Duration 33:10

Citrix Synergy TV - SYN128 - App protection and Citrix Access Control: Protect your application...

Arvind Sankarasubramanian
Senior Product Manager at Citrix
Citrix Synergy Atlanta 2019
May 21 2019, Atlanta, GA, United States

About speakers

Working as Director of Product Management for Citrix focused on end user computing, driving the strategy for Citrix Workspace App, Linux Virtual App and Desktop.

About the talk

Topic: IT

In this session, learn about the new App protection offering that protects information in SaaS, web and HDX applications. Integrated with Citrix Access Control and Citrix Virtual Apps and Desktops, App protection provides a set of policies and an enforcement point to protect against data leakage when apps are delivered via Citrix Workspace. App protection provides security from keyloggers and screen-capturing malware and trojans installed on end user devices, which steal confidential information, including user credentials and any sensitive information that requires PCI compliance, sent to applications including SaaS apps, web apps, virtual apps and desktops. Note: This session will be live-streamed during the event and available for on-demand viewing post-event on Citrix Synergy TV.


Well, good afternoon. Welcome to SYN128, securing Workspace with app protection and Access Control. My name is [unclear] and with 00:04 me is [unclear]; we are the product managers on Citrix Workspace in New Zealand. So what is this session about? The session is about 00:14 what Calvin talked about in the keynote on anti-keylogging and anti-screen-capture, from an endpoint security perspective, for Citrix Workspace. But 00:23 before we get into the details on the technology, let's hear about the problem. The 00:33

number one attack surface is the device. 00:40 By 2020, connected phones and IoT devices 00:49 all become endpoints, and the attack surface for the attackers 00:59 could be ransomware, where they take control of the device and don't leave the device until they get what they demand. Right? And some of the 01:07 ransomware in combination with a virus becomes really deadly at the endpoint. At the same time, the other big attack surface 01:16 is the users. The end users in organizations are vulnerable because they are attacked; organizations 01:26

are attacked, from a cyber security perspective, through the end users, through 01:36 what the end user enters, right? And not many organizations even today have multi-factor authentication. Many organizations, 01:46 around 57%, don't have a good password policy in the organization either. So these are really serious 01:56 issues with respect to endpoint security which we need to focus on. But when you think about it from a company's 02:05 perspective, it's not easy to manage; the whole security management is really hard for them because of all the new initiatives. They have to 02:15

support the business, like remote workers, 02:23 to grow the business, and at the same 02:26 time they have to make sure that the security management happens. What typically the security management teams 02:36 do is look at security from three angles. One is visibility into 02:46 what's happening, right, on the endpoint and on the server side: you need to see everything and keep a watch on what's happening in the computer. 02:56 The second thing they do is try to reduce the threat surface: do segmentation and reduce the threat surface as much as you can so that you have fewer things to 03:06

worry about. And last but not least, whenever something happens or is about to happen, you have to protect against that. So 03:15 that is how they look at it. 03:23 But there are some attack surfaces which are not easy to manage, not so manageable. For example, if you have BYO devices, on a 03:33 Windows device there are some issues with respect to keyloggers and screen capture tools, 03:41 which are really hard to protect against; malware, spoofing and phishing emails [unclear] that you will get every day; and 03:50

untrusted third-party tools. 04:00 Citrix solutions are secure by design on the server side with Citrix Workspace: we do IP protection, centralization; it is secure by design, 04:11 and the transport as well, our protocol which communicates from the endpoint to the server side, is secure by design. As for 04:20 endpoint security breaches, we have some solutions around that, but is that 04:29 good enough from a compliance perspective and for various other reasons as well? So how is the risk of endpoint security mitigated today? 04:39

