Protecting Mobile Apps with Citrix Xenmobile and MDX


White Paper, citrix.com

Mobility is a top priority for organizations as more employees demand access to the apps and data that will make them productive. Employees want access from any mobile device, including their own personal devices. In addition, the apps that people need to get their jobs done have expanded beyond mobile email to include Windows, web and native mobile apps, both in the cloud and in the datacenter. Often, these apps are broadly distributed across different locations. However, allowing users to access all of their apps and data from untrusted devices raises significant security and network scalability concerns.

Depending upon their level of mobile adoption, enterprises have traditionally turned to mobile device management (MDM) solutions to manage the devices. However, with the adoption of BYOD, most companies now require mobile application management (MAM) to protect application data. Enterprise mobility management (EMM) is the combination of MDM and MAM. While there are many EMM providers that offer MAM capabilities, vendors take different approaches to protecting application data. Some require device enrolment. This approach, particularly for BYO users, is very intrusive, as it requires the use of a device passcode.

Citrix's EMM solution, XenMobile, offers comprehensive MAM capabilities that no other EMM vendor can match in terms of features and scalability. As an example, some vendors offer only a subset of XenMobile's MAM policies, or require such extensive rewriting of an application that their solutions become difficult to implement and maintain. In addition, unlike many EMM vendors, XenMobile does not require the device to be under management in order to protect application data. Citrix's MDX technology powers XenMobile's MAM.
This paper provides more detail on Citrix XenMobile and MDX.

XenMobile and Multilayered Protection

In order to deliver secure, optimized, high-performance apps to any user at any location, EMM solutions also require the right network infrastructure. EMM solutions must take data protection into account at every layer: data at rest on the device, data in transit over public networks, and data residing on servers behind the firewall. Only Citrix XenMobile combined with NetScaler, the world's leading application delivery solution, provides a comprehensive, multi-layered mobile security solution that allows IT to deliver apps and data to any device with a secure and high-performance user experience.

XenMobile includes and tightly integrates with many industry-leading technologies, such as ShareFile for enterprise file share and sync and NetScaler for connectivity. XenMobile leverages NetScaler not only to connect securely to resources behind the firewall but also to provide enterprise-ready features such as GSLB and SSL offloading. These free up resources on the XenMobile server, which translates directly into higher scalability and allows for easy intra-site HA and multi-site DR. Finally, XenMobile is controlled entirely from a single console, giving easy access to MDM and MAM policies, apps and reporting.

Figure 1: Multiple Layers of Protection

Figure 2: End-to-End Data Protection

How XenMobile protects data at rest

The mobile application management (MAM) capabilities in Citrix XenMobile enable complete management, security and control over native mobile apps and their associated data. The Worx App SDK, a simple and powerful SDK that "Worx-enables" any mobile app, leverages Citrix MDX app container technology to separate corporate apps and data from personal apps and data on the user's mobile device.
This allows IT to secure any custom-developed, third-party or BYO mobile app with comprehensive policy-based controls, including mobile DLP and the ability to remotely lock, wipe and encrypt apps and data. Unlike many of the competitors in this space, XenMobile not only includes an extensive policy library (over 60 policies; see Appendix) but also includes app-level encryption. Other vendors force the use of device-level encryption to protect data at rest, which requires the device PIN code to be set. XenMobile can separately encrypt data stored within any MDX-enabled app without requiring a device PIN code or the device being under management to enforce the policy.

Using the Worx App SDK, IT can:

• Separate business and personal apps and data in a secure mobile container, where they can be secured with encryption and other mobile DLP technologies and can be remotely locked and wiped by IT
• Enable seamless integration between "Worx-enabled" apps while also controlling all communication, so IT can enforce policies such as ensuring that data is accessible only by Worx-enabled apps
• Provide granular, policy-based controls and management over all HTML5 and native mobile apps, including an application-specific micro VPN for accessing an organization's internal network, removing the need for a device-wide VPN that can compromise security

Figure 3: Example MDX App Restriction Policies

Beyond device and application policy control, the best way to safeguard data at rest is encryption. While most EMM vendors choose to simply enable the device's default encryption mechanism, Citrix has taken an extra step and added an additional layer of encryption to any data stored in a "Worx-enabled" app. The MDX App SDK utilizes FIPS 140-2 compliant AES 256-bit encryption, with keys stored in a protected Citrix Secret Vault.
MDX enables IT to require strong authentication and endpoint analysis before even permitting users to download and install applications on their devices. Once these apps are installed, Worx Home, a mobile app that provides access to desktops, apps and data, ensures that the desired policies are continuously enforced, always keeping IT in control of the enterprise content on users' devices.

How XenMobile protects data in transit

MDX provides application-specific VPN access to a company's internal network via the Citrix NetScaler Gateway feature. When a user tries to access a company's internal network remotely, an app-specific VPN tunnel is created for each of the enterprise mobile apps in use. Consider the situation where an employee wants to access the following resources within the secure enterprise network from a mobile device: the corporate email server, an SSL-enabled web application hosted on the corporate intranet, and documents stored on a file server or Microsoft® SharePoint®. MDX enables access to all of these enterprise resources from any device through an application-specific MicroVPN. Each app has its own dedicated MicroVPN tunnel.

MicroVPN functionality does not require a device-wide VPN that can compromise security on untrusted mobile devices. As a result, the internal network is not exposed to malware or attacks that could infect the entire corporate system, and corporate mobile apps and personal mobile apps are able to co-exist on one device. MDX with MicroVPN technology fills a significant gap left by traditional secure remote access technologies.

In-transit encryption methods and capabilities are defined on NetScaler and are typically configured as SSL 3 or TLS connections utilizing FIPS 140-2 compliant AES 256-bit encryption. NetScaler can also be configured to provide SSL off-loading on behalf of the destination server for greater scalability.
While all EMM vendors offer some capability for moving packets to and from behind the firewall, none can compete with XenMobile and NetScaler in terms of speed, scalability and enterprise readiness. Other EMM vendors utilize simple, non-scalable Windows- or Linux-based applications to route mobile packets and to terminate "per-app VPN" connections. NetScaler is the most scalable, offering hundreds of thousands of simultaneous FIPS 140 encrypted sessions, and can easily scale further by simply adding appliances. None of the other EMM vendors offer enterprise-level features such as load balancing or SSL off-loading, so additional appliances must be purchased for these capabilities.

To offer even stronger levels of security, IT can configure MDX-enabled apps with an "Alternate NetScaler Gateway." This alternate gateway may require different levels of authentication depending on where the user and app are connecting from. For example, if the user is running the app from a non-corporate WiFi connection, the app can be configured to utilize this alternate gateway. The gateway can be configured to require the user to present a two-factor token in addition to their normal AD username and password. This flexibility allows IT to configure apps to require stronger authentication mechanisms when connecting from non-corporate networks.

In addition to security features, the MicroVPN also offers data optimization techniques, including compression algorithms, to ensure that (a) only minimal data is transferred and (b) the transfer completes as quickly as possible, improving user experience, a key factor in mobile project success.

Figure 4: Example MDX Policies for Authentication and Access

How XenMobile protects the infrastructure behind the firewall

Security inside the company network is just as critical as security on the mobile device, if not more so.
Citrix takes a number of measures to protect the mobile management infrastructure. The primary components of a XenMobile solution include NetScaler and the XenMobile Server (XMS). Citrix has an independent security team that is not part of the XenMobile product group. This group continually performs penetration tests, evaluates the product source code (much like an external entity would) and flags security concerns. Concerns are prioritized with various severity levels of critical, high, medium and low.
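The data-at-rest and data-in-transit sections above describe three controls in prose: container encryption that does not depend on a device passcode, document exchange restricted to managed apps, and an alternate gateway that demands a second factor when the app connects from a non-corporate network. The following Python is an added illustration written for this page; it is not Citrix code, not the Worx App SDK or MDX API, and the policy field names, app identifiers, SSIDs and gateway hostnames are all constructed assumptions. It models the decisions an app-level policy engine has to make and shows why they differ from device-level controls.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Optional, Tuple


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    STEP_UP = "step_up_auth"  # proceed only after a second factor is presented


@dataclass(frozen=True)
class AppPolicy:
    """Constructed per-app policy, loosely modelled on the kinds of MDX policies the paper lists."""
    app_id: str
    managed: bool                           # wrapped with the app SDK ("Worx-enabled")
    encrypt_data_at_rest: bool = True       # container encryption, independent of device encryption
    allow_open_in_unmanaged: bool = False   # mobile DLP: document exchange restriction
    corporate_gateway: str = "gw-primary.example.invalid"     # assumed hostnames
    alternate_gateway: str = "gw-alternate.example.invalid"
    corporate_ssids: FrozenSet[str] = frozenset({"CorpNet"})  # assumed corporate WiFi


@dataclass(frozen=True)
class DeviceContext:
    """What the app can observe about the device at the moment of the request."""
    passcode_set: bool
    jailbroken: bool
    ssid: Optional[str]               # None means cellular or unknown network
    second_factor_verified: bool = False


def data_at_rest_protected(policy: AppPolicy, device: DeviceContext) -> bool:
    """App-level encryption is a property of the container, so the result does not
    depend on device.passcode_set, the precondition device-level encryption needs."""
    return policy.managed and policy.encrypt_data_at_rest


def open_in_decision(source: AppPolicy, target: AppPolicy) -> Decision:
    """Data leaving a managed app may only flow into another managed app unless
    the source app's policy explicitly allows unmanaged targets."""
    if not source.managed:
        return Decision.ALLOW          # personal app data is outside the container
    if target.managed or source.allow_open_in_unmanaged:
        return Decision.ALLOW
    return Decision.DENY


def gateway_decision(policy: AppPolicy, device: DeviceContext) -> Tuple[Decision, Optional[str]]:
    """Pick the gateway for this app's tunnel and decide whether stronger
    authentication is required before the tunnel is established."""
    if device.jailbroken:                              # endpoint analysis fails outright
        return Decision.DENY, None
    if device.ssid in policy.corporate_ssids:
        return Decision.ALLOW, policy.corporate_gateway
    if device.second_factor_verified:                  # off-network, token already verified
        return Decision.ALLOW, policy.alternate_gateway
    return Decision.STEP_UP, policy.alternate_gateway  # off-network: demand the token first


class AppContainer:
    """Minimal model of a per-app container: IT can lock or wipe it without
    touching personal data elsewhere on the device."""

    def __init__(self, policy: AppPolicy) -> None:
        self.policy = policy
        self.locked = False
        self._data: Dict[str, bytes] = {}

    def store(self, name: str, content: bytes) -> None:
        if self.locked:
            raise PermissionError("container is locked by IT")
        self._data[name] = content

    def lock(self) -> None:
        self.locked = True

    def wipe(self) -> int:
        """Selective wipe: returns how many items were removed from this app only."""
        removed = len(self._data)
        self._data.clear()
        return removed


# Constructed sample apps and device states (identifiers are made up for the example).
MAIL = AppPolicy("com.example.managedmail", managed=True)
WEB = AppPolicy("com.example.managedweb", managed=True)
NOTES = AppPolicy("com.example.personalnotes", managed=False, encrypt_data_at_rest=False)

BYOD_NO_PIN = DeviceContext(passcode_set=False, jailbroken=False, ssid="HomeWiFi")
CORP_DEVICE = DeviceContext(passcode_set=True, jailbroken=False, ssid="CorpNet")
ROOTED = DeviceContext(passcode_set=True, jailbroken=True, ssid="CorpNet")

if __name__ == "__main__":
    print("mail -> web:", open_in_decision(MAIL, WEB).value)
    print("mail -> notes:", open_in_decision(MAIL, NOTES).value)
    print("BYOD without PIN, data at rest protected:", data_at_rest_protected(MAIL, BYOD_NO_PIN))
    print("BYOD off-network gateway:", gateway_decision(MAIL, BYOD_NO_PIN))
    container = AppContainer(MAIL)
    container.store("inbox.db", b"constructed sample bytes")
    print("items wiped from the mail container only:", container.wipe())
```

The two points worth noticing are that `data_at_rest_protected` ignores `passcode_set` entirely, which is the property the paper attributes to app-level encryption, and that `gateway_decision` returns `STEP_UP` rather than `DENY` off the corporate network: the alternate gateway is reachable, but only once the second factor has been verified. A real deployment would of course source the network and jailbreak signals from the platform and the policy from the management server rather than from constants.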