Explore common questions and key information on Citrix security best practices and controls.
The Citrix Global Security Assurance Framework (GSAF) leverages the suite of information security controls found within the Industry Standards Organization (ISO) 27001 and 27002, National Institute of Standards and Technology (NIST) Special Publication 800-53, and Center for Internet Security (CIS) standards. The GSAF provides a consistent and unified approach to securing the assets of the corporation, while protecting the interests of the company, shareholders, customers and employees. Citrix’s Policy Review Board reviews GSAF policies and standards at least annually. Citrix GSAF policies and standards are available to all employees via the Citrix Intranet site.
Employees must accept and acknowledge understanding of the GSAF policies and procedures as well as potential implications of not adhering to them. It is the responsibility of every employee with access to corporate information and information systems to know what behaviors are expected and to conduct their activities accordingly. Citrix’s Code of Business Conduct and Acceptable Use Policy (AUP) inform employees of what is acceptable and expected behaviors and conduct.
To enable Citrix to deliver a consistent, scalable and secure cloud solution for Citrix customers, the GSAF program undergoes regular reviews, evaluations and reports of the maturity and continuous growth efforts and improvement of the program.
Reference: GSAF Program Summary (located in the Evidence Package)
Citrix has a SOC 2, Type 2 Audit report. It can be downloaded from the Citrix Trust Center under NDA (https://www.citrix.com/about/legal/security-compliance/soc-2-reports.html).
Citrix achieved ISO 27001 certification and it can be downloaded without NDA (https://www.citrix.com/content/dam/citrix/en_us/documents/about/certification-of-registration.pdf).
Additional 3rd party audit reports will be accessible to customers under NDA on the Citrix Trust Center (https://www.citrix.com/about/trust-center/).
All Citrix Cloud offerings are hosted with providers that possess SOC 1 (SSAE 16), SOC 2, ISO 27001, ISO 27018, FISMA, DIACAP, FedRAMP, PCI DSS Level 1, ITAR, and FIPS 140-2 audits or certificates.
Citrix employs a full-time Chief Information Security Officer (CISO), who oversees the Global Security Organization. Citrix’s Privacy team, headed by the Chief Privacy & Digital Risk Officer, is responsible for data privacy. The Citrix Internal Audit Group reports directly to Citrix's Board of Directors to maintain independence. These three teams work together to address data protection issues.
Citrix maintains a policy outlining the approach to managing access to Citrix facilities, systems, and data. A formal user access provisioning process is used to assign access based on least privilege. Access, including privileged access, is granted based on job function or role. Segregation of duties is part of the overall process of creating job roles and functions. New user access, new access for existing users, or user access change requests follow a formal request process and are tracked through the internal ticketing system. Management approves access prior to access being granted or changed. User accounts follow predefined naming schemas and password requirements.
Citrix requires user authentication and verification of identification prior to allowing access to production systems. Password parameters may include, but are not limited to:
Unique user IDs enforce accountability within the system components (operating system, application, and database). Role based access restricts access to particular functions, in compliance with the security principle of least-privilege. Citrix allows non-user accounts when needed to support business objectives (testing or service accounts).
Citrix performs quarterly reviews over user accounts and assigned permissions for key systems. New access to systems is reviewed and approved by management prior to being granted Access is granted on the basis of least privilege. As part of the termination process, user access is disabled/deleted in a timely manner.
Citrix has an Asset Management Policy, which addresses how hardware and software assets are managed at Citrix.
Citrix maintains a risk-rated inventory of the Citrix owned software and hardware assets. Assets in the inventory are assigned an owner, have rules for acceptable use, labelled, and are classified. The asset classifications are measured in terms of legal requirements, value, criticality, and sensitivity to unauthorized disclosure or modification.
Products that have reached the end of their life and are no longer supported by a vendor will be assigned a sunset date. The sunset date is when the product is scheduled to be removed from production and set far enough in advance to give management time to fund and plan for replacements.
Citrix has documented a formal Data and System Lifecycle policy which contains a data control matrix. This matrix defines the required security controls based on the type of data. The matrix covers data in motion and at rest. Destruction is addressed in the data retention and media disposal policies
Risk Assessments and associated rankings are included in the yearly Internal Audit plan that encompasses both compliance and operational risks that can impact Citrix. In addition, corporate assets and potential threats and vulnerabilities to those assets are identified. Any findings are mitigated per the risk assessment process. Recommendations that maximize the protection of confidentiality, integrity and availability to these assets are also provided. This program uses a collaborative and qualitative approach to identify and prioritize risks. Details of the process, including time frames, are Citrix confidential.
Citrix maintains a Physical and Environmental Security Policy and Program.
Physical access to Citrix facilities is controlled by a badge, and surveillance cameras monitor access activity. Visitors to the Citrix facilities must be signed in by an employee before a visitor badge is issued and must be escorted by the employee while on site. Administrative access to the badge access control system used to grant and revoke physical access to Citrix facilities is restricted to authorized personnel.
