Duration 01:24:49

Citrix Synergy TV - SYN236 - Citrix Workspace: addressing the security conundrum

George Kuruvilla
Strategist, Worldwide Presales at Citrix
  • Video
  • Table of contents
  • Video
Citrix Synergy Atlanta 2019
May 23 2019, Atlanta, GA, United States
Citrix Synergy Atlanta 2019
Citrix Synergy TV - SYN236 - Citrix Workspace: addressing the security conundrum
In cart
Add to favorites
I like 0
I dislike 0
In cart
  • Description
  • Transcript
  • Discussion

About speakers

About the talk

Topic: IT

End-user computing has fundamentally changed over the years as ever-changing ways of working have led to poor user experiences, security risks, and intellectual property theft. In this demo-heavy session, you will learn how Citrix Workspace reduces complexity, provides end-to-end visibility and analytics, and helps organizations address the most common security challenges, all while improving user experience. You will learn how to protect SaaS and web apps from data loss, malware and ransomware and how to address the data fragmentation issue with secure content collaboration. The session will also cover governance risk and compliance, proactive user behavior analysis and risk mitigation as well as device security.Note: This session will be live-streamed during the event and available for on-demand viewing post-event on Citrix Synergy TV.


Alright, welcome everyone. And before we get started for those of your the back, it would be great. If you guys can come forward as you can see it's a 00:04 large room that's making more intimate because we've been known to give some things away and I can guarantee you if you're sitting in the back of that 00:11 room. You are not going to be able to find the thing that we're giving away and hint V role might be a good one to sit at 00:21 Actually, it's great because if you come forward we're recording the session there a lot of people who may have had a party just a little too much 00:36

last night. Watch this online. Please do and then it look like Scott and George really drawcrowd. All right. I think we 00:44 get started. My name is Jorge kuruvilla. I'm a solution strategies with Citrix. I've been with Citrix about seven years based out of Chicago was just 00:54 cold colder and colder. So happy to be here at the Other Extreme. But as a solution strategist, I work with some of our largest account at Citrix and 01:01 peanuts cotton I engage in these accounts together a lot of times. So with me, I have Scott Lane and when you know, you talked about why you got that 01:10

hat on in the church got this hat on. There you go. Does anybody know why? I'm boarding a playoff beard. 01:17 But anyway, yes, Scott Lane. I'm just English sales engineer. I actually have a mailing address in the 01:26 st. Louis area. I'm rarely there. I've been at Citrix 15 years almost now and before that a customer so always 01:36 always love to do these things. So thank you for coming. And I'll take the head off now George Beck you all right. So the goal of the 01:45 session is to look at Citrix workspace from a security perspective. I'm sure all of you, you know the last few days. I've heard a lot about workspace 01:55

workspace intelligence. The user experience the productivity aspects the sessions really focused around why it matters from a security angle. So 02:03 that's really the goal of the session and demos, by the way, so hopefully you appreciate that. All right, so I think I love you agree. We live in this 02:12 any any world not right so users using all sorts of devices accessing applications that are no longer monolithic. They're spread all across 02:22 the environment you got stuff in public files. You've got stuff in a private Cloud some nice applications. If you got all kinds of issues to deal with 02:32

in the same applies to data and this is quite different from how things used to be back in the day of and you just came into an office. You're very 02:41 well to find perimeter. You give them a call for Donna said you deployed applications onto that device. Everything was under control if they have to 02:49 work remotely. They go with that device does a VPN well and good, but that just no longer applies. And as a result of this any any world, we 02:56 brought a perimeter that's constantly expanding right you got different types of workers on different types of devices connecting or various types of 03:06

networks accident applications that are different different types, like staff and Rabon mobile and windows. And on top of that deal applications are 03:15 delivered from different location and the same applies to your content. So it's a major Challenge and this leads us to the next piece which is if you 03:25 look at any customer out their security is top-of-mind. That's the number one concern and if you look at it budget budget, that's where most of the 03:34 money lies because that's the number one issue that most Enterprises deal with it and nobody wants to be on the front page of Wall Street. So that's 03:42

that's a big big issue. And it's perfect work space that is one of the fundamental challenges that we are trying to solve. So how do we do this? First 03:49 off? We take a very people Centric approach, right? So in other words we want that uses to be able to use any device that they want. You don't want to 03:59 come find you if you want to empower you there. So from that perspective, you don't want to limit the users in terms of what they can use the last 04:07 piece one. Number two, we provide you an application that either the Flight of the user can enroll by themselves and then they can 04:14

just deployed on their device and access it on that device and they instead of going to multiple points of Entry there a single place to go to so they 04:24 can essentially enter URL or you can order and roll them and they get to that workspace app to access all of these applications and data that they 04:32 need access to the next piece to that is I found the applications go they come from all different locations writer like for instance. I could have 04:40 stopped and that could be coming from different sources bite from a user's perspective. You want to ask track. So users. He's let's say 04:50

or some other application. He doesn't really need to worry about where that's coming from and you can complete the abstract that from them so that 04:59 simplifies the user experience regardless of whether accessing the application from or what device are going to End of the back NV allow oit 05:08 organizations to essentially deploy these work clothes wherever they choose so depending on the use case or the application. That might be a 05:17 particular Cloud that sooner or maybe you want to keep stuff on premises. It doesn't matter V aggregate those resources and make it easy for you those 05:26

who consume them but most importantly from a security perspective. Now you you are essentially reducing your car or all attack Surface by providing 05:33 users access to delete apps in a single app, but also a single point of entry right? So that's that's great and me for why do end-to-end visibility as 05:43 well. So all the way from the app that uses accident from the device and then all the way back into into the net worth of Ypres. Why do the full 05:52 visibility required to essentially apply the policies in the contextual fashion as needed? So what are the three pillars of 06:00

this vision of arthritis of the first simplified control? So regardless of where the applications hosted and where is being deployed from you can 06:10 still apply the policies that you want on those applications for that specific user in a dynamic fashion and the user just consumed the toy farmer 06:19 user that's actually an application from a culprit device versus you know my own personal device. It doesn't matter. The policies are applied in a 06:29 dynamic fashion. That's as soon as a simplified control aspect. The second piece is the 360 visibility so giving you an to invisibility from an IT 06:36

organization perspective. This is extremely critical especially because of the security concerns that most organizations have so giving you that into 06:45 invisibility the big pieces. And the last piece is an analytics, right? So it's not just about what's happening. Now. It's understanding Trends in 06:53 behavior and then being able to proactively take action. That's a big piece of this rich in Israel. So over the next what is that like 80 07:02 80 minutes or so, we're going to go to some of the security benefits of workspace. So we look at each one of these talk about some of the 07:12

aspects of each element and then we'll go into a lot of dentals. So let's start off with contextual access. Right? So most 07:22 environments are dealing with unsanctioned applications. SAS applications web applications. And if you look at how they tackle these different use 07:31 cases, you got different point solutions to addresses and Eastpointe solution could be best but then from a user experience perspective. It's a 07:40 nightmare, right? And even from an ID complexity perspective is its a headache. So even if a large organizations they have in some cases, they 07:49

probably have 30 40 different things of points of entry for users to get to so if we use the word leave that organization and you're trying to 07:56 troubleshoot something or just trying to log to use it down by the time you actually restrict all of the different accounts inside the user might be 08:04 long gone with your intellectual property, right? So that's a major challenge. So the baby solve this is with our Access Control solution, right? So 08:11 regardless of the application of application you've got different concerns you want you want to protect your intellectual property you want to protect 08:20

against Ransom Ransom you want to provide users the best experience and turn the single sign-on and maybe all of these don't apply to every single 08:28 yusuke. So depending on the use case, we make it easy for you to apply the security policies that you want and then give them the best user experience 08:37 as well and Scott will be showing this to you in a little bit. So another nice aspect of a solution is smart access how many of you have heard of 08:45 small axe by using smart actors today? What if you all right, so it's been it's been around for a while and the fact that we are still talking about 08:54

it is because it's still very very relevant. Right? So think about the scenario where you've got uses using virtual apps that stops and then you need 09:01 to essentially dynamically control what they can access based on the device that connecting from other network error connecting from are based on just 09:11 the authorization you're able to do that with smart access and this is where if I have a Samsung device, I connecting I go to you Orlando my 09:19 credentials I can access my set of applications and do whatever I need to know if I go to that same URL from a different device on an unsanctioned 09:28

