In a world of increasing security threats, IBM Cloud offers a variety of solutions to assist you with security and compliance. We have incorporated several IBM Cloud services into our Citrix-DaaS solution, enabling you to easily stand up a secure deployment out of the box. In managing your threat vectors, it is a good idea to have a single point of entry into your VPC. Additionally, giving your deployment no direct exposure to the internet, and encrypting data at rest and in transit, helps prevent attackers from compromising it. Centralized logging helps you track down issues in your environment quickly and effectively.

If you require stricter security and compliance standards within your Citrix DaaS deployment on IBM Cloud, you can use these IBM Cloud resources and features to customize your workload security:

  • Bastion host: Provides a secure way to access remote instances within a Virtual Private Cloud (VPC).
  • Client-to-site VPN: Provides client-to-site connectivity, which allows remote devices to securely connect to the VPC network by using an OpenVPN software client.
  • Customer-managed encryption: Protects data while in transit from block storage to the host/hypervisor and while at rest in volumes.
  • Access control lists (ACLs): Used with security groups to restrict access to NIC port ranges.
  • Log analysis: Uses IBM Log Analysis to provide logs all in one place.

Provision a bastion host

A bastion host is an instance that is provisioned with a public IP address and can be accessed via SSH. After setup, the bastion host acts as a jump server, allowing secure connection to instances provisioned without a public IP address.

Before you begin, you need to create or configure these resources in your IBM Cloud account:

  • IAM permissions
  • VPC
  • VPC subnet
  • SSH key

To reduce the exposure of servers within the VPC, create and use a bastion host. Administrative tasks on the individual servers are performed by using SSH, proxied through the bastion. Access to the servers and regular internet access from the servers (e.g., software installation) are allowed only with a special maintenance security group that is attached to those servers.
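As an added illustration (not the DaaS deployment's own Terraform), the bastion and maintenance security groups described above expressed with the IBM Cloud Terraform provider; ibm_is_vpc.daas, var.admin_cidr and the resource names are assumptions. The point to notice is that the maintenance group's inbound rule names the bastion security group as its remote, so a server accepts SSH only from the bastion and never needs a public IP.

```hcl
# Added example (not the deployment's own Terraform); ibm_is_vpc.daas, var.admin_cidr and the names are assumed.
# Bastion: SSH in only from the admin network, SSH out only to the maintenance group; SGs are stateful (no reply rules).
resource "ibm_is_security_group" "bastion" {
  name = "daas-bastion-sg"
  vpc  = ibm_is_vpc.daas.id
}
resource "ibm_is_security_group_rule" "bastion_ssh_in" {
  group     = ibm_is_security_group.bastion.id
  direction = "inbound"
  remote    = var.admin_cidr # your admin egress range, never 0.0.0.0/0
  tcp {
    port_min = 22
    port_max = 22
  }
}
resource "ibm_is_security_group_rule" "bastion_ssh_out" {
  group     = ibm_is_security_group.bastion.id
  direction = "outbound"
  remote    = ibm_is_security_group.maintenance.id
  tcp {
    port_min = 22
    port_max = 22
  }
}
# Maintenance group: attach to a DaaS server only while admin work is in progress.
# remote is a security group id, so SSH comes solely from the bastion; no public IP needed.
resource "ibm_is_security_group" "maintenance" {
  name = "daas-maintenance-sg"
  vpc  = ibm_is_vpc.daas.id
}
resource "ibm_is_security_group_rule" "maintenance_ssh_in" {
  group     = ibm_is_security_group.maintenance.id
  direction = "inbound"
  remote    = ibm_is_security_group.bastion.id
  tcp {
    port_min = 22
    port_max = 22
  }
}
# HTTPS egress for package installation; detach the group when finished.
resource "ibm_is_security_group_rule" "maintenance_https_out" {
  group     = ibm_is_security_group.maintenance.id
  direction = "outbound"
  remote    = "0.0.0.0/0"
  tcp {
    port_min = 443
    port_max = 443
  }
}
```

Attach the maintenance group to a server's NIC only for the duration of the work and remove it afterwards, so that internet egress is not left enabled on idle servers.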

For more information, see Securely access remote instances with a bastion host.

If you want to set up a bastion host that uses teleport, see Setting up a bastion host that uses teleport.

Create a client-to-site VPN for security

The VPN server is deployed in a selected multi-zone region (MZR) and VPC. All virtual server instances in that VPC are accessible from the VPN client.

You can create your VPN server in the same region and VPC where your DaaS deployment resides.

Depending on the client authentication you selected during VPN server provisioning, users can connect to the VPN server by using a client certificate, a user ID with passcode, or both.

Now you can connect to your DaaS VSIs from your local machines over the VPN by using private IP addresses only.

Use customer-managed encryption to encrypt your data end-to-end

By default, VPC volumes are encrypted at rest with IBM provider-managed encryption. There is no additional cost for this service. For end-to-end encryption in IBM Cloud, you can also use customer-managed encryption, where you manage your own encryption keys. Your data is protected while in transit from block storage to the host/hypervisor and while at rest in volumes.

Customer-managed encryption is provided in VPC by using IBM Key Protect for IBM Cloud or IBM Hyper Protect Crypto Services (HPCS). The Key Protect or HPCS instance must be created and configured before the order flow within Citrix-DaaS. The Identity volume encryption selection on the Citrix-DaaS order UI is then used to encrypt each identity disk associated with your machine catalog inside Citrix Machine Creation Services (MCS).

Use access control lists to restrict port ranges

By default, Citrix-DaaS deployments create several security groups (SGs) designed to isolate access between NICs. For more information on SGs, see About security groups. There is no inbound access from the internet by default unless you choose to assign floating IPs (FIPs). We recommend setting up a VPN as described in this article rather than using FIPs. Security groups are limited to 5 SGs per network interface card (NIC); within that limit, the default groups leave some unnecessary port ranges open, and these can be further restricted at the subnet level by using access control lists (ACLs).

For more information about using ACLs, see About network ACLs. For information about Citrix-DaaS port ranges, see Technical Paper: Citrix Cloud Communication.
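As an added illustration (not the DaaS deployment's own Terraform), an IBM VPC network ACL that closes the inbound ranges the security-group limit leaves open on a worker subnet; ibm_is_vpc.daas, var.zone, the CIDR variables and the names are assumptions. It allows only SSH from the bastion subnet inbound and the matching replies outbound; any further sources (such as the VPN client pool) and the outbound rules the Citrix components need from the port list referenced above are added the same way, ahead of the deny rule.

```hcl
# Added example (not the deployment's own Terraform); ibm_is_vpc.daas, the CIDR
# variables and the names are assumptions. ACL rules are evaluated in the order
# listed, and ACLs are stateless: reply traffic must be allowed explicitly.
resource "ibm_is_network_acl" "daas_workers" {
  name = "daas-workers-acl"
  vpc  = ibm_is_vpc.daas.id

  # Inbound: only SSH from the bastion subnet may reach the worker subnet.
  rules {
    name        = "allow-ssh-from-bastion"
    action      = "allow"
    direction   = "inbound"
    source      = var.bastion_subnet_cidr
    destination = var.worker_subnet_cidr
    tcp {
      port_min = 22
      port_max = 22
    }
  }
  # Inbound: drop everything else, including ranges the 5-SG-per-NIC limit left open.
  rules {
    name        = "deny-all-inbound"
    action      = "deny"
    direction   = "inbound"
    source      = "0.0.0.0/0"
    destination = "0.0.0.0/0"
  }
  # Outbound: SSH replies to the bastion subnet (source port 22, any client port).
  rules {
    name        = "allow-ssh-replies-to-bastion"
    action      = "allow"
    direction   = "outbound"
    source      = var.worker_subnet_cidr
    destination = var.bastion_subnet_cidr
    tcp {
      source_port_min = 22
      source_port_max = 22
    }
  }
}

# Attach the ACL to the worker subnet via the network_acl argument of ibm_is_subnet.
resource "ibm_is_subnet" "workers" {
  name            = "daas-workers"
  vpc             = ibm_is_vpc.daas.id
  zone            = var.zone
  ipv4_cidr_block = var.worker_subnet_cidr
  network_acl     = ibm_is_network_acl.daas_workers.id
}
```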

Use IBM Log Analysis to monitor logs for compliance and security

For most Citrix-DaaS deployments, centralized logging is important. Without centralized logging, you are forced to find logs for each individual component across several resources. For example, some logs are on the Cloud Connector VSIs (Connector logs and plug-in logs), and Domain Controller logs are on the Active Directory server. If you are using Volume Worker, logs are split between IBM Cloud Functions and the worker VSIs that complete the jobs. Some of these logs are ephemeral and are not accessible unless they are recorded by centralized logging.

Centralized logging is provided by using an IBM Log Analysis instance and can provide logs all in one place. IBM Log Analysis can either be provisioned with the Citrix-DaaS deployment, or an ingestion key for an existing instance can be provided through a Terraform variable. Because centralized logging is extremely important for this product, it is enabled by default; optionally (with a Terraform variable), it can be disabled.

Conclusion

Several IBM Cloud services are incorporated into the Citrix DaaS solution, so you can easily stand up a secure deployment out of the box. You can configure stricter security within your deployment on IBM Cloud. Based on your business needs, you can customize the security precautions that you require to integrate with your deployment.
