Explore common questions and key information on Citrix security best practices and controls.
The Citrix Global Security Framework (GSF) leverages the suite of information security controls found within the Industry Standards Organization (ISO) 27001 and 27002 standards as its initial foundation and overall management system. The GSF provides a consistent and unified approach to securing the assets of the corporation, while protecting the interests of the company, shareholders, customers and employees. Citrix’s Policy Review Board reviews GSF policies and standards at least annually. Citrix GSF policies and standards are available to all employees via the Citrix Intranet site.
Employees must accept and acknowledge understanding of the GSF policies and procedures as well as potential implications of not adhering to them. It is the responsibility of every employee with access to corporate information and information systems to know what behaviors are expected and to conduct their activities accordingly. Citrix’s Code of Business Conduct and Acceptable Use Policy (AUP) inform employees of what is acceptable and expected behaviors and conduct.
To enable Citrix to deliver a consistent, scalable and secure cloud solution for Citrix customers, the GSF program undergoes regular reviews, evaluations and reports of the maturity and continuous growth efforts and improvement of the program.
Reference: GSF Program Summary (located in the Evidence Package)
Citrix’s Incident Response Plan governs Citrix’s response, documentation and reporting of incidents affecting computerized and electronic communication resources, such as theft, intrusion and misuse of data. The purpose of the plan is to ensure a rapid response to a suspected security event, and the timely investigation of the event in order to protect our customers, employees, shareholders and company reputation. The plan provides guidance to ensure Citrix meets its notification requirements and legal obligations to affected individuals, customers, government agencies and other entities.
Reference: Citrix Incident Response Plan Overview (located in the Evidence Package)
Citrix has completed an initial SOC 2, Type II audit of the Citrix Virtual Apps and Desktops, Citrix Endpoint Management, and Citrix Content Collaboration services. Additionally, in order to meet the requirements of our customers, as services are released for the new Citrix Workspace, these will be added to the SOC 2 audit program and validated through third party attestation. In addition, Citrix is regularly reviewing meaningful attestations and certification that demonstrate its commitment to state-of-the-art security practices. The timing, completion and release of any assessments remains at Citrix’ sole discretion and are subject to change without notice or consultation. The information provided here is for informational purposes only; includes targets, not commitments; and should not be relied upon in making purchasing decisions.
Updates will be communicated as they become available.
Citrix employs a full-time Chief Security and Information Officer (CSIO), who oversees the Global Technology and Security organization. Citrix’s Privacy team, headed by the Chief Privacy & Digital Risk Officer, is responsible for data privacy. The Citrix Internal Audit Group reports directly to Citrix's Board of Directors to maintain independence. These three teams work together to address data protection issues.
Risk Assessments and associated rankings are included in the yearly Internal Audit plan that encompasses both compliance and operational risks that can impact Citrix. In addition, corporate assets and potential threats and vulnerabilities to those assets are identified. Any findings are mitigated per the risk assessment process. Recommendations that maximize the protection of confidentiality, integrity and availability to these assets are also provided. This program uses a collaborative and qualitative approach to identify and prioritize risks. Details of the process, including time frames, are Citrix confidential.
Citrix has an Asset Management Policy, which addresses how hardware and software assets are managed at Citrix.
Products that have reached the end of their life and are no longer supported by a vendor will be assigned a sunset date. The sunset date is when the product is scheduled to be removed from production and is set far enough in advance to give management time to fund and plan for replacements.
Citrix has documented a formal Data Classification and Handling policy which contains a data control matrix. This matrix defines the required security controls based on the type of data. The matrix covers data in motion and at rest. Destruction is addressed in the data retention and media disposal policies.
Citrix requires multi-factor authentication to access the network remotely. In addition, multifactor is required to log into the Cloud Consoles remotely. For remote access directly into production machines, a user requires the VPN configuration file, the VPN management username and password, and their Production systems username and password.
Citrix maintains a policy outlining the approach to managing access to Citrix facilities, systems, and data. A formal user access provisioning process is used to assign access based on least privilege. Access, including privileged access, is granted based on job function or role. Segregation of duties is part of the overall process of creating job roles and functions. New user access, new access for existing users, or user access change requests follow a formal request process and are tracked through the internal ticketing system. Management approves access prior to access being granted or changed. User accounts follow predefined naming schemas and password requirements.
Citrix requires user authentication and verification of identification prior to allowing access to production systems. Password parameters may include, but are not limited to:
Unique user IDs enforce accountability within the system components (operating system, application, and database). Role based access restricts access to particular functions, in compliance with the security principle of least-privilege. Citrix allows non-user accounts when needed to support business objectives (testing or service accounts).