Network just based on the fact that I'm logging in from a different device and post assessments. I can respect that access and applied different 09:37 controls based on the application that I'm asking. So it's pretty popular in amongst our customers, especially those were more security conscious. 09:44 Alright, it's time for a first time. All right, so let me switch over here to my Surface and let me mention that I 09:54 normally try to do all of my demos live. I I'm Wise Guys. I love doing live demos as you guys probably all know. So where do some live some are going 10:04

to be by video? It's not because they're not real. They're very real. It's just that I can only carry so many devices and set up so many things on 10:13 this table in this time. So the first device I'm on is is a Surface Pro. I must start with with the access control service and let's talk about 10:22 work space as it sits today and has it ships today before we put the intelligent workspace stuff on up on top still incredibly valuable 10:32 tool to have to secure your Enterprise who he wants more. I've never seen or I 10:41

don't know what you what what what's one what's got you all excited for us, but you 10:51 know just the other day. I'm catching myself. Even with a with a Morgan Stewart having to always reset my password cuz I can't keep up with it. All 11:01 right and who here has wanted to go to something, but you have no idea on how to get to it. Okay that happens. Right? So what we want to do again, 11:08 even with work space in its current form is bring everything together your apps for SAS, and of course traditional as well as desktop send files to 11:16

the first thing I want to do is go over here and click on G suite. And by the way, I've already asked medicated to this and it can be two-factor 11:25 authentication using are the time-based one-time passcode. All right. So this point we've been in both the embedded a workspace browser and I'm now in 11:32 2 G suite and you can see that watermark on there which would tend to deter me from wanting to take screen. Lots more on that in a moment or a 11:42 picture. I'm going to go into Gmail. I don't go to call out that fishing is absolutely a real problem. Right? In fact, they want to cry 11:50

and Pesci attacks all came through fishing. But tempting thing to click on them actually gave myself a link here and for what it's worth. 12:00 All the phishing emails we get are much more sophisticated than this. I just wanted to break it down and make it very simple for you. There's a couple 12:10 of things before I get into that that we can do with the workspace. First of all because we control this browser we can lock some things down in this 12:18 particular one. You can see we left the print button on but you don't see the address bar. The download button is broken or not. They're actually I 12:27

shouldn't say broken if I were to go over here and just try to copy and paste you can see they're very clearly that we are blocking clipboard 12:35 operations. Probably not a real good idea for someone in our Enterprise be going to The Pirate Bay. So that's where our Access Control 12:44 service sees that as a blacklist. We are stopping them either by specific site or by site type or keyword. But maybe we 12:53 have a legitimate reason to go somewhere but we aren't sure if we trust it and this case I've used espn.com and his example and what's 13:03

Happening Here is in case this is a bad link we're saying hey call that and I like to call it this the marketing folks probably don't like me calling 13:13 at this that great big men app server in the sky that magically gets thrown away when I'm done. Okay, it's basic basically a hosted Linux OS and if 13:21 something goes wrong if this was bad, we just throw it away so that the key differentiator most environments are doing as far as content filtering. 13:31 It's an allowed then I typically like we have a white blister with Blacklist you filter you have some kind of transparent authentication. We have an 13:41

additional option here, which is this launching an application in a secure browser that's running on a completely isolated Network. So you're still 13:48 giving users access to that URL what is running off of your network? So you still Yost. You are mitigating the real Associated with it. So that's why 13:56 it's a little bit more options as far as what you can do with those apps. So the next thing I'm going to do I'm going to switch over now George and 14:04 we're going to move into smart access and we had some folks that actually said that that they are they are using this. So I'm going to tell you the 14:12

smart access cool and it's old school. I hope you guys think that about me he's cool. He's old stuff, but I'm going to try to put a little bit of a 14:19 different switch on it a little bit of a new school attitude with it. I want to show you some thanks. Okay. Again, this is very real. This is this is 14:28 being done off of video, but this is from my eyes are environment which is of course is fronted by Citrix Cloud app and Desktop Service and a 14:36 Citrix Gateway that I have sitting in a drawer. So go ahead and click to start the video so 14:46

really good offer. So I bought a mini lift something so I go home I get on a Chromebook 14:51 first thing I go open up open up the Chromebook in the URL here not trusted. So you'll notice that I'm asked for a couple things who I am my passcode 15:01 and a one-time time bass passcode delivered from the Gateway service. We now include that cyclic on the 15:10 Enterprise desktop and it's going to connect me up to the desktop and right away. You're going to notice some things and me as a user if I don't log 15:20

in a lot in this scenario. I know there's some things right away. You'll notice the watermarking that's fairly new school came along and VA 717 again 15:28 to deter me from wanting to take a picture of it. Okay some other things here. Let's say that I want to get to work and actually start pulling up that 15:38 particular workflow that I want to do. First thing to do is launch an application critical to the Enterprise in this case. It's just an sap out that I 15:47 have in my demo environment how we can watch what's going on next thing. I want to call up a very confidential file its back in the corporate 15:56

Network. Do I use connectors through Citrix files? There's the customer confidential. I'd like to take this customer list 16:06 a few things with it and get my windows all situated up here. What are the ways that I can take this information away? 16:15 Well, I could copy and paste it just do simple clip boarding so you can see a Broadband org ID and just to show you. Yeah, of course, it works within 16:25 the session. Okay. Now that must say I were to copy all of those cells for the interest of the stimuli just did one. So it's easy to follow go out to 16:33

the local OS and I open Google Docs because nobody is tracking me there right and I can just start to bring that whole list out. So let's get a blank 16:43 document open here and I'll go on ahead and paste. That doesn't look like an org ID. The reason why 16:53 is that it's the the Texas in the local buffer of the Chromebook. We have blocked clipboard from the host to the client and that was dynamically 17:03 controlled and turned on by smart access. Okay. So now let's say that I might want to actually copy something from the whole front of a client into 17:11

the host and there's a legitimate business reason I can do that. And by the way HDX policy has been around for a little while lot of people don't know 17:21 about it. I can lock down what type of information okay next thing if you're familiar with the Chrome client you'll notice or you'll know that there's 17:29 always when I have the ability to print a chrome print object that shows up here. It's blocked. And then what about saving as 17:37 well? If you're familiar with using a Chromebook light, you'll notice you'll know that we often don't know. We don't map the the client drives here. 17:47

