Transcript of a sponsored discussion on the heightened role of security in the age of global cloud and mobile delivery of apps and data.

1. Expert Panel Explores Heightened Role of Security for
Cloud and Mobile Apps Delivery
Transcript of a sponsored discussion on the heightened role of security in the age of global cloud
and mobile delivery of apps and data.
Listen to the podcast. Find it on iTunes. Get the mobile app. Sponsor: Citrix.
Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you're
listening to BriefingsDirect.
Our next innovation thought leadership panel discussion focuses on the
heightened role of security in the age of global cloud and mobile delivery of
apps and data. As enterprises and small to medium-sized businesses
(SMBs) alike weigh the balance of apps and convenience with security -- a
new dynamic is emerging.
Security concerns increasingly dwarf other architecture considerations. Yet
advances in thin clients, desktop virtualization (VDI), cloud management
services, and mobile delivery networks are allowing both increased security and edge
applications performance gains.
To learn more about end-to-end security for apps and data, please join me in welcoming our
panel. We're here with Stan Black, the Chief Security Officer at Citrix. Welcome, Stan.
Learn about the Citrix Security Portfolio
of Workspace-as-a-Service, Application Delivery,
Virtualization, Mobility, Network Delivery,
and File-Sharing Solutions
Stan Black: Thank you very much for having me.
Gardner: We're also here with Chad Wilson, Director of Information Security at Children's
National Health System in Washington, DC.
Chad Wilson: Hi, thank you.
Gardner: Whit Baker joins us, the IT Director at The Watershed in Delray Beach, Florida.
Whit Baker: Thank you so much for having me.
Gardner: And we're also here with Craig Patterson, CEO of Patterson & Associates in San
Antonio, Texas. Welcome, Craig.
Craig Patterson: Thank you very much.
Gardner

2. Gardner: And lastly, we have Dan Kaminsky, Chief Scientist at White Ops in San Francisco.
Welcome, Dan.
Dan Kaminsky: It’s an honor and a pleasure.
Gardner: Stan, let’s start with you. A first major use case of VDI was the stateless client. All the
data and apps remain on the server, locked down, controlled. But now data is mobile, and we're
all mobile. So, how can we take security on the road, so to speak?
How do we move past the safe state of VDI to full mobile, but not lose
our security control?
Black: Probably the largest challenge we all have is maintaining
consistent connectivity. We're now able to keep data locally or make it highly extensible, whether
it’s delivered through the cloud or a virtualized application. So, it’s a mix and a blend, but from a
security lens, each one of those of service capabilities has a certain nuance that we need to be
cognizant of while we're trying to protect data at rest, in use, and in motion.
Gardner: I heard you speak about bring your own device (BYOD), and for you, BYOD devices
have ended up being more secure than company-provided devices. Why do you think that is?
Caring for assets
Black: Well, if you own the car, you tend to take care of it. When you have a BYOD asset, you
tend to take care of it, because ultimately, you're going to own that, whether it’s purchased for
you with a retainer or what have you.
Often, corporate-issued assets are like a car rental. You might not bring it back
the same way you took it. So it has really changed quite a bit. But the
containerization gives us the ability to provide as much, if not more, control in
that BYOD asset.
Gardner: This also I think points out the importance of behaviors and end-user
culture and thinking about security, acting in certain ways. Let's go to you, Craig. How do we get
that benefit of behavior and culture as we think more about mobility and security?
Patterson: When we look at mobile, we've had people who would have a mobile device out in
the field. They're accustomed to being able to take an email, and that email may have, in our
situation, private information -- Social Security numbers, certain client IDs --on it, things that we
really don't want out in the public space. The culture has been, take a picture of the screen and
text it to someone else. Now, it’s in another space, and that private information is out there.
You go from working in a home environment, where you text everything back and forth, to
having secure information that needs to be containerized, shrink-wrapped, and not go outside a
Black