Physical access to co-location data centers is also controlled. Data center access is logged, monitored, and tracked via electronic and CCTV video surveillance by security personnel. Physical access is restricted by use of electronically locked doors and separate caged areas within co-location facilities. Only personnel authorized by management have access to the co-location data center facilities. Visitors accessing a secured area must be escorted by an employee. Data centers are protected by security alarm systems and other security measures, such as user-related authentication procedures, including biometric authentication procedures (e. g., hand geometry), and/or electronic proximity identity cards with users’ photographs.
Authority to access the Citrix co-location data center facilities is reviewed on a semi-annual basis. Access change requests resulting from the review are submitted to the Security group or co-location facilities for processing. Physical security of the co-location centers, such as having security guards, biometric access, electronic access cards, fire retardants, etc. are the responsibility of the co-location data center. Controls of the co-location data centers are reviewed on a regular basis.
A Business Continuity Program Management structure is in place that includes a dedicated full-time team with a focus on Incident Response and Business Continuity. The dedicated Business Continuity staff responsible for the program are certified, involved in industry conferences and participate in events that facilitate continuous learning within the discipline. Regional Citrix liaisons are assigned and tasked with coordinating between the Business Continuity Management staff and local management within each region.
The Core Business Continuity Team is broken down into three smaller teams that are activated when a situation arises and for planning purposes. The Core Business Continuity Team mission is to provide overall direction/preparation and recovery efforts for the aspects of the organization that affect the underlying foundation of Citrix business operations.
A recovery strategy has been developed for our work campuses globally for all critical Citrix locations. Technology recovery for critical business units is provided via contracted services. A command and control center for coordination of events has been determined.
Table top exercises are conducted on a yearly basis to ensure plans are kept up to date and the team is familiar with the response and recovery processes.
Operational resilience strategies have been developed which utilizes Citrix’s US West datacenter to conduct production processing in the event of a disaster or major outage. Citrix operates four datacenters worldwide. All Enterprise applications are hosted in the corporate tier-IV datacenter located in Miami, Florida and delivered to business users globally via Citrix DaaS (formerly Citrix Virtual Apps and Desktops service). Regional datacenters host a small amount of distributed infrastructure and regional applications where necessary, which are also delivered using Citrix DaaS. Business critical data is replicated real-time to our US West DC. In the event of a disaster at our corporate datacenter, we are ready to failover all business-critical applications and seamlessly point end users to our highly available global Citrix DaaS environment.
Based on our global presence, Citrix uses the follow the sun framework for areas such as Tech Support and Customer Care. Utilizing this framework on a daily basis provides us with the ability to quickly reroute mission critical services to an alternate location.
An IT Disaster Recovery Plan has been developed and is tested on a quarterly basis. Quarterly exercises of the IT Disaster Recovery Plan have been conducted over the past several years, exceeding the industry norm of annual testing. These exercises involve the restoration of critical production processing using the DR Data Center.
Our Disaster Recovery Test Team is rotated with each quarterly test ensuring multiple personnel are adequately trained regarding our recovery processes. Change Management is tightly integrated with our Disaster Recovery Program resulting in exact duplicate environments.
Reference: Citrix Business Continuity Overview (located in the Evidence Package)
Table top exercises are conducted on a yearly basis to ensure plans are kept up to date and the team is familiar with the response and recovery processes. Hurricane scenario plans are in place for critical business units located at the Fort Lauderdale campus. Formal testing of these plans is conducted annually. The IT Disaster Recovery Plan is tested on a quarterly basis.
Citrix assesses all assets and business functions in real time through the Business Impact Analysis (BIA). To validate the recoverability of assets and business functions, quarterly technology drills and annual business function exercises are executed with issues tracked to closure. The BIA provides information necessary to develop Disaster Recovery and Business Continuity plans for each of Citrix’s locations globally. BIA results are analyzed and recovery strategies are developed, ensuring Recovery Time and Recovery Point Objectives are calculated based on risk and impact criteria.
Citrix’s Incident Response Plan governs Citrix’s response, documentation and reporting of incidents affecting computerized and electronic communication resources, such as theft, intrusion and misuse of data. The purpose of the plan is to ensure a rapid response to a suspected security event, and the timely investigation of the event in order to protect our customers, employees, shareholders and company reputation. The plan provides guidance to ensure Citrix meets its notification requirements and legal obligations to affected individuals, customers, government agencies and other entities.
Reference: Citrix Incident Response Plan Overview (located in the Evidence Package)
Citrix maintains an Incident Response Standard and has established an Incident Response Team (IRT). The Incident Response (IR) Team is led by Security with functional stakeholders as core team members. The Legal team manages Incident Communications and the Internal Communications Team is part of the IR extended team. Internal Communications and PR are the same team.