Organizations use various different things. They give corporate-owned devices, fully managed, to the end user so that they have full control 04:49 on those devices, with antivirus tools which can be run on the endpoint and managed. 04:59 You can deploy locked-down thin clients as well to manage the risk. Risks are mitigated, but 05:09 with BYO devices where you don't have control on what the user does, and even on the corporate-managed devices, 05:18 the risk is high. What is critical to think about on endpoint security is why, while you have a really good 05:27

solution with the back end, and you have a really strong security protocol and the app itself is secured, 05:37 there are various things around how the devices and the end users' behavior are controlled. 05:47 So the reasons why companies think endpoint security is critical: compliance with 05:56 the financial audits that happen, which require the endpoint to be secure. They need to make sure that 06:04 there is data leak prevention. You need to bring BYOD device users into the organization so they are productive, and you can improve the productivity of 06:14

the users. There are various regulations, and because of that you need to focus on endpoint security. Why do you focus on endpoint security? There are 06:24 various reasons. 06:33 So, let's see what we're talking about. Citrix Workspace delivers any application, whether it is a Windows app, 06:43 a Linux app, a SaaS app, and now the microapps in the intelligent workspace, on any device. It doesn't matter from where it is delivered; we give the experience and a 06:53 choice to the users and really the flexibility for them to be able to deliver all of that without compromising on 07:03

security at any time. 07:10 And all the new technologies we talked about 07:18 with app protection are going to help in that context. So let's introduce the app protection technology, 07:28 which is advanced endpoint security policies as part of app protection, like anti-keylogging and anti-screen-capture, and 07:38 in addition to that we do anti-screen-grabbing. So for example, if somebody is trying to record the screen with 07:47

video screen recorders or various video conferencing applications and is trying to record something, there is protection against that as well. So anti-screen-capture and 07:57 anti-keylogging are the key technologies as part of app protection. 08:06 So what are the key capabilities? How does this technology work? It is device agnostic: the device security posture doesn't matter, whether 08:16 it has a certain antivirus or not. The way 08:26 we are integrating this technology into Workspace app: it will be part of Workspace app, so it will be protection with all the 08:36

different actions that you do through Workspace app. I will go into more detail. 08:45 It'll be part of the same Workspace app, and only when it is enabled 08:55 by policy will the functionality kick in. [unclear] 09:04 We will talk about the rest as well. So on 09:14 the desktop platforms, Windows, Mac and Linux, and in addition to that we also will be providing options to the administrators of Windows managed 09:24 machines to enable this capability on Workspace app through GPO or the command line. So let's begin with what does app 09:33

protection do, and how does Workspace app do this? App protection kicks in from the time you launch Citrix Workspace app; that means 09:43 from the sign-in dialog. So you may use Active Directory with OTP, or you would use federated authentication logins like Azure AD or 09:52 Okta; all of that is protected from keyloggers. Let me show you how that works. In this 10:02 demo video I have a keylogger running on the right side, and I have used NetScaler as the IdP, and I'm using 10:12

I've enabled the one-time OTP, which is part of the [unclear] capability, and you see that as the user types, all of the 10:22 keys are encrypted on the keylogger. So there is no way that they would be able to get your password or username when your 10:31 endpoint is compromised. So after you log in, you'll land on the home 10:41 user interface of Workspace app, and that again is protected as well. So that means the search queries that you do within the Workspace user interface on 10:51

the desktop user interface would be protected, and all of the virtual apps and desktops information is protected from screen grabbing and screen 11:00 capture. So it's not just about search queries or your virtual apps and desktops information. In Workspace, what we did was 11:08 bring content, which we integrated with Content Collaboration service, and brought all your files into one single interface using the Citrix 11:18 Workspace experience and Workspace app. And now we would protect that content as well against keylogging and screen capture. So not just the 11:28

files from Content Collaboration service: if you have connectors that are integrated into Content Collaboration service, your files from OneDrive, 11:36 OneDrive for Business as well as Google Drive for Business would be protected from keylogging and screen capture. Let me show you how that works 11:43 again. This is the Workspace interface. I have the keylogger running. I have all of these files that I get in 11:52 the Workspace experience. So as soon as I try to launch a file from the Content Collaboration service, it opens in the 12:01