3. certain control parameter for security. Now, you're having culture fight utilization. People are
accustomed to using their devices in one way and now, they have to learn a different way of
using devices with a secure environment and wrapping. That’s what we're running into.
Gardner: We've also heard at the recent Citrix Synergy 2016 in Las Vegas that IT should be able
to say "yes," that it's an important part of getting to better productivity.
Dan, how do we get people to behave well in secure terms, but not maybe say "no"? Is there a
carrot approach to this? Is there an encouragement approach to people thinking about better
security postures?
Kaminsky: Absolutely. At the end of the day, our users are going to go ahead and do stuff they
need to get their jobs done. I always laugh when people say, "I can’t believe that person opened a
PDF from the Internet." They work in HR. Their job is to open resumes. If they
don’t open resumes, they're going to lose their job and be replaced by someone
else.
The thing I see a lot is that a lot of these software-as-a-service (SaaS) providers
are being pressed into service to provide the things that people need. It’s kind
of like a rogue IT or an outsourced IT, with or without permission.
The unusual realization that I had is that all these random partners we're getting,
have random policies and are storing data. We hear a lot of stuff about the
Internet of Things (IoT), but I don't know any toasters that have my Social Security number. I
know lots of these DocuSign, HelloSign systems that are storing really sensitive documents.
Maybe the solution, if we want people to implement our security technologies, or at least our
security policies, is to pay them. Tell them, "If you actually have attracted our users, follow these
policies, and we'll give you this amount of money per day, per user, automatically through our
authentication layer." It sounds ridiculous, but you have to look at the status quo. The status quo
is on fire, and maybe we can pay people to put out their fires.
Quid pro quo
Gardner: Or perhaps there are other quid pro quos that don't involve money. Chad, you work
at a large hospital organization and you mentioned that you're 100 percent digital. How did you
encourage people with the carrot to adhere to the right policies in a challenging environment like
a hospital?
Wilson: We threw out the carrot-and-stick philosophy and just built a new highway. If you're
driving on a two-lane highway, and it's always congested, and you want somebody to get there
faster, then build a new highway that can handle the capacity and the security. Build the right on-
and off-ramps to it and then cut over.
Kaminsky

4. We've had an electronic medical record (EMR) implementation for a while. We just finished up
rolling out to all of our ambulatory spaces for electronic medical record. It's all delivered through
virtualization on that highway that we built. So, they have access to it wherever they need it.
Gardner: It almost sounds like you're looking at the beginning bowler’s approach, where you
put rails up on the gutter, so you can't go too far afield, whether you wish to or not. Whit Baker,
tell us a little bit about The Watershed and how you view behavior. Is it rails on the gutters,
carrots or sticks, how does it go?
Baker: I would say rails on the gutters for us. We've completely converted everything to a VDI
environment. Whether they're connecting with a laptop, with broadband, or their own home
computer or mobile device, that session is completely bifurcated from their
own operating system.
So, we're not really worried. Your desktop machine can be completely loaded
with malware and whatnot, but when you open that session, you're inside of
our system. That's basically how we handle the security. It almost doesn't
require the users to be conscious of security.
At the same time, we're still afraid of attachments and things like that. So, we
do educational type things. When we see some phishing emails come in, I'll
send out scam alerts and things like that to our employees, and they're starting to become self-
aware. They are starting to ask, "Should I even open this?" -- those sort of things.
So, it's a little bit of containerization, giving them some rails that they can bounce off of, and
education.
Gardner: Stan, thinking about other ways that we can encourage good security posture in the
mobility era, authentication certainly comes to mind, multifactor authentication. How does that
play into this keeping people safe?
Behavior elements
Black: It’s a mix of how we're going to deliver the services, but it's also a mix of the behavior
elements and the fact that now technology has progressed so much that you can provide a user an
entire experience that they actually enjoy. It gives them what they need, inside of a secure
session, inside of a secure socket layer, with the inability to go outside of those bowling lanes, if
they're not authorized to do so.
Additionally, authentication technologies have come a long way, from hard tokens that we used
to wear. I've seen people with four, five, or six of them, all in one necklace. I think I might have
been one of them. Multifactor authentication and the user interface are all pieces of information
that aren't tied to the person's privacy or that individual, like their Social Security Number, but
it’s their user experience enabling them to connect seamlessly. Often, when you have a help-desk
Baker