If Citrix determines that any data uploaded to Customer’s account for storage or data in Customer’s computing environment to which Citrix is provided access in order to perform Services has been subject to a Security Incident, Customer will be notified within the time period required by applicable law.
Citrix employees sign Non-Disclosure Agreements (NDA) which identifies Citrix confidentiality obligations.
Training is required upon hire and then biennial for privacy and security training. Employees must accept and acknowledge understanding of the Citrix Global Security Assurance Policies as well as potential implications of not adhering to them. It is the responsibility of every user with access to corporate information and information systems to know what behaviors are expected and accepted and to conduct their activities accordingly.
Citrix’s Code of Business Conduct and Acceptable Use Policy (AUP) inform employees of what is acceptable and expected behaviors and conduct. At the end of each course, a quiz is required to verify understanding of the training.
Refresher security training is required of employees on a recurring basis.
You can review Citrix Code of Business Conduct on our web site: https://www.citrix.com/content/dam/citrix/en_us/documents/about/code-of-business-conduct.pdf
Based on the sensitivity of the underlying job, various levels of background checks are performed on applicants prior to or following their employment.
Background verification checks on candidates for employment are carried out in accordance with relevant laws, regulations and ethics and are thereby proportional to the business requirements, the classification of the information to be accessed and the perceived risks.
Citrix maintains a Supplier Relationship Management Policy, a Citrix Vendor Risk Management Standard, and a Citrix Supplier Security Standards. These documents list the technical and organizational measures and security controls that Citrix’s vendors and partners are required to adopt when (a) accessing Citrix or Citrix customer Facilities, Networks and/or Information Systems, or (b) accessing, processing, or storing Citrix Confidential Information.
These vendors are subject to annual review through the evaluation of attestation reports (when available), performance of site visits, or other procedures. Risks and exceptions are identified and assessed for impact.
For more information, please reference the Citrix Supplier Security Standards: https://www.citrix.com/content/dam/citrix/en_us/documents/about/citrix-supplier-security-standards.pdf
Citrix maintains a Systems Acquisition, Development and Maintenance Policy. As part of this policy, the Citrix Software Development Lifecycle (SDL) promotes a Secure by Design approach which includes security training, threat modeling, design reviews, code reviews, and penetration testing.
Citrix uses a suite of commercial and in-house developed testing tools. The Engineering Security Team’s testing includes, but is not limited to exploit development, cloud hardening tests, fuzzing, and manual/assisted source code reviews. Citrix Engineering additionally has an internal Red Team which assesses the product for CWE-Top-25 as well as OWASP-Top-10 as per its applicability on the target application.
The Citrix Patch Management Standard outlines the process for evaluating and applying patches and notes that changes to system software and critical software may require additional vulnerability testing to determine if there is any risk exposure. Security related patches or fixes are tested and applied following established change management process (testing, acceptance and final sign-off).
Citrix applies patches within 30 - 45 days of release date, inclusive of sufficient time to test the patch and ensure there are no issues with the release.
In the event of a zero-day or emergency patch, the patch is processed as an emergency change management ticket.
Citrix performs periodic internal reviews and assessments based on assessed risk, and will contract with independent parties to do so when as required by certifications and standards, and as appropriate. These reviews include IT controls assessments, vulnerability assessments, and penetration tests. Results are reviewed by qualified security personnel and remediated according to threat & vulnerability management processes.
Citrix uses qualified external assessors and an internal security testing team to perform threat modeling, vulnerability scanning, and penetration testing for the Citrix cloud services.
Each distinct Citrix cloud services currently adhere to its own individual testing and evaluation schedule. Our third-party tester prepares a separate attestation for each service
Each release of the Citrix cloud services requires security assessments by Citrix’s internal testing team prior to new releases. All of the valid findings from the external assessment have been remediated or the risk accepted.
Citrix Cloud manages the externally facing attack surface using processes such as monitoring, automation, and security testing. Cloud platform providers provide a significant number of native security capabilities as well including host-based and perimeter firewalls, intrusion detection and prevention systems, anti-DDoS capabilities, and centralized visibility using services like Azure Security Center. Further, the products, services, and components hosted within public clouds ship logs to Citrix’s security information and event management system (SIEM), which provides alerting and event correlation capabilities.
Firewall devices for Citrix are configured to restrict access to the Citrix environment by limiting the types of activities and service requests that can be performed from external connections.
Firewall rules follow an established standard that leverages least privilege permissions approach, among other leading practices. Access to specific entities within the network is restricted and exceptions are only authorized when necessary for a short (<24 hour) period. Automation polices any exceptions and removes them nightly as needed.
Citrix requires multi-factor authentication to access the network remotely. In addition, multifactor is required to log into the Cloud Consoles remotely. For remote access directly into production machines, a user requires the VPN configuration file, the VPN management username and password, and their Production systems username and password.