But up here on the context bar isn't upload or download function again blocked HDX policy invoked because 17:55 not sure I trust what this guy's doing. He obviously was not coming in from a trusted device. Our guy is determined to take this information away. 18:05 And I hope that is it administrators. We stop this or we we tracked it. He goes and opens Yahoo! Mail inside the virtual desktop many copies. 18:14 You think we'll catch him doing that George. I have a pretty good suspicion. We will all rights. We didn't get much luck other than email. So now he 18:25

goes to work or eaccess is a work on computer puts in the same URL What closely it detects something again 18:34 all those different things we can look for in this case. It looks for a certificate it even suggest a different authentication profile because we've 18:44 got a new layer of trust. It just says enter my password. Okay, so the certificate matches and now I can enter the password for my username launch the 18:51 same desktop, by the way, you can search on all kinds of things files registry keys different water marks within the registry keys and versions and 19:01

latest patches. You name it right just to give you some perspective like back in 2007. I was doing this at a law firm has been around a long time. 19:10 It's a very mature person, but I'll show you that the new stuff that's with it. So and he's watching over 19:18 and he's trying to get this information is determined to get this information out George. This guy is really a problem. name, Scott Lake 19:28 He goes to print because we trust and you'll notice that client print napping so we could print it off but he's not sure that really works. So he 19:39

doesn't think that we wish all people didn't do it goes to his local OfficeMax or Staples and he buys one of these thumb drives 19:46 and he puts the thumb drive into the into the local client. And because we have this wonderful thing called USB mapping 19:56 it shows up in the session. Okay, so now he goes to save it. And you'll be successful at Saint 20:03 George cuz he'll be able to walk away with that confidential information. Can we go ahead and let him save it here so that we can set up for the next 20:13

section. So there you guys he finds a removable disk. And this guy must be a Bruins fan cuz he's really giving me a hard time. I'm sorry, 20:22 if you're from Boston. You're cool. Alright. So you can see he saved it. All right, George. You think we caught him? I don't 20:31 know. Okay, here's the new school stuff. Big brother is watching that whole thing. Session recording has been around almost as 20:41 long as I've been at Citrix. We've really put some new juice into the squeeze if you will recently and I'm kind of excited about version 20:51

19-3 just came out a couple months ago now supports the Citrix Cloud delivery controllers in Cloud connectors. I could not have built this demo in my 21:00 environment until this came out. That's the new piece of this the quick bull who the youth session recording hear anyone. Interesting interesting. I 21:07 get a lot of traction and talking about it more and more right now. And if you want to know more about it, we don't want to dig too deep in it. Feel 21:16 free to talk to George right afterwards, but I can this is another new thing is coming. I can trigger the recording start or stop based up on things 21:23

that I detect through Citrix analytics. It will show you that little bit later. And then if I'm really inclined to do so and coding 21:32 I could actually with with maybe a homegrown solution trigger it to on the Fly start via Powershell. You'll also notice right over 21:42 here. If you look over here to the side lawn client Drive mapping La generic USB log the app starts and since files 21:52 and browser usage. I caught him. Yeah, I'll show you. I caught him. I caught this guy. So this is session 22:02

recording. I want search for that ass Lane guy. You can see that I've got a special here is blinking. That's because it's still going on. It's live. I 22:11 can look at it. I can interact with it. He doesn't know I'm looking at it. It's a lot like TiVo, but I'm more interested in the third one down here 22:19 and you can see look down there in the lower left. There's already some bookmarks in there will dig into this just a little bit and you can see that 22:26 it plays back exactly as it went, but I can bring it full screen and I can search through to certain bookmarks. 22:35

In fact, the first bookmark I'm going to search to is right there. You can see that bookmark down at the bottom of the screen that bookmark is where 22:45 this user launch that sap app. So if I'm wanting to always track what they're doing a certain app, and they've been working for 8 hours. It's easy for 22:54 me to scrub and find what I'm looking for. So there you go watching the sap at additionally there other bookmarks in there as you could see 23:04 for example over there at the side going out and getting to the web and we were able to determine that the the the user was trying to get 23:13

out additionally were also saying all of his file access in here. We was actually trying to save it off but it is on the Chromebook smart 23:23 access had locked everything down turned off all those policies. He didn't get anywhere. So if I'm the security analyst looking at this, I'm like, 23:33 well I can see he tried but nothing really happened. So can I switch to the live Windows session? And then this is where I really come up with stuff 23:41 because I see a a client Drive mapping. And actually I can see that I thought he stopped a nap and so on and so forth and I'm actually to able to see 23:51

and have Visual Evidence that he plugged in the USB thumb drive cuz it'll show up down in the corner and that he actually copy the file over and 24:00 by the way, I'm not an attorney but these can be digitally signed. So that becomes admissible evidence to court security 24:10 access to the USB drive. He wanted using the same posture assessment but in some scenarios, you trusted user you provide them access and even they 24:19 could be, you know, stealing your copper data. So that's where those scenarios now you can actually detect when that's happening you have actual 24:29

evidence and then you can even proactively and I'll take actions with Analytics. All right, George. So the recording goes on but in the 24:36 interest of time. I'm going to move over to the next thing who here was excited about the armored climbed Emma. What are we officially call it Criss? 24:45 I mess it up every time during the app protection policies protection policy. I will always call it armor client when this guy first 24:54 showed it to me Chris about I went crazy tonight. That's right at everywhere. So I'm going to do 25:04

it to you right now and try to do it in a little bit deeper fashion than what they did a lot of times when we show 25:14 customers, you know Foster assessment and the policies that we have, you know, they usually come a come up with a few different use the few UK so that 25:24 we can address and that's, you know screen captures keylogging right? So guess what now, we're dressed screen captures and keylogging with the 25:33 solution. So even for that, you know, 1% of Youth cases that we couldn't address before now we have a solution and more important. It's not a solution 25:40

that separate from the rest is all cohesive and uses can consume it fairly easy 25:49 from the financial services firm that that I used to cover as an SE. I won't tell you 25:54 what city they're in you can probably guess but I remember trying to say why are you why you buying laptops for your financial advisor all all over 26:04 United States? It seems like such a waste. Why don't you deliver the whole things reached and you let our firm 26:13 handle and then your financial advisor decided to answer your question on a weekend. He went to his aunt's and you know infected old 26:23

Windows 7 with zero-day vulnerability PC and and load up your portfolio. Would you feel comfortable and I had to think about 26:32 that a bit cuz I'm thinking all the things we can lock down and HDX just like I just showed but there is very little to stop. The keyloggers in the 26:42 screen scrapers. Okay. So for example here if you look here I've got to a keylogger running on my Windows laptop. 26:51 But if I go here and let's go ahead and launch Salesforce case a sap 26:57

very very important. From the moment we launch workspace and the moment we go to login. What is one 27:07 of the most valuable pieces of information the bad guy could get My password absolutely, so I'm going to type it in here with a keylogger on. 27:17 I will tell you that it's not Citrix 1 to 3, but it certainly isn't 4 / V carrot Asterix, Mr. Forest 27:31 Asterix at creative. Okay. So at that point now I'm up and running and now I'll go into Salesforce. Now. What's 27:40

also very important if I'm in Salesforce what's also important to the to the to the bad guy? Oh gosh to find out who I might be working with. 27:50 I got a couple sales guys up in the front. Can you give me a customer name? This is not live data. Just throw me a name. Cargill they have some good 28:00 chicken Spelled with two L's, right? I typed in Cargill and it came up up care U bracket 28:09 9 F A M I won't find Cargill in here. Guess what happens if I try to do Snipping Tool? Let's say 28:19

And just get a screenshot of what I found on Cargill if I go to snip. Everything's great out. So we're protecting not just 28:30 the password with indication for protecting the Sass apps deliver to work space and if I go ahead and launch HDX, it protects that too and just by the 28:40 way cuz I'm a guy that likes to prove it's not smoke and mirrors if I bring up something local like the local Notepad. On this device and pull it over 28:50 here to sign Factory even see there that it saw that I typed in notepad, and now the typing test. 28:59

