At Citrix, we always talk about how virtual desktops and apps can increase security of application delivery. This is due to the fact that the apps, desktops, and associated data live in a centrally controlled datacenter as opposed to being stored on  thousands of distributed end-points.

We are  also encouraging BYO initiatives that can help reduce costs at the end point. IT departments let users bring their own Mac, PC, tablet, or smartphone to do their work and may provide them with a stipend to help offset the cost.

These are all great points, but these benefits do not come automatically. One has to apply some simple principles to actually secure any virtual computing environment, and this blog summarize some of my personal thoughts around two key questions:

  • How do I keep my data from walking out of my organization on my employee’s personal device?
  • How do I actually save money by providing BYO?

Before I start, I have to state that I am not asserting or implying that these recommendations will stand up to industry specific security audits – if you’re working in high security environments, you should plan your security practices along with your auditors and security experts. I am also not implying  that you’ll save a specific amount of money with BYO – that all depends on your current and future organizational structure and other factors.

Now, with the disclaimers out of the way, here we go.

  •  The network: Conceptually, it’s pretty simple. Regard your corporate network outside of the datacenter as “dirty”. Think about it. With employees and third party users plugging in around your offices, you have no way to control network security, enforce antivirus standards, prevent malware, etc. So, don’t stress it and just regard your corporate network outside of the datacenter the same way your favorite coffee shop treats their wireless network – as Internet access only. Because you’re moving all apps and their data into the datacenter, focus on security there and treat your datacenter as “clean” by applying rigorous security and antivirus practices. You should put firewalls and gateways between the datacenter and the rest of the corporate network. Seamless access to applications and desktops is provided by Citrix Access Gateway.
  •  Access to the datacenter. Don’t allow wide open VPN access,  but allow direct access only to published apps and desktops. No drive mapping, no direct access to file shares from the end point.
  •  Access to data: If you prevent client drive mapping at the end point, you will effectively prevent users from copying corporate data onto their personal devices. As one additional layer of security, you could disallow any access to file shares other than through the servers that are hosting virtual apps or desktops.
  •  Client drive mapping: don’t allow it – for the reasons stated above.
  •  Client-side printing: try not to allow it – control all printing via central print servers, so that users can’t print to their personal devices. You’ll have to think about it as printing may be an important part for your employees who are working from home. However, there are certain things that should not be printed outside of a controlled environment (patient or personal financial data, for example.)
  • Client USB storage devices: don’t allow them to prevent filed from being saved to a users personal device.

Now that you have done all that, you may wonder how you prevent users from emailing data directly to their personal email accounts.  This is not necessarily an easy thing to do. Within the virtual desktops and apps, start by blocking common web email sites, file sharing services, etc. You may have to employ common web security technologies to block web proxies that allow your users to simply circumvent some of the restrictions you put in place. Note that because you’ll regard your office network outside of the datacenter as “dirty”, there won’t be a need to block users from personal email access or other Internet resources.

What about offline users? Well, that’s a little more tricky. Thanks to 3G personal hotspots and the wide availability of  wifi even on airplanes, the times when we’re truly offline are very limited. If you have users who need to be offline, consider handling their data through enterprise-level file sharing services such as Citrix ShareFile. Note that the emphasis is  “enterprise-level” as popular consumer service allows users to move sensitive data to unmanaged and untrusted cloud services. Citrix XenClient, specifically the XT version, can also provide isolation and security on an offline device.

 This is it for security – again, the main goal here is to  avoid that your data walks out of the organization if an employee leaves the company and takes their BYO end point with them.

Speaking of devices: In order to actually achieve any kind of cost savings with BYO, I recommend that you consider this a mandatory program once you’re ready. When your infrastructure is live, discontinue the issuance and support of corporate devices. You’ll have to do this over a period of time so as to not disrupt current users, but whenever someone’s PC or laptop comes up for renewal, allow the user to choose between a BYO stipend or an IT owned thin client (for those not required to travel).

I’d like to hear from you and your thoughts. Please share your comments…

Florian Becker

Director, Citrix WW Consulting Solutions

Twitter: @florianbecker

My Healthcare blog:

Citrix Consulting wisdom: