Citrix Secure Email Deployment Guide White Paper

Facilitating email collaboration

citrix.com

Introduction

Intelligent mobile devices are a growing component of daily business activity. In fact, more tablets and smartphones are sold each month than PCs and laptops. The average business information worker uses three devices every day, one of which they typically own. The BYOD trend will certainly continue; by 2015 it is estimated [1] that the number of portable devices in the enterprise will be three times that of laptops and desktops. Their cost, portability and exclusive WiFi connectivity, however, leave them particularly vulnerable to theft, data leakage, and WiFi snooping.

Apps are a particular point of concern. In a survey by Nielsen [2], smartphone users were found to have installed an average of more than 40 applications. Most apps have permission to send data to the Internet.

Yet smartphones and tablets have an undeniable business value. That value, however, needs to be balanced against the risks associated with their use. Uncontrolled use of mobile apps, including the built-in iOS and Android mail clients, allows local storage of emails and associated attachments, which could result in loss or exposure of confidential information. A device without password protection, or a well-timed theft, would allow a thief to impersonate the owner. For these reasons, many companies place restrictions on the use of mobile devices and apps, and the most paranoid companies even forbid their use.

Several alternatives, each with some level of security and convenience, are available to IT departments to secure access to email and associated information. This guide discusses several typical deployments that use Citrix products, with their tradeoffs. The most secure of them, which uses the Citrix WorxMail client and Citrix NetScaler Gateway, is discussed in some detail.

This guide is intended for use by IT architects and network engineers, but others will benefit from an understanding of the Citrix solutions. WorxMail easily integrates with existing Microsoft® Exchange® 2007 and 2010 infrastructures. No expansion of Exchange servers is required, and only small configuration changes are needed.

[1] Business Insider, “The Future of Mobile”, 2012.
[2] http://blog.nielsen.com/nielsenwire/?p=31891

Email access alternatives

Basic email access

The most straightforward approach to email access is shown in Figure 1. The Microsoft Exchange environment is protected by basic mechanisms, such as those provided by Microsoft’s Forefront Threat Management Gateway or Citrix NetScaler Gateway. These gateways provide basic security services, such as firewall, anti-malware, and denial of service protection. The pros and cons of this type of email access are shown in Table 1.

[Figure 1: Basic email access. Components shown: Native Email Client; 3G/4G/Wi-Fi; Microsoft TMG; Citrix NetScaler Gateway; Microsoft Exchange (Datacenter)]

Table 1: Basic email access—pros and cons

Pros
• No client configuration—native email clients are used
• Exchange server is protected against Internet attacks
• Minimal datacenter configuration

Cons
• ActiveSync traffic is not encrypted—may be intercepted
• No protection for client’s downloaded data
• No control over which clients can connect to Exchange
• No control over client’s applications—apps may be used to forward confidential information

Controlling client devices

Additional control can be obtained through the use of Citrix XenMobile MDM Edition, as shown in Figure 2. Mobile device management is supported by the XenMobile Network Controller (XNC) component, which is installed on the security platform: Microsoft TMG or Citrix NetScaler Gateway in this example.

XenMobile MDM provides role-based management, configuration, and security for both corporate and employee-owned devices. Upon user device enrollment, IT can provision policies and applications to devices automatically, blacklist or whitelist client apps, detect and protect against jailbroken devices, and selectively wipe a device that is lost, stolen or out of compliance. Users can use any device they choose, while IT can ensure compliance of corporate assets and secure corporate content on the device. This effectively limits and secures the client devices. The pros and cons of this solution are shown in Table 2.