It picked up every single thing text by text letter by letter Key by key when I used something outside the work space so you can see why 29:10 I'm very excited about everybody else as well. Alright, George. I'll throw it back to you 29:20 my friend. Yep, and just to let you know he talked about the local app issue here in functionality. That is definitely something thinking about like 29:29 around. Dr. Fleck has a message for you. Turn on let's talk about device security. We talked about 29:39

contextual access securing SAS applications. Another major concern is you've got various types of devices Inc. Uses coming in with their own devices. 29:49 Then you've got your corporate assets and it's not a one-size-fits-all solution. Right? So if you look at how Enterprises tackle this they typically 29:58 have one solution for the time management strategy and they brought a different solution for the mobile device management strategy and the challenges 30:07 that overtime just if you go through this process using different tools add complexity. The user experience is not great. I see this every day with my 30:16

wife who uses some of the competing products and she keeps asking me like, what does this mean? I have no idea right so it becomes really really hard 30:26 and you know, it's also easy for the bad folks out there to essentially steal data when you've got all these different points of view should So 30:34 what are we seeing out of the industry is that these Solutions are essentially converging into what's called unified endpoint management and Citrix 30:44 has a solution in the space as well, which we call Citrus endpoint management. So what does that really include first off? We have mobile device 30:50

management. So that is if you think about your own assets, you can apply whatever policies you want on those assets and you know, you 30:59 can secure to the point where you can just pick specific functions, if you know if the device is stolen you can essentially wipe the device which is 31:09 pretty intrusive in terms of the policy that you're playing. But if it's your acid, why not if you know you want it, but as far as Citrix goes, we 31:17 provide some bells and whistles above and beyond your basic Andy and this is where you know, we can do custom security policies based on trigger. So 31:24

instead of just having a blast in a black-and-white list of what's allowed on denied. We look for specific conditions and based on the condition. We 31:31 can trigger a specific action. But more importantly what about BYO right most of us like to carry our own devices. I know Scott and I are both Android 31:38 fans. We both like our Windows devices. We only accept and the Chromebook. Yes. So we like our devices and we have probably the exception but we like 31:48 using those right. So in in that scenario and if Citrix one or two and then Romeo probably be upset because I'm concerned about someone accidentally 31:57

wiping my device not ideal. So for that scenario, we have what's called mobile application management and the idea here is pretty simple know it's 32:05 your device, but I'm going price customer when I'm deploying Enterprise application. I'm going to call Walter some space within your device encrypted 32:13 container and I'm going to deploy these applications within that include the container and I'm going to apply policies on app or application basis, 32:22 right? So I might have a mail application. I might have some content that deliver their is well, I might have some call for naps. Now all of these 32:29

applications don't necessarily need to have the same policies like for instance authentication. Let's take that as an example. My authentication 32:36 policy for mail is going to be different from let's say more sensitive A Penny RPM, perhaps maybe for the RPF. I want to force a user to login every 32:43 single time, but for me and maybe from a user experience perspective. I want to have a long a time you can set those policies because our policies are 32:52 done on a pro-rata basis of our competition is a fairly small number. 32:59

So that's an important differentiator as well 33:08 with Mom and this 33:11 is Walter what time but still in most cases you have a VPN tunnel that's being established at the device level. So basically all of your traffic is 33:21 flowing in what we can do is we can apply the the VPN on a pro-rata basis and apply wife. Listen Blacklist on a pro-rata basis. So the time out in 33:28 such can be set at that level as well. So this gives you more flexibility so much. Show that some of our partners that using this capability when 33:38

deploying their moms emission system. This is one of my favorite pieces. I didn't watch truly differentiate Citrix 33:46 is our Citrix ATC netscaler, you know some of us still like to call an Escalade but nonetheless what really gives us an advantage 33:56 in the market, right? Because it's an end-to-end solution. We have so many great security features and functionality built into our ADC that we can 34:05 leverage when using the rest of work space when he talked about Mobility. You can apply multi-factor authentication single sign-on to micro VPN 34:14

capability SSL termination to all of these are made possible because of the fact that our Mobility stock is front-ended with our Gateway and ATC. 34:21 So again, support perspective, you know, it's always supported into him. That brings us to the next demo. 34:31 I got to show you this man. I got to show you how we manage our unified influences free cool stuff here, man. 34:40 Unite when we work together we get so wrapped up with forget. We have people around this. You're right, but already got here on my phone. There's got 34:51

to be a better way. Yeah. Well. George, this is one of my favorite things to do, right? If it ever comes up it 34:56 did it go to sleep. Not let me go a my favorite things to do. And by the way, remember we told everybody move to the front 35:06 and hint anyway. 35:16 If I can get a hair get it that whole session up there. I'm sold for sure. I think I'm so sorry that I'm going to give one away today. So why don't 35:25 you guys just look under your seat one of you will find something that looks like 35:34

Find anything. Thanks like that. Look hotter. I'll give you a hint. I see someone sitting right next to it. I am 35:47 standing pretty close to the area in the room where it is. All right, I think we have a better come on out. 35:56 All right. So, who do we have here? So we have with us. Ian Anderson fan Anderson, 36:07 absolutely 36:16 You'll get a pie. Actually. These are RX HDX by in Computing course, there are more down there. Feel free to use that. So George should I be concerned 36:27

that I just gave you and that pie I brought you worried about the security. I mean, you just unplugged it and gave it to him know. I'm not actually 36:36 not at all because here I'll go ahead and show you here. Yeah, and you know, you see right there it says workspace Hub. Yeah 36:44 Citrix in point management does more than smartphones and tablets now so I can push configurations to that nobody when you go put that thing in. I 36:54 didn't actually get it done. But have I gotten it enrolled into my environment. I could wipe it as soon as you plug it in. So but it's ready for you 37:02

to use and for you to enjoy and thank you for coming to our session. By George, there's actually a better story to 37:10 security around this. I love pie. Do you know why I like pie so much and letting me what's my birthday. 37:20 I'm a pie baby by the normal after there's a security story behind 37:29 that. I mentioned that I used to work for a customer before I came to work for Citrix and that was a financial services company if we walked up to a 37:39 teller line think back a little bit right now. We open them online but we go to the teller line when I want to open deposit. I want to open 37:48

a checking account. Do they make you stand right there to do that know they were saying I'm so glad you're going to be a customer in XYZ Bank and 37:58 Trust. Let me come around. Let's go out to the personal banker desk where I can take your information for us. The personal banker desk was literally 38:07 the first desk when you walk through the door and it had a full back then Windows XP PC sitting on it. Anybody could log into and 38:16 take open a new account now back then I work for the bank and I had to work on a number of those devices and I would always find spreadsheets with 38:26

customer information on them. We never had it happen, but can you imagine? One of those walking out the door with a whole bunch of 38:35 customer contact information on it by us giving that to Ian. Janner Ian. Yes, okay. Sorry. He got absolutely 38:45 nothing. So that's the security angle if we keep the data off the endpoint and we can do it at a low cost. There's a lot of benefits to that and I 38:55 think there have been a couple of customer cases that exactly happened right people have walked away with devices and their Los Angeles of property 39:04

for the scanner dress it and I think another important differentiator when you talk about it and DM capabilities, we just showed you how we can extend 39:12 beyond your typical devices Windows Mac and what not to RN phone, you know, he's here so he can essentially get a whole stack of these deployed to 39:18 your end-users a plug it in its fully configured and ready to go and you can wipe them and if something is wrong with that you just plug another one 39:28 and able to go and Frank start was doing a presentation. This was before hours. I would recommend you go to it. He was actually showing how he was 39:35

pushing all the configurations to them. So they're very easy to manage very very going to take it off the shelf. Right? One of my favorite device is 39:42 my Chromebook. And you'll notice the map in here. This is for my Chromebook and I actually have my Chromebook manage. So I went in and I could 39:49 actually track where my Chromebook was. So there's a lot I can do with my Chromebook to control the endpoint. I want to switch to the Chromebook right 39:58 now. This Chromebook is enrolled in Citrix endpoint management, and I'll stop here and point out as I put in the password that one of the things I can 40:05

do is actually lockdown the browse as guest. Well, don't ask how but somehow or another I managed to get myself locked 40:13 up by doing that so I turned it off for myself, but there's a couple of things to point out that happen here. You'll notice right away if pops up and 40:23 says, hey enter PIN. Okay. So that's that basically unlocked my ability to browse with this Chromebook. And now this Chromebook being fully enrolled. 40:31 We have some control over no matter where in the world it is because we have right there in the app the Citrix secure hub Golf course I 40:40

also have my workspace on it so I can do all kinds of things right everything that comes to me inside of work space pretty much can do here on the 40:50 Chromebook. There. We go to the network also important to mention that we just announced extending secure mail to the Chromebook. So when you talk 40:58 about offline access to mail now you can do it on the Chromebook system and that's one of those things that I need a doctor Flex cuz I'm a big 41:07 Chromebook guy they got you. Am I good old trusty thumb drive here. 41:15

