The Citrix Workspace Cloud Applications and Desktops Service enables you to deliver secure virtual apps and desktops to any device, with the simplicity and agility of a cloud-based solution. Security is a top consideration for any customer planning a move to the cloud, so it is a topic that comes up frequently when discussing the service.

The key to understanding security in the Citrix Workspace Cloud Applications and Desktops Service is understanding the security boundaries between the customer and Citrix. Unlike a traditional XenApp or XenDesktop deployment, where the entire stack is hosted and managed by the customer, the Workspace Cloud Applications and Desktops Service splits the responsibilities between the customer and Citrix.

Applications and Desktops Security Boundaries

Citrix operates the management components (often called the control plane) for customer deployments. This includes the controllers, management consoles, SQL database, license server, and optionally StoreFront. The Citrix operations team takes responsibility for updating, patching, and ensuring the availability of this half of the system.

The other half of the service consists of the actual workloads themselves: the apps and desktops, hosted on machines known as Virtual Desktop Agents (VDAs), along with any hypervisors, Microsoft Active Directory, gateways, and application-specific servers or databases. These remain under the customer’s control, and can be hosted in the datacenter of their choice, either cloud or on-premises.

Apps and Desktop Service Overview

With the service’s architecture, the customer’s application data, HDX traffic, and golden images used for provisioning are always hosted within the customer setup. The control plane only has access to the necessary metadata, such as usernames, machine names, and application shortcuts, which restricts the control plane’s access to the customer’s intellectual property.

For more details and deployment recommendations

Citrix has recently posted a Technical Security Overview for the Workspace Cloud Applications and Desktops Service. This document provides additional details on the security boundaries, along with deployment recommendations for the customer-managed components in the service. For more details, see: