Duration 33:10

Citrix Synergy TV - SYN128 - App protection and Citrix Access Control: Protect your application...

Arvind Sankarasubramanian
Senior Product Manager at Citrix
Citrix Synergy Atlanta 2019
May 21, 2019, Atlanta, GA, United States

About speakers

Arvind Sankarasubramanian
Senior Product Manager at Citrix
Vipin Borkar
Sr. Director of Product Management at Citrix

Working as Director of Product Management for Citrix focused on end user computing, driving the strategy for Citrix Workspace App, Linux Virtual App and Desktop.


About the talk

In this session, learn about the new App protection offering that protects information in SaaS, web and HDX applications. Integrated with Citrix Access Control and Citrix Virtual Apps and Desktops, App protection provides a set of policies and an enforcement point to protect against data leakage when apps are delivered via Citrix Workspace. App protection provides security from keyloggers and screen capturing malware and trojans installed on end user devices, stealing confidential information including user credentials and any sensitive information that requires PCI compliance, sent to applications including SaaS apps, web apps, virtual apps and desktops. Note: This session will be live-streamed during the event and available for on-demand viewing post-event on Citrix Synergy TV.


Well, good afternoon. Welcome to 128, securing workspace with App protection and Access Control. My name is Vipin Borkar and with me is Arvind; we are the product managers on Citrix workspace in New Zealand. So what is this session about? The session is about what Calvin talked about in the keynote on anti key-logging and anti screen capture from an endpoint security perspective for Citrix workspace. But before we get into the details on the technology that we have heard about the problem. The

number one type surface is the device that by 2020 connect your phone and iot devices devices become one endpoint and the time of the attack surface 4 for the doctors could be like around somewhere where they think the control of the device and don't leave the device until they didn't answer. Write and some of the ransom where's in combination of a virus becomes Lily deadly. Southern point At the same time the other big attack surface surface is the users. The end users in organizations are vulnerable because they are attacked app dark magicians

are attacked for from cyber security perspective through the end users to the end user enters, right and not many organizations even today have multi-factor authentication. Many organizations around 57% don't have a good password policy as well in the organization. So these are really serious issues with respect to endpoint security which we need to focus on. But when you think about it from Compass perspective, it's not easy to manage by the whole Security Management is really hard for them because of all the next new initiatives. They have the

support for businesses like remote worker used to grow the business at the same time. They had to make sure that the Security Management happens. What typically the the security management for do they look at security from one is visibility into what's happening right on the endpoint on on the server side. The next time you see everything and keep a watch on what's happening in the computer management II do is try to reduce the threat circus do segmentation and reduce the threat surface as much as you can so that you have less things to

worry about and last but not the least bit it rain whenever something happens are about to happen. You have to protect that so environmentally look at But there are some types of surfaces which are not easy to manage not so manageable. For example, if you have BYO devices from a Windows device device some some issues with respect to keyloggers and clean garden tools, which are really hard to protect against malware spoofing and phishing emails Back Fence and you will get every day and

interested third party Tuesday. Citrus Solutions is secure by Design on on the server side with the Pittsburgh space. We do I pay protection centralization. It is secure by Design and and the transport as well our protocol when which communicates from the endpoint to the server side is secure by Design as well as the endpoint security breaches. We have any solutions around that but is that good enough from from compliance perspective and various other reasons as well? So how does a risk of endpoint security mitigated today

organizations use various different things? They they give corporate on devices fully managed to the end user so that they have full control on those devices with having fun analysis tool which can be done online point and a manager. You can deploy lockdown synclines as well to manage risk are mitigated by super B wiring devices where you don't have control on what the user and even on the corporate manage devices as well as is high. What is critical to think about and phone security Play why you have while you have a really good

solution with with the back and you have really strong protocol security protocol on the info on the app itself to secure a ride, but there are various things around how the devices on how the end users Behavior control. So the reasons why companies are in 1 secret is critical is compliance with the financial audits that happen which require the endpoint to be secure. They need to make sure that there is data leak prevention. You need to bring BYOD device users to the organization so badly and productive and you can improve the productivity of

the users are various regulation and because of that you need to focus on endpoint security. Why don't you focus on endpoint security there are various? So, let's see what you're talking about. Delivers any application whether it is Windows app next to have a massage. Now the microwave to International Space on any device doesn't matter from where it is delivered to give experience and a choice to the losers and Willie the flexibility for them to be able to deliver all of that without compromising on