native content viewer, and when trying to do a screen capture, the hacker just gets a gray screen; the user just gets a gray screen. 12:10 So what happens now is that it launches the Office 365 session and asks you to log in, and 12:19 all of this is again protected. When you sign in to your Office 365 account, when you're trying to edit a sensitive document, again this is 12:29 protected against keyloggers, and as you can see all the characters are encrypted. And once you land on the file and you're trying to edit the 12:37

file and you're typing something in the file, again that would be protected by the app protection technology that is part of Workspace app, 12:47 and of course screen grabs, that works on Office 365 as well. Can you please use 12:58 the microphone? You have a question? Is that in the session, like Citrix Workspace launching Word, versus using a native 13:08 Word on the client? Is this using the Office 365 account, using the browser and taking you to the Office 365 13:17 sign-in? 13:25

In this case it is running the Office 365 session inside the embedded browser as part of Workspace app. So 13:36 not just the Workspace feed; the new intelligent experience will also be protected from keyloggers and screen capture 13:45 through app protection. So what does that mean? When you use the intelligent experience, you're going to get feeds from multiple applications which may 13:54 contain sensitive information, right? So you may get opportunity details or other details that are fed into your intelligent workspace, and that can 14:03

be screen captured or grabbed and then be used for non-legitimate purposes, right? When you try to submit 14:13 some expense report, or put some of the opportunity details into Salesforce, all of that is again protected with the intelligent experience and app 14:23 protection technology. Let me show you how that works. This is the new IWS, the intelligent workspace. In that, 14:31 when the attacker tries to take a screen capture, he gets only a gray or a black screen, right? And then I'm going to submit a quick expense report, and 14:41

actually typing in the microapp, which is the blade that comes from the left side. So on the right side the 14:50 keylogger is enabled, and I'm trying to submit an expense report and the keylogger just gets encrypted text. 15:00 Of course, I don't want my boss to know that I'm submitting a $5,000,000 expense report. So how is it delivered? So this is 15:10 a client-centric technology, but the app protection is enabled through policies on the Workspace app. When you try to launch sessions from 15:20

Workspace app, all of them are protected. So how does it work? So in the case of Virtual Apps and Desktops, we would introduce two new 15:30 policies in Studio, where you would be able to prevent keylogging or prevent screen capture; two policies that will be introduced in 15:39 Studio which you could enable, so that the virtual apps and desktops are protected from keyloggers and screen capture. And on the other side, if you have 15:49 Citrix Access Control service, and if you are a Citrix Gateway service customer, there'll be two new additional policies that would be delivered as part of the 15:58

Access Control service enhanced security policies. We deliberately kept the two policies at two different places because we believe the 16:06 administrators for virtual apps and desktops and for SaaS apps may be two different persons. Let's begin with 16:15 the virtual apps and desktops session: how does it work? So first, you have to use the latest Workspace app with the app protection technology 16:25 in order to protect the user from keylogging and screen capture. Suppose that I'm trying to open content in a virtual 16:35

Microsoft Word session, and it launches when using Workspace app, which has the app protection capability. If you use Receiver 16:45 and you're trying to launch the same application and the same content, what happens is that we will deny the launch of that application, 16:55 the virtual application, [unclear] 17:04 or an app which does not have the Workspace app protection capability. In that case we would prompt the user to upgrade and install the app 17:14

protection capability, so that he could then use the virtual app or virtual desktop. 17:23 Since it's one of the new policies that was introduced in Studio, that means it works like any other policy. The policies are going to be 17:33 per-session policies, and when two sessions are sharing the same session, what happens is that both of these sessions get protected from 17:42 keylogging and screen capture. Let me show you how. I launch a virtual desktop 17:52

as well as a virtual application, which is PowerPoint. And you see the keylogger is running on 18:01 the right side. So I'm going to open this virtual desktop session and I'm going to access some sensitive content and edit it. So what happens 18:11 in these cases: both of these sessions are protected from keylogger and screen capture. As I type in this document that is delivered through the 18:20 virtual desktop, the desktop can be Windows Virtual Desktop delivered from Azure or it could be a desktop-as-a-service 18:30