5. environment, as an example, you put a time-out on their system. They go from one phone call to
another phone call and then they have to log back in.
The interfaces that we have now and the multifactor authentication, the simple authentication,
the simplified side on all of those, enable a person, depending upon what their role is, to connect
into the environment they need to do their job quickly and easily.
Gardner: You mentioned user experience, and maybe that’s the quid pro quo. You get more user
experience benefits if you take more precautions with how you behave using your devices.
Dan, any thoughts on where we go with authentication and being able to say yes and encourage
people to do the right thing?
Learn about the Citrix Security Portfolio
of Workspace-as-a-Service, Application Delivery,
Virtualization, Mobility, Network Delivery,
and File-Sharing Solutions
Kaminsky: I cannot emphasize how important usability is in getting security wins. We've had
some major ones. We moved people from Telnet to SSH. Telnet was unencrypted and was a
disaster. SSH is encrypted. It is actually the thing people use now, because if you jump through a
few hoops, you stopped having to type in a password.
You know what VPNs meant? VPNs meant you didn't have to drive into the office on a Sunday.
You could be at home and fix the problem, and hours became minutes or seconds. Everything
that we do that really works involves making things more useable and enabling people. Security
is giving you permission to do this thing that used to be dangerous.
I actually have a lot of hope in the mobility space, because a lot of these mobile environments
and operating systems are really quite secure. You hand someone an iPad, and in a year, that iPad
is still going to work. There are other systems where you hand someone a device and that device
is not doing so well a year from now.
So there are a lot more controls and stability from some of these mobile things that people
actually like to use more, and they turn out to also be significantly more secure.
Gardner: Craig, as we're also thinking about ways of keeping people on the straight and narrow
path, we're getting more intelligent networks. We're starting to get more data and analytics from
those devices and we're able to see what goes on in that network in high detail. Tell us a little bit
about the ways in which we can segment and then make sort of zones for certain purposes that
may come and go based on policies. Basically, how are intelligent networks helping us provide
that usability and security?

6. Access to data
Patterson: The example that comes to my mind is that in many of the industries, we have
partners who come on site for a short period of time. They need access to data. They might be
doing inspections for us and they'll be going into a private area, but we don't
want them to take certain photos, documents and other information off site
after a period of time.
Containerizing data and having zones allows a person to have access while
they're on premises, within a certain "electronic wire fence," if you will, or
electronic guardrails. Once they go outside of that area, that data is no longer
accessible or they've been logged off the system and they no longer have
access to those documents.
We had kind of an old-fashioned example where people think they are more secure, because they
don't know what they're losing. We had people with file cabinets that were locked and they had
the key around their neck. They said, "Why should we go to an electronic documents system
where I can see when you viewed it, when you downloaded it, where you moved that document
to?" That kind of scared some people.
Then, I walked in with half their file cabinet and I said, "You didn’t even know these were gone,
but you felt secure the whole time. Wouldn’t you rather know that it was gone and have been
able to institute some security protocols behind it?"
A lot of it goes to usability. We want to make things usable and we have to have access to it, but
at the same time, those guardrails include not only where we can access it and at what time, but
for how long and for what purposes.
We have mobile devices for which we need to be able to turn the camera functions off in certain
parts of our facility. For mobile device management, that's helpful. For BYOD, that becomes a
different challenge, and that's when we have to handle giving them a device that we can control,
as opposed to BYOD.
Gardner: Stan, another major trend these days is the borderless enterprise. We have supply
chains, alliances, ecosystems that provide solutions, an API-first mentality, and that requires us to
be able to move outside and allow others to cross over. How does the network-intelligence factor
play into making that possible so that we can say, yes, and get a strong user experience
regardless of which company we're actually dealing with?
Black: I agree with the borderless concept. The interesting part of it, though, is with networks
knowing where they're connecting to physically. The mobile device has over 20 sensors in it.
When you take all of that information and bring it together with whatever APIs are enabled in the
applications, you start to have a very interesting set of capabilities we never had before.
Patterson

7. A simple example is, if you're a database administrator and you're administering something
inside the EU, there are very stringent privacy laws that make it so you're not allowed to do that.
We don’t have to make it that we have to train the person or make it more difficult for them; we
simply disable the capability through geofencing. When one application is talking securely
through a socket, all the way to the back end, from a mobile device, all the way into the data
center, you have pretty darn good control. You can also separate duties; system administration
being one function, whereas database administration is another very different thing. One set
doesn't see the private data; one set has very clear access to it.
Getting visibility
Gardner: Chad, you mentioned how visibility is super important for you and your
organization. Tell me a bit about moving beyond the user implications. What about the
operators? How do you get that visibility and keep it, and how important is that to maintaining
your security posture?
Wilson: If you can't see it, you can’t protect it. No matter how much visibility we get into the
back end, if the end user doesn't adopt the application or the virtualization that we've put in place
or the highway that we've built, then we're not going to see the end-to-end
session. They're going to continue to do workarounds.
So, usability is very important to end-user adoption and adopting the new
technologies and the new platforms. Systems have to be easy for them to access
and to use. From the backend, the visibility piece, we look at adopting
technology strategically to achieve interoperability, not just point products here
and there to bolt them on.
A strategic innovation and a strategic procurement around technology and partnership, like we
have with Citrix, allows us to have a consistent delivery of the application and the end user
experience, no matter what device they go to, and where they access from in the world. On the
back side, that helps us, because we can have that end-to-end visibility of where our data is
heading, the authentication right upfront, as well as all the pieces and parts of the network that go
into play to deliver that experience.
So, instead of thinking about things from a device-to-device-to-device perspective, we're
thinking about one holistic service-delivery platform, and that's the new highway that provides
that visibility.
Gardner: Whit, we've heard a lot about the mentality that you should assume someone is in your
network. Monitoring and response is one way of limiting that. How does your organization
acknowledge that bad things can happen, but that you can limit that, and how important is
monitoring and response for you in reducing damage?
Wilson