all the time and the security the all the new technologies we talked about with a protection are going to help in that context. Back-to-back, let's introduce a protection technology which which is Advanced endpoint security policies that as part of a production like anti key-logging a night has been captured and these Technologies are basically in addition to that. We do anti screen grabbing. So for example, if somebody is trying to record the screen with the

radio screen recorders various video conferencing applications in. He's trying to record something varies protection against bad as well. So anti anti key-logging all the key Technologies as part of a production So what are the key capabilities how how old is technology device agnostic to device security posture doesn't matter whether it has certain antivirus or not. The way we are integrating this technology into work space app. So if I survive this will be part of what face app, so it will be protection with all the

different actions with your do throughout space average or when will when was more detail. It'll be part of the same of space app. And only when it is enabled by the functionality That I left arm and talk about the rest and he has some interesting. So on the desktop from black windows Mac and Linux. And in addition to that we also will be providing options to the administrators of Windows managed missions to enable this capability on workspace app through GPO Auto command line. So let's begin with like what does a

protection do when one hour has workspace app do this after addiction addiction kicks in from the time your lawn's Citrix workspace app, that means from the final dialogue. So you may use active directory with OTP. All you would use Federated authenticated logins like a zoo rainy or octo up in all of that is protected from keyloggers. Let me show you how that work. In this demo video. I have a keylogger running on the right side and I have used netscaler a cidp and I'm using the

I've enabled the one-time obb that is probably the last part of the inability to TV capability and you see that asks the user types. All of the key keys are encrypted on the key logger. So that is no way that they would be able to get your password or username when when you and finders compromised. So after you login, so you'll end up plan on me the home home user interface of workspace app and left again protected as well. So that means you search queries that you do with in the workspace user interface on

the stove and user interface would be protected and all of the what will happen desktops information. I protected from screen grabbing a screen capture. Turn on just a train so it's not just about such queries on what your laptop and desktop information. So it's been workspace. What we did was the brat content which is Pee-wee integrated with content collaboration service and Broughton audio flight 5 into one single interface using Citrix workspace experience and work space app. And now we would protect those contained as well against keylogging and print a picture. So not just the

files from Content Collaboration service. If you have porcelain connectors that are integrated into Content Collaboration service, your files from OneDrive, OneDrive for Business as well as Google Drive for business would be protected from keylogging and screen capture. Let me show you how that works again. Felicity the workspace interface. I have the keylogger running. I have all of these files that I get and only work space experience. So as soon as I try to launch a file from the content collaboration service, it opens on the

native content viewer and it's trying to do a screen capture; the hacker just gets a gray screen of the user to schedule a gray screen. So what happens now is that it launcher C Office 365 scheduling and asks you to log in and all of this is again traffic to tell you when you sign in into your O365 account when you're trying to edit a sensitive document. Again, this is protected against keyloggers. And as you can see, all the characters are encrypted. And once you land on the phone and you're trying to edit the

file and you're typing something on the file again. That would be protected by the a protection technology that is part of and of course green jobs that works on Office 365 as well. Can you can you please use the microphone have a question? Redirecting that in the session to like a Citrix workspace launching of word versus using a native word on the client. This is using the old 365 account since using the browser and taking you to the Office 365 sign

in this case. It is raining Office 365 session inside the embedded browser as part of Africa. So not just eat the works basic speed inside the new extended into little experience will also be protected using Key from Key Largo and King Cab Chevrolet production. So what does that mean is one to use intelligent experience you're going to get seeds from multiple applications which may contain sensitive information. Right? So you may get an opportunity detail or tails that I can feed into interior intelligent work space and that can

be screen captured or grabbed and then be used for non-legitimate purposes Ranger. When you try to submit some expense report at 4 p.m. Some of the opportunity details into Salesforce. All of that is again protected with intelligent experience and App protection technology. Let me show you how that works. This is the new IWS, or the intelligent workspace, in that letter used appliance take a screen capture and he gets only a grey or a black screen light and then I'm going to commit a quick expense report and

actually typing on the microapp, which is the blade that comes from the left side. So he's right side and the loggers when it says enable and I'm trying to submit an expense report and the keylogger just gets encrypted text. Of course, I don't want my boss to know that I'm submitting a $5000000 expense report. Chop and how is it delivered? So this is flying Centra technology body. The app protection is enabled through policies on the workspace app. When you try to launch sessions from

