Citrix XenVault: Enterprise Safe in a Custom Environment

    In any medium or large company, employees are set up in roughly the same way: a desktop computer, an account on the corporate network, and user rights restricted to whatever the system administrator and senior management see fit. True, a laptop is increasingly issued instead of a standard desktop: the price difference is not fundamental, and there is far less fuss with boxes. But this brings another danger: the laptop may be lost, and the documents stored on it may end up with competitors, in the press or (it is hard to say which is worse) on a popular torrent tracker.

    In any case, the same problem has to be solved: how to give the employee enough freedom while maintaining the required level of security? Citrix solves it by moving the work environment to the server. In that case it no longer matters at all which computer the employee uses to connect to the virtual desktop. This is how the Bring Your Own Computer concept was born: you don't have to provide laptops to employees at all. Instead, you give them a certain sum of money, and they choose a computer by their own criteria.

    An attractive solution, but not without flaws where security is concerned. Of course, with virtualization the user does all the work on the server, and nothing is saved on the laptop. But sooner or later the employee will want to work "offline", which means dragging a couple of working documents onto the laptop. Citrix XenVault technology can help provide secure access to operational data in that situation.

    The user must be trusted.
    While providing the necessary level of security for corporate data, one must not forget about the employees themselves: they have to work under these conditions. Data protection should therefore be as transparent as possible, and from this point of view XenVault is the best solution. Unlike XenClient, which makes the work environment available offline but requires a bare-metal installation, XenVault is much easier to deploy. In fact, it is part of the Citrix Receiver client, the standard program for connecting to a virtual desktop from any device.
    XenVault creates a virtual disk in the client operating system, which subsequently stores operational data. This disk is encrypted with a 256-bit AES key, and the security policy determines which programs are allowed to access it. In the typical case, programs from the virtual environment can access the virtual disk; in a more advanced configuration, limited access to the disk can also be given through Explorer. The process of creating a protected disk can be seen in this video:
    Offline access

    Thus, an employee can spend most of the time working in the virtual environment, yet retain access to certain files even when the computer is disconnected from the network. No more complex solution (such as XenClient) needs to be installed for this; the required functionality is already built into the standard Citrix Receiver client. The conditions under which data may be accessed and stored on the user's PC are set by corporate security policy. In case of theft, the data on the protected virtual disk simply cannot be opened, but just in case, Citrix is developing a "poison pill" method, by which encrypted data is automatically destroyed the first time a missing laptop connects to the Internet, or after a certain time.

    Citrix's plans also include automatically applying additional security policies on the user's computer. In particular, work is under way on blocking the clipboard while working with protected documents, and on a system for quickly synchronizing local working data with the server.

    Admin side

    XenVault is an optional component of the Citrix XenDesktop desktop virtualization solution. The plugin became available in Feature Pack 2 and was released at the same time as Citrix XenClient. This is quite logical, since XenClient and XenVault solve the same problem, securely storing corporate data on a user machine, in different ways. By default, virtual applications delivered via Citrix Receiver or Microsoft App-V have access to the data on the user machine.

    On the server side, a dedicated server (Merchandising Server) is used to configure and deliver the plug-in, and security policies are defined through it. The following basic settings are available:

    - Whether the password may be saved locally. If enabled, the protected area opens automatically once Citrix Receiver has started successfully.

    - The minimum number of characters in the password.

    - Whether complex passwords are mandatory. In this case the password must satisfy three of the four conditions: uppercase letters, lowercase letters, numbers, special characters.
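The minimum-length and "three of four classes" rules above, expressed as a client-side check. This is an added illustration in Python, not Citrix code; the minimum length of 8 is an assumed example value, since the page names the setting but not a value.

```python
import string

# Assumed policy values for illustration (the page describes the settings,
# not the values an administrator would choose).
MIN_PASSWORD_LENGTH = 8
REQUIRED_CLASSES = 3  # "three of the four conditions"


def character_classes(password):
    """Return the set of character classes (of the four in the policy) used by the password.

    Characters outside all four classes (e.g. spaces) count towards length only.
    """
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("special")
    return classes


def check_password_policy(password, min_length=MIN_PASSWORD_LENGTH, require_complex=True):
    """Return a list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if require_complex:
        used = character_classes(password)
        if len(used) < REQUIRED_CLASSES:
            problems.append("uses %d of 4 character classes, needs %d" % (len(used), REQUIRED_CLASSES))
    return problems


if __name__ == "__main__":
    for candidate in ("password", "Passw0rd", "Ab1!", "Tr0ub4dor!"):
        print(repr(candidate), check_password_policy(candidate) or "accepted")
```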

    Merchandising Server also manages the virtual disk lock policy and backs up keys so that encrypted data on a client device can be recovered if the password is lost. You can also force the data to be locked when there has been no connection to the corporate server for a certain time; in that case the user receives advance warnings of the impending lock 2 days, 1 day, 12 hours, 2 hours and 10 minutes beforehand. Finally, as a last resort, data can be forcibly deleted from a client device when it connects to the server. The XenVault plugin is available to users of the commercial XenDesktop editions: VDI, Enterprise or Platinum.
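The offline lock and its warning schedule, worked through as an added example (not Citrix's implementation): given the last successful server contact and the policy's lock period, the client decides whether the vault stays open, which warning is due, or whether it is locked. The 7-day lock period in the sample is an assumed policy value.

```python
from datetime import datetime, timedelta

# Warning lead times before the forced lock, as listed in the policy description.
WARNING_LEAD_TIMES = [
    timedelta(days=2),
    timedelta(days=1),
    timedelta(hours=12),
    timedelta(hours=2),
    timedelta(minutes=10),
]


def vault_state(last_server_contact, lock_after, now):
    """Decide what the client should do with the protected disk.

    Returns ("open", None), ("warn", lead_time) or ("locked", None), where
    lead_time is the most urgent warning threshold that has already been crossed.
    """
    lock_at = last_server_contact + lock_after
    if now >= lock_at:
        return ("locked", None)  # no server contact within the allowed period
    remaining = lock_at - now
    crossed = [lead for lead in WARNING_LEAD_TIMES if remaining <= lead]
    if not crossed:
        return ("open", None)
    return ("warn", min(crossed))


if __name__ == "__main__":
    # Constructed sample: the assumed policy locks the vault after 7 days offline.
    last_contact = datetime(2011, 1, 10, 9, 0)
    lock_after = timedelta(days=7)
    for offset in (timedelta(days=1), timedelta(days=5, hours=12),
                   timedelta(days=6, hours=23, minutes=55), timedelta(days=7)):
        print(offset, vault_state(last_contact, lock_after, last_contact + offset))
```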
