Duration 37:58
Citrix Synergy TV - SYN129 - Getting ahead of global regulations and compliance with Citrix

Florin Lazurca
Senior Technical Marketing Manager for Security at Citrix
+ 2 speakers
Citrix Synergy Atlanta 2019
May 21, 2019, Atlanta, GA, United States

About speakers

Florin Lazurca
Senior Technical Marketing Manager for Security at Citrix
Peter Lefkowitz
Chief Privacy & Digital Risk Officer at Citrix
Joseph Nord
Security Product Manager at Citrix

Information Technology architect with pre and post sales experience in network optimization, virtualization, and security. Technical hands on with the design and deployment of secure solutions protecting networks, systems and applications for diverse companies and organizations. Passionate about Information Systems Security; with knowledge of security tools, technologies, and best practices.

Accomplished attorney and data governance professional with 10+ years as Chief Privacy Officer for major multi-nationals. Extensive experience with cloud, IoT, regulatory compliance and public policy. 2018 Chairman of the International Association of Privacy Professionals.

Security Product Manager for Citrix Systems. Defines security-related product requirements for XenApp and XenDesktop, for on-premises products and cloud delivery of hosted applications and desktops. Facilitates certifications including FedRAMP, Common Criteria and FIPS 140-2 compliance, as well as customer usage for Payment Card Industry (PCI DSS) and HIPAA.

About the talk

Learn how Citrix products and services can help you get ahead of global compliance regulations, manage risk, and proactively secure information. Take your digital transformation to the next level by maintaining security AND compliance with Citrix Workspace, Networking, Analytics and Content Collaboration platforms. Note: This session will be available for on-demand viewing post-event on Citrix Synergy TV.
Welcome to Synergy 129, Getting Ahead of Global Regulations and Compliance with Citrix. I am Joe Nord. I am director of product management, working out of Citrix Fort Lauderdale. I worry about requirements for a bunch of products, notably apps and desktops, with influence across the company on what it is we're building and where we're going. With me is Florin Lazurca. Thanks for joining us today. I'm part of the technical marketing team dealing with security. So dealing with security events, evangelism, anything involving talking to customers about

what our security capabilities are. With that, let's get going. No standards slides, and start us off. This is Synergy 129. As you get towards the end, there'll be opportunities for rating the session in the mobile app, and we ask that you do; it helps Florin and I have opportunities to come back and talk to people about subjects such as certification in the future. So at the end, please do that, and we appreciate your support. And I am J. Jordan on Twitter. You can follow me here for lots of information on Citrix and security and

compliance, and occasionally information on how to manipulate thermostats in hotels. Thank you. Spell in on-premises world and cloud world. We're gonna introduce this a little bit of where we are and where we're going, and for Florin to take over payment card industry, HIPAA, and now in the last couple of years we see a lot of outdated privacy as well as GDPR. Privacy officer, and he'll kick their ass, Peter Lefkowitz, will speak a little bit later about the Trust Center, and he's got a lot of questions for him about Citrix and privacy and security. He's a good resource. Are you on the

spot that so PCI, HIPAA and GDPR compliance, got one, two, alright, three. I so now it's just a high-level overview for those that are not in our payment card industry data security standard. We're talking about, it's a voluntary that these merchants, merchants that use credit cards, that store credit card numbers, that transmit, that process credit card numbers are subject to. Now you may think this might just be, you know, retail.com e-commerce, but a lot of places use credit cards, including the church, right, now to get

this question in your old to get into some of the terms of PCI compliance. Burt Young PCI DSS certification and what it means. I get the question, product manager, is Citrix PCI-compliant? I always respond, oh yes, we are; you actually can buy a license on citrix.com using a credit card, and our use of that credit card number does meet the requirements of PCI DSS. But that's never really the question that people were asking. What they were asking was, is your environment suitable for me to hold my credit card data in the cloud? Because it's the customer's environment that ultimately gets

certified by their QSA auditor and by their issuing bank as suitable for holding credit card data, and releasing that. We're going to get a little more into on-premises vs. cloud, but there's a lot of vendor guidance we've had in the past for PCI, and that's taken us a long way. It's some things change as we hit the cloud. Processes like fines, parking ticket fines, eye clinics that do both HIPAA and we are processing customer information around credit cards, right? They may

