In today’s work scenarios, where users can work from anywhere at any time, a change of mindset about how digital workspaces and applications are accessed is mandatory. For a higher degree of security, the concept of Zero Trust reminds us to „never trust, always verify.“ While every vendor refers to this principle, the question arises: what does „always“ mean?
In the following, you’ll learn what we at deviceTRUST understand by „always“. The focus is on remote scenarios such as Azure Virtual Desktop, Citrix, VMware Horizon, etc.
Conditional Access in different flavors
Vendors like Microsoft, Citrix, and VMware offer native conditional access functionality.
Entra Conditional Access, for example, is „Microsoft’s Zero Trust policy engine taking signals from various sources into account when enforcing policy decisions. Conditional Access policies at their simplest are if-then statements; if a user wants to access a resource, then they must complete an action.“ In our context, it’s relevant to note that Microsoft’s „Conditional Access policies are enforced after first-factor authentication is completed.“ [1]
Citrix’s approach to Conditional Access is similar. With „Device Posture“, Citrix offers a cloud-based service. It „helps admins to enforce specific requirements that the end devices must meet to gain access to Citrix DaaS (virtual apps and desktops) or Citrix Secure Private Access resources (SaaS, Web apps, TCP, and UDP apps). […] Device Posture service enforces zero trust principles in your network by checking the end devices for compliance (managed/BYOD and security posture) before allowing an end user to log in.“ [2]
When you look at VMware Horizon, there isn’t a doorkeeper at all: you need to opt for the more expensive Workspace ONE to get conditional access functionality.
„Always“ isn’t always „always“
As with many things in life, Zero Trust, or rather the „always“ part of it, depends on the definition you use.
In two of its seven tenets of zero trust, the National Institute of Standards and Technology (NIST) [3] defines „always“ like this:
- „Access to individual enterprise resources is granted on a per-session basis.“
- „All resource authentication and authorization are dynamic and strictly enforced before access is allowed.“
Following this guideline, you don’t need any additional functionality to meet your Zero Trust ambitions. On the other hand, if you want to achieve a higher degree of Zero Trust, you might want to take a closer look at what „always“ could mean beyond the typical industry mindset.
Imagine a user starts a remote session, and something changes during the session runtime. What if the firewall on the device is deactivated? What happens if the Wi-Fi changes from a validated network to the hotspot of a mobile device?
With Microsoft Entra ID Conditional Access, you can grant or deny access to AVD when logging on with the RDP client.
This means:
- Conditional Access takes place before applications or desktops are started. Entra ID Conditional Access does not control access when an application or desktop starts, nor afterward.
- The users can work with the virtual desktop or the published application as long as they are logged on. If the device health of the end device changes in the meantime, Microsoft’s native Conditional Access functionality will not notice.
- With Entra ID Conditional Access, it is not possible to control what is available on a desktop that has been started. This means that individual applications cannot be permitted or prohibited.
The same is true for Citrix’s „Device Posture“:
- „Device posture scans are done only during pre-authentication/before logging in“ [4]
To cut a long story short: If the guest has dressed correctly and has been granted access, there’s no way of saying goodbye if he/she doesn’t behave correctly in the club.
ALWAYS deviceTRUST – continuous validation and remediation
If you look up the word „always“ in a dictionary, you’ll find synonyms like „constantly“, „continuously“, or „at all times“. It is precisely in this sense that we understand the word „always“.
This means our „Contextual Security“ collects the contextual properties in real time, AND the associated actions based on them also take place in real time.
Referring to the above examples, you could achieve the following with deviceTRUST:
- If the firewall on the device gets deactivated, we can instantly block the entire session.
- If the Wi-Fi changes (maybe the user is leaving his validated home office), we can directly remove a (business-critical) application.
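To make the difference between the two readings of „always“ tangible, here is a small added example in Python. It is not deviceTRUST product code and not code from any of the vendors mentioned; it models the two evaluation styles discussed above against the same constructed sequence of device context snapshots (firewall state and Wi-Fi network). The trusted network name „HomeOffice-5G“, the hotspot name „AndroidAP“ and the application name „finance-app“ are assumptions made up for the example. `preauth_gate` behaves like logon-time conditional access: it decides once on the first snapshot and never looks again. `continuous_validation` re-evaluates every snapshot, removes the application when the Wi-Fi becomes untrusted, restores it when the context is compliant again, and blocks the session the moment the firewall is switched off.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Optional, Tuple

# Constructed sample values (assumptions for this example, not from the original post):
# an assumed trusted network name and an assumed business-critical published application.
TRUSTED_SSIDS = {"HomeOffice-5G"}
CRITICAL_APP = "finance-app"


class Action(Enum):
    BLOCK_SESSION = "block_session"   # end the whole remote session
    REMOVE_APP = "remove_app"         # withdraw one published application
    RESTORE_APP = "restore_app"       # give it back once the context is compliant again


@dataclass(frozen=True)
class Context:
    """One snapshot of device context, as a session-side agent would collect it."""
    t: int                  # time step of the snapshot
    firewall_enabled: bool
    ssid: str


@dataclass(frozen=True)
class Rule:
    name: str
    violated: Callable[[Context], bool]   # True when the context breaks the rule
    action: Action
    target: Optional[str] = None          # application name for app-level actions


RULES = [
    Rule("firewall must be enabled", lambda c: not c.firewall_enabled, Action.BLOCK_SESSION),
    Rule("only trusted Wi-Fi", lambda c: c.ssid not in TRUSTED_SSIDS, Action.REMOVE_APP, CRITICAL_APP),
]

# Constructed timeline: compliant at logon, hotspot at t=1, back on the trusted
# network at t=2, firewall switched off at t=3, firewall back on at t=4.
SAMPLE_SNAPSHOTS = [
    Context(0, True, "HomeOffice-5G"),
    Context(1, True, "AndroidAP"),
    Context(2, True, "HomeOffice-5G"),
    Context(3, False, "HomeOffice-5G"),
    Context(4, True, "HomeOffice-5G"),
]


def preauth_gate(snapshots, rules=RULES) -> Tuple[str, List[str]]:
    """Logon-time conditional access: the first snapshot decides; later ones are never evaluated."""
    first = snapshots[0]
    violations = [r.name for r in rules if r.violated(first)]
    return ("deny" if violations else "allow"), violations


def continuous_validation(snapshots, rules=RULES) -> List[Tuple[int, Action, Optional[str]]]:
    """Re-evaluate every snapshot and act on changes; returns the (t, action, target) timeline."""
    timeline = []
    applied = set()  # names of rules whose action is currently in effect
    for ctx in snapshots:
        for rule in rules:
            if rule.violated(ctx) and rule.name not in applied:
                applied.add(rule.name)
                timeline.append((ctx.t, rule.action, rule.target))
                if rule.action is Action.BLOCK_SESSION:
                    return timeline  # the session is gone; nothing is left to evaluate
            elif not rule.violated(ctx) and rule.name in applied and rule.action is Action.REMOVE_APP:
                applied.discard(rule.name)
                timeline.append((ctx.t, Action.RESTORE_APP, rule.target))  # remediation
    return timeline


if __name__ == "__main__":
    print("pre-auth gate:", preauth_gate(SAMPLE_SNAPSHOTS))
    for t, action, target in continuous_validation(SAMPLE_SNAPSHOTS):
        print(f"t={t}: {action.value}" + (f" {target}" if target else ""))
```

Run as a script, the pre-auth gate reports „allow“ for the logon snapshot and nothing else, even though the firewall is off at t=3; the continuous evaluator yields the application removal at t=1, its restoration at t=2 and the session block at t=3. The `applied` set is what keeps a continuous evaluator from repeating the same action on every poll, and the early return on `BLOCK_SESSION` reflects that there is no session left to remediate once it has been ended.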
The following short videos give you a first impression of what deviceTRUST looks like (based on an AVD session – the same is true for Citrix, VMware Horizon, and co):
Sources:
- [1] What is Conditional Access in Microsoft Entra ID? – Microsoft Entra ID | Microsoft Learn
- [2] Device Posture (citrix.com)
- [3] NIST SP 800-207, Zero Trust Architecture: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf
- [4] Device Posture (citrix.com)