The battle between maintaining security and letting outsiders on the network has been waged for years. On one side, the security team is tasked with preventing attacks and protecting data. On the other side of the rope are contractors, BYOC (Bring Your Own Computer) users, home users and business partners who have a legitimate need for access from their devices.
The challenges pitting these two groups against each other are the classic security issues:
- Is end-to-end ownership required for security?
- Can unmanaged devices be allowed access to protected resources?
- How can sensitive data be protected when it's required to be mobile?
- What special security measures are required of contractors and others who have to work in multiple environments?
Answer these questions and some of the biggest obstacles separating security and usability are addressed.
Fortunately, the abstraction and isolation provided by virtualization technologies empower solutions to these big security problems.
Virtualization separates the apps, data, OS, device and user from their former physical boundaries. From a security perspective, virtualization allows security to be specific to the situation – not just to the device or user. Enabling situational security provides a set of tools and techniques that are unique to the protection needs of sensitive data. These capabilities have been instrumental in allowing secured access to contractors, home workers and in enabling BYOC.
To support the needs of most user access to sensitive data, Citrix recommends that primary consideration be given to hosted apps, data and desktops. Providing online, hosted access to data facilitates appropriate uses – especially by contractors and others who are not in direct employ of the company. The online hosted applications receive the full protection of the datacenter, including managed backup, disaster recovery, antivirus, DLP, data tokenization and encryption – just to name a few of the security measures.
Online, hosted data access is not a one-size-fits-all access method, though. Some users must work offsite and off the enterprise network. Some users must work on an airplane. These users require offline access, and locally installed or streamed applications – but what about sensitive local data? Unmanaged laptops, such as those carried by contractors, pose a particular challenge. Can virtualization capabilities also be utilized to protect data that must be mobile?
To provide security beyond access and protect truly sensitive mobile data, Citrix has introduced a plugin to the Receiver client framework that encrypts and manages data on unmanaged endpoints.
XenVault enables managed offline access to sensitive data on laptops and other endpoints. XenVault utilizes AES encryption and organizational policy to provide data access control. The plugin enables centralized control of distributed data, encryption and access control, with the ability to lock, delete, perform key recovery and otherwise protect sensitive data in offline usage. Application-level granularity, with a familiar file and folder model, provides for a superior user experience. Data is backed up and synchronized, freeing the user from mundane data management tasks, while ensuring that offline data is available and secured.
For enterprise users that have BitLocker, FileVault, PGP, full disk encryption, encrypted USB or another enterprise-provided solution, Citrix recommends that you continue to leverage the advantages of these solutions. For those users who don't have an existing enterprise solution, such as contractors, XenVault can be used to protect highly mobile data. XenClient also offers data management and protection features that enhance the security experience.
The proliferation of mobile access methods and mobile devices has strained security. Utilizing virtualization technologies, such as XenDesktop combined with XenVault, helps the security team support today's demanding users while maintaining control over sensitive data.
More info on XenVault can be found at: http://www.citrix.com/xenvault