have overlap there. So PCI is not just something that's simple, just me or ecommerce.com type of stuff. We look at the overview, basically 12 general rules. I think we may have some of these rules; they all have a subset of different requirements. For example, number one, installing and maintaining a firewall configuration. That's a number of different specifications on a required, but the general goal here is creating a protected zone that has access control, that has authentication, that has

auditing, being able to protect that credit card holder data, right. How do you do this with a Citrix environment? And that's when we look at that, not only is it technical, but we also have policy and operations, right, having the right policies in place and having the right operations to how to manage this environment. So the goal is to create this secure network that's away from, with keep the credit card data away from people that shouldn't have access, a need-to-know type of scenario. So you have internal users and maybe even external users, that's another use case, and you have this credit

card data, right? So first we go and say, well, let's add the firewalls. We have a number of partners that we work with on firewalls, but let's add a gateway to connect to this environment where we do two-factor authentication, we do auditing, we have the capability of encrypting that traffic from this secure zone to the endpoints, and let's keep the endpoints out of this picture completely: don't actually transfer any of that credit card data to those endpoints, right, do not transfer any of that sensitive information to that endpoint. That's the

credit card CVV number, the expiration date, all that stuff that's sensitive. So we have this environment that at this point becomes out of scope, right. The goal here is not only to protect that data but also reduce the scope of the audit by making those endpoints out of scope. Now when you're going additional, look at this PCI tech environment and desktops, you give me a jump point for your end users to connect to the environment. I'm using StoreFront; if you protect StoreFront with a web app firewall, as well as any other

resources that are on there that are webcert resources, you can protect it with a web app firewall. One thing I'd like to draw a little attention to: I'm going to get a lot of inquiries, often from merchants that were a lower tier, that didn't have as much of a requirement on their credit card processing, but as they grew and became larger, the expectations of their bank and the QSA grew as they hit a higher PCI tier, and they're under pressure to get their environment qualified for PCI DSS certification, and there's a very

common usage of Citrix XenApp and XenDesktop to localize the database of the credit cards away from the majority of the company's network. They have their auditor in, and they're trying to get their environment qualified, but qualifying their entire company would just be an overwhelming problem. And using hosted app and desktop and NetScaler, they can segment the network that holds the credit card data so that there's no IP connectivity between the two, and that's what's been very successful over a very

long period of time for payment card with Citrix apps and desktops. Exactly. You're creating this dedicated secure zone for this transaction to take place, and that data doesn't transfer over or bleed over to other networks. Now, let's talk about PCI. Yeah, PCI in the cloud. From the slide a minute ago, it described the network that holds the credit card data, and the access is not really an external connection, it's an internal connection, but the separation of network between the two, that entire environment

is in the customer environment. So in the historic on-premises world of payment card industry, it's all customer space that's seeking the certification of their auditor. So as a vendor, Citrix were providing vendor guidance on how to deploy, but we're not actually involved in the certification of the environment. In the cloud, that model kind of changes because Citrix is involved in some of the aspects of the publishing: what applications are available to what users. We still, Citrix can't see the data. But from a PCI auditor perspective, they

start to ask many questions about the cloud. It's still a customer's environment that's getting the PCI certification, but they're looking to Citrix to prove our readiness on the cloud portion of that, and many of you have probably heard of an attestation of compliance. That's what they're asking for, and we'll go through a bunch of things on where we are and where we're going as this pitch goes on. All right. So now we're looking at HIPAA. We're talking about the Health Insurance Portability and Accountability Act. Who is covered by both PCI

and HIPAA? Wow, we got one. Okay. Anyway, just had by. All right, so it's quite established in the healthcare industry and in a lot of hospitals. My mother-in-law's hospital uses it to get access to their records and so forth. So definitely something that we see as a large use case. Now when we're looking at the primary people, the primary organizations that are impacted by this regulation, this law or this act, it's healthcare providers, the insurers,

