142: The Citrix Session: Strengthening your Citrix security, one feature at a time

Aug 29, 2023

We’ve released a variety of Citrix security features over the past few months that improve security in the cloud, on-premises, and in hybrid environments. Working to make Citrix solutions work for you is our number one priority. We listened to your feedback, and we know that features that power your secure Zero Trust environment, no matter where your desktops are hosted, are the most important to your business. So we built our Destination: Hybrid product roadmap around more security. 

We’re prioritizing the development of features that make your environment even more secure and compliant. New features have rolled out for a number of our solutions, including anti-DLL injection and granular security controls for App Protection, an on-premises version of Secure Private Access, and upgrade scheduling and on-premises upgrades for Session Recording. Even better, you can access all of these features through the Citrix Universal subscription.

With Destination: Hybrid, we’re delivering more tools, and more controls across our suite of technologies to create a single platform for Zero Trust app access. And we will continue to make security improvements for you as part of our security and compliance improvement initiatives. Read on for more on how your environment is more secure than ever with features to protect you against old and new threats. 

Host: Andy Whiteside
Co-host: Geremy Meyers
Co-host: Todd Smith


00:00:01.990 –> 00:00:10.730
Andy Whiteside: Hello, everyone! Welcome to episode 141 of The Citrix Session. I’m your host, Andy Whiteside. Today is August 28th, 2023.

00:00:10.850 –> 00:00:16.220
Andy Whiteside: And we’re gonna be reviewing a security blog, as it relates to Citrix.

00:00:16.329 –> 00:00:44.879
Andy Whiteside: which, if you ask me, the number one way to secure an environment is to present, not deploy, what you’re doing, and a lot of security folks aren’t that way. But I believe it is a major step in securing environments. Gonna review a blog by Monica Gristmar, who’s been on with us multiple times. The name of the blog is “Strengthening your Citrix security, one feature at a time.” I would say strengthening your security in general, but in this case around Citrix. Got Todd Smith on with me. Todd, how’s it going?

00:00:44.910 –> 00:00:46.890
Todd Smith: I’m doing well, Andy, how are you? Day?

00:00:46.970 –> 00:00:55.700
Andy Whiteside: It’s good, it’s good. You’re making a reference to your cabin on your farm, and the fact that you bought a cot that wasn’t built for a guy that’s 6’8”.

00:00:56.260 –> 00:01:03.520
Todd Smith: No, it’s a couple of inches too short. So I’m actually looking at the XL version, the extra long.

00:01:03.680 –> 00:01:04.670
Andy Whiteside: Now.

00:01:04.790 –> 00:01:09.329
Andy Whiteside: Okay, I wanna pick on you real quick. You you knew this was gonna be a problem, right?

00:01:09.400 –> 00:01:19.900
Todd Smith: I did. But it was it to? To my, to my defense? I did look for one that was already designed for extra tall people, but it wasn’t extra tall enough.

00:01:21.020 –> 00:01:28.190
Andy Whiteside: You’re extra. I’m extra tall. Jeremy’s tall. I’m extra tall, and you’re extra extra extra tall.

00:01:28.510 –> 00:01:35.830
Geremy Meyers: Yeah, I’m not used to being the shortest guy in the room, but when I’m in the room with you guys, I have to look up. It’s not. It’s different, that’s all.

00:01:36.090 –> 00:01:38.409
Andy Whiteside: Well, if it makes you feel better, I’m pretty sure I’m shrinking.

00:01:39.970 –> 00:01:48.480
Andy Whiteside: I’m getting skinnier. So that was the voice of Geremy Meyers. Geremy runs the technical team on the partner side at Cloud Software Group.

00:01:48.550 –> 00:01:50.290
Andy Whiteside: Jeremy, what’s going on your world?

00:01:50.590 –> 00:02:04.070
Geremy Meyers: Oh, man, not too much. All my my daughter started high school today. So that was a big move. So we live 5 min from the school, and yet it still took a half an hour. So we did. The you know, dropped her off. I was in the car line, so that part of me that’s my!

00:02:04.390 –> 00:02:09.570
Geremy Meyers: I thought it was going to be my 7 min of a long time with my daughter ended up being a half an hour, which is not terrible.

00:02:09.889 –> 00:02:13.270
Andy Whiteside: I assume it gets better over time.

00:02:13.370 –> 00:02:16.810
Geremy Meyers: I think it does. I hope it does. Yeah.