8. Baker: In our case, we have several layers of user experience. Through policy, we only allow
certain users to do certain things. We're a healthcare system, but we have various medical
personnel; doctors, nurses and therapists, versus people in our corporate billing area and our call
center. All of those different roles are basically looking only at the data that they need to be
accessing, and through policy, it’s fairly easy to do.
Gardner: Stan, on the same subject, monitoring and response, assuming that people are in, what
is Citrix seeing in the field, and how are you giving that response time as low a latency as
possible?
Standard protocol
Black: The standard incident-response protocol is identify, contain, control, and communicate.
We're able to shrink what we need to identify. We're able to connect from end-to-end, so we're
able to communicate effectively, and we've changed how much data we gather regarding
transmissions and communications.
If you think about it, we've shrunk our tech surface, we've shrunk our vulnerable areas, methods,
or vectors by which people can enter in. At the same time, we've gained incredibly high visibility
and fidelity into what is supposed to be going over a wire or wireless and what is not.
We're now able to shrink the identify, contain, control, and communicate spectrum to a much
shorter area and focus our efforts with really smart threat intelligence and incident response
people versus everyone in the IT organization and everyone in security. Everyone is looking at
the needle in the haystack; now we just have a smaller stack of needles.
Patterson: I had a thought on that, because as we looked at a cloud-first strategy, one of the
issues that we looked at was, "We have a voice-over-IP system in the cloud, we have Azure, we
have Citrix, we have our NetScaler. What about our firewalls now, and how do we actually
monitor intrusion?"
We have file attachments and emails coming through in ways that aren’t on our on-prem firewall
and not with all our malware detection. So, those are questions that I think all of us are trying to
answer, because now we're creating known unknowns and really unknown unknowns. When it
happens, we're going to say, "We didn’t know that that part could happen."
That’s where part of the industry is too. Citrix and Microsoft are helping us with that in our
environments, but those are still open questions for us. We're not entirely satisfied with the
answers yet.
Gardner: Dan, one of the other ways that we want to be able to say yes to our users and increase
their experiences as workers is to recognize the heterogeneity, any cloud, any device, multiple
browser types, multiple device types. How do you see the ability to say yes to vast heterogeneity,

9. perhaps at a scale we've never seen before, but at the same time, preserve that security and keep
those users happy?
Kaminsky: The reason we have different departments and multiple teams is because different
groups have different requirements. They have different needs that are satisfied in ways that we
don't necessarily understand. It’s not the heterogeneity that bothers us; it’s the fact that a lot of
systems have different risks. We can merge the risks, or simultaneously address them with
consistent technologies, like containerization and virtualization, like the sort of centralization
solutions out there.
People are sometimes afraid of putting all their eggs in one basket. I'll take one really well-built
basket over 50,000 totally broken ones. What I see is, create environments in which users can use
whatever makes their job work best, and go ahead and realize that it's not actually the fact that
the risks are that distinct, that they are that unique. The risk patterns of the underlying software
are less diverse than the software itself.
Gardner: Stan, most organizations that we speak to say they have at least six, perhaps more,
clouds. They're using all sorts of new devices. You have just come out yourselves to allow
Raspberry Pi at less than a $100 to be a viable Windows endpoint. How do we move forward and
keep the options open for any cloud and any device?
Multitude of clouds
Black: When you look at the cloud, there is a multitude of public clouds. Many companies
have internal clouds. We've seen all of this hyperconvergence, but what has blurred over time are
the controls between whether it’s a cloud, whether it’s the enterprise, and whether it’s mobile.
Again, some of what you've seen over the past two days has been how certain technologies can
fulfill controls between the enterprise and the cloud, because cloud is nimble, it’s fast, and it's
great.
At the same time, if you don't control it, don’t manage it, or don't know what you have in the
cloud, which many companies struggle with, your risk starts to sprawl and you don't even know
it's happened.
So it's not adding difficult controls, what I would call classic gates, but transparency, visibility,
and thresholds. You're allowed to do this between here and here. An end user doesn't know those
things are happening.
Also, weaving analytics into every connection, knowing what that wire is supposed to look like,
what that packet is supposed to look like gives you a heck of a lot more control than we've had
for decades.