Citrix performs quarterly reviews over user accounts and assigned permissions for key systems. New access to systems is reviewed and approved by management prior to being granted Access is granted on the basis of least privilege. As part of the termination process, user access is disabled/deleted in a timely manner.
Based on the sensitivity of the underlying job, various levels of background checks are performed on applicants prior to or following their employment.
Background verification checks on candidates for employment are carried out in accordance with relevant laws, regulations and ethics and are thereby proportional to the business requirements, the classification of the information to be accessed and the perceived risks.
Employees must accept and acknowledge understanding of the Global Security Framework policies and procedures as well as potential implications of not adhering to them. It is the responsibility of every user with access to corporate information and information systems to know what behaviors are expected and accepted and to conduct their activities accordingly. Citrix’s Code of Business Conduct and Acceptable Use Policy (AUP) inform employees of what is acceptable and expected behaviors and conduct. Refresher information security training is required of employees on a recurring basis.
Citrix maintains a Physical and Environmental Security Policy and Program.
Physical access to Citrix facilities is controlled by a badge, and surveillance cameras monitor access activity. Visitors to the Citrix facilities must be signed in by an employee before a visitor badge is issued and must be escorted by the employee while on site. Administrative access to the badge access control system used to grant and revoke physical access to Citrix facilities is restricted to authorized personnel.
Physical access to co-location data centers is also controlled. Data center access is logged, monitored, and tracked via electronic and CCTV video surveillance by security personnel. Physical access is restricted by use of electronically locked doors and separate caged areas within co-location facilities. Only personnel authorized by management have access to the co-location data center facilities. Visitors accessing a secured area must be escorted by an employee. Data centers are protected by security alarm systems and other security measures, such as user-related authentication procedures, including biometric authentication procedures (e. g., hand geometry), and/or electronic proximity identity cards with users’ photographs.
Authority to access the Citrix co-location data center facilities is reviewed on a semi-annual basis. Access change requests resulting from the review are submitted to the Security group or co-location facilities for processing. Physical security of the co-location centers, such as having security guards, biometric access, electronic access cards, fire retardants, etc. are the responsibility of the co-location data center. Controls of the co-location data centers are reviewed on a regular basis.
Citrix maintains a Systems Acquisition, Development and Maintenance Policy. As part of this policy, the Citrix Software Development Life Cycle (SDL) promotes a Secure by Design approach and includes security training, secure development practices, and penetration testing.
Citrix uses a suite of commercial and in-house developed testing tools. The Engineering Security Team’s testing includes, but is not limited to exploit development, cloud hardening tests, perpetual fuzzing, attack tools development, threat modeling or security design reviews, and manual/assisted source code reviews.
The Citrix Patch Management Standard outlines the process for evaluating and applying patches and notes that changes to system software and critical software may require additional vulnerability testing to determine if there is any risk exposure. Security related patches or fixes are tested and applied following established change management process (testing, acceptance and final sign-off).
Citrix applies patches within 30 - 45 days of release date, inclusive of sufficient time to test the patch and ensure there are no issues with the release.
In the event of a zero-day or emergency patch, the patch is processed as an emergency change management ticket.
Citrix maintains an Incident Response Standard and has established an Incident Response Team (IRT). The Incident Response (IR) Team is led by Security with functional stakeholders as core team members. The Legal team manages Incident Communications and the Internal Communications Team is part of the IR extended team. Internal Communications and PR are the same team.
If Citrix determines that any data uploaded to Customer’s account for storage or data in Customer’s computing environment to which Citrix is provided access in order to perform Services has been subject to a Security Incident, Customer will be notified within the time period required by applicable law.
Yes. Citrix maintains a Supplier Relationship Management Policy, a Citrix Vendor Risk Management Standard, and a Citrix Supplier Security Standards. These documents list the technical and organizational measures and security controls that Citrix’s vendors and partners are required to adopt when (a) accessing Citrix or Citrix customer Facilities, Networks and/or Information Systems, or (b) accessing, processing, or storing Citrix Confidential Information.
These vendors are subject to annual review through the evaluation of attestation reports (when available), performance of site visits, or other procedures. Risks and exceptions are identified and assessed for impact.
Please reference Citrix Supplier Security Standards for more information.
A Business Continuity Program Management structure is in place that includes a dedicated full time team with a focus on Incident Response and Business Continuity. The dedicated Business Continuity staff responsible for the program are certified, involved in industry conferences and participate in events that facilitate continuous learning within the discipline. Regional Citrix liaisons are assigned and tasked with coordinating between the Business Continuity Management staff and local management within each region.
