Solution Category: Cloud Governance
Deployment Model: SaaS outside AWS
Go Live Production Date: May, 2018
Available On Marketplace: No
Citrix (NASDAQ:CTXS) aims to power a world where people, organizations and things are securely connected and accessible to make the extraordinary possible. We help customers reimagine the future of work by providing the most comprehensive secure digital workspace that unifies the apps, data and services people need to be productive, and simplifies IT’s ability to adopt and manage complex cloud environments. With 2017 annual revenue of $2.82 billion, Citrix solutions are in use by more than 400,000 organizations including 99 percent of the Fortune 100 and 98 percent of the Fortune 500.
Citrix operates large scale AWS deployment with over 100 AWS accounts and organizations. These accounts and subscriptions contain more than 1,000,000 configurable assets.
Citrix Cloud Security team relied on several open source frameworks to perform AWS compliance verification. Namely Cloud Custodian and Scout2. For AWS Compliance, Citrix created their in-house tool. As the cloud compliance program was maturing, certain challenges began to emerge.
- Each product division wanted to customize policies slightly to fit their risk profile
- Lack of exception handling process
- Some tools caused API throttling issues for production application during scanning
- Many compliance policies between AWS and other cloud providers were duplicate especially those that related to tagging policy.
Cloudaware Modules Deployed
- Cloudaware CMDB
- Cloudaware Compliance Engine
- Cloudaware Incident Management
Cloudaware is a modular, SaaS based cloud management platform. Our CMDB uses collectors which in turn leverage AWS Config, AWS CloudTrail and service specific API calls to build complete inventory of all customer AWS infrastructure. Citrix used automatically generated CloudFormation StackSets and AWS Organizations where possible to create cross-account IAM role which allowed Cloudaware CMDB collectors to start harvesting information about current state of Citrix AWS infrastructure and populate CMDB.
In addition to supporting AWS, Cloudaware CMDB also supports other cloud providers and provides integrations for on premises infrastructure. This allowed Citrix to create a single pane of glass for all of their infrastructure regardless of where it was hosted.
Particular area importance for Citrix was enforcing consistent tagging standards across their infrastructure. Using our Tag Analyzer which is part of the CMDB, Citrix was able to better understand and correct deviations in their tagging coverage.
Cloudaware Compliance engine is a collection of over 300 cloud configuration policies and is a superset of policies available from frameworks such as Scout2, CloudCustodian, CloudConformity and other commercial products.
Cloudaware Compliance Engine has several key differentiators from other similar solution available on the market.
- Extremely rich library of policies
- Multi-cloud policies
- Ability to author new and clone existing policies using Java programming language
- Customize policies for specific accounts, VPCs, etc.
- Ability to create policies that evaluate non-AWS attributes available in CMDB
- Reduce number of API calls made to AWS by collecting once and running evaluations against CMDB, not against AWS inventory.
- Integrate with 3rd party ticketing systems such as JIRA, ServiceNow, ServiceCloud, etc.
- Automate exception handling processes
Sample policy interface:
Cloudaware Incident Management allows customers to route policy violations to the appropriate teams.
This feature proved critical to Citrix because it has so many different engineering teams who use different ticketing systems. Cloudaware was able to route policy violations to the appropriate team and create tickets in in different JIRA instances, ServiceNow implementations, etc.
Incident Management module also provides sophisticated stateful integration with third party ticketing systems such as JIRA, ServiceNow, etc. and can not only open tickets but also close them and update them depending on the lifecycle of the violation. Citrix integrated Cloudaware Incident Management with its own in-house ticketing system using our outbound incident API. This allowed all the compliance engine policy violations to flow into Citrix’s systems of action.
- Cloudaware now automatically validates against over 300 compliance policies derived from AWS, industry and internal best practices.
- Each product division maintains shares base set compliance and governance policies while having the option of creating their own department specific policies.
- Each product division can have custom exception handling and routing logic.
- Reduced administrative overhead by allowing users consistent and low friction process to request exemptions e.g. some S3 buckets are meant to be public after all.
- Eliminated issues with AWS API throttling during compliance checks because checks are ran against CMDB that in turn leverages CloudTrail and AWS Config to minimize “Describe*” API calls.
- One policy can now be applied to resources both in AWS and other cloud providers
- Removed the need to maintain in-house AWS compliance tool.