anybody that's dealing with PHI, right, protected health information. Now there's two components of this. One is around privacy, and that is a foreshadowing of our next conversation, right? What is something that's identifiable as personal information. Then we're looking at the security, the Security Rule, and that actually is a bit more prescriptive on the physical, the technical and the administrative safeguards that are needed to be in place, and that was augmented with the data breach notification, or HITECH. So besides having all these standards and safety

controls in place that protect patient names, and protect the email and physical addresses, when you look at healthcare, it's a treasure trove of information, right. Here, looking at anybody dealing with healthcare information, it has Social Security numbers, it has credit card information, it has addresses, it has pretty much a complete breakdown of an individual, right. So it's highly targeted information, fingerprints, images and so forth. So this is where you want to protect that data. As I mentioned, this was augmented with the data breach notification. Now, looking at the actual technical

safeguards, similar on a few fronts, right: we're talking about encryption, we're talking about access control, and there are some items there that are specific to healthcare, like an automatic log-off. Are you working at a station and you walk away? Imagine it's a nurse working at a station who walks away; that station needs to shut off after a while so that there's no more access, it's logged off so that the information and the access is not open for a long time. But we also have something like emergency access: should access to the whole environment

fail, power outage or whatever it is, there's got to be another way in to get the medical data, because we're talking about life and death situations. Similar concepts: integrity of the data, encryption of the data, confidentiality and so forth, access control, auditing, but now we have a couple other things that look at the timeliness of that data. But when we're looking at a Citrix environment, it's a very similar scenario. We're building an environment that is creating a secure zone for that data to stay off of endpoints,

to stay in a zone that is accessible by a select few, right. You're having the accountability and the auditing and the encryption involved, and you're riding on their session logon, expiration and so forth, and you're providing another set of controls to make sure that these environments are always available, things like GSLB and so forth. Anything you want to add? Yeah, it's a very similar picture to what we had before. It's the next slide I really want to get into. We touched on attestation of compliance. If you look up on many

of these certifications, whether PCI or HIPAA, they are talking about certifying that the customer environment is ready, but for the cloud piece, the auditors are looking for an attestation. That is an AOC where another auditor, perhaps the same but arguably independent, has looked at the cloud environment and deemed it suitable for HIPAA data in the cloud, and for payment card, with some control of that environment occurring through the cloud. And for Citrix ShareFile and RightSignature, there's a link here to the

auditor's report for our attestation of compliance for ShareFile and on HIPAA. Note that it's ShareFile and RightSignature; it's not Workspace, and you can imagine that's an environment where we're headed, and where I intend to solve for the full suite of products, but that's kind of a visionary statement of where I wish to take it. So let's look at some privacy regulations. Most notably in the last two years, the General Data Protection Regulation is the one that

stands out. If you're not familiar with it, just a quick recap. We're going to say it's a law that unifies a few disparate laws and regulations and acts around the EU. Different countries have their own regulations and acts and laws that were put in place over the years. Some of them were pre-internet, pre-social media in terms of when they were written and their vision. So not only did it normalize them but kind of brought it up to date, and it basically puts the onus on organizations to protect their customer data. It changes the way

things are done in terms of consent. You might start seeing when you go to a web page that you get this automatic, hey, we're using cookies. I haven't seen that in a dozen years, but now it's automatically back, right, that's part of it. Some organizations, they haven't been able to become compliant, so they stop service to IP addresses that are coming from the EU. I've seen that happen. Now, a couple of things are the data subject, and this is going to be on the next slide as well: more control over their data, right, so the data subjects

have additional rights in what they can do with that data, but the big thing that always stands out is that the fine system is a little heavier in terms of the amount that an organization can be fined. There's already been a couple of instances that I'm aware of, an organization out of Portugal and one out of Germany, some hit with a larger fine than others based on their interaction with the regulators, based on how open they were with the breach, open with access, and pretty much how much they cared,

in my opinion. But we're looking at 2% and 4%, 4% of the global revenue, of the turnover, of the revenue. So that's a fine that's so large that it's kind of built to reduce the amount of people at a time that's been sound like, well, do we secure this environment? We just accept the risk. The calculation didn't in Florida near win. We, Citrix products, we're looking at GDPR as it was coming online. We did significant inventories to figure out, I mean it sounds wrong, but even to understand the data that we do