workspace app, all of them are protected. So how does it work? So in case of a virtual apps on desktop to be we would introduce you to new to new policies in studio red where you would be able to enable Qi login or prevent key logging off 17 chapter loser to policies that will be introduced On Studio which could enable so that what was that mean a protected from keyloggers and screen capture and on the other side when you use if you have to fix access controls of it and it's Kayla Gateway Church service customer that'll be two new additional policies that would be delivered as part of the

axis control service in armed security policies. Deliberately kept the two policies are the policies at two different places because we believe the administrators for what collapsing desktop Anasazi booby two different persons or persons Let's begin with the watchful apps on desktop session lights off at work. So what's up, you have to use the latest workspace avrilia protection technology. In order to prevent user from keylogging a screen capture unpause that I'm trying to open a content on a watchful a

Microsoft Word session and it launches one leaving using workspace app, which has the app protection capability to use receiver and you're trying to launch the the same application and the same continent what happened to start we will deny V the launch of that application of the watch the virtual application for child going to order watch Man of Steel Xbox Beta app, which does not have the workspace other a production capability in that case. We would prompt the user to upgrade and install the app

protection capability. So that he could then use the device will a powerful desktop? Lights up. I think it's one of those new policy that was introduced On Studio. That means it works like any other policies for the policies are going to be possession of possession policies and when two sessions are sharing the same session, what happens is that both of these sessions get protected from keylogging and screen capture. Let me show you how. Launch watch One desktop

and as well as a virtual application, which is PowerPoint. And you see the keylogger is running on the right side. So I'm going to open this virtual desktop session and I'm going to access some sensitive content and edit. Sensitive. So what happens in these cases, both of these sessions are protected from keylogger and screen capture PC, as I type in this document that is delivered through the virtual desktop. The desktop can be Windows Virtual Desktop delivered from Azure or it could be a desktop-as-a-service

delivered through Citrix managed Desktop Service, and it would be protected against keylogger and pink action. Let's look at the next session that I open the page 52 virtual PowerPoint application again, as I type in this virtual session in the keylogger still get you a text when I type in this virtual session. And I said the nice virtual apps could be from on-prem, cloud or through Citrix managed Desktop Service, and it'll all be protected when you launched in this from 7:00 space app. So what that's like the SaaS apps what we did was as you can see, we added two new

policies on the access control service under the enhanced security section 16 captured and killed just watch like in the other policies in Access Control service and you can make these policies available for that not every app requires an arrest in capturing policy. And that's how it works on pathlabs. Do you want to keep things to be noted here is that the key logging in screen capture only works when it is delivered through this example. Browser that is part of Citrix workspace app. So once it goes to the the browser the workspace app

loses control, so that means you have to enable and on security control for the policies to work on on that specific tasks app. Let me begin with how do you publish a sassafras attic access control services something new? It's just being a less than a year since we launched. Once you add in the process of adding a SAS app you choose one of the SSO templates that is only available on the access control service. and you enable this enhanced security controls and as you can see when you enable enhanced security by default

restaurant Key login under 16 cap to get enable and this policy applies only to The Office 365 application because this policy zapper app So let's look at the end user side, right? So, let's see what I'm trying to launch The Office 365 * stop. It opens on a Android browser that is part of workspace app. So you could see how you could feel that. It's amazing like experience and you see the other policies from Access Control assist Supply. That's why I like watermarking try to take a screenshot on a

black screen and then try to edit it called that you all have a keylogger can see the encrypted text. I'm trying to open a salsa with the Stars have these policies enable, which is not a sin to the rap. In this case. The user has been allowed to take a screenshot. PlayStation Live support a policy And in this case, I just stopped disable keylogging and screen capture and you can see the keylogger is now capturing the to keystrokes. So in summary of the a production

technology pro products to use a since the time of workspace app launch soap prevents the dial on a login dialog switch about Native and review it for export and once you land on the on the home user interface, it protects the intelligent workspace feed as well as the search queries in addition to that. It protects the the continent which is delivered through Canton calibration service and watch laps and desktops and Tasha Cobbs return policy control and can be enable possession Opera. Toronto Star I'm still working on

adding more capabilities into a protection and one such thing as if it's a printer, which is very specific to the window to the wall, right? So we wanted to run this workspace app for Windows in a container so that it could be running a very sexual context. So that's a technology. So what does the the optimization do as I said? It runs the workspace app for Windows in a sexual context? That means none of the dlls could be injected into work space that matter any unsigned binary for an unsigned processes could not involve workspace app for the workspace processes

