23:59 We have a white paper that we can share with you and how to use Citrix ADC as an API protection device as well. 24:08 Yesterday again is coming soon 24:15 is the ability to do API protection as well as security function in a Kubernetes microservices environment. You 24:25 have teams that are in some ways working on microservices app development. Capital One 24:35

Couple maybe if you have things that I'm working towards developing apps in microservices environment almost all of them. My default are going to 24:45 turn to Kubernetes. So if you look at a Kubernetes environment, you can use Citrix ADC as a Gateway or 24:55 Ingress control with we call it Ingress device in Kubernetes environment that will help you run around and do all the things that you need to do 25:04 before traffic enter the Kubernetes cluster. So it gives you the reason that it gives you the security it helps you enforce things like that. So PLS 25:13

Pfeiffer's Rite Aid helps you route or to the right services to all of those things are available today as part of the interested, right? It could be 25:22 either a container lights were formed or you could be your existing net Centric, Tennessee next killers. We have anal capabilities from work with 25:31 ball. And then what is coming soon is the ability to do API protection in October 9th. So when you have 25:41 services and APIs exposed out of your Kubernetes cluster out of your microservices to the rest of the data center on the world you can 25:51

enforce a lot of the API protection mechanism that we just talked about. So you can enforce authentication you can make it seamless for developers to 26:01 use those templates. And so, you know, one of the key thing about it is that you don't that walks or off doesn't want to get in the way and with the 26:09 template and Whisper no solution that we have developed does not have to get in the way all day to do is to find a template and they're done with it 26:18 right for each of the APIs that they want to expose. So that's that's something that we announced yesterday. It will be available soon between dysport 26:27

right now. Any questions? 26:36 And last but not least. We also have or the last year introduced functions in NetScaler Secretary see 26:45 which allows you to do SSL offloading and there are two forms of this like this is important a lot of our customers in 26:54 the reverse proxy in the classic load balancer concept. They stop using IPS in front of the apps because everything was encrypted and 27:04 takes a lot of money lot of scale to run IPS on each of the things that are coming in encrypted to be clipped electric again, and again, 27:14

Same thing with antivirus same thing with DLP. So what we have capability now in NetScaler ADC Premium is you can now 27:23 decrypt SSL traffic send it to either an IPS or a next-gen firewall or an AV or DLP 27:33 whichever one you choose and you know, it can be multiple of those so that we can do service chaining of all the different security function and then 27:42 send it back and flipped it and in the benefit of all this is that you now can actually get visibility that you had lost productivity 27:50

encrypted but more importantly you can do it cost-effectively. You don't have to scale your other security functions and buy bigger boxes and 27:59 buy more expensive IPS. You can use the IPS you had before you bought for the encrypted traffic problem. So this works both in the reverse proxy 28:09 or you know users going to your app. And this also works you can deploy Citrix ADC in a forward proxy mode 28:19 than users going out can also go to this and we can decrypt traffic to IPS and in other security devices 28:29

and this is really called something like a visibility Appliance. So you can use Citrix ADC also the Nets at a visibility Appliance. So this is 28:38 something that has come over the last year and the latest release with v chapter 19 audio this month also improve things get 28:46 ready to copy traffic. We call it Port mirroring so you can beat the traffic mirror it to your IDS. You can mirror that HTTP traffic to 28:56 your Gigamon or some recording device that you might need for compliance. And that way you don't have to again buy bigger boxes. You can just grab with 29:06

your existing investment. So that's that's something that's available again as part of the Citrix ADC Premium. So all the security functions we talked 29:16 about so far right in when you get to ADC Premium, which I don't have an STX by before you have it or you know, you you are on the other version to 29:24 buy a premium license and imported is a great way to buy a subscription then and make sure that you are you have the flexibility all the security 29:34 functions starting from web application firewall API protection. I want to call content inspection with TLS termination and scale 29:42

as well as Know what we talked about. All of these functions are part of the premium license and then you have it available as 29:51 a consolidation play on on 5036. The weather in San Fran in your data center or all of these functions work the same way in a 30:01 shortened AWS to give lot of customers were making the journey from on-prem to public cloud and they are using it 30:11 as a way to have a consistent deployment model and visibility across these clouds. So in order to support that 30:21

we have something called Citrix ADM application delivery manager. So this is a centralized controller single-pane-of-glass that allows you to manage 30:31 all your different instances all of the different deployment on-prem or in the cloud consistently right right management it so, you know 30:41 configuration deployment using StyleBooks because he's been used by books, but not just that it's also a lot of analytics and insights. So one of the 30:50 just give me two examples for ADM gives you Insight on performance and Security Board, you can give you insights on web transaction that can give you 30:59