collect. You tend to think that the majority of the data is outside of our world, but there is information we have: we have email addresses, we have names, and some of that data is just personal data, and then with EU users, even if you're talking about US-based services, as a global entity, you know, GDPR applies, and we did significant work to figure out what we have, our retention policies for keeping it, and in some scenarios the things we had to do to ensure compliance were really reducing our retention

and programmatically deleting stuff on a more aggressive schedule than we were doing before. Then we go on this with the ability of the customer, the consumer, to ask to have their data deleted, as one of them, right, to be able to go in and say this data is incorrect, I need it to be updated, to rectify that data as well. But there's also, I think Peter can speak to this a little bit later, as an organization you're dealing with multiple vendors. How do you, what is the process, are all the agreements in place, what are the effects if you're in like a multi-tier, using services, using additional

providers, and what are their, you're on the hook for that, because, you know, what their policies are kind of go on you as well. But then you have, just from an organizational standpoint, when you may have the generic IT issue of data sprawl, right, there's data everywhere. There's an endpoint storing data, on multiple servers, there's data on someone's Excel sheet that might be personal, there might be on a laptop that's lost or stolen, right. So how do you centralize that data? How do you put those controls in place to actually get it to go down to what's being stored, and

you tie data privacy. For GDPR there's a 72-hour notification, right, as soon as you're aware you have 72 hours to make an initial statement that there's been an incident and we're investigating and so forth. But that may happen before you really have an idea, before the auditors are in, before the forensics are in, and you may not know exactly what happened. So there's, I think, 99 different articles. It's a fairly lengthy document. But the two that really stand out are Article 25 around access control and Article 32

around encryption and data isolation and data protection. As you can see, this kind of ties into some of the conversation we already had about ensuring availability, ensuring integrity, and things like ransomware that destroys data, things like making sure that our data is not modified. So you've got the integrity piece, and then people that shouldn't have access to it should not get access, looking at the access control and encryption components of it as well. And when we look at building an environment, we've had a number of customers that I've

done this with in the past, where you may have multiple environments with multiple applications that have a different sensitivity of their data, right? You may have an HR application, you may have a financial application. You want to silo these environments so there is no data bleed. Now there's another component of GDPR that talks about separation of data, locality if you will. Each of those being individualized networks, you're still talking about single sign-on. So normally this type of configuration would include a federated authentication into the environment so that

the users could authenticate once outside of this bubble to whatever their authentication source is, and at run time access the apps within each environment, with HDX bringing the user interface out to the user screen, but with no data movement between those zones. With getting access to a more secure environment with not only the common data as well as sensitive data as well. Like we do, easing the friction there for that access, not having multiple logins, multiple login pages and so forth. Is it something I can freshen

memory, but it's definitely not the end of it, right? So when we look at the privacy rules and regulation, it's been kind of an avalanche in the last few years. Prior to that, 1981, I think there was something in the eighteen-hundreds, right? So there's a huge speeding up of requirements. So we're looking at, in 2018, not only Brazil, California; 2019, Japan. So these are updates or new additions, and I think there was some talk about, with California, that possibly could push for more of a

national standard as well, so it's a domino effect that's speeding up, so I wouldn't expect any of this to go away, is my point. I've got to go a little bit into historic certifications and cloud certifications, where we are, where we're going, where we're headed. The blue box here is talking about a lot of on-premises certifications. Common Criteria, I'll dive into it in a little bit more detail, but it's been a long-time existing standard out of many governments for qualification for sale into their environment. Likewise for FIPS 140, it

says you have quality crypto suitable for use in environments that require that level of certification, and Section 508, which I believe has actually been renamed, which is usability compliance, to say that your software, even your admin interfaces, are done in a way that people with disabilities are able to utilize the software. The other piece of this, in the green box, is more cloud-centric: SOC 2, and you'll see the little word "priority" there. That doesn't so much mean that we're working on it in preference to others,

but what it says is this is the one we're trying to get out as quickly as we can, and first. And also note the FedRAMP there; we're working that, and in some large part John's as well, from our certifications group. Thanks. Common Criteria: there are, I believe, 28 member nations, and the standard of Common Criteria says if you qualify for sale, if you've been tested and approved in one of the issuing countries, your software is approved for use in all of the member nations. So they have a common set of security