delivered through Citrix Managed Desktop service, and it would be protected against keylogger and screen capture. 18:40 Let's look at the next session that I open, the virtual PowerPoint application. Again, as I type in this virtual session, 18:50 the keylogger still gets encrypted text when I type in this virtual session. And as I 18:59 said, these virtual apps could be from on-premises, cloud, or through Citrix Managed Desktop service, and it'll all be 19:09 protected when you launch them from Workspace app. So for the SaaS apps, what we did was, as you can see, we added two new 19:19

policies on the Access Control service under the enhanced security section: screen capture and keylogging, 19:29 just like the other policies in Access Control service, and you can make these policies per app, because not every app requires an anti-screen-capture 19:38 policy. And that's how it works on SaaS apps. One thing to be noted here is that the keylogging and screen capture protection only 19:48 works when it is delivered through the embedded browser that is part of Citrix Workspace app. So once it goes to the native browser, the Workspace app 19:58

loses control, so that means you have to enable enhanced security controls for the policies to work on that specific SaaS app. 20:07 Let me begin with how you publish a SaaS app with Access Control service; it's something new, it's been less than a year since we launched. 20:19 Once you are in the process of adding a SaaS app, you choose one of the SSO templates that is available on the Access 20:28 Control service, and you enable these enhanced security controls. As you can see, when you enable enhanced security, by default 20:38

restrict keylogging and restrict screen capture get enabled, and this policy applies only to the Office 365 application because this policy is per 20:48 app. So let's look at the end user side, right? So let's see, I'm trying to launch the Office 365 SaaS app. It 20:58 opens in the embedded browser that is part of Workspace app, so you could see and feel that it's a native-like experience, and you see the other 21:08 policies from Access Control service applied, like watermarking. I try to take a screenshot and get a 21:18

black screen, and then I try to edit a document and the keylogger can only see the encrypted text. 21:26 Now I'm trying to open a SaaS app that doesn't have these policies enabled, which is not a sensitive app. In this case the user has been allowed to take a 21:41 screenshot, [unclear] policy. 21:51 And in this case, I just disabled keylogging and screen capture, and you can see the keylogger is now capturing the 22:01 keystrokes. So in summary, the app protection 22:11

technology protects the user from the time of Workspace app launch, so it protects the login dialog, whether it is native or 22:21 federated, and once you land on the home user interface, it protects the intelligent workspace feed as well as the search queries. In 22:30 addition to that, it protects the content which is delivered through Content Collaboration service, virtual apps and desktops and SaaS apps, 22:39 through policy control, and it can be enabled per session or per app. [unclear] We are still working on 22:47

adding more capabilities into app protection, and one such thing is app containerization, which is very specific to the Windows platform, right? 22:57 So we wanted to run this Workspace app for Windows in a container so that it could be running in a very secure context. So that's a technology. 23:07 So what does the containerization do? As I said, it runs the Workspace app for Windows in a secure context. That means none of the DLLs could 23:18 be injected into Workspace app; for that matter, any unsigned binary or unsigned process could not invoke Workspace app or the Workspace processes. 23:28

Right? And it also does digital signature and anti-tampering checks, so that only the right processes can invoke the processes that are part of 23:37 the native app. We are also going to do a chain of whitelisted processes. That means the processes that are launched by the 23:47 Workspace processes will be whitelisted; it will not call any of the other processes which are not chained through the Workspace processes. Let me show 23:57 you how that works. I'm going to run 24:06

the Citrix Workspace without containerization. So I have an untrusted binary, where the hacker installs a DLL into the 24:16 machine; this is an unsigned binary and it's trying to invoke the Workspace app. So you can see all of the processes run in the user context, 24:26 and Workspace assumes the binary is from a legitimate process and it authorizes that process 24:36 to launch Workspace app or launch sessions. And when I try to launch a specific session, 24:46 a chain of processes kicks in, and one of the processes is an unsigned binary, and we're trying to launch a session here. In this case, of course, 24:57

