
White Paper
Delivering corporate data securely on employee iPads
A technical how-to guide
www.citrix.com

Executive summary

A growing challenge for IT is the requirement to give executives and employees who bring personal Apple iPad tablets into the enterprise immediate access to corporate applications from anywhere. IDC estimates that more than 50 million media tablets will ship worldwide in 2011 and that by 2015 more than 120 million media tablets will ship worldwide. IDC also estimates that by 2015, 10 percent of worldwide media tablets will ship into the commercial channel, representing purchases by enterprises and other organizations but excluding tablets purchased for personal use that are ultimately also used for enterprise applications. Apple noted on its most recent investor update call that 80 percent of Fortune 100 companies now have some level of deployment or testing under way for enabling iPad support in the enterprise. In many cases, executives brought personal iPads into the enterprise and demanded access to their full business desktops and corporate applications. By all accounts, the number of iPads entering the enterprise is projected to increase rapidly during the next 12 to 18 months.

For IT organizations charged with protecting the security of the company's data and key applications, this trend creates a new concern. The iPad is one of the fastest category-defining product introductions in history, and the rapid proliferation of iPads has surprised many in the enterprise, particularly IT security organizations, which have had to respond swiftly to the wave of iPad devices entering the enterprise.

This white paper describes, from an IT perspective, the issues that arise when allowing iPads onto the enterprise network and the steps IT must take to maintain control. It outlines the security considerations, risk mitigation options and the architecture required to support the iPad as a device accessing sensitive enterprise data.

The paper also outlines how Citrix Receiver can enable iPad usage within the enterprise by giving users secure access to their business desktops and corporate applications. Citrix Receiver supports central management of applications, which in turn gives the enterprise control over corporate data from the datacenter to any device and addresses many of the security concerns faced by the IT organization. Citrix technology is front and center in enterprise mobility, enabling employees to use their iPads to work and play anywhere while corporate security protects sensitive enterprise data.

Introduction

While iPads in the enterprise bring many benefits, they also create several new concerns about protecting security and access to corporate applications. These include:

Increasing user demand. With the consumerization of IT, executives and other employees are demanding access to their work resources using iPads and other devices that enable mobility and productivity. These users do not see the technical issues or security concerns that prevent IT from providing immediate access.

Proliferation of unmanaged devices. Most organizations' application, networking, systems and security architectures are not designed to support the iPad or any other unmanaged device on the enterprise network. Traditional infrastructure and security models assumed end-to-end ownership and device control, so IT fears security breaches and loss of control of the infrastructure as new, privately owned devices connect to corporate networks.

Rapid business change. The business climate has changed substantially in recent years. Traditional project cycles, budget priorities, connectivity and access to information have all evolved rapidly. Security must evolve to meet the changing needs of both users and the business.

To balance regulatory security requirements and end-user demands for more functionality, organizations need a new IT architecture that focuses on data control instead of depending on device ownership for control. The good news is that by enabling a security architecture centered on data control, IT can solve longstanding security problems and protect sensitive data regardless of access method, device, network, ownership or location.

Unmanaged and employee-owned devices challenge traditional security policies

Leading organizations are considering BYO (bring your own) initiatives, which encourage employees to bring their personal devices to work in order to increase productivity and user satisfaction. BYO initiatives also free IT from the burdens of device ownership and management while giving users the freedom to choose personal devices such as the iPad to optimize their productivity. A recent Citrix survey showed that 72 percent of consumer devices such as the iPad were first brought into the enterprise by end users or executive-level employees. Additionally, 64 percent of respondents work with three or more devices on an average day, and more than two thirds use their own personal devices while at work.

Figure 1 shows the rise in use of unmanaged devices within the enterprise; the iPad is likely to accelerate this trend.

Figure 1: Unmanaged device use on the rise [Source: The iPass Mobile Workforce Report, November 2010]

BYO sounds like an attractive proposition until you factor in security. Unmanaged devices represent a threat to enterprise networks, which is why many organizations have been concerned about outsiders plugging unauthorized devices into trusted enterprise networks. Organizations have also been wary of the potential damage that could result from malicious insiders and from security mistakes made with sensitive data inside a trusted network. With mobile devices accessing networks, security policies have to come to terms with a shift in the concepts of inside and outside. Many users now connect to corporate systems over networks that are not under enterprise control, such as those in airports, hotels, coffee shops and at home. With data more mobile than ever, organizations need a concept of data boundaries that transcends traditional network boundaries.

Allowing iPads and other unmanaged devices onto the network requires a new way of thinking about security. The system must establish trust and verify every access to sensitive data, instead of granting access based on whether IT owns the device or whether it is plugged into an internal network. A trust-but-verify security model, in which all devices and users are treated as outsiders, supports the needs of internal and external users and best protects truly sensitive data. The challenge of this model is to provide a seamless user experience in a cost-effective way.

How the iPad is different from a PC, from a security perspective

A security architect tasked with securely allowing iPads into the enterprise has to approach the issue from the standpoint of data protection, not from the perspective of current and familiar control measures. For example, insisting on mapping existing control measures such as antivirus, personal firewall and full disk encryption onto the iPad would mean denying it access to the network, because the iPad does not support these control measures as add-on products. (The platform does encrypt storage natively, as Figure 2 shows; what it lacks is the third-party endpoint agents that PC policies typically mandate.)

Yet the iPad differs substantially from a PC from both a usability and a security perspective, and it has several security advantages that could remedy some of the security challenges of PCs. Compare the PC security model and its mitigations with the iPad in the simple model of Figure 2, and the control measures PCs require may not be necessary for iPads. See the iPad security architecture overview section of this document for more information.

Figure 2: Security measure comparison of a traditional PC and the iPad

Security measure                 PC                      iPad
Device control                   Add-on                  Add-on
Local anti-malware               Add-on                  Unavailable
Data encryption                  Add-on                  Native
Data isolation/segregation       Add-on                  Native
Managed operating environment    No                      Yes
Application patching             User-managed            Native
Access to modify system files    Requires administrator  Unavailable

The threats against sensitive data today

IT teams must protect and secure sensitive data at all times. With more personally owned and managed mobile devices tapping into corporate IT resources, data security becomes highly dependent on situational information such as the security of the device, location, user, network and the applications being used. Malware is a familiar and critical threat, encompassing viruses, Trojans, spyware, rootkits and other attacks that are top-of-mind concerns for IT. However, malware is not the primary or the only challenge to mobile data security. Any data use policy that allows access to sensitive data by unmanaged and highly mobile endpoints such as the iPad will need an enhanced security architecture to protect against all of the following high-level threats:

Data exfiltration: the unauthorized movement of data outside the control environment, and general data loss.
Data tampering: the unintended or unauthorized modification of data.
Data unavailability: the unavailability of data when it is needed.

These security issues correspond to business concerns about confidentiality, integrity and availability of resources. Organizations must protect against any attack that would compromise these business priorities. Control measures begin with a well-planned security architecture and extend to specific configuration steps to protect individual data elements.

iPad security architecture overview

Figure 3 illustrates the iOS architecture and shows where the security services sit. The iOS security APIs are located in the Core Services layer of the operating system and are built on services in the Core OS (kernel) layer. Applications call the security services APIs directly rather than going through the Cocoa Touch or Media layers. Networking applications can also access secure networking functions through the CFNetwork API, located in the Core Services layer.

Figure 3: iOS security architecture overview [Source: Apple developer documentation]

Sandboxing to protect application and data security

Apple states that iOS sandboxes every application during installation and keeps it sandboxed. iOS restricts each application, its preferences and its data to a unique location in the file system. An application running on iOS can see only its own keychain items (plus any it explicitly shares with other applications from the same developer through a keychain access group). An application, even one that has been compromised by an attacker, cannot access another application's preferences or data, and so cannot read or modify the data and preferences of other applications. As a result, an attacker cannot use the compromised application alone to take control of the device or attack other applications; doing so additionally requires a kernel or sandbox-escape vulnerability, which is exactly the class of flaw that jailbreaks exploit.

Platform security

In iOS 4.3, Apple introduced the following security-specific measures:

- Randomized IPv6 addresses (privacy extensions, as described in RFC 3041) thwart the ability to track the device across connections.
- ASLR (address space layout randomization) makes exploits more difficult to execute.

While iOS 4.3.3 has been jailbroken on other hardware, including the iPhone 4 and the original iPad, the iPad 2 had not been successfully jailbroken as of the iOS 4.3.3 release this document covers, due to platform security improvements. A jailbreak removes the sandboxing and platform-control guarantees described above, which is why the guidelines later in this document treat jailbroken devices as untrusted.

How the iPad protects sensitive data

The iOS model shifts traditional IT security responsibilities from the organization using iPads to Apple itself. This centralization could confer security advantages compared to PCs. Apple controls the iPad environment, application availability, application patching and a native device and development environment security model.

However, familiar control measures such as antivirus protection cannot be installed on the iPad. Organizations must consider the efficacy of specific iPad security measures in the context of their own requirements and seek the recommendations of their own enterprise security architects. For more information on potential security threats and how the iPad counters them, see Figure 4.

Figure 4: Threats and corresponding iPad security measures (with virtualization)

Threat             Threat vector                          iPad security measure
Data exfiltration  Data leaves organization               Data stays in the datacenter
                   Print screen                           App/device control
                   Screen scraping                        App/device control
                   Copy to USB key                        No USB key capability
                   Loss of backup                         Encrypted backups
                   Email                                  Email not cached locally
Data tampering     Modification by another application    Application/data sandboxing
                   Undetected tamper attempts             Logging
                   Jailbroken device                      Jailbreak detection
Data loss          Loss of device                         Limited data on device
                   Unapproved physical access             Device encryption
                   Application vulnerabilities            Application patching
Malware            OS modification                        Managed operating environment
                   Application modification               Managed application environment
                   Virus                                  Architecture (1)
                   Rootkit                                Architecture (1)

(1) While the iPad architecture is hardened against malware, PC-based viruses can be passed through infected documents. Anti-malware capabilities should be available in every host environment that the iPad connects to, especially email.

iPad with Citrix Receiver

How Citrix Receiver helps protect sensitive data

Citrix Receiver enables access to enterprise data while the data remains secure in the datacenter where applications are centrally hosted. Keeping data in the datacenter is essential to a strong data control environment and allows security measures such as anti-malware to be enabled consistently for any device, whether owned by the enterprise or by the user.

Organizations can use Citrix Receiver along with Citrix XenApp and Citrix XenDesktop on the iPad to provide access to enterprise data, corporate applications and business desktops. The included file manager makes it easy to work directly with enterprise directories and files. Citrix Receiver also integrates with Citrix Access Gateway for strong authentication and SSL encryption of network traffic.

Encryption in Citrix Receiver protects configuration data, screen bitmaps and the user workspace. Citrix Receiver uses iOS functionality to encrypt data stored on the device and to protect data in transit over Wi-Fi and 3G/4G network interfaces.

Citrix Receiver security measures

Citrix Receiver for iOS 4.3 or later includes several new features that affect security. The most notable are:

Full encryption. Encryption for the entire application (not only the connection data), including encryption of data in device storage when the application is not running. Citrix Receiver encrypts data over all networks, including Wi-Fi and 3G/4G.

Strong authentication. Citrix Receiver for iOS enforces strong authentication for access to sensitive resources using RSA SecurID, SMS-based authentication and integration with Citrix Access Gateway.

Multitasking. Multitasking allows an application such as Citrix Receiver to run in the background while the user switches to other applications, which enables several security features. For example, a user establishing a session through Citrix Receiver can switch to a strong authentication application to copy a one-time password (or token) used as part of the secure login process. If a particularly sensitive or valuable transaction requires multi-factor authentication, users can supply those credentials while still in a Citrix Receiver session. Multi-factor requests may even use the camera as an authentication or verification source. Citrix Receiver can also run in the background while a user takes a call or works in another application. While Citrix Receiver is in the background, any established sessions remain active, allowing users to switch quickly between applications without having to log in again to Citrix Receiver resources.

With third-party security providers, an organization can set up policies to restrict the ability to switch between applications, for example by whitelisting which applications may be used while Citrix Receiver is active.

Best practices for iPad security

Security guidelines and configuration

For security and data protection, Citrix recommends the following user and administrator guidelines when using Citrix Receiver for iOS with iOS 4.3.3 or later.

Recommended user actions:
- Apply software updates when new releases are available.
- Do not jailbreak a device that is used within enterprise environments.
- Use a passcode lock to protect access to the iPad or iPhone. Set Require Passcode to Immediately, set Erase Data to ON, and enable Auto-Lock set to one minute.
- Press the power button on the top of the device to lock it whenever it is not in use.
- Log out of Citrix Receiver when finished working with truly sensitive data.
- Encrypt backups and control the location of backups.
- Configure wireless to Ask to Join Networks.
- Verify the location of AirPrint printers before printing sensitive documents.
- Configure Find My iPhone (2) and use it to wipe a lost or stolen device.
- Report a lost or stolen device to IT so they can revoke certificates and other access methods associated with the device.
- Consider the implications for your privacy before enabling location-based services, and limit their use to trusted applications.
- Protect access to your iTunes Apple ID account, which is tied to sensitive data.
- Ensure that the photo gallery is not accessible when the device is locked.

(2) The Find My iPhone (or iPad or iPod touch) feature is now free to use without a MobileMe subscription and helps you locate a missing device. The Find My iPhone app is a free download on the App Store and lets users locate a missing device on a map and have it display a message or play a sound. Users can also remotely lock or wipe a lost device to protect privacy.
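Most of the user actions above can be enforced rather than requested, by pushing an iOS configuration profile (a .mobileconfig plist, installed with the iPhone Configuration Utility or a mobile device management system). The following Python script is an added example, not code from the paper or from Citrix: it checks such a profile against the passcode, Require Passcode, Auto-Lock, Erase Data, encrypted-backup and screenshot guidance, reports what is weak or missing, and produces a hardened copy. The payload types and keys are Apple's documented configuration-profile keys; the sample profile, its identifiers and its UUIDs are constructed for this example. Items that have no profile key (Ask to Join Networks, AirPrint, Find My iPhone, reporting a lost device) remain user responsibilities.

```python
"""Check an iOS configuration profile (.mobileconfig plist) against the
passcode and backup guidance above, and emit a hardened copy.

Added example, not from the paper or from Citrix. The payload types and keys
are Apple's documented configuration-profile keys; the sample profile below
is constructed for this example (identifiers and UUIDs are placeholders)."""
import plistlib
import uuid

PASSCODE = "com.apple.mobiledevice.passwordpolicy"
RESTRICTIONS = "com.apple.applicationaccess"

# Constructed sample: auto-lock is 5 minutes (too long) and encrypted backups
# are not forced (missing), so a check must report exactly those two problems.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.ipad.baseline</string>
  <key>PayloadUUID</key><string>0B8D1A2C-0000-4000-8000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
      <key>PayloadIdentifier</key><string>com.example.ipad.baseline.passcode</string>
      <key>PayloadUUID</key><string>0B8D1A2C-0000-4000-8000-000000000002</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>forcePIN</key><true/>
      <key>maxGracePeriod</key><integer>0</integer>
      <key>maxInactivity</key><integer>5</integer>
      <key>maxFailedAttempts</key><integer>10</integer>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>PayloadIdentifier</key><string>com.example.ipad.baseline.restrictions</string>
      <key>PayloadUUID</key><string>0B8D1A2C-0000-4000-8000-000000000003</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>allowScreenShot</key><false/>
    </dict>
  </array>
</dict>
</plist>
"""

# (payload type, key, value to enforce, predicate for an acceptable value, guidance)
RULES = [
    (PASSCODE, "forcePIN", True, lambda v: v is True, "passcode lock required"),
    (PASSCODE, "maxGracePeriod", 0, lambda v: v == 0, "Require Passcode: Immediately"),
    (PASSCODE, "maxInactivity", 1, lambda v: v == 1, "Auto-Lock: one minute"),
    # The paper's Erase Data setting wipes after 10 failed attempts; the profile
    # key caps attempts (what iOS does past the cap varies by version).
    (PASSCODE, "maxFailedAttempts", 10, lambda v: isinstance(v, int) and 2 <= v <= 10,
     "Erase Data: cap failed passcode attempts"),
    (RESTRICTIONS, "forceEncryptedBackup", True, lambda v: v is True, "encrypt backups"),
    (RESTRICTIONS, "allowScreenShot", False, lambda v: v is False,
     "block the print-screen exfiltration vector"),
]


def find_payload(profile, payload_type):
    """Return the first payload dict of the given type, or None."""
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == payload_type:
            return payload
    return None


def check_profile(profile_bytes):
    """Return a list of findings; an empty list means the profile meets every rule."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for ptype, key, _value, ok, why in RULES:
        payload = find_payload(profile, ptype)
        if payload is None or key not in payload:
            findings.append(f"MISSING {ptype}.{key}: {why}")
        elif not ok(payload[key]):
            findings.append(f"WEAK {ptype}.{key}={payload[key]!r}: {why}")
    return findings


def harden(profile_bytes):
    """Return a copy of the profile with every rule's value enforced, adding a
    payload (with placeholder identifier/UUID) where one is absent."""
    profile = plistlib.loads(profile_bytes)
    payloads = profile.setdefault("PayloadContent", [])
    base = profile.get("PayloadIdentifier", "profile")
    for ptype, key, value, _ok, _why in RULES:
        payload = find_payload(profile, ptype)
        if payload is None:
            payload = {"PayloadType": ptype, "PayloadVersion": 1,
                       "PayloadIdentifier": f"{base}.{ptype}",
                       "PayloadUUID": str(uuid.uuid4()).upper()}
            payloads.append(payload)
        payload[key] = value
    return plistlib.dumps(profile)


if __name__ == "__main__":
    for finding in check_profile(SAMPLE_PROFILE):
        print(finding)
    print("after hardening:", check_profile(harden(SAMPLE_PROFILE)) or "compliant")
```

Run against the constructed sample, the check reports the five-minute Auto-Lock as weak and the missing forceEncryptedBackup key, and the hardened copy passes cleanly. In practice the hardened output still needs to be signed and distributed through whatever profile-delivery mechanism the organization uses; the script only enforces the values, and a profile that the user can remove offers no guarantee on a personally owned device.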

Recommended administrator actions:
- Enable security measures such as antivirus to protect the data in the datacenter.
- Specify a session timeout through Access Gateway.
- Specify whether the domain password can be cached on the device, or whether users must enter it every time they request access.
- Determine the allowed Access Gateway authentication methods from the following options: no authentication, domain only, RSA SecurID only, domain plus RSA SecurID, or SMS authentication. Given the strong authentication guidance above, the no-authentication and domain-only options are appropriate only for resources that are not sensitive.

Responsibilities of iPad users

The iPad natively supports Microsoft Exchange and other email environments. Because the iOS Mail application does not allow Microsoft Exchange email to be managed, moved or deleted locally (changes are synchronized with the server), requiring online access through Citrix Receiver instead does not change connectivity requirements. Use of native email, while convenient, can raise security concerns when users store sensitive corporate data on an unmanaged device. Similarly, users can access Outlook Web Access (OWA) directly from Safari. In attempts to work around IT restrictions, users have also forwarded email from enterprise accounts to Hotmail, Gmail, Yahoo! Mail and other email accounts. iPad users need to take responsibility for protecting sensitive information in corporate email.

Citrix Receiver allows users to work with their email systems while facilitating secure access, through the following features:
- Sensitive email data stays in the datacenter.
- Email security controls (such as antivirus and antispam) run in the datacenter.
- Session interruption does not result in data loss.
- Encrypted emails are decrypted only within the datacenter; email encryption keys are not required on the device.
- A follow-me desktop provides access to email and other applications.

Conclusion

The iPad is enabling new usage models for the enterprise, models that force organizations to adapt to the new security challenges of rising IT consumerization and changing demands on IT from the business. Citrix Receiver, one of the top free business applications in the App Store, enables iPad users to work and play from anywhere with full access to business desktops and corporate applications. With a centralized approach to security that protects sensitive enterprise data, Citrix Receiver and the iPad offer enterprises a new approach to security that can meet the needs of an increasingly mobile and virtual workforce. With Citrix Receiver, the enterprise can adopt a more effective and modern approach to IT security and confidently say yes to enabling either employee-owned or corporate-issued iPads across the entire organization.

This document is not intended to be a complete guide to iPad enterprise security. Citrix recommends an overall strategy assessment that includes Citrix Receiver in addition to enterprise mobile device management security features.

Citrix Receiver: download it for free today

For a demonstration of Citrix Receiver capabilities, download Citrix Receiver for iPad from the iTunes App Store. Additionally, you can try Citrix Receiver on your iPad or another mobile device such as the iPhone with a Citrix-hosted cloud environment and be up and running in minutes, whether or not your company runs a Citrix environment. Visit http://citrixcloud.net/.

Version statement: This document is current for Apple iOS 4.3.3, which was made available in May 2011.

Links and references
- Citrix Receiver for iPad: product overview
- Conceptual whiteboard: Enabling iPads within your organization
- Receiver for iPad documentation
- Join the iPadsAtWork campaign
- Burton Group, Comparing Security Controls for Handheld Devices, 2010
- iPass Mobile Workforce Report, November 2010
- IDC Worldwide Quarterly Media Tablet and eReader Tracker, January 18, 2011
- Citrix User Survey, How Will You Work in 2011, January 2011

Worldwide Headquarters: Citrix Systems, Inc., 851 West Cypress Creek Road, Fort Lauderdale, FL 33309, USA. T +1 800 393 1888, T +1 954 267 3000
Americas: Citrix Silicon Valley, 4988 Great America Parkway, Santa Clara, CA 95054, USA. T +1 408 790 8000
Europe: Citrix Systems International GmbH, Rheinweg 9, 8200 Schaffhausen, Switzerland. T +41 52 635 7700
Asia Pacific: Citrix Systems Hong Kong Ltd., Suite 6301-10, 63rd Floor, One Island East, 18 Westland Road, Island East, Hong Kong, China. T +852 2100 5000
Citrix Online Division: 6500 Hollister Avenue, Goleta, CA 93117, USA. T +1 805 690 6400
www.citrix.com

About Citrix
Citrix Systems, Inc. (NASDAQ:CTXS) is a leading provider of virtual computing solutions that help people work and play from anywhere on any device. More than 230,000 enterprises rely on Citrix to create better ways for people, IT and business to work through virtual meetings, desktops and datacenters. Citrix virtualization, networking and cloud solutions deliver over 100 million corporate desktops and touch 75 percent of Internet users each day. Citrix partners with over 10,000 companies in 100 countries. Annual revenue in 2010 was $1.87 billion.

2011 Citrix Systems, Inc. All rights reserved. Citrix, Citrix Receiver, XenApp, XenDesktop and Citrix Access Gateway are trademarks of Citrix Systems, Inc. and/or one or more of its subsidiaries, and may be registered in the United States Patent and Trademark Office and in other countries. iPad and iPhone are trademarks of Apple Inc., registered in the U.S. and other countries. 0511/PDF