We enforce security from the enterprise boundaries to every individual endpoint device. We design layered secure zones to prevent information leakage. We are armed to the teeth, protecting every bit of our information. But is that enough?

Even a small leak could sink a great ship; every detail needs to be considered to foresee possible breaches. So, let’s take a step back and take a look at our existing security layers. The glaring question is: how can we protect ourselves from inside attackers?

The fact is that people are the weakest links in your protection chain. How can you prevent insiders from simply capturing the screen and leaking your most brilliant ideas to external sources? How can you trace a leak back to when it first happened?

Citrix In-session Watermark offers a solution for you. It adds traceable information on top of the VDI screen. This acts as a deterrent against people stealing what is on the screen. To take this one step further, even if the information is leaked, you can still trace the leak back using the identity shown on the screenshot.

While XenApp & XenDesktop provides a great barrier to information theft for outside attackers, In-session Watermark provides an additional layer of security against theft from inside users. To clarify, watermarks are primarily a deterrent to inside users: for trustworthy users, yes, who sometimes need a reminder to be honest, and also for malicious insiders who are working to steal intellectual property. Since users control their endpoints running Citrix Receiver, there are security advantages to implementing server-side protections, and this is where we implemented In-session Watermark.

The watermark is added to the image before it is transferred to the endpoint. Compare the approach of implementing Citrix In-session Watermark on the server side to other solutions and offerings on the market. The Citrix In-session Watermark cannot be removed without killing the session. If a watermark solution were implemented using a user-space process to draw the watermark, a malicious user could kill that process to remove the watermark, which is clearly not a sufficient deterrent.

In the Citrix solution, the watermark is added deep inside the HDX engine and if the user were to kill the process that draws the watermark, it would also kill the user’s session, which is a much more effective deterrent.

The benefits of embedding this security into the HDX engine also include better screen coverage. The Windows 10 start menu and UWP apps will be covered properly with Citrix Watermark while a user mode process might leave some of the screen uncovered.

As with any security feature we design, there are always other aspects of In-session Watermark that we need to consider: user experience and performance. This feature is essentially a graphic enhancement, so the impact on the user and on network bandwidth needs to be considered. In our solution, we’ve optimized dramatically to minimize the bandwidth impact and have also provided several parameters for you to fine-tune the watermark display.

The Citrix In-session Watermark solution is available now as a XenApp & XenDesktop technical preview. In summary, we provide:

  • Highly secure solution design
  • Centralized policy control
  • User configures what to display. This includes user logon name, client IP address, VDA IP address, VDA host name, login timestamp, and even customized text
  • User can tune the display effect: watermark style and opacity.
  • These settings can be deployed via group policy management in this experimental release. You can download the ADM template here.
  • Optimized user experience and performance

You can download our solution here. Try it and provide us with feedback, which will help us sharpen the solution to make it more valuable for you.

Follow Wayne Liu on Twitter.