insights on of course, you already know what place deployment as well with with icon-x inside of America Securities more specifically 31:08 one is the whole SSL dashboard. So this dashboard is a great tool to help with auditing and meeting compliance with 31:18 this dashboard, you know exactly what ciphers what can affect Interruption Technologies Killen Al being used in your network. What certificates are 31:28 coming up for, you know expiration. What certificate do you need to focus on all the things I made easy with the simple to use dashboard and it's the 31:38

one place to go and when you have auditing requirements, you can just show this that's what it's a look at this with me have it right or leave your 31:48 meeting compliance encryption standards. And then from an application firewall standpoint, we have an application security dashboard that 31:54 gives you a whole overview on what kind of attacks are coming in. How big is the attack how many of those attacks are being viewed? 32:04 Which apps are under attack most most where the clients are coming from and where they're coming from 32:15

a very quick view on all the things that are happening with your apps and who was being attacked or who won the attacking, you know, which apps are 32:24 being attacked and then of course you can drill down and get beaten logging into each and every incident using ADM and say, okay, you know, this 32:32 is SQL injection. I'm getting it from this particular client. Let me look into it more ice all of us. Are there behind in the in the ADM? 32:42 So any any questions on you know the solutions the problem. No questions. 32:55

Clear as mud. Okay in in summary, right Citrix ADC is is really 33:05 a kind of a tool chest for you. We have tons and tons of security features that you can use to secure your application, whether they are deployed in 33:15 front of you know, in in public place in customer-facing or employee facing environments and it really is a Touchback starting from layer three layer four 33:24 with DDoS and layer three layer four firewall. They do web application firewall, you know SSL encryption standards. And then what the two new things that we 33:34

just announced yesterday with bot management, which is becoming more and more problem and how you secure your API from the theater to action and 33:43 security standpoint. If I'm just starting to look at this. I see all of these different security components that we 33:52 now have in the ADC. And I wanted to start going down this path. I'm not going to turn them all on at once right? Is there do we have a recommendation 34:02 for you know, what's most important? What would you look at next? How would you go and not every apps going to necessarily 34:12

need the same protections? Right? So I think layer three layer four 34:22 firewalling and DDoS protection SSL encryption as well as authentic. The 34:32 Next Step from there is to turn on web application firewall, especially for things basic things like SQL injection, you enable the signature 34:42 checks because we can now have signatures coming every week every two weeks. And that's the most basic thing you can do as a security hygiene for your 34:51 application right and even APIs because trust me SQL injection the most common form of attack coming in the second. Most common form is cross-site 34:59

scripting right and then these are the things that you can very easily protect against the third one is buffer overflow, which means when your forms 35:09 people try to send him a lot more data than you think you need and cause buffer overflow cuz your back-end application to crash and expose 35:16 data that you were not supposed to think that almost most basic you have to enable and then as bot management comes into picture 35:26 you have you enable bot management as a basic feature are a part of it is a female. Now 1 1 qualification is you don't need to turn on web 35:36

application firewall to use bot management or vice versa so you can decide to say I'm going to first take it off my bot management problem and see 35:45 what's going on on my website and then turn on web application firewall so you can do either way but most customers today. We have 35:54 to buy one and then graduate in two more advanced use cases 36:01 turn on the application firewall in the through 36:09 ADM watch the traffic that's that's coming through it to know where the security issues are before maybe going back and setting policy. Absolutely. 36:19

You can set policies that you say, you know, I'm just going to watch and log and not really take action or you can take action of lie 36:28 detector drop or whatever other things. Later on for alarm protection since we're going to be filtering up what the major danger items coming 36:38 through or traffic coming from I can actually set it more intelligent. That's alright. So 36:47 that's that's all thank you still we do have a couple of Please if you haven't seen someone 21 what's going on, 36:57

and in networking at Citrix, I highly suggest that we also have 237 which goes into ADM in more 37:07 detail about how you can manage all those different deployments as well as have the security side and 1/2 37:17 to 2 where they're actually going to go into how to troubleshoot common problem with your networking and and your application and please there's 37:27 one more. Can you go one more? We would love to get your feedback. Hopefully you learned a lot. Darshant is a wealth of information about security. 37:37

So, please give us your feedback would love to hear it so that we can fine-tune for our next presentations next year. So, thank you guys so much for 37:47 your attention, and if you have any questions we're going to be here for a few more minutes. So, thank you. Thank you. 37:56
