Citrix XenVault: a corporate safe in the user's environment
In any medium-sized or large company, employees' work is organised in roughly the same way: a desktop computer, an account in the corporate network, and user rights limited by the taste of the system administrator and upper management. Increasingly, though, a laptop is issued instead of a standard desktop: the price difference is not fundamental, and there is far less fuss with desktop towers. But this brings another danger: the laptop may be lost, and the documents stored on it may end up with competitors, in the press or, who knows, worse still, on a popular torrent tracker.
In every case the same problem has to be solved: how do you give the employee enough freedom while maintaining the required level of security? Citrix addresses it by moving the working environment to the server. In that case it no longer matters which computer the employee connects to the virtual desktop from. This is how the concept of Bring Your Own Computer was born: you no longer have to provide employees with laptops at all. Instead you give them an allowance, and they choose a computer by their own criteria.
An attractive solution, but not without flaws once security is taken into account. Of course, with desktop virtualization the user does all the work on the server and nothing is saved on the laptop. But sooner or later the employee will want to work offline, which means copying a few working documents to the laptop. Citrix XenVault is the technology meant to keep access to that local copy of work data secure.
The user must be trusted
While ensuring the necessary level of protection for corporate data, one should not forget about the employees themselves: they have to work under these conditions. Data protection should therefore be as transparent as possible, and from this point of view XenVault is the better fit. Unlike XenClient, which also makes the working environment available offline but requires installing a bare-metal hypervisor on the laptop, XenVault is far simpler to deploy: it is part of Citrix Receiver, the standard client for connecting to a virtual desktop from any device.
XenVault creates a virtual disk in the client operating system on which work data will be stored from then on. The disk is encrypted with a 256-bit AES key, and the security policy determines which programs are allowed to access it. In the typical case only applications delivered from the virtual environment can access the disk; a more permissive configuration also grants limited access through Windows Explorer. The process of creating a protected disk is shown in the accompanying video.
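The article does not describe how XenVault manages the AES key, so the following is an added example of the key hierarchy that a password-unlocked, centrally recoverable encrypted volume of this kind is normally built on; it is not Citrix's code or on-disk format. The disk contents are encrypted under a random data encryption key (DEK); the DEK is stored only in wrapped form, once under a key derived from the user's password and once under an escrow key that only the management server holds. That second wrap is what makes the "key backup" described in the admin section possible: a lost password is recovered by unwrapping the DEK with the escrow key and re-wrapping it, without re-encrypting the data. All names, the 100 000 PBKDF2 iterations and the 32-byte escrow key are assumptions of this example; `CreateVault` expects a 32-byte escrow key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Vault is what the client keeps beside the encrypted disk image (illustrative
// layout, not Citrix's). The DEK is stored only in wrapped form.
type Vault struct {
	Salt       []byte // PBKDF2 salt for the password-derived key
	UserWrap   []byte // nonce || AES-256-GCM(DEK) under the password-derived key
	EscrowWrap []byte // nonce || AES-256-GCM(DEK) under the server-held escrow key
	Payload    []byte // nonce || AES-256-GCM(disk contents) under the DEK
}

const kdfIterations = 100_000 // hypothetical default; tune to client hardware

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing system CSPRNG is not recoverable here
	}
	return b
}

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018) for one 32-byte block, written out so the example needs only the standard library.
func pbkdf2SHA256(password, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index 1, big-endian
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

// gcmFor panics on a wrong key size: that is a programming error, not a runtime condition.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return aead
}

func seal(key, plaintext []byte) []byte {
	aead := gcmFor(key)
	nonce := randBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, nil) // stored as nonce || ciphertext
}

func open(key, blob []byte) ([]byte, error) {
	aead := gcmFor(key)
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("vault blob truncated")
	}
	return aead.Open(nil, blob[:n], blob[n:], nil)
}

// CreateVault encrypts data under a fresh DEK and wraps the DEK for the user
// and for escrow. escrowKey must be 32 bytes (AES-256).
func CreateVault(password string, escrowKey, data []byte) *Vault {
	dek := randBytes(32)
	v := &Vault{Salt: randBytes(16)}
	v.UserWrap = seal(pbkdf2SHA256([]byte(password), v.Salt, kdfIterations), dek)
	v.EscrowWrap = seal(escrowKey, dek)
	v.Payload = seal(dek, data)
	return v
}

// OpenWithPassword is the normal unlock path on the client.
func OpenWithPassword(v *Vault, password string) ([]byte, error) {
	dek, err := open(pbkdf2SHA256([]byte(password), v.Salt, kdfIterations), v.UserWrap)
	if err != nil {
		return nil, errors.New("wrong password or tampered vault")
	}
	return open(dek, v.Payload)
}

// ResetPassword is the recovery path: unwrap the DEK with the escrow key and re-wrap it under a new password; the disk contents are not re-encrypted.
func ResetPassword(v *Vault, escrowKey []byte, newPassword string) error {
	dek, err := open(escrowKey, v.EscrowWrap)
	if err != nil {
		return errors.New("escrow key rejected")
	}
	v.Salt = randBytes(16)
	v.UserWrap = seal(pbkdf2SHA256([]byte(newPassword), v.Salt, kdfIterations), dek)
	return nil
}
```

Two properties of this layout matter for a stolen laptop. First, an attacker holding the disk image has nothing to attack except the password-derived wrap, so the only thing standing between them and the DEK is the password policy and the cost of the key derivation. Second, the escrow wrap is only useful to whoever holds the escrow key, which must therefore live on the management server and never be cached on the client; if it is, the "safe" has a second key taped to its door.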
Offline access
Thus an employee can work in the virtual environment most of the time yet retain access to specific files even when the computer is disconnected from the network. There is no need to deploy a heavier solution such as XenClient; the required functionality is already built into the standard Citrix Receiver client. The conditions under which data may be accessed and stored on the user's PC are set by corporate security policy. If the laptop is stolen, the data on the protected virtual disk simply cannot be opened, with the usual caveat that an attacker holding the disk image is limited only by how hard the unlock password is to guess, which is why the password policy described below matters. Citrix is also developing a "poison pill" mechanism just in case, which would automatically destroy the encrypted data when the missing laptop next connects to the Internet, or after a set period.
Citrix's plans also include automatically enforcing additional security policies on the user's computer. In particular, work is under way on blocking the clipboard while protected documents are open, and on a system for quickly synchronising local work data with the server.
On the admin side
XenVault is an optional component of the Citrix XenDesktop desktop virtualization solution. The plugin became available in Feature Pack 2 and was released at the same time as XenClient, which is logical: both XenClient and XenVault solve, in different ways, the same problem of securely storing corporate data on a user's machine. By default, virtual applications delivered via Citrix Receiver or Microsoft App-V have access to the data on the user's machine.
On the server side a dedicated Merchandising Server is used to configure and deliver the plugin, and security policies are defined there. The following basic settings are available:
- Whether the password may be saved locally. If enabled, the protected area opens automatically after a successful launch of Citrix Receiver; this trades protection for convenience, since the disk is then only as safe as the store holding the saved password.
- The minimum password length.
- Whether complex passwords are mandatory. If so, the password must meet three of four conditions: capital letters, lowercase letters, digits, special characters.
Merchandising Server also manages the virtual-disk locking policy and backs up keys so that encrypted data on the client device can be recovered if the password is lost. Data can also be forced to lock if the client has not connected to the corporate server for a set period; the user receives advance warnings of the impending lock 2 days, 1 day, 12 hours, 2 hours and 10 minutes beforehand. Finally, as a last resort, data can be forcibly deleted from the client device the next time it connects to the server. The XenVault plugin is available to users of the commercial XenDesktop editions: VDI, Enterprise and Platinum.
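The password rules and the offline lock-out schedule above are stated in prose only, so here is an added example (not Citrix's code) of how a client-side policy engine would enforce them: a three-of-four character-class check on top of a minimum length, and a countdown from the last successful server check-in that reports which of the 2 d / 1 d / 12 h / 2 h / 10 min warnings has most recently been crossed, or that the vault must now be locked. The type and field names, the 7-day offline limit used in `main` and the sample timestamps are assumptions of this example.

```go
package main

import (
	"fmt"
	"time"
	"unicode"
)

// PasswordPolicy mirrors the three password settings the article lists; names are illustrative.
type PasswordPolicy struct {
	AllowSavedPassword bool // unlock automatically after Receiver starts
	MinLength          int
	RequireComplex     bool // three of the four character classes checked below
}

// Check returns nil when pw satisfies the policy, otherwise an error naming the failed rule.
func (p PasswordPolicy) Check(pw string) error {
	if n := len([]rune(pw)); n < p.MinLength {
		return fmt.Errorf("password has %d characters, policy requires %d", n, p.MinLength)
	}
	if !p.RequireComplex {
		return nil
	}
	var upper, lower, digit, special bool
	for _, r := range pw {
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsDigit(r):
			digit = true
		default:
			special = true // anything else: punctuation, symbols, spaces
		}
	}
	classes := 0
	for _, present := range []bool{upper, lower, digit, special} {
		if present {
			classes++
		}
	}
	if classes < 3 {
		return fmt.Errorf("password uses %d of 4 character classes, policy requires 3", classes)
	}
	return nil
}

// Warning thresholds before an offline lock, in the order the article lists them (descending).
var warningOffsets = []time.Duration{
	48 * time.Hour, 24 * time.Hour, 12 * time.Hour, 2 * time.Hour, 10 * time.Minute,
}

type LockState int

const (
	Open    LockState = iota // within the allowed offline window, no warning yet
	Warning                  // a warning threshold has been crossed
	Locked                   // offline too long: the vault must be locked
)

// OfflineStatus decides the vault state from the last successful server contact.
// For Warning it also returns the most recent threshold crossed, so the client
// can show "locks in 12 hours" rather than an exact countdown.
func OfflineStatus(lastContact, now time.Time, maxOffline time.Duration) (LockState, time.Duration) {
	remaining := lastContact.Add(maxOffline).Sub(now)
	if remaining <= 0 {
		return Locked, 0
	}
	var crossed time.Duration
	for _, w := range warningOffsets { // descending, so the last match is the latest warning
		if remaining <= w {
			crossed = w
		}
	}
	if crossed == 0 {
		return Open, 0
	}
	return Warning, crossed
}

func main() {
	policy := PasswordPolicy{MinLength: 8, RequireComplex: true}
	for _, pw := range []string{"Passw0rd", "password", "Sh0rt!"} {
		fmt.Printf("%-10q -> %v\n", pw, policy.Check(pw))
	}
	last := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC) // constructed last check-in
	now := last.Add(7*24*time.Hour - 5*time.Hour)        // 5 h before a 7-day limit
	state, crossed := OfflineStatus(last, now, 7*24*time.Hour)
	fmt.Println("state:", state, "warning threshold:", crossed)
}
```

Two design points are worth noting. The lock decision is computed from the last server contact, not from a local flag, so rolling the clock back on the laptop only postpones the lock until the next check-in, at which point the server can also deliver the forced-deletion command the article mentions as the last resort. And the complexity rule counts character classes rather than checking for specific characters, which is what "three of four conditions" actually requires; a check that insists on, say, at least one digit would reject a policy-compliant upper/lower/special password.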