Guess what? Yep, can't do it that's yet another policy we can control on Chromebook Windows Max other things 2 41:25 Cognito mode. No, I'm not that's yet another saying that 41:35 I can block on my Chromebook and you don't want George. Oh, well, what the heck? I'm just go ahead and type in that URL anyway. 41:45 thepiratebay.org not going to do it blocked that brings up an interesting point that we talked earlier about access 41:55 control and assassin web applications and put in Compton fencing around that we will be extending that capability to the native browser as well. So in 42:05

the future in the near future actually see if you wanted to control the local browser on the user then point and do fulfilling you'll be able to do 42:13 that as well. So now I'm going to transition back to the smartphone and before actually go to the slide how many people here 42:19 how many people here are our parents World parent who has little kids little kids. Okay. Yeah, I have grandkids. 42:29 So I guess I'll I qualify the iPad the tablet that you love to use maybe even your phone and so you put a very simple pin 42:39

or no pin on it whatsoever because when Junior wants to watch Peppa Pig, Yeah, and I'm the iPad right but meanwhile 42:49 right there is your corporate mail and those applications delivered to you by Corporate America. And how does Corporate America 42:59 by George said? So 43:07 again, this is an Android phone still works with with with apple butt. What I have 43:17 here on this one. I have to click the start. I'm sorry. Let me get that going. 43:27 Okay. So what I have here is a phone that has no passcode off the front but I can enforce make that passcode mandatory and that 43:37

was actually a three digit passcode or 6 digit passcode. But now when I launched securemail, did you know that asked for a second pass code that was 43:47 four digit. So now even though you have corporate information. You got to have a passcode even if you don't control it 43:56 and oh, by the way when you launch the corporate information, you got to have a second passcode something different. So when your kid watches Peppa 44:05 Pig that same passcode won't get you in the mail. This goes back to the conversation around MDMA and policies that you can apply 44:13

on a pro-rata basis. That's a great example. So, I don't know if you caught this yet or not. I let me back up here just a little bit. So there was a 44:23 link in their Network. You can see this one opened. That's our micro VPN technology. 44:33 No need to have a VPN client on this phone some companies that talk to do that. We do app specific now, there's an 44:42 attachment. I open it in the preview or we're going to save it off to remember. This phone is not fully managed. I can restrict the open in 44:52

in this case. I can only open in Citrix files. And in this case. I'm going to save it to Citrix files. 45:01 And then let me see here. Oh, yeah. I know what the next thing is if I go back to the mail and I can't save it anywhere and 45:12 I got the VPN I get into work, but only certain things. Can I just copy and paste that information out to something local? Well, by the way guys for 45:22 this recording I hit paste like three times just like I did in the the HDX demo you can't do that. So now that I want to send this email off George 45:31

and I've been working on that letter and I'm going to send to a guy who we work with a lot by the name of Adam Nando boom, and I'm not sure I trust 45:41 Mr. Man to bloom he gets this all the time. I wish you was here, but you know, I got a lot of things I can do like I can 45:48 share by Citrix files email pay attention to this. I use this feature on an insurance claim and it helps me get a very good insurance 45:58 claim. So I'm going to send it off to mr. Amanda bloom. And it's for his review. See all of the swipe, right? 46:08

Android for the win, but it's not rescues review. Pay real close attention now. I can require the recipient the login. I've got a check to notify me 46:18 every time their access and look at these options view online only you online with Watermark or let them have full control the story that I'll tell 46:28 you as an insurance claim of a flooded basement, by the way, I'm going home to another one right now in Missouri. I said a whole bunch of receipts to 46:37 my insurance adjuster got no notification ear Evernote opened. I went to my agent she said how do you know that he didn't open them? So I sent them to 46:45

her she opened her email. She's all here are all the receipts and I got notified that you open them. I never got that when I sent them to the 46:55 adjuster. I got a good settlement. I really did call him. Anyway, I'm not picking on anybody who might be in the insurance industry. So what about 47:05 a Chao workspace here getting access to the files? One of the things today and work space on a device like a tablet 47:14 even more. So on a smartphone is if I went back there and I launched Salesforce. It doesn't open it in the native Salesforce or or work day. And 47:24

this is where you get to show you something a little bit future looking right. It actually uses local browser and to be right honest with you while it 47:34 does so you can give you the contextual controls and puts a watermark on there and all that beautiful stuff. I'm about to George. I don't like using 47:42 the experience to show you is a mock-up. Okay. This is not 47:50 real and get to it here. Not real it is a mock-up, but it is due too, and I did get approval Chris by the product 47:59

teams to show this. So essentially let me go on ahead and start the demo video for you. oops 48:09 Oh man, can't get that started on this map. 48:20 Weather if you haven't figured it out yet. Chris gets to play with all of her all the cool brother. I wish I had his job like that. Let me see 48:31 that little start arrow down there. Are start Arrow? I don't see it either. Play go 48:41 there it is. Okay. Thank you George. So I open workspace URL click on it and I'll George check out my super 48:50

secret secure password. Nice job. Yeah, this is this is not real. So I go on ahead and log in and 49:00 then I'm into the workspace on my Android or my iPhone. Just like normal, right and go look and find all my apps my desktops my files 49:10 and I'm looking for something. I'm looking for work. They saw use Universal search. So I'll type in keyword work. 49:20 and search And of course we find at that point different things right files as well as apps and there's working at watch when I click on 49:30

work day. It opens the native app SSO me in. Okay, so I don't have to remember that password to get into workday to use the native 49:40 app on the phone again workspace. Was that a syndication at strong athentication workspace was the key that unlocked the door for everything and this 49:50 is this is coming soon. Alright George. There you go 49:59 in peace already. So we talk about 50:06 what's the next big thing as its content? Right? So normally users use their desktops to get to apps and data. Let's talk about data 50:13

and how we secured. So most environments if you look at data the challenges that a lot of the data to the lives on premises and maybe someday that 50:23 will forever live on Promises song will move to the clouds. If you look at the most Enterprise file sync and share Solutions out there a store most of 50:32 the data in the cloud very few offer the flexibility to keep that stuff on premises. What's nice with our collaboration solution is that we allow you 50:41 interview give oranges of the flexibility to access data from anywhere, but we abstract the complexity, right? That's what are the uses concerned. 50:50

