There have been numerous questions around when to use the Encrypted Data plug-in. What about whole disk encryption? What about XenClient? To answer those questions, I will cover why we created this plug-in and what customer need is being fulfilled.
The whole focus of this plug-in has been towards enabling IT to allow contractors and employees to leverage devices that IT would not need to manage in entirety. Using contractors as an example, today when a company brings aboard contractors the standard procedure is to supply them with corporate owned assets. That means part of the obstacle to getting contractors on board is IT procuring or finding computers for these contractors.
Why not request that the contractors bring their own devices? Because then IT has a data management challenge for these non-corporate devices. How does IT ensure data is restricted and protected on those devices? Or that the data does not drift off with the device when the contractor term expires? The same challenge exists for Bring Your Own Computer (BYOC). How to manage the data for devices not directly under IT’s control? There is going to be challenges exerting the needed control IT must have to protect the data on these non-corporate computers.
Well, IT could encrypt the hard drive on these contractor or BYOC devices. But now IT is going to have to own management of those computers because if they encrypt that disk drive, they’ll have to support that device. If the encrypted disk is locked or deleted, that owner is going to bring it to IT and say get it back to where it was when I started. What are the chances there was a backup on this device? Otherwise all the personal data is lost or locked as well. Who would want that responsibility because I am fairly sure IT does not want it. Because if IT is going to own supporting that computer, they might as well provision it so they can maintain their standard image and define the policies of usage on that device. Now we are back where we started.
So enter the Encrypted Data plug-in. This plug-in will run on Windows 7 through the Citrix Receiver and it does not matter if Windows 7 is running on physical hardware or as a VM in XenClient. It is fully managed and configured via Merchandising Server.
With this plug-in, IT can now manage and encrypt the corporate data and ONLY that corporate data. No need to encrypt the whole drive (which in cases like those described here is really overkill). Also with this plug-in, the XenApp applications are all restricted to store their data in a redirected encrypted location. Let me describe quickly how that is done (a more complete explanation of the technology is here).
The \AppData\ folder located in the user’s profile (by default in c:\User\ %USERNAME%) gets redirected to the encrypted data folder for all XenApp applications (hosted and streamed). The XenApp applications are only allowed to save in this encrypted space. In fact, if an attempt is made to save data outside this encrypted space, the user will get an access denied. Local applications like Notepad are also denied if they attempt to access the encrypted space.
So now with the Encrypted Data plug-in, IT has the flexibility to capture and encrypt just the data they care about and deliver polices for locking or deleting that data as needed. The flexibility to allow any device to be leveraged becomes a much easier proposition without the burden to IT of having to own and manage that device in entirety. Now they only need to manage what matters most to them – the business applications and the business data.