Windows Defender warns the user, saying that you're trying to access an untrusted binary, but if the user says run anyway, he's doing it in 25:07 the context of the hacker, right? Who can then install a keylogger and then a screen capture tool to capture everything that is being done by 25:15 the user. So this would be prevented by the app containerization technology that we are working on. [unclear] 25:25 We could whitelist processes. That 25:37 means processes that are only invoked by the main 25:41

Citrix Workspace process. And I whitelisted the Workspace app launcher, so what happens now 25:51 is when the user tries to launch the Workspace app, [unclear] 26:01 from the Workspace service URL, and he's trying to launch a Workspace virtual session, right? So as I said, it's aimed at the Workspace 26:10 processes; they are all whitelisted, and if it's an unsigned binary it'll block that binary from being executed. That means that 26:20 specific launch of that session is prevented. As you can see, since this was an untrusted binary, the Workspace experience falls back to a different 26:29

experience. The user may be unaware, but he'll still try to launch a session, and in this case the launch of that session is protected because that 26:39 is an untrusted binary in the system and Workspace app doesn't coexist with that binary. 26:48 And the launch of the app will not open; it just fades out. 26:59 And you can see all these processes running in a secure context, [unclear]. So this is how we 27:09 achieve that it runs in a very secure context and not only in the user context. 27:18

So these are additional capabilities on top of anti-keylogging and anti-screen-capture, which give additional security by running 27:32 the Workspace app with injection protection 27:42 [unclear]. 27:46 Mac is secure by design, so we don't need containerization there; the most vulnerable endpoints are on Windows, and 27:56 that's why we would be doing this containerization on Windows. As [unclear] said, it's in addition to keylogging and screen capture. Again, this will be 28:06 a server-driven, admin-driven policy, and it can be enabled in Workspace app for Windows to run in a secure context. 28:15

So basically, to summarize, we are able to provide app protection technology for everything that 28:25 you do with Workspace app, right from the authentication screen; whether you are authenticating with any type of 28:34 authentication medium, that will be protected with anti-screen-capture and anti-keylogging. Then when you are inside the Workspace 28:43 app itself, when you see all your applications and intelligent workspace feeds and microapps, all of that is protected as well. 28:53

When you see files inside Workspace app and you try to open a file using an Office 365 account, 29:03 or you are using a virtual session for that file, it is still protected. 29:11 Whether deployed on-premises or in the cloud, the virtual applications also get the protection. 29:25 We have specifically on the 29:31 Windows platform [unclear] for endpoint security, 29:41 for various different reasons, whether it is the attack surface or for compliance reasons, and we see a lot of interest in various 29:50

verticals, like the [unclear] vertical, healthcare and others as well, and it allows them to 29:59 pass various audits and certifications. And that is really critical for their businesses. 30:09 You can sign up for the early access. We are still working on how it is going to be available. It is targeted for the Windows platform, and the Mac and Linux 30:19 platforms as well, to be available. Right now we have an early access for Windows and Mac where you can start testing this technology and 30:27

give us more feedback. We are working on the policy framework and how the whole thing is going to work, and will make that available for you. 30:37 So please scan this QR code and sign up for early access. We are now open for questions. 30:48 You can use the mic. So it works with any keylogger, any type of screen grab client, and natively grays it out? 31:02 Like it's a defense mechanism, right? It is tested to the best of our ability, and it's going to 31:12 be enhanced continuously to make sure that it's robust. Does it require like a driver or anything 31:22

like that, or is it just completely native to the application you are deploying? 31:32 With the anti-keylogging technology, on Windows and Mac and Linux there are different mechanisms. 31:42 Do you plan to offer the policies in Group Policy, or will they just be applied through the UI? We 31:55 are also looking at providing Group Policy to enable or disable the 32:05 [unclear] on every device by default at 32:11 install time, and 32:19 if the admin mandates that this has to be there, then when they try to make a connection it will be available to install this app protection 32:28

on Windows. Any other 32:38 question? Okay, so we certainly wanted to give more time for questions on this; looks like we are able to finish early 32:48 and give you 10 minutes back if there's no question. 32:58