[Figure 2: Controlling client devices. Components shown: Native Email Client; 3G/4G/Wi-Fi; Microsoft TMG with Citrix XenMobile Network Controller; Citrix NetScaler Gateway with XenMobile Network Controller; Citrix XenMobile Device Manager; Microsoft Exchange (Datacenter)]

Table 2: Controlling client devices—pros and cons

Pros
• Access to Exchange Server is limited to approved clients
• Dangerous apps can be blacklisted
• Exchange Server is protected against Internet attacks
• Downloaded data on client can be wiped remotely

Cons
• ActiveSync traffic is not encrypted—may be intercepted
• Downloaded data on client is accessible to non-blacklisted applications

Scalable secure access

A high level of security can be accomplished through the use of Citrix XenMobile in conjunction with NetScaler Gateway and the WorxMail client, as shown in Figure 3. XenMobile prepares the WorxMail client’s applications. The client uses the Citrix secure ticketing authority (STA) or a microVPN encrypted tunnel to access the NetScaler appliance, which encrypts and controls downloaded content. STA offers a better user experience through the use of a secure ticket that authenticates the user over a longer period of time. In this topology WorxMail uses the STA mode of authentication with the NetScaler Gateway. XenMobile serves as the ticketing authority.

Whereas a microVPN connection will prompt the user for explicit authentication, an STA connection can be silently re-authenticated through ticket renewal [3].

NetScaler Gateway [4] is a powerful application delivery platform that accelerates and controls access to the enterprise Exchange servers and other Internet services. NetScaler can be installed on a virtual server, or as an independent appliance for higher capacity. The pros and cons for this alternative are shown in Table 3.

[3] The STA-based approach is currently available for WorxMail on Android-based devices. A version for iOS-based devices is coming soon. In the interim, a microVPN-based setup can be used.
[4] http://support.citrix.com/proddocs/topic/netscaler/ns-gen-netscaler-wrapper-con.html

[Figure 3: Scalable secure access. Components shown: Citrix WorxMail Client; 3G/4G/Wi-Fi; STA or MicroVPN; Citrix NetScaler Gateway; Citrix XenMobile; Microsoft Exchange (Datacenter)]

Table 3: Scalable secure access—pros and cons

Pros
• Access to the Exchange Server is limited to approved clients
• Exchange Server is protected against Internet attacks
• Downloaded data on client is encrypted, access controlled and can be wiped
• Large numbers of users can be safely controlled

Cons
• NetScaler appliance or VM running NetScaler is required
• Additional, minor configuration requirements

This alternative is sometimes compared to other solutions that connect users through an intermediate, third-party operated network operations center (NOC). With no significant benefits over data center resident solutions, NOC-based solutions present recurring costs and a loss of both control and the ability to make quick changes.

WorxMail overview

Citrix WorxMail is an ideal mobile solution, one that enables IT organizations to manage secure email access for company-owned and personal mobile devices. When properly installed and configured, WorxMail becomes the only means by which mobile devices can access email.

WorxMail is a component of the Citrix Worx Mobile Apps [5] solution, which establishes a closed, secure environment where data on mobile devices can only be used by apps that have been approved and prepared by IT. All communication between the mobile device and the enterprise’s servers is encrypted, and only authorized and authenticated users are allowed to talk to the Exchange server.

[5] http://www.citrix.com/products/worx-mobile-apps/overview.html

Citrix XenMobile is a key element of this solution. It leverages the Citrix Worx App SDK and Citrix MDX Technologies to establish a managed, secure environment for the execution of mobile device applications. With MDX Technologies, corporate apps and data reside in a container, separated from personal apps and data on the user’s mobile device. This allows IT to secure any custom developed, third-party or BYO mobile app with comprehensive policy-based controls. Three key technologies are at work:

• MDX Access: provides granular policy-based management and access controls over all native and HTML5 mobile apps.
• MDX Vault: separates business mobile apps and data from personal apps on mobile devices in a secure business container.
• MDX Interapp: controls the communications between mobile enterprise applications to ensure that data only moves between MDX-wrapped applications.

Mobile users access their email, calendar and contacts through the WorxMail intuitive interface. Attachments are held encrypted on the mobile device in the MDX Vault and may only be accessed from approved apps. Confidential data stored on Citrix ShareFile servers may also be safely attached to emails. WorxMail can be deployed to the entire workforce because