requirements across them, and you can certify in one and sell to all. Types of separate, I'll get to that in a minute. And the picture here, I kind of like; I've used it in some other pitches, if you've seen it before I apologize, but each one of these certifications of Common Criteria is like a million-dollar investment, years of work by dev teams, and when you get done, this is me at the Common Criteria conference a few years back where I picked up certifications, one for NetScaler, one for apps and desktops, and I think that one of them was for XenServer. There

was coming back on the bus carrying these three things, and they're laminated; you know, they weren't terribly fancy. But the guys across from me were like, I've been working for years at my company and I have nothing, and you're carrying three. Someone up on stage: great gig if you can get it, go to a conference, go up on stage, get the award and be done. Where I'm going with that is we've been doing that game for a long time, and we're good at it. Now on-premises, somebody told me once everything, the certifications should be columns,

should be talking about everything in your company as having Common Criteria down the board, FIPS down the board on everything, 508, and that's definitely the right answer. Now I've got mostly green check boxes here, a couple of places where I don't have things filled in, but I've got Common Criteria on apps and desktops going back to MetaFrame XP in some year I can't even remember, FIPS compliance for quality crypto. War. O m e the stuff goes forever on NetScaler, apps and desktops, and also usability.

We've been turning the crank on this for a very long time, and we know how to do it. Now, we do it generally against LTSR releases, because the act of getting these things qualified is actually longer than a year, a year and a half, a couple years' worth of work, and the CR cycle just doesn't mesh up with that, right? So we've been doing 7.6, 7.15, and now we're on the new number range games, and I'm actively working to pull the crank on this again as we head towards the next LTSR. Now one of the things I want to throw out there is our own

crypto module, and in FIPS crypto, there are things of saying you did your crypto right. There are a lot of things to have to say; one is that you use an approved, validated crypto module, and by having our own module, which we do in Citrix, it gives us a lot of flexibility on how we can embrace new platforms. Much of the work we did, for example, on, I've got to use the right terms, Endpoint Management benefited from our having our own crypto module, and we were able to get FIPS compliance in that space. As we embrace cloud, a

lot of the stuff we build is on top of Microsoft infrastructure, and the OS has validated modules already, but we also have our own SDK on top of that to make sure that we have one way of programming crypto within Citrix, and this has taken us a long way. And having our own module also allows us to be FIPS compliant in additional areas that might not have validated crypto in the base system. This has been a win-win; we plan to grow on this and utilize it for additional puzzles that we can solve over time.

Cloud certification. I touched on on-premises already, and we've touched on payment card industry and HIPAA as really customer certifications, but attestations for the cloud vendor, and a lot of them have a lot of things in common. Yes, they're different certifications, and each have their own requirements and their own specific needs, but a lot of things are common. SOC 2 is about professional operations, and that's pretty common with what is expected out of ISO 27001.

Actual requirements vary, but the idea of the system you need to build is pretty consistent between them, and IRAP is a similar standard being done out of Australia, and it has a lot in common with SOC 2. But the one that really, I want to say, fits the whole world and brings together the secure execution environment along with the cloud operations is FedRAMP. That went one-two far; I can bring it back. Good. FedRAMP is a US Government standard for qualification of purchases of cloud

software, but it's really more than US Government, because it's a testament to the security readiness of cloud software as suitable for commercial as well. FIPS crypto is also a government standard, but many in insurance and many in finance insist on using FIPS-validated crypto, and we've been successful with that on-premises. Product manager looking after security in Citrix: my central mission is FedRAMP. So I said SOC 2 is priority; that's still true. But where I'm sitting, all the

requirements across the various product groups is FedRAMP, and that's a long journey and the end of a pretty big road. Or talk about the control families, similar to the control families for PCI and for HIPAA, right. It's got a number of similar underlying themes around access control, looking at the processes and policies around incident response, as well as contingency planning stuff. It's a bit of regulations or policies that are borrowing from each other,

