Enabling mobile work while ensuring network security & data privacy


This paper explores how Citrix® GoToMyPC® Corporate protects the integrity of the corporate network and the privacy of sensitive data by providing full spectrum security. As secure as online banking, GoToMyPC Corporate was created with government-grade data encryption and always ensures full user control.

White paper: Citrix GoToMyPC Corporate for secure remote access

Executive Summary

Workplace mobility is on the rise as more organizations explore the advantages of enabling employees to work anytime, anywhere. If your company hasn’t adopted a mobile work strategy yet, the request from management is likely on its way. If, however, you already have a mobile or remote work program in place, you are well aware of the return on investment that mobility provides — from increased employee productivity and organizational agility to the ability to attract and retain top talent and much more. Of course, enabling mobility means that you have to provide employees with remote access to office computers, which naturally invites the question: Does remote access infringe on corporate security? This paper explores how Citrix® GoToMyPC® Corporate protects the integrity of the corporate network and the privacy of sensitive data by providing full spectrum security. As secure as online banking, GoToMyPC Corporate was created with government-grade data encryption and always ensures full user control.

How it works

GoToMyPC Corporate enables secure browser-based access to any Internet-connected Windows PC. Keyboard, mouse and display updates are transmitted over a highly compressed, encrypted stream, yielding a “like being there” experience over broadband and impressive performance over dial-up. Applications supported by GoToMyPC Corporate include:

• Screen Sharing: Launch a resizable Viewer from any browser to enable interactive access to any desktop application (even those that are not Web based).
• File Transfer: Drag and drop files, folders and directories — including fileshares — between the host Viewer and local client computer.
• Remote Printing: Print from the host Viewer to a local client printer.

Figure 1: GoToMyPC Corporate communication architecture.
GoToMyPC Corporate is a hosted service made up of four components:

• Computer: A small footprint server is installed on the computer to be accessed. Typically, this is a home or office PC with always-on Internet access. This server registers and authenticates itself with Citrix Online’s GoToMyPC broker.
• Browser: On the client side, the remote or mobile worker launches a Web browser, visits the secure GoToMyPC Web site, enters a username/password and clicks a “connect” button for the desired computer, sending an SSL-authenticated, encrypted request to the broker.
• Broker: The broker is a matchmaker that listens for connection requests and maps them to registered computers. When a match occurs, the broker assigns the session to a communication server. Next, the client viewer — a tiny session-specific executable — is automatically loaded by the browser’s Java Virtual Machine. The GoToMyPC Viewer runs on any computer with a Java-enabled browser, including many wireless devices.
• Communication Server: The communication server is an intermediate system that relays an opaque and highly compressed encrypted stream from client to server for the duration of each GoToMyPC Corporate session.

“The security features of GoToMyPC Corporate are head and shoulders above other standalone remote-access products.”
Ross McKenzie, Director of Information Systems, Johns Hopkins Bloomberg School of Public Health

Figure 2: GoToMyPC Corporate enables total control of remote access. (Diagram of the administrative feature set; labels recoverable from the extraction: Security Settings, Password Change Enforcement, Host Security Settings, Failed Log-In Lockout, Hours of Access, One-Time Password, Two-Factor Authentication, Host Authorization, Client Authorization, NT Log Enabled Hosts, End Point Management, Monitoring & Reporting, Snapshot, User Detail, Company Detail, Feature Configuration, Authentication, User Control, Real-Time User Control, Feature Access Control, User PC Limit, Web-Based Admin, User Management, Shared Access, Unlimited Remote Access, PocketView™, Access, Collaboration, Security.)
Remote access designed for corporate users

The success of your business requires absolute security and control of information, systems and users. Unfortunately, most consumer remote-access solutions do not offer the level of security required for corporate users. GoToMyPC Corporate, however, was created with IT concerns at the forefront, thus ensuring corporate network security, data privacy and complete control of remote-access users. GoToMyPC Corporate provides corporate-level security that is essential for fully protecting your organization while enabling remote access.

“GoToMyPC Corporate meets our very tough security requirements.”
Shirley Scott, IT Operations Manager, Texas Department of Family and Protective Services

Enabling network security & data privacy

Protecting the integrity of the corporate network and the privacy of sensitive data is of utmost concern to any organization. GoToMyPC Corporate employs the same data encryption standards as the U.S. Government and is as secure as online banking, which requires a similar Web-based exchange of confidential data. With GoToMyPC Corporate, remotely accessing the corporate network – just like a bank account – should be a convenience that in no way compromises security.

Here’s how GoToMyPC Corporate safeguards network security and data privacy:

No Firewall Configuration Necessary: GoToMyPC Corporate is firewall friendly. It generates only outgoing HTTP/TCP to ports 80, 443 and/or 8200. Because most firewalls are already configured to permit outgoing Web traffic, there’s no bypassing the corporate or branch office firewall or the remote worker’s firewall to implement secure remote access with GoToMyPC Corporate.

Many other solutions require servers to receive incoming packets at a public IP address. The GoToMyPC Corporate host establishes a persistent TCP connection to the GoToMyPC broker (poll.gotomypc.com) that allows it to be notified if any connect requests have been received. The host will attempt to keep the connection open by sending TCP “keep alive” packets approximately every 60 seconds. This makes GoToMyPC Corporate completely compatible with application proxy firewalls, dynamic IP addresses and network/port address translation (NAT/PAT).

And while GoToMyPC Corporate is firewall friendly, you won’t forfeit control over use of your company’s remote-access services. Companies can control GoToMyPC Corporate traffic by simply blocking traffic sent to the GoToMyPC broker’s IP address. Upon request, Citrix Online will filter GoToMyPC Corporate connections made to a company’s network address block, ensuring that only company-authorized computers can be accessed by company-authorized users. This permits a company’s visitors to use GoToMyPC Corporate to reach their own off-site computers while preventing unauthorized use of GoToMyPC Corporate to access a company’s own computers.

Data Privacy: GoToMyPC Corporate employs 128-bit Advanced Encryption Standard (AES) encryption of all data. AES is the standard used by the National Institute of Standards and Technology (NIST), as well as the U.S. Government. Moreover, GoToMyPC Corporate’s tough security protocol satisfies both government regulatory compliance and HIPAA compliance for its clients.

100-Percent Privacy: Although GoToMyPC communication servers relay traffic between the client browser and host computer, these packets are encrypted. Citrix Online cannot decipher this traffic because it does not possess the access code used to generate encryption keys. Even if a hacker were to gain access to Citrix Online’s servers, computer access codes are not stored there and individual session traffic is not recorded, so live-session traffic cannot be compromised.

Strong Encryption Keys: Even a strong cipher is vulnerable if it does not use strong, confidential encryption keys. That’s why for each connection, GoToMyPC Corporate generates unique secret keys derived using a zero-knowledge, public-key-based protocol called SRP. The access code verifier resides on the computer in encrypted format and is never transmitted to or stored on Citrix Online servers. Would-be hackers cannot intercept or generate the keys necessary to decode encrypted data.

Multiple Passwords: With GoToMyPC Corporate, two passwords are required for remote access. Users must authenticate using a password with the GoToMyPC Web site, as well as the host computer.
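The Strong Encryption Keys paragraph above says that per-connection keys are derived with SRP and that the access code verifier lives on the host and is never sent to the relay. The exchange below is an added illustration of SRP-6a written for this page; it is not GoToMyPC code, and the hash (SHA-256), the RFC 5054 1024-bit group and the sample user name and access code are choices of this example, since the paper does not state the product's parameters. It goes slightly beyond the paragraph by also showing what a relay sitting between client and host actually observes (two public values and a salt) and that a mistyped access code simply produces a mismatched key, with the verifier never leaving the host.

```python
"""Added illustration of an SRP-6a key agreement (SHA-256 variant).

Roles follow the paper: the host keeps only a password *verifier*, the
browser side knows the access code, and a relay in the middle forwards
messages without learning the session key. Not GoToMyPC's code.
"""
import hashlib
import secrets

# 1024-bit group from RFC 5054, Appendix A, with g = 2. Adequate for a
# demonstration; current guidance is 2048 bits or more.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2
N_LEN = (N.bit_length() + 7) // 8  # values are padded to this length before hashing


def to_bytes(x: int) -> bytes:
    return x.to_bytes(N_LEN, "big")


def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = H(to_bytes(N), to_bytes(g))  # SRP-6a multiplier


def private_x(username: str, access_code: str, salt: bytes) -> int:
    inner = hashlib.sha256(f"{username}:{access_code}".encode()).digest()
    return H(salt, inner)


def make_verifier(username, access_code, salt=None):
    """Enrolment on the host: keep (salt, v) and forget the access code."""
    salt = salt or secrets.token_bytes(16)
    return salt, pow(g, private_x(username, access_code, salt), N)


# ---- host side ----
def host_challenge(v: int):
    b = secrets.randbelow(N - 1) + 1
    B = (k * v + pow(g, b, N)) % N
    return b, B


def host_key(v: int, A: int, b: int, B: int) -> bytes:
    if A % N == 0:
        raise ValueError("illegal client public value")  # SRP-6a safety check
    u = H(to_bytes(A), to_bytes(B))
    S = pow(A * pow(v, u, N) % N, b, N)
    return hashlib.sha256(to_bytes(S)).digest()


# ---- client side ----
def client_public():
    a = secrets.randbelow(N - 1) + 1
    return a, pow(g, a, N)


def client_key(username, access_code, salt, a, A, B) -> bytes:
    if B % N == 0:
        raise ValueError("illegal host public value")
    u = H(to_bytes(A), to_bytes(B))
    x = private_x(username, access_code, salt)
    base = (B - k * pow(g, x, N)) % N  # equals g^b only if x matches the verifier
    S = pow(base, a + u * x, N)
    return hashlib.sha256(to_bytes(S)).digest()


def run_exchange(username, salt, v, typed_code):
    """One connection. Returns (keys_match, what_the_relay_saw)."""
    a, A = client_public()      # client -> relay -> host
    b, B = host_challenge(v)    # host -> relay -> client, together with the salt
    relay_saw = {"A": A, "B": B, "salt": salt}  # v and the access code never cross the wire
    match = host_key(v, A, b, B) == client_key(username, typed_code, salt, a, A, B)
    return match, relay_saw


def demo():
    # Constructed sample credential for the demonstration only.
    salt, v = make_verifier("alice", "correct-horse-battery-staple")
    good, _ = run_exchange("alice", salt, v, "correct-horse-battery-staple")
    bad, _ = run_exchange("alice", salt, v, "wrong-code")
    return good, bad


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The point to take from the relay's view: an operator of the communication server, or anyone who compromises it, holds A, B and the salt but neither the verifier nor the access code, and so cannot reproduce S or the key derived from it.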
Strong Passwords: GoToMyPC Corporate requires that every password be at least eight characters long and contain both letters and numbers. This requirement helps to prevent accounts from being configured with short, common passwords that are easily compromised with a dictionary attack. The longer and more complex the password, the stronger the protection. With GoToMyPC Corporate, administrators can set password expiration, as well as update and reuse rules, to align with existing corporate password policies.

Two-Factor Authentication: Companies that have already deployed RSA SecurID two-factor authentication can easily use that added protection with GoToMyPC Corporate. To enable SecurID authentication, a computer must be configured with names of the company’s own RSA Server(s). Thereafter, a user supplying the correct access code will be required to enter the value currently displayed by his or her SecurID token. That value changes constantly, preventing access by anyone who does not have the token in his or her physical possession. Two-factor authentication is a proven method, widely used to strengthen remote access to enterprise networks. GoToMyPC Corporate integrates seamlessly with a company’s existing SecurID infrastructure, without requiring complex configuration or delegation of trust to Citrix Online servers.

User Access Control: GoToMyPC Corporate gives administrators full control of all levels of user access. Administrators can configure user account parameters to meet organizational needs, implement corporate security policies and support privacy mandates. Moreover, administrators can limit access by users or groups to specific features such as File Transfer, Clipboard Sharing and Remote Printing. Administrators can also enforce password update frequency and reuse policies, limit time-out periods, lock accounts and computers after authentication failure and mandate use of One-Time Passwords or RSA SecurID two-factor authentication. Fine control over these settings allows administrators to match corporate security policies, and customizable multi-level groups enable enterprise-wide policy enforcement and rapid update, even in very large deployments.

Inviting and Canceling User Accounts: Only the administrator is authorized to create new user accounts and groups. A customizable email message containing instructions and a one-time self-activation URL is then sent to each invited user. The new user visits this URL, defines his or her own password and then adds computers to his or her own account. The administrator can limit the number of computers available to each user and can require explicit administrative authorization of both host PCs and client viewer systems. In addition, an administrator can prevent non-permitted GoToMyPC Corporate access by limiting host computers within a network to a specific GoToMyPC Corporate account. The GoToMyPC Corporate Administration Center can also be used to check the activation status for individuals and groups. Controls are available to temporarily suspend or permanently delete any user or group account. These approaches streamline large-scale deployment while retaining enterprise control over remote-access authorization and end-user privacy and accountability.

One-Time Passwords: GoToMyPC Corporate gives administrators the option of combining the access code with One-Time Passwords. To enable One-Time Passwords authentication, the user clicks a button to generate a list of passwords from the computer to be accessed. When initiating future connections, a user who supplies the correct access code will be prompted for a numbered password from this list. Each password is used for a single connection, and the user can cancel or regenerate the list at any time. One-Time Passwords provide a simple method for achieving stronger authentication without added infrastructure.
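The One-Time Passwords paragraph above describes a host-generated numbered list in which each entry is valid for exactly one connection and the user can cancel or regenerate the list at will. The Python below is an added example written for this page, not GoToMyPC code. The paper does not say how the product stores the list or chooses which number to ask for, so keeping only salted hashes at rest, prompting for the lowest unused number, and the character set used for the passwords are all assumptions of this example.

```python
"""Added example: a numbered list of single-use passwords kept on the
computer being accessed. Design choices here (salted SHA-256 digests at
rest, lowest unused number prompted first) are this example's, not the
product's documented behaviour.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple


class OneTimePasswordList:
    # Readable alphabet for a printed list; ambiguous glyphs (0/o, 1/l/i) omitted.
    ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"

    def __init__(self, count: int = 10, length: int = 8):
        self.count = count
        self.length = length
        self.salt = b""
        self.digests: Dict[int, bytes] = {}

    def regenerate(self) -> List[Tuple[int, str]]:
        """Discard any existing list and create a fresh numbered one.
        The plaintext is returned exactly once so it can be shown to the user."""
        self.salt = secrets.token_bytes(16)
        plain = [
            "".join(secrets.choice(self.ALPHABET) for _ in range(self.length))
            for _ in range(self.count)
        ]
        self.digests = {n: self._digest(p) for n, p in enumerate(plain, start=1)}
        return list(enumerate(plain, start=1))

    def cancel(self) -> None:
        """Invalidate every remaining entry (user-initiated cancellation)."""
        self.digests.clear()

    def _digest(self, password: str) -> bytes:
        return hashlib.sha256(self.salt + password.encode()).digest()

    def next_prompt(self) -> Optional[int]:
        """Number the host asks for next, or None once the list is exhausted or cancelled."""
        return min(self.digests) if self.digests else None

    def redeem(self, number: int, password: str) -> bool:
        """Consume entry `number` if `password` matches it.
        Unknown, already-used or cancelled numbers fail; the compare is constant-time."""
        expected = self.digests.get(number)
        if expected is None:
            return False
        if not hmac.compare_digest(expected, self._digest(password)):
            return False
        del self.digests[number]  # single use: replaying the same entry now fails
        return True

    def remaining(self) -> int:
        return len(self.digests)


def demo() -> Tuple[bool, bool, bool, bool]:
    """Walk through normal use, a replay, a wrong entry and regeneration."""
    otps = OneTimePasswordList(count=5)
    sheet = dict(otps.regenerate())          # what the user prints or saves
    n = otps.next_prompt()
    first = otps.redeem(n, sheet[n])         # correct entry: accepted
    replay = otps.redeem(n, sheet[n])        # same entry again: rejected
    wrong = otps.redeem(otps.next_prompt(), "not-on-the-list")  # rejected, nothing consumed
    otps.regenerate()                        # the old printed sheet is now worthless
    n = otps.next_prompt()
    stale = otps.redeem(n, sheet[n])         # entry from the old sheet: rejected
    return first, replay, wrong, stale


if __name__ == "__main__":
    print(demo())  # (True, False, False, False)
```

Because the host keeps only digests, a copy of the host's state does not reveal the remaining passwords, and because a redeemed entry is deleted rather than flagged, there is no path by which a captured one-time password can be presented a second time.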
TRUSTe Licensee: Citrix Online is a TRUSTe licensee, adheres to established TRUSTe privacy principles and has agreed to comply with the TRUSTe oversight and consumer-resolution process.

Inactivity Time-Outs: There is, of course, the potential for users to walk away from public PCs without logging out or to leave home PCs unattended. GoToMyPC Corporate addresses these user vulnerabilities by applying inactivity time-outs. Users are automatically logged out of the GoToMyPC Web site if the SSL connection is inactive for several minutes. Users can also configure the Viewer to time out after a period of inactivity, subject to limits set by the administrator. Additionally, host security features allow users to blank the host screen and lock the host keyboard and mouse from accepting input. GoToMyPC Corporate also enables administrators to require use of these security features (e.g., setting a maximum time-out or preventing user modification).

Monitoring Usage: Administrators can view connections for any given day and end active connections immediately. The Administration Center can also be used to generate and archive reports for specific dates and date ranges that provide details on users, connection time and average connection duration. Administrators can generate additional reports to evaluate data such as enabled users; the features enabled for each user/group; hours of access; last log-in time; or the frequency of failed log-in attempts. These standard reports can be analyzed to spot unusual access patterns, including exceptionally long connections and unexpected client IP addresses. They also serve as audit trails, making it possible to see who accessed a particular computer at a particular time.
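The Monitoring Usage paragraph above lists the patterns an administrator should look for in the connection reports: exceptionally long connections, unexpected client IP addresses, repeated failed log-ins, and the audit question of who reached a given computer on a given day. The script below is an added example of that review written for this page; it is not a GoToMyPC tool, and the CSV column layout, the sample rows, the per-user baseline of known client networks and the thresholds are all constructed for the illustration, so the parser would need adapting to a real export.

```python
"""Added example: scan an exported connection report for the access
patterns the paper tells administrators to watch for. The CSV layout,
sample rows, baseline networks and thresholds are constructed for this
page, not taken from a real GoToMyPC export.
"""
import csv
import io
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

LONG_SESSION_MIN = 8 * 60    # longer than a working day counts as "exceptionally long"
FAILED_LOGIN_THRESHOLD = 3   # this many failures in one report is worth a look

# Constructed sample export: one connection attempt per row.
SAMPLE_REPORT = """\
date,user,host,client_ip,duration_min,result
2009-01-05,alice,FIN-PC-07,203.0.113.10,45,success
2009-01-05,alice,FIN-PC-07,203.0.113.10,30,success
2009-01-06,alice,FIN-PC-07,198.51.100.77,12,success
2009-01-06,bob,HR-PC-02,192.0.2.5,610,success
2009-01-06,bob,HR-PC-02,192.0.2.5,0,failed
2009-01-06,bob,HR-PC-02,192.0.2.5,0,failed
2009-01-07,bob,HR-PC-02,192.0.2.5,0,failed
2009-01-07,carol,DEV-PC-11,203.0.113.22,90,success
"""

# Client networks each user has previously connected from (constructed baseline).
KNOWN_CLIENT_NETS = {
    "alice": [ipaddress.ip_network("203.0.113.0/24")],
    "bob": [ipaddress.ip_network("192.0.2.0/24")],
    "carol": [ipaddress.ip_network("203.0.113.0/24")],
}

Finding = Tuple[str, str, str, str, str]  # kind, user, host, date, detail


def parse_report(text: str) -> List[dict]:
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["duration_min"] = int(row["duration_min"])
    return rows


def find_anomalies(rows, known_nets, long_min=LONG_SESSION_MIN,
                   fail_threshold=FAILED_LOGIN_THRESHOLD) -> List[Finding]:
    findings: List[Finding] = []
    failures: Dict[str, int] = defaultdict(int)
    for r in rows:
        # Exceptionally long connection (only completed, successful sessions have a duration).
        if r["result"] == "success" and r["duration_min"] > long_min:
            findings.append(("long_session", r["user"], r["host"], r["date"],
                             f"{r['duration_min']} min"))
        # Client address outside anything this user has connected from before.
        ip = ipaddress.ip_address(r["client_ip"])
        if not any(ip in net for net in known_nets.get(r["user"], [])):
            findings.append(("unexpected_client_ip", r["user"], r["host"], r["date"],
                             r["client_ip"]))
        if r["result"] == "failed":
            failures[r["user"]] += 1
    # Repeated failed log-ins, summarised per user over the whole report.
    for user, count in sorted(failures.items()):
        if count >= fail_threshold:
            findings.append(("repeated_failed_login", user, "", "", f"{count} failures"))
    return findings


def who_accessed(rows, host: str, date: str) -> List[str]:
    """Audit-trail question from the paper: who reached this computer on this day?"""
    return sorted({r["user"] for r in rows
                   if r["host"] == host and r["date"] == date and r["result"] == "success"})


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    for finding in find_anomalies(report, KNOWN_CLIENT_NETS):
        print(*finding)
    print(who_accessed(report, "FIN-PC-07", "2009-01-05"))
```

On the sample data this flags alice's connection from an unfamiliar network, bob's ten-hour session and bob's three failed attempts; the baseline of known networks is the part that needs real maintenance, since a stale baseline either floods the report with travelling users or silently accepts a new address.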
Conclusion

Workplace mobility is well on its way to becoming a standardized business process. And as more companies adopt mobile work strategies, finding remote-access solutions that guarantee corporate-level security will be top of mind for IT managers. GoToMyPC Corporate provides corporate-level security that is essential for fully protecting your organization while enabling remote access. That’s security you can count on — without question and without compromise.

To learn more about secure remote access with GoToMyPC Corporate, please call 1-888-646-0016. If you are calling from outside the U.S., dial +1-805-690-5780. For more information on Citrix GoToMyPC, please visit corp.gotomypc.com.

Citrix Online division
Product information: corp.gotomypc.com
Sales inquiries: gotosales@citrixonline.com, Phone: 1-888-646-0016
Media inquiries: pr@citrixonline.com, Phone: +1-805-690-2961
www.citrixonline.com

About Citrix Online

Citrix Online provides secure, easy-to-use online solutions that enable people to work from anywhere with anyone. Whether using GoToMyPC® to access and work on a remote PC, GoToAssist® to support customers or GoToMeeting® to hold online meetings and Webinars, our customers – more than 35,000 businesses and hundreds of thousands of individuals – are increasing productivity, decreasing travel costs and improving sales, training and service on a global basis. A division of Citrix Systems, Inc. (Nasdaq: CTXS), Citrix Online is based in Santa Barbara, California. For more information, visit www.citrixonline.com or call +1-805-690-6400.

© 2009 Citrix Online, LLC. All rights reserved. Citrix® is a registered trademark of Citrix Systems, Inc., in the United States and other countries. GoToMyPC®, GoToAssist® and GoToMeeting® are trademarks or registered trademarks of Citrix Online, LLC, in the United States and other countries. All other trademarks and registered trademarks are the property of their respective owners.