They see that folder. They don't really understand where you're coming from, but we can secure that The data and also apply policies that you deem 50:58 necessary on that data. If you're storing the data in Cloud V still give you the ability to own the encryption Keys as well. So it's a best-of-breed 51:07 right in the sense that you have the flexibility to keep the data where it needs to be both on premises in the cloud the other big pieces. We talked 51:16 earlier about the fact that the Gateway the Saturday TC front ends all of our Solutions. So because of that we have inherent Security benefits in this 51:23

case single sign-on is multi-factor authentication the big piece of that. We also proxy the all the connections coming into our Enterprise Cloud 51:32 solution conglomeration through the Gateway service. You have a data source choice. So in other words, you know, if you wanted to aggregate data 51:39 from various repository, so that doesn't very nice possibility that they use is already using Edition solutions. I think I was in dance photo session 51:49 yesterday, but he talked about how cheap he is and he uses every free throws that he can use and he will continue to do so, but for him to be 51:58

productive he needs access to that data to and guess what we can aggregate all of that data in addition to our solution and no in many cases OneDrive 52:04 for business as well. So that's available and lastly we have workflows in collaboration built into the solution Del Sol. And then another key 52:12 differentiator is the reporting and analytics right? So we've had pretty rich reporting right from the get-go with your house. If you wanted to know 52:21 who is accessing different links. So the links that Scotch odelia left in the shed out if you wanted to track you that cuz I need all you wanted to 52:28

put policies around how many times that link and we access we can do that but more importantly you can run reports that show you where those links 52:35 have been accessed from the IP address what they doing with that says pretty rich in there by myself, but now we've gone even further with the 52:43 analytics in the integration, right? So now we can essentially drivers indicators based on user Behavior. So how much data is actually being 52:50 downloaded should a noise if it crosses a certain threshold, perhaps the trigger an action we can do that kind of thing, but we can figure out session 52:57

recording or expiring so it's pretty rich in terms of what you can do. In addition to that another common thing that comes up as most environments 53:05 have almost Enterprise customers. Anyway have some sort of information right solution and my management solution deployed already. Alright, they 53:14 classify the data and they want it sent to use the existing classifications Battalion to our accountant collaboration Solutions, and we 53:21 eventually allow that by leveraging the icap protocol with most leading Solutions support. So that's another integration point that allow 53:30

customers like to take advantage of And lastly, I think Scott shoulders or live with his demo, right? So when you talk about when you share a file 53:39 out, perhaps he want to Watermark that fight and make him you only think of it as lightweight irm right for that capability as is available as well 53:48 and the beauty of it. Is that link. So we showed your DLP 53:57 TV show DUI RMB showed you the native flexibility of storing your data on premises are in the clouds over for dinner. That's more restrictive more 54:07

security can keep that on premises as well. And for the day. That's living in the cloud. You can own the encryption keys. So no demo here in the 54:15 interest of time so we can move on to governance risk and compliance again. I feel like every customer is worried about this gdpr comes up almost on a 54:24 daily basis. So it's it's a youth games that we can help you address of want to eat at a high level and Transit GDP of the things that you can most 54:34 customers are worried about his employees that actually work out of the EU and then customers are in the EU and you want to keep that do you know do 54:41

you want to have the authority in this case and you know this content collaboration and white relax and desktops you can actually address that use 54:48 case. But in addition to that there are various other compliance regulations that need to be addressed and our suite of solutions can essentially help 54:54 you address those you schedule we've been doing it for a very long time with watch relaxing desktops. I would say that a majority of the use cases for 55:03 what. The security of later than one big piece of that is compliance. All right. So let's move on to security analytics. 55:10

How many of you already heard about security and let you know too much about it. I'm going to see if you were alright, so you know, what? Why 55:19 does this matter? I'm going to try to take an angle of what customers do that the kind of helping differentiate what we do right? So when you look at 55:29 the same Solutions the challenges that you've got all kinds of disparate systems, you got all kinds of data flowing and you got to find some sort of 55:37 an aggregation Point. Can you find the solution that essentially collecting all of this data syslog data, you have a lot of data and now you got to 55:45

normalize data make this data actually convey a message and then find out you know, what actions need to be applied on this is not easy, right? If you 55:54 look at some of that have deployed some solutions at the end of learning curve there. It's quite steep. Now, once you get to a point where you learn 56:03 the solution is its operational it gets better, but the point is to get to the point. Where you can actually gather some relevant information it takes 56:11 time and our solution is fundamentally different now a big caveat to that is for for a solution to provide value or induces need to start consuming 56:19

works by then. Hopefully, you know, we've done a good job selling you on the security benefits of the workspace. So once they start consuming 56:29 workspace as they start consuming different Services application all day using device Security account on collaboration or what your lap all of these 56:36 provide data points into our analytics solution that we can then use to provide you with some calming Christian Wiman and what actions can be 56:46 delivered but the point is that he said turn key solution. You don't really need to do much. Once you start consuming work space and you just turn it 56:55

on your collecting data that won the second thing is because it's a closed-loop autonomous system. We are looking at the user from various Vantage 57:02 points, and the accuracy tends to be higher. And lastly it is, so we provide you a list of actions that you can essentially enable buy a checkbox. 57:11 So it's an even though the risk indicated might be worth relax and desktops. Will you could apply an action that's from a completely different product 57:21 probably if the content collaboration function do we give you that kind of flexibility because it's all part of the workplace. So I can just to kind 57:29

of run through the benefits like it helps you identify what happened how it happened and looking at Trends. You can find a predict what will happen 57:37 and then give you actions are in terms of what to do, and we've also recently mentioned that we have extended capabilities that you can integrate our 57:45 solution with Splunk and very soon. We will also be able to integrate us with a dresser. The solution is not restricted to customers that Leverage 57:54 The Cloud public Cloud alone. If your on-premises you can still lovers this or even if you're hyper Cloud customer this can be lovers. Are the timer 58:04

switch over here? Do my trusty Chromebook and now we're in the center console and 58:14 I've landed on analytics. The first thing I'm going to do is actually this is my my live environment. I don't really have anything set up that's on 58:23 purpose. I want to show you where we kick this whole thing off with session recording and I mentioned that you can dynamically kick in session 58:32 recording of things going on based upon what do users doing so I'm going to go here to settings just show you how easy it is to do a few things. First 58:38

of all to get to the point where you're collecting data. It's pretty doggone easy. You just go in here. These are all the Citrix data sources you just 58:45 turn them on and then oh, by the way, you can add and hear things like Microsoft security graph. I've already got them on so they're in my 58:54 environment. The next thing though is you can set up if you if you do nothing, you'll still collect data from the data sources and you'll be able to 59:01 see the risk scores go up. But now I'm going to set some policies and let's say that I really wanted to do something based upon the session recording. 59:11

So if a certain action is Matt, and I can look at several different things here and let me go to Virtual apps and desktops and I will choose potential 59:19 data exfiltration. Guess what that's what are rogue user was doing at the beginning of this session all those recordings that we captured do the 59:27 following. Well, I can do several things based up on that one thing there, but I'm going to start session recording and basically I get the policy a 59:37 name and at that point it just happens. So you don't have to have that recording on all the time. I just happened to do that for the sake of that demo 59:46

to show you its capabilities another environment that is actually a demo environment and it has some static number. I want to say, I don't want to say 59:54 static but some demonstration data in it. It's just a kind of show you what we can do. Rob landed on the dashboard and I want to change the view 1:00:04 out the last day look over the last day and I've got some high-risk users coming in here first. I see Georgina and I see 1:00:14 Caroline and Kevin. I'm going to look first at Caroline looks like she is starting to Trend up there. She's not yet high high but she's training up 1:00:23

there. So if I look down here and I'm choosing Carolina because you just talked about content collaboration and Caroline here obviously has an issue. 1:00:32 We don't know why weather Caroline has had her credentials lifted or whether Caroline is up to no good, but we are starting to see some things 1:00:42 here like unusual upload volume. She was using some different devices. If I look at this I can click it out even further and see where 1:00:52 even sometimes wear. These. Are you there? You are actually she was using a Windows NT device there when we talked about the smart access that CPA 1:01:01

stand for Here's here's some unusual SAS usage stuff that she doesn't normally use can't we even get the IP address and where that's at, but then we 1:01:10 start to see, you know, once we see some of this going on we're going to notify the administrators start session recording if something happens inside 1:01:19 the virtual desktop, but look what's going on here DLP alerts potential data exfiltration downloads 1:01:26 an excessive file sharing. This is where autonomously automatically we can take proactive action 1:01:36

to stop the breach and this is a big one on content collaboration see what happened here expired all the links by this time. We know 1:01:45 that something's wrong Caroline knows something's wrong and everything that she's generated is expired in case somebody's been going in there and 1:01:55 getting it on her behalf and sending those out on her behalf. So that's an example with Caroline. I'm going to jump out now and go over here to 1:02:04 Georgina kalu. Georgina is an interesting person because we're Georgina actually, you know travels around a lot. 1:02:14