The Core Business Continuity Team is broken down into three smaller teams that are activated when a situation arises and for planning purposes. The Core Business Continuity Team mission is to provide overall direction/preparation and recovery efforts for the aspects of the organization that affect the underlying foundation of Citrix business operations.
A recovery strategy has been developed for our work campuses globally for all critical Citrix locations. Technology recovery for critical business units is provided via contracted services. A command and control center for coordination of events has been determined.
Table top exercises are conducted on a yearly basis to ensure plans are kept up to date and the team is familiar with the response and recovery processes.
Operational resilience strategies have been developed which utilizes Citrix’s US West datacenter to conduct production processing in the event of a disaster or major outage. Citrix operates four datacenters worldwide. All Enterprise applications are hosted in the corporate tier-IV datacenter located in Miami, Florida and delivered to business users globally via Citrix Virtual Apps and Desktops. Regional datacenters host a small amount of distributed infrastructure and regional applications where necessary, which are also delivered using Citrix Virtual Apps and Desktops. Business critical data is replicated real-time to our US West DC. In the event of a disaster at our corporate datacenter, we are ready to failover all business critical applications and seamlessly point end users to our highly available global Citrix Virtual Apps and Desktops environment.
Based on our global presence, Citrix uses the follow the sun framework for areas such as Tech Support and Customer Care. Utilizing this framework on a daily basis provides us with the ability to quickly reroute mission critical services to an alternate location.
An IT Disaster Recovery Plan has been developed and is tested on a quarterly basis. Quarterly exercises of the IT Disaster Recovery Plan have been conducted over the past several years, exceeding the industry norm of annual testing. These exercises involve the restoration of critical production processing using the DR Data Center.
Our Disaster Recovery Test Team is rotated with each quarterly test ensuring multiple personnel are adequately trained regarding our recovery processes. Change Management is tightly integrated with our Disaster Recovery Program resulting in exact duplicate environments.
Reference: Citrix Business Continuity Overview 2018 (located in the Evidence Package)
Table top exercises are conducted on a yearly basis to ensure plans are kept up to date and the team is familiar with the response and recovery processes. Hurricane scenario plans are in place for critical business units located at the Fort Lauderdale campus. Formal testing of these plans is conducted annually. The IT Disaster Recovery Plan is tested on a quarterly basis.
Citrix conducts a Business Impact Analysis (BIA) annually. The BIA provides information necessary to develop Disaster Recovery and Business Continuity plans for each of Citrix’s locations globally. BIA results are analyzed and recovery strategies are developed ensuring Recovery Time and Recovery Point Objectives are met. To prepare for the hurricane season, Citrix also conducts a BIA review.
Citrix performs periodic internal reviews and assessments based on assessed risk, and will contract with independent parties to do so when as required by certifications and standards, and as appropriate. These reviews include IT controls assessments, vulnerability assessments, and penetration tests. Results are reviewed by qualified security personnel and remediated according to threat & vulnerability management processes.
Citrix uses qualified external assessors and an internal security testing team to perform threat modeling, vulnerability scanning, and penetration testing for the Citrix Secure Digital Workspace (CSDW).
The CSDW consists of multiple products/services that currently adhere to their own individual testing and evaluation schedules. The Citrix Cloud security assessment is a four-phase project. The testing includes the Citrix Cloud Platform, Citrix Virtual Apps and Desktops Service, Citrix Content Collaboration Service, and Citrix Endpoint Management Service. Our third-party tester has prepared a separate attestation for each service
Each release of the platform and the products/services hosted on it require security assessments by Citrix’s internal testing team prior to new releases. All of the valid findings from the external assessment have been remediated or the risk accepted.
Citrix Cloud manages the externally facing attack surface using processes such as monitoring, automation, and security testing. Cloud platform providers provide a significant number of native security capabilities as well including host-based and perimeter firewalls, intrusion detection and prevention systems, anti-DDoS capabilities, and centralized visibility using services like Azure Security Center. Further, the products, services, and components hosted within public clouds ship logs to Citrix’s security information and event management system (SIEM), which provides alerting and event correlation capabilities.
Firewall devices for Citrix are configured to restrict access to the Citrix environment by limiting the types of activities and service requests that can be performed from external connections.
Firewall rules follow an established standard that leverages least privilege permissions approach, among other leading practices. Access to specific entities within the network is restricted and exceptions are only authorized when necessary for a short (<24 hour) period. Automation polices any exceptions and removes them nightly as needed.
Protection with an external network firewall with a ‘default deny’ ruleset is a mandatory requirement. This applicable for Amazon Web Services (AWS) and Microsoft Azure Security Groups, as well as NetScaler. Citrix corporate and non-cloud facilities are protected with network-layer firewalls.