00:02:16.940 –> 00:02:23.439
Andy Whiteside: So let me ask you guys, when we jump into the blog, do you? Do you agree to with me that if you can present

00:02:23.760 –> 00:02:29.310
Andy Whiteside: through a single point in the firewall or single hole in the environment

00:02:29.670 –> 00:02:45.510
Andy Whiteside: over a very capable protocol. Everything the users are trying to do, and you have a resiliency on the back end that reboots to back to a gold image for a lot of the stuff. Or maybe it’s a one time launch of an application. And then the image that was running in gets destroyed afterwards

00:02:45.550 –> 00:02:48.200
Andy Whiteside: is is, are those security plays to you guys

00:02:49.250 –> 00:03:15.309
Geremy Meyers: 100%. So when you talk to any security team, they’ll tell you that security is a layered approach. Right? So you need to have multiple things that play into that. And that’s a pretty powerful couple of layers, you know. So just from the layer perspective, you know, having that one pinhole, only presenting, not deploying, that’s a pretty big layer. But even just containing any sort of, you know, security incident, you know, the fact that you can roll back to a gold image

00:03:15.350 –> 00:03:19.570
Geremy Meyers: is a pretty powerful tool as well, and if those are the only 2 you used out of Citrix Stack.

00:03:19.890 –> 00:03:23.430
Geremy Meyers: you know, highly powerful. There’s a lot more we can do. But

00:03:23.720 –> 00:03:25.049
Geremy Meyers: I mean, absolutely.

00:03:25.280 –> 00:03:34.189
Todd Smith: Yeah. And you just touched on the the control aspects of it, not not including all of the monitoring, reporting

00:03:34.480 –> 00:03:35.580
Todd Smith: and

00:03:36.160 –> 00:03:44.509
Todd Smith: the the adjusting, you know, being able to adjust that user experience, but also the security requirements based on

00:03:44.880 –> 00:03:48.309
Todd Smith: the the goal of reducing those threat vectors that are out there.

00:03:48.610 –> 00:03:53.180
Todd Smith: I think that’s another critical component of what we’re trying to do here.

00:03:53.740 –> 00:04:00.200
Andy Whiteside: And I think in the blog, we’re gonna talk about things like Secure Private Access and Session Recording and other things, too. And I mean, those are.

00:04:00.220 –> 00:04:08.680
Andy Whiteside: or at least we’re gonna reference them, those those are massive security things within the security of just the overall concept. Now, now, if I were to say Todd and Jeremy.

00:04:08.740 –> 00:04:13.350
Andy Whiteside: most customers I run into don’t use a presentation approach

00:04:13.670 –> 00:04:21.909
Andy Whiteside: as one of their layers, because it’s a security play. They use it because it’s the best way to make bad applications behave better. What would you say?

00:04:22.710 –> 00:04:24.910
Todd Smith: I would agree with that? Yeah.

00:04:25.220 –> 00:04:28.769
Geremy Meyers: I would say, yes, I think that’s how it started to be fair. I think that’s how

00:04:29.260 –> 00:04:40.779
Geremy Meyers: you know, application virtualization was initially pitched. Right. So think about 25 years ago, would we have? We had dial up right? We had worse than dial up in some cases we actually had dialing into servers, you know. So

00:04:40.950 –> 00:04:55.410
Geremy Meyers: I know Andy and Todd were both in an era where we had these Digi cards in the back of a server where you actually dialed into the server, right? So that was the initial use case. You take a fat client-server app and you want to do that across dial-up? Get out of here, right? And I think that’s where the initial use case

00:04:55.490 –> 00:04:58.689
Geremy Meyers: made sense. You you layer on thin clients.

00:04:58.730 –> 00:05:15.609
Geremy Meyers: If folks think of that, less of a security plan in some cases, and more of a low cost. Endpoint use case which, by the way, is still valid. But you know, when we talk about cost savings, and that being a big part of it. You know, I think what gets bypassed. You’re absolutely right. Is the security piece to this.

00:05:17.230 –> 00:05:22.209
Andy Whiteside: Yeah, I like to think that when I first saw an application launch through presentation whatever.

00:05:22.320 –> 00:05:35.570
Andy Whiteside: I immediately thought, hey, this is security play. I in H. In hindsight. I like to think I thought that, and maybe I did but it sure has proven itself to be over the years and then layer in, you know, an up, a non persistent image.

00:05:35.640 –> 00:05:45.749
Andy Whiteside: which I have lots of debates by myself sometimes about non persistent versus persistent. I want to go non persistent. Anytime I can. I’ll go persist, and if it means moving forward and not getting stuck. But

00:05:46.560 –> 00:06:02.500
Geremy Meyers: So let’s ask this one, Andy. So we see this deployment, and it’s not uncommon. It’s “let me fire up my VPN, and then, once my VPN is up, then I’m going to fire off my Citrix session.” Right now, granted, let’s forget ADC for a second. Let’s forget NetScaler and the gateway and the proxy. But the fact that

00:06:02.530 –> 00:06:07.770
Geremy Meyers: you know, the folks are thinking, hey, you know what? I’ve gotta fire up a VPN before I can do this application presentation.

00:06:07.880 –> 00:06:18.399
Geremy Meyers: Just tells you the folks aren’t necessarily thinking of it as a security layer, if you will. Yeah, I mean, did you add an extra layer that didn’t need to be there, and it made it less secure. That’s craziness.