light and it also does a digital signature and anti-tampering checks for that only the right processes can invoke the processes that are very special thing to be in Native app. Arab going also do chain of whitelisted processes. That means the processes that are launched 1tb. Workspace processes will be whitelisted. It will not call any of the other processes which are not chain through the workspace processor. Let me show you how that how that works. I'm going to run

the Citrix workspace with Audi containerization. So I have an untrusted binary letter hacker installers dll into the machine that this is an unsigned binary and its trying to invoke the workspace app. So you can see all of the processes around in the user context and work space is used in the binary is from a legitimate process and it authorizes start the process to launch workspace app or lunch sessions. and when I try to launch a specific session A chain of processes kicks in and one of the process is is an unsigned binary and we're trying to launch a session beer. In this case. Of course

Windows Defender. Once the user saying that you're trying to access an untrusted binary, but if he uses his run anywhere, he's doing it on on on the on the context of the hacker lights off. Then install a keylogger and then a screen capture to London capture everything that is that is being done by the user. So this would be prevented by the app internalization technology that we are working on Latin we could save. We could whitelist processes. That means processes that are only in work by the main trailer

surge brakes work space. And I whitelisted the the workspace app launcher, so what happens now is when the user tries to launch the workspace app. Haciendo see you so friend all the work space service URL and he's trying to launch a workspace virtual session, right? So as I said, it's aimed at the Public's processes. They are all white listed and if it's an unsigned binary it'll block that binary from being executed. That means that specific launch of that session is prevented as you can see since this was an untrusted binary the workspace experience Falls my to a different

experience for the user may be unaware, but he'll still try to launch a session and in this case. The launch of that session is protected because that is an untrusted vinyl in the system and work space app doesn't exist with that binary. And the launch of the app will not open it just Fades out. And you can see all these processes running up in a secure contact call. It doesn't show contacts. So this is how we achieved so that it runs in a very secure contexts and not only in the user context.

Darwin Deez are additional capabilities on top of anti key-logging and testing. Which gives additional security by running the WASP injection protection system Marcus secure by Design, so we don't need containerization the most vulnerable endpoints are other windows. And that that's why we would be on this continent a station on station as whipping said it's addition to keylogging and clean capture again. This will be a server driven orange. I've been driven policy and it can be enabled and workspace app for Denver on on on unsecured contacts.

So basically, to summarize, we are able to provide protection technology for everything that you do within workspace app, right from the authentication screen, whether you are authenticated into any type of authentication medium with any type of authentication medium, that will be protected with anti screen capture and anti key-logging. Then when you are inside the workspace app itself, when you see all your applications and intelligent workspace feeds and microapps, all of that is protected as well.

When you see files inside workspace app and you try to open a file using Office 365 account on cell phone. And are you are using a virtual session for that file. It is still protected. I'm deployed audit in the cloud artificial application as well. Also get the protection station value. We have specifically on the Windows platform for endpoint security for various different result Every Nation attacked board for compliance reasons and Andre CVS in Lord of interest in various

vertical slide pane vertical Healthcare Normandin another word as well and allows them to pass various artists 2000s fashion. And that is that is really critical for for their businesses. You can sign up for the Early Access. We are still working on how it is going to be available. It is targeted for Windows platform Mac and Linux platform as well to be available. Right now. We have an early access for Windows and Mac where you can and can start testing this technology and

give us more feedback. We are working on the policy framework and how the whole thing and Wendy's going to work and make that available for you. So please scan this QR code and you know sign up for Early Access. We are now open for questions. You can use the mic. So it works with any keylogger any type of screen grab client natively Grey's it out. Like it's on the screen and defense mechanism, right? It is destined to the best and it's going to be and has continuously to make sure that his robes. Tequila to require like a driver or anything

like that or is it just like completely needed to the application of are deploying with the anti key-logging technology on Windows and Mac and Linux different mechanisms. Do you plan to offer the policies in group policy or will they just be a fly to DIA? We are also looking at providing Group Policy to to enable or disable the toilet on every device by default install time and mandates that this has to be there then when they try to make a connection will be available to install this app protection

on Windows. Any other question? Okay, so me and I certainly wanted to give more time for questions on this looks like we are able to finish early and give you 10 minutes back if there's no question.