as similar concepts, like ISO 27001, similar concepts. Some are just more specific to the industry. Now when we're looking at NIST, we have a couple of things that are different in terms of risk assessments and planning that may not show up on the other ones as well. But fundamentally, they have a foundation that is very similar. We're looking at FedRAMP and JAB down here with the idea of these terms: FedRAMP Ready, FedRAMP In Process, or Authorized. And it's a more complicated puzzle

than even that, because you can get approved for FedRAMP by an agency authorization or by the Joint Authorization Board. There are all kinds of advantages and disadvantages of the different groups. The one I'm chasing is the JAB. I don't have that yet, but that's where I want to go, because that pretty well gets me everything I could use across the entire sector. But the big thing here is that this is being pushed by the Office of Management and Budget to make sure money is spent efficiently. Now, it's going to be similar to buying things for the government

in the large. They don't want to have a whole bunch of different security standards, and for the cloud it's FedRAMP. I predict this is going to be the standard of measure not just for the government but for commercial industry as well, across cloud. Last year at Synergy there was a chart; I lifted it from the Synergy keynote of last year that said coming later this year we will be providing Citrix Virtual Apps and Desktops in Microsoft Azure Government. I put this slide up with a little checkbox to say we did what we said we would do. This

has been stood up since July of last year as the first step on the FedRAMP journey, because there's chicken-and-egg things there. You've got to have the cloud environment to get it qualified, and we have the cloud environment; we've done that. It's a little tricky to sell that environment, because they're not actually able to purchase that much until the certifications are in place. But it all happens in parallel. So we have time for Q&A, but before that, if we can get Peter's microphone on, we can talk about the Trust Center. Anything else you may want to add?

There's a note to self: a little is terrific. So I'm Peter Lefkowitz. I'm Citrix's Chief Privacy and Digital Risk Officer, and I have the pleasure of working with these two fine gentlemen, with John Bordwine, who's in our front row, who does our certifications and audit. One of the things we've been very focused on last year, because we know that privacy laws, security laws, the various standards and regulations are not going away, is making sure that we're as transparent as possible about what we do. So what we've done in

the last year is we stood up something called the Citrix Trust Center. You can just Google it, and what we have on the Trust Center is all of our form customer contracts, vendor contracts, all of the security standards we sign up to for customers for cloud, all of the security standards that we require upstream of all of our vendors. On the security side, we have detailed documentation about our security services, including our certifications, privacy and compliance. We get deeper into our policy base, all of our major agreements. And then at the end

we have product documentation that's specific to security, and then a link out from there to the page where we have much deeper documentation for all products, on the notion that given what we do for a living, all of our product documentation is going to speak to that security stack. What we've added recently is a place where customers and others can report security issues, vulnerabilities and incidents, and also separate spaces for us to talk about security in the news, and you'll continue to see this site develop over time. It should have more in coming months about our bug bounty

program, around our secure development standards, around our CVSS scoring, and we hope to just continue to enrich the information that we provide to you about how we do what we do. Thank you guys very much. We have a few minutes left for a Q&A. Don't be bashful. There's a microphone and everything. You can ask if you want to ask; if you're wondering about it, feel free. This'll be the first one. While we are waiting, okay. I do have some accounts in the education sector, so wondering, or I'm sorry, government, but would we have any plans for sibo compliance from an

ABC perspective? Probably for me before you. The easy, the fast answer and the correct answer is no, that it is lower on the priority list compared to the other certifications. I don't mean to dismiss it as an appropriate goal; as we get the SOC 2, as we get FedRAMP, as we have ISO, the foundation requirements are similar across them all, and it would be perfectly reasonable and expected for us to get auditor qualification in those environments as well. So I kind of want to make that sound like a yes,

but it's not one that I'm actively chasing. Thank you. Anyone else got any questions? Alright, so I just want to do a quick recap, right? So we spoke about some of the certifications and compliance standards that are most common, very common, some of the things around auditing and reducing the scope of an audit using a Citrix environment and getting that data off of endpoints. If the endpoint has to have data, how do you secure it, encrypt it? Where we're going and where we are from Joe, the Citrix Trust Center from Peter.

I do ask you that you do review our session and give us feedback, and this should be available in your app now since you logged in, since you scanned in. Thank you very much.