It may appear so against you start your day off logging in from a variety of unmanaged devices and 1:02:24 jailbroken broken or rooted devices. Now, first of all, most people aren't like George and I We have one device that you use ride. We will you and I 1:02:34 use many but most people have one device that you use and so that's something they're concerned. They're one of the boys say, why do I said we have 1:02:43 many that we use so, you know, but most users only have one device. Okay. She also has excessive file downloads as well. We started the session 1:02:53

recording we can see DLP alerts in authorization failures. And if we look here at the we can dig in and get even more 1:03:03 information about what types of things that she was trying to access through the the ATC usual login access and look at this. It's coming from 1:03:13 Grease now in the interest of time. I will tell you that I've dug into some of these many many deeper and deeper and you will see in some cases the 1:03:23 user and see if this one actually shows it. No, it doesn't but in some cases the user will be in Greece and 1 in in 15 minutes later. They'll be in 1:03:31

Australia and that's clearly a breach password. So what do we do we can set the actions that the system takes. Depending 1:03:40 upon what type of business we are Financial trading organization will tell me that if something like this happens for real. I want all sessions killed 1:03:50 all links expired. I want to notify admins. I want to lock the accounts and I want to notify her now at an executive 1:04:00 breathing. The next customer came and we had this discussion and they said we're Healthcare. What is Georgina is a critical care nurse and the 1:04:09

critical I see you in that case. I want to notify Georgina put her on that watchlist. Make sure I T know something's going on. But whatever you do 1:04:17 start session recording to buy the way while she's in the Epic system, but whatever you do do not terminate her a cat her access because she may be at 1:04:26 the patient bedside taking orders from a doctor that is giving life-saving Care at that very moment. So it's all up to you. Here's the thing about 1:04:35 analytics. If we never create a policy we can learn a lot just by watching the risk scores rice and it's just that easy to set 1:04:44

up and that's only the recommendation read. The first thing you want to do is enable. I kind of try to understand what the normal behavior patterns 1:04:54 are before you go ahead and enable actions. Alright George. I think I am wrapped up with that. 1:05:01 Alright, so I just want to give it to promote a deep dive on analytics of what number. 1:05:10 Next room for 15. All right, if you want to learn more about spending a whole session on analytics on like 3 minutes like I did write Anna. 1:05:21

Yep, and another important thing to talk about out of the day. So in the past one of the complaints with your from users is hey, I'm completely on 1:05:30 premises. I was relaxing desktops on premises. I can't really take advantage of analytics because I'm not going to start using workspace just yet. So 1:05:38 you could technically use workspace entirety on premises were closed for them. So we've heard that loud and clear and we 1:05:47 are going to be extending capabilities, but you can use existing storefront and tie. Back into our analytics service to take advantage of the same 1:05:57

people that's coming soon. But the important thing there to is that you're using not staying back on a version of receiver. You going to be on 1:06:06 workspace app, correct? Exactly like So now this is probably why most of you came here, so we've got you didn't come here to see us 1:06:12 fix ecology fellow was going to show us a glimpse into the future 1:06:21 if you're pretty excited about this is a all right? So what 1:06:31 are one of the show is a couple of demos and and some videos as well, but wanted to follow up to what was presented earlier 1:06:40

here talking about security and work space and some of the things that were announced here this week. So one of the things that was announced that 1:06:50 that didn't the store to get a lot of detail underneath it was the hybrid configuration for Access Control. So what what Scott demoed earlier is a 1:06:59 great new value-add for SAS and web applications that you can add to Security and compliance add 1:07:08 watermarks excetera although up until now what that's required is a you to move your your storefront 1:07:18

Chris. Sorry. I didn't realize you needed to do. Okay, so we'll do that before the 1:07:28 right, which is you've got a perimeter. You've got storefront on Prim you've got 1:07:34 genap on Prim and for your remote users or for an internal user, they would go to storefront and then connect to there 1:07:44 an app for xendesktop and have a direct connection and we recognize that that's a common configuration that people don't want to change 1:07:53 this early cuz it gets the best performance and and and provide a direct connection. Similarly if your got external users are go 1:08:03

through a Gateway and then connect in 2 as an obsession that that's running inside the what we're showing the different now 1:08:13 and the way to enable access control for gas and web is to be able to now with at user 1:08:22 would effectively route outside only for the SAS traffic. So in other words if you want to enable workday 1:08:32 Salesforce any of you that the new additional SAS applications that you might be delivering to your employees, or maybe they're getting through their 1:08:41

lines of businesses where you lose control what you're able to do now is provide the access control service, but don't touch her 1:08:51 storefront and the way that that happening is we basically created a new utility that allows you to sync 1:09:01 the access control. Did the security policies that URL the icon all of that actually gets pulled out 1:09:11 of access control and then inserted into your storefront into the DDC. And so that way you are xenapp mission-critical 1:09:20 applications are untouched your storefront son touched but you can add the security and the access control benefit that 1:09:30

goes up to the cloud only so let me go through it. Okay, here's the view of the the actual 1:09:40 control where you would pick the apps that you want to deliver the SAS apps the web applications the sink utility that 1:09:49 talks through an API to the cloud service and then gives you that same ability to launch a SAS or web 1:09:58 application without having to impact your your on Prim infrastructure. Millburn absolutely, Chris. So so 1:10:08 what you see here is again, this is looks like a an existing storefront, right? Cuz it is but what's new is 1:10:17

these icons the Salesforce then again? What we're showing here is this is not Salesforce running on a hosted browser on 1:10:27 xenapp and then launching it's actually launching natively inside the embedded browser in workspace at 1:10:37 so again workspace app and is much more than a name change from receiver. We've got an embedded browser with security policies 1:10:46 that does things like the watermark like to download control the restrictions the analytics and your effect without all the overhead. 1:10:56

So this didn't take any at its servers. It didn't take any added storage didn't take any added infrastructure or Microsoft licenses or anyting else. I 1:11:06 were able to launch and protect Salesforce and any other SAS application like that and do it without the 1:11:14 traditional overhead door without the risk that a lot of companies are taking when they allow their lines of business is to deploy SAS applications to 1:11:24 employees through a standard browser. You might be able to control the the authentication front but then you have no control after that. And so this 1:11:33

is a dramatic Improvement terms of the security posture for any SAS application. What's your last name. 1:11:41 Stops today in to deploy browser-based apps in the primary reason for that is Ida performance or security. So what he essentially showed you is now, 1:11:51 you know, you have another option you can use this hybrid SAS model to use the embedded browser to apply the same HDX Life policies for your app for U 1:12:00 of M application that no longer have that added infrastructure required to do with the old. Something to think about health care, right Chris 1:12:09

where we have though the workstations that are pointing to a local store Front because they're running a local Estes of epicurus Turner One Of Those 1:12:19 EHR step and they aren't quite ready to make all wet move to the Cloud yet. And so therefore they still want to do this ass up stuff. They can nuggets 1:12:26 right this way. So how many here have a storefront on Primm? Hands went up there. This is for you. This is 1:12:34 a way to add security to SAS applications that maybe you're not doing today or has George said you might be 1:12:44

publishing browsers ons an app which comes with a overhead in the cost of some of the things we've heard about recently is companies that have been 1:12:53 doing that but they've got servers that have got Windows Server 2008 3rd, whatever they going to other aspiring and now 1:13:02 they have to do something about it. This is a way to actually improve security with some of the same type of H E X features, but without the overhead 1:13:12 of doing that for the old man have a legacy application that has certain Java plugin to watch now, you're probably still going to use 1:13:22

