Examining the popular solution for security, mobility and compliance
By Ryan Kline, Contributing Editor
Many of the more than 180,000 organizations using Citrix have to deal with new concerns about security, and they all share the same goal: to keep their system, and their Citrix implementation, as user friendly as possible. Smart cards, one time password (OTP) devices, and biometrics are all being used to authenticate the user in Citrix-controlled environments. The company is doing its part to keep up with these increasing security demands by implementing a new partnering process to certify third party security products as “Citrix ready.”
Though virtually a household name, many non-users are not quite sure what Citrix really does? Senior Product Marketing Manager Chris Harget explains that, “Citrix endeavors to deliver any application to any user, anywhere with the best performance, highest security, and lowest cost.” By virtually any measure, the company has been successful in its mission. Citrix boasts that 98% of Fortune Global 500 companies use at least one of its products.
But the ability to access information from virtually anywhere, at any time is no longer just a necessity for large companies. It is essential even for small companies, and hundreds of thousands rely on Citrix.
The distant workforce demands immediate and secure access to the applications and information on the network from anywhere the business takes it. But this need highlights the dicotomy between security and ease of access. Traditionally, if the network is to be secure one must expect more inconvenience when connecting to it.
Citrix recognizes that securing the network is essential to maintaining a risk-free environment for employees and clients. “From securing the VPN (Virtual Private Network) connection … to securing the application … to ensuring that the data does not leave the data center … and the single sign-on … are elemental functionalities that Citrix provides to secure the network,” explains Mr. Harget.
Strong authentication in the Citrix environment
Many organizations require strong authentication to be integrated with their network. In 2005, Citrix’s research suggested that 35% of its customers used some form of strong authentication. The methods included, but were not limited to, one time password generators, smart cards, USB tokens, or biometrics.
Strong authentication is most commonly used in organizations that must comply with regulations such as: medical, financial, government, manufacturing, technology, or law enforcement.
The healthcare industry complies with HIPAA via secured Citrix solutions
The largest user of Citrix’s single sign on functionality has been the healthcare industry. Single sign-on is a specialized form of software authentication that enables a user to authenticate once and gain access to multiple applications or areas of the network. Since single sign-on authenticates a user for all other applications to which he has access, passwords to secondary applications need not be shared with the user, thus minimizing risk to the organization when a user leaves.
The medical industry is required by HIPAA (Health Insurance Portability and Accountability Act) regulations to meet strong authentication for login if patients’ records are kept electronically.
Ron Crall, CIO and HIPAA Compliance Officer for St. Joseph Hospital in Bangor, Maine, understands how important it is to protect the privacy of patients’ information. In a case study done jointly between Citrix and St. Joseph Healthcare, he stated, “with HIPAA regulations, we can’t have an employee walk away from a workstation that they’ve logged into and leave the screen visible. With Citrix … we have a solution for easily disconnecting users from an active session and rapidly logging them back in without having to restart applications.”
Citrix reduces the log-on time from one minute to less than ten seconds, a time savings which can translate into treating several additional patients per shift. It also provides an additional security benefit, keeping application data behind the corporate firewall. There are no longer “pools of health information sitting unprotected on somebody’s desktop computer,” says Mr. Crall.
Security for all
Keeping critical information off or machines and behind the firewall increases security for both the healthcare industry and all industries. According to Mr Harget, “traditional firewalls allow everything through except certain ports, which means attacks can exploit open ports. Citrix’s application firewall keeps everything out except traffic required for your known applications.”
A smart access approach determines access levels based on the device you are on and the network you are coming from. From inside the firewall on a corporate device, you will be granted full access. But, if you log-on from an unmanaged device off-site, you will be restricted and possibly not allowed to print or save locally, because that is less secure.
Government plays, too
Government agencies across the United States are beginning to feel the effects of HSPD-12 and FIPS 201. With physical security in the forefront of many governmental agencies, Mr. Harget expects government agencies to lead, issuing one authentication device to secure both the entrance and the network. “We are seeing some customers look for a way to converge devices (the actual token or card) used for physical and logical access, but they do not want to converge the databases. Citrix Password Manager is very capable of working with card systems that can be used in this way.”
While creating Password Manager, Citrix took an architectural approach that made it easy to incorporate two-factor authentication. Citrix implemented a method called “GINA chaining,” which allows the network to be compatible with any hardware that conforms to the Microsoft standard. GINA, an acronym for Graphical Identification and Authentication, is the Windows component that manages the Ctrl + Alt + Delete dialog box that collects the data needed for authentication.
Many of Citrix’s products require alterations to the GINA chain. “This simply means we intercept and insert ourselves into the GINA process without disrupting it,” continued Mr. Harget, “such that we do not inhibit or alter other components that interact with GINA.”
Ultimately, any FIPS 201 compliant identification card could work with the Citrix platform. But, Citrix, for strategic reasons, partners with select vendors that have gone through testing to become Citrix Ready in order to boost confidence in third party strong authenticators. For ultimate ease and convenience governmental agencies only need to purchase FIPS 201 approved PIV cards and middleware that are also “Citrix Ready.” (Although it may be required in the future, nothing in HSPD-12 states that governmental agencies have to secure their workstations with FIPS 201 compliant log-ins.)
Currently more than 20 options for Citrix Ready two-factor authenticators exist. These products range from smart cards to one time password generators.
Citrix has an extensive selection of two-factor authentication partners that have been certified Citrix Ready. Partners use a variety of techniques, including BioPassword and bioChec as biometric solutions; Vasco and RSA with one-time password generators; and Gemalto as a smart card solution. The complete list of Citrix Ready products can be found at Citrix’s website, www.citrix.com.
Research and evaluate FIPS 201 Approved Products and get the latest info on compliant credentialing systems at FIPS201.com. Click to visit FIPS201.com.