10. Gardner: Let’s go down for our last topic, the notion of better analytics coming off of our
systems. Chad, for you and your organization, how would you like to get that visibility in terms
of an analytic dashboard, visualization, and alerts? What would you like to see happen in terms
of that analytics benefit in that network coming to your aid?
Wilson: It starts with population health and the concept behind it. Population health takes in all
the healthcare data, puts it into a data warehouse, and leverages analytics to be able to show
trends with, say, kids presenting with asthma or patients presenting with asthma across their
lifespan and other triggers. That goes to quality of care.
The same concept should be applied to security. When we bring that data together, all the various
logs, all of the various threat vectors and what we are seeing, not just signatures, but we're able
to identify trends, and how folks are doing it, how the bad guys are doing it. Are the bad guys
single-vectored or have they learned the concept of combined arms, like our militaries have? Are
they able to put things together to have better impact? And where do we need to put things
together to have better protection?
We need to change the paradigm, so when they show their hand once, it doesn't work anymore.
The only way that we can do that is by being able to detect that one time when they show their
hand. It's getting them to do one thing to show how they are going to attack us. To do that, we
have to pull together all the logs, all of the data, and provide analytics and get down to behavior;
what is good behavior, what is bad behavior.
That's not a signature that you're detecting for malware; that is a behavior pattern. Today I can do
one thing, and tomorrow I can do it differently. That's what we need to be able to get to.
Getting information
Gardner: Last word, anyone on these analytics and the ability to get information from the
intelligence on the network?
Patterson: I like the illustration that was just used. What we're hoping for with the cloud
strategy is that, when there's an attack on one part of the cloud, even if it's someone else that’s in
Citrix or another cloud provider, then that is shared, whereas before we have had all these silos
that need to be independently secured.
Now, the windows that are open in these clouds that we're sharing are going to be ways that we
can protect each one from the other. So, when one person attacks Citrix a certain way, Azure a
certain way, or AWS a certain way, we can collectively close those windows.
What I like to see in terms of analytics is, and I'll use kind of a mechanical engineering approach,
I want to know where the windows are open and where the heat loss went or where there was air
intrusion. I would like to see, whether it went to an endpoint that wasn't secured or that I didn't
know about. I'd like to know more about what I don't know in my analytics. That’s really what I

11. want analytics for, because the things that I know I know well, but I want my analytics to tell me
what I don't know yet.
Gardner: I'm afraid we will have to leave it there. You've been listening to a BriefingsDirect
discussion focused on the heightened role of security in the age of global cloud and mobile
delivery of apps and data.
We've heard how security concerns increasingly dwarf other architecture considerations,
particularly when we take into consideration behavior and the ability to provide a strong and
beneficial user experience.
We've learned how the advances in thin clients, desktop virtualization, cloud management
services, and mobile-delivery networks are allowing for both increased security and edge apps
performance gains.
Learn about the Citrix Security Portfolio
of Workspace-as-a-Service, Application Delivery,
Virtualization, Mobility, Network Delivery,
and File-Sharing Solutions
So, please join me now in thanking our guests, Stan Black, Chief Security Officer at Citrix; Chad
Wilson, Director of Information Security at the Children's National Health System in
Washington, D.C.; Whit Baker, IT Director at The Watershed in Delray Beach, Florida; Craig
Patterson; CEO of Patterson & Associates in San Antonio, Texas, and Dan Kaminsky, Chief
Scientist at White Ops in San Francisco. Thanks to you all.
And a big thank you too to our audience for joining the Citrix-sponsored business innovation
thought leadership discussion.
I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator. Thanks
again for listening, and do come back next time.
Listen to the podcast. Find it on iTunes. Get the mobile app. Sponsor: Citrix.
Transcript of a sponsored discussion on the heightened role of security in the age of global cloud
and mobile delivery of apps and data. Copyright Interarbor Solutions, LLC, 2005-2016. All
rights reserved.
You may also be interested in:
• DevOps and Security, a match made in heaven
Catbird CTO on Why New Security Models are Essential for Highly Virtualized Data
Centers
• Capgemini and HPE Team Up to Foster Behavioral Change That Brings Better Cyber
Security Across Application Lifecycles

12. • Standards and APIs: How to Build Platforms and Tools to Best Manage Identity and
Security
• Cybersecurity is a Necessity, Not an Option, in the Face of Global Security Threats, Says
CSC
• Expert Panel: As Cyber Security Risks Grow, Architected Protection and Best Practices
Must keep Pace