the Virtual Lab methodology all his performance is a huge concern. Maybe that's still an approach for the point is for a majority of use cases. You 1:13:32 don't need to do that. You have this this year and they can do side-by-side year as well. As you mentioned. There. Are you stationed there better 1:13:39 browsers based on chromium. So it's if your app works in chromium, it'll probably work here. But if it does have special requirements of putting 1:13:48 it on a host of browsers is still the right thing to do is chromium of all, the tests to be done with browsers is probably the most broadly compatible 1:13:58

one fact as you may know actually even Microsoft has kind of thrown in the towel with Woodedge and they're basing that on 1:14:07 chromium now as well. Here is also a new feature which is basically internal web apps. So I'm 1:14:17 pointing to an intranet site that's behind our firewall in Miami Datacenter, but you see how fast that launched and his works well and 1:14:27 yet it still has the the security Benefits on it. And again, we're adding security to Native web 1:14:36 applications without the overhead with great performance. Great usability. Basically a micro VPN back to that site. That's exactly exactly what it is 1:14:46

micro tpn the phone inside the embedded browser with the security controls. So let me move on to 1:14:55 some additional. Let's see. What's this one? Okay. So this one got some Tuesday when we announced it 1:15:05 and what we've got here is so how many of you have users employees that have native applications 1:15:15 desktop apps Windows apps everyone else knows a bunch of hands right as much as we loved virtual there still lots of use cases and lots of 1:15:25 users millions and millions that use stop apps what you're seeing here in what we just announced is and is a recording but it's it's showing 1:15:34

launching from work space in this case one note was actually install the ready you just click and it launches but it's 1:15:44 Inside the work space environment and then the next out there what we're showing is its private was not installed at this point. 1:15:54 We're using the Citrix endpoint management server and an MDM to push down the application. So it's being pushed down 1:16:03 and now just clicking launch and run it locally. So that's a big Advantage. I think for 1:16:13 companies that want to again put all their applications in one place where there is virtual whether it's local weather its web whether its ass whether 1:16:22

you know, any we keep saying any any but we had a couple of big exceptions before 1:16:31 this one thing that comes to mind with this right and then I've had this discussion with some folks inside the 1:16:36 product groups. We want the workspace to be that one place where you go to work. That's right everything all inclusive there. I just put Works based 1:16:46 on It's really acidic 8 to it and my world is unlocked for me. And I don't worry about any passwords beyond that point. I don't worry about how to 1:16:53

connect. But if I'm traveling out of the work space to get back to a local app, it's kind of a disjointed experience. So I'm really excited about this 1:17:00 cuz I think this is something that was that's been missing and work space and one which we lay our on all the intelligent workspace on top of that 1:17:09 Nirvana work done one place. Now, this is coming out next quarter and you'll be able to use 1:17:15 endpoint management to integrate and deliver native applications like this about you can think beyond what we're not announcing yet, but you can 1:17:24

probably speculate like, okay. So now we have this armor technology broke ligers. We've got this screen capture technology. We've got 1:17:33 great analytics for user security. We've got great analytics performance so you can imagine obviously we're going to be able to apply these 1:17:43 Technologies to Local app. In addition to HDX that's in addition to SAS apps in addition to mobile app. 1:17:52 It's not does aggregation. It's the entire lifecycle right? It's the flying 1:18:00 the application aggregating the application and then reporting on the application. It's all of the above and ask customers go down. This transition to 1:18:10

work space is not going to happen overnight for a long time that still going to have those native application that will eventually transition. So this 1:18:17 gives us a way to essentially aggregate those applications and also give customers a strategy in terms of how they go about moving suddenly collapse 1:18:24 into that was for valders a squirrel or whatever. It might be in the future and Chris on excited about this one. 1:18:32 Folks here and someone told me recently 1:18:42 either they have it or they want it and if they have it they paid too much. But anyway what we're 1:18:48

showing here in this is not available yet. But again that shows the new stuff that I'm always looking for feedback as too. You know, what what should 1:18:58 we do next? And what's the priority and so what we're showing here is extending the functionality of our endpoint management, 1:19:06 which already going to what's a robust proven system that has users and AD synchronization 1:19:16 and tokenization and we've got this ability to enroll devices. Well, what if you could enroll your badge and so 1:19:25

that's what we're able to do now is actually enroll badge. Is into our endpoint management 1:19:35 system and so what you see here is an enrollment process where the the admin would initially when the 1:19:45 single time use in tap a badge and give it a you associate with a username and then that one 1:19:54 site username is established. The first time a user would would actually click to our tap their 1:20:04 badge that they would have thought they would need to enter it as soon as you see the the bad. She just got enrolled in our device management system. 1:20:14

The first time the user uses it they would have to enter their password. But that's a one time use only so they may then login 1:20:23 and from there a user would basically just tapped into their session and that's going to 1:20:32 Launch a session or could launch a app within a session and were able to effectively use tap to enter and 1:20:42 we can also again because we've got endpoint management and enrolled mobile devices we can use the the Bluetooth connectivity 1:20:52 to to do disconnect a disconnect based on proximity. So even if the physician forgets to 1:21:01

tap out when they walk away and they're out of the out of the room it'll disconnect automatically and that's one of the things that we are addressing 1:21:11 as well as the complaints we hear is the the window the time out window is typically very short because you guys 1:21:21 right b i t doesn't trust the physician to tap out and you don't want the EMR screen left up there for 10 minutes or however long, but if you 1:21:31 know that When that physician leaves the room that that sessions going to disconnect anyway, then you can give them a longer session without having a 1:21:41

short neck. So I'm dying. I mean obviously Healthcare is a place where I see this a lot, but I mean recently I had an inquiry from a large 1:21:51 manufacturer of had an inquiry from a retailer very very large big warehouses interested in Tap & Go Solutions. Do we see it going Beyond Healthcare 1:22:00 are there but they're only dealing with health care but 1:22:10 there's lots of other industries that could use this stuff. So yeah, we're interested in feedback on this. I'm interested in feedback on it. What what 1:22:20

actually happened under the covers here as well is single sign-on to Legacy apps. So 1:22:29 earlier with The SAS apps is we're assuming that that 1:22:36 it's a saml enable new modern SAS app and for that hour access control works great. But as you know, there's still a lot of Enterprise 1:22:46 applications out there that have credentials usernames ideas passwords that are different than a d and we've got a solution for that now as well 1:22:56 aren't that guy? Who said he wanted more passwords apparently left. I think we were solving a problem break. The password 1:23:05

management is something that I'm interested in feedback. We're not announcing it here, but we do have a working where he we've got it demoed it both 1:23:15 these things all of these things at the at the end of a shin Hub if if you want to come by and get a more in-depth demo awesome Chris before you leave 1:23:25 one last question, which I bet everyone's thinking here. Where do we find those shirts? Need to find me 1:23:33 answer your question the clearance rack often. 1:23:42 Are you ready for this? I mean he shops 1:23:47

off the clearance rack. This is summarized. Hopefully through this 1:23:57 session. We were able to show you that work spaces Beyond just user experience and productivity that are various Security benefits not argue that if 1:24:07 you look at most customers at lovers to fix today, it's primarily that security use case and we were hope hopefully me show you all the different 1:24:16 aspects that we can address with the workspace still some old-school stuff up imagine that summer. I kind of thought I 1:24:23

felt it, but I appreciate it. Thank you very much for your thank you. 1:24:32

Cackle comments for the website

Buy this talk

Access to the talk “Citrix Synergy TV - SYN236 - Citrix Workspace: addressing the security conundrum”
In cart


Get access to all videos “Citrix Synergy Atlanta 2019”
In cart

Interested in topic “IT”?

You might be interested in videos from this event

September 28 2018
app store, apps, development, google play, mobile, soft

Buy this video


Access to the talk “Citrix Synergy TV - SYN236 - Citrix Workspace: addressing the security conundrum”
In cart

Conference Cast

With ConferenceCast.tv, you get access to our library of the world's best conference talks.

Conference Cast
505 conferences
19653 speakers
7164 hours of content