00:06:19.700 –> 00:06:21.090
Andy Whiteside: So

00:06:21.310 –> 00:06:25.810
Andy Whiteside: let me come to both of you guys and say, what, what’s the point in this blog, Todd, do you want to go first.

00:06:26.450 –> 00:06:38.379
Todd Smith: Yeah. So I think, I think the main point that we’re trying to talk about in this blog is really some of the advances that have been introduced over the past year.

00:06:38.480 –> 00:06:45.170
Todd Smith: specific to security. And it’s not a we have to deploy all these capabilities

00:06:45.330 –> 00:06:55.510
Todd Smith: you can pick and choose. I mean, obviously, if you deploy all of them, and if utilize all these advances, then it’s a So it’s a better story.

00:06:55.600 –> 00:07:01.030
Todd Smith: But you don’t have to go down. you know, kind of pick with pick and choose what applies to you

00:07:01.630 –> 00:07:14.409
Andy Whiteside: your individual requirements in your individual situations. So this is beyond the conversation we were just having about whether you see this as if you’re going to do this. Then there’s things you need to consider turning on in that scenario. Yep.

00:07:15.180 –> 00:07:17.160
Andy Whiteside: Jeremy, your thoughts on the overall idea here.

00:07:17.550 –> 00:07:39.849
Geremy Meyers: So I think there are a couple of additional layers. That get introduced here. So number one, you know what you just described in presenting an app versus deploying is great, right? But at the end of the day we still aren’t. What’s a good way to say this locking down that endpoint, you know you’ve got the workspace app running on the endpoint. The first thing we talk about. Here are some things around something called app protection, and the idea is.

00:07:40.010 –> 00:08:02.179
Geremy Meyers: you know, at the end of the day I still have to enter in my password on that local endpoint. You know, I still am sharing looking at the screen. In some cases. Because I’ve had this app presented to me, I could be on a teams call where someone could see. You know. What application I have running the idea is, is, can we add some additional layers of security on that endpoint, and there’s 2 in particular that we’ve had for probably 2 or 3 years. Now

00:08:02.240 –> 00:08:18.499
Geremy Meyers: one is we can help with keylogging. You start typing your password into, you know, a virtual session, or even the Workspace app itself to log in. We can obfuscate, which is a very hard word to say, that password that you type in. So if you had a keylogger running, if your endpoint was compromised,

00:08:18.520 –> 00:08:34.409
Geremy Meyers: you could see what that password was same thing for sharing your screen. So you’ve got a virtual app running. You were sharing your screen on a team session. You could actually keep folks within that team session from seeing what that virtual app is doing. Right. So again, another layer and protecting the information that might be.

00:08:34.440 –> 00:08:44.300
Geremy Meyers: Yeah, you might be running, right. So the idea is, we’ve added 2 additional layers, and we’ve added something fairly recent, which is called anti-DLL injection, which, again,

00:08:44.320 –> 00:08:58.309
Geremy Meyers: if you’ve got a compromised endpoint. Something could introduce things like malware which at the end of the day is not going to impact your your hosted session. So something running out of the data center. But it could pick impact the endpoint. You know, there’s another way we can wrap on top of this.

00:08:58.610 –> 00:09:25.199
Andy Whiteside: So I wanna go back to the conversation around keylogging and logos, or imaging on the screen like watermarking. I mean those, up until you said it, like 2 years ago, those were like the far-reaching things we could not prevent in the delivered session. And then, 2 or 3 years ago, that was solved. And now we move on to more advanced things. Todd, have you seen people adopting the keylogging and the watermarking as much as you thought they would?

00:09:25.590 –> 00:09:28.050
Todd Smith: Yeah. And I think this is something that

00:09:28.170 –> 00:09:32.939
Todd Smith: it’s starting to become. A normal practice is to

00:09:33.180 –> 00:09:40.589
Todd Smith: make sure that organizations are protected from keylogging. Right? So they’re either putting it and installing it on

00:09:40.650 –> 00:09:42.289
Todd Smith: end point devices

00:09:42.310 –> 00:09:55.879
Todd Smith: through the common IT-managed devices that are out there, but we’re also seeing it, you know, people want to see that built into their products and the services that they’re consuming.

00:09:56.000 –> 00:09:59.099
Todd Smith: Right? So how do I know that it’s not being

00:09:59.600 –> 00:10:06.580
Todd Smith: that there’s not a keylogger put into the web service? Right. So a lot of the security

00:10:06.660 –> 00:10:14.620
Todd Smith: consultants that are out there, that’s one of the things they’re looking at when they review websites. Right? Is that susceptible to keylogging?

00:10:14.830 –> 00:10:25.829
Todd Smith: So you’re talking about it on the endpoints. But you’re also talking on anyone who’s providing you a service. And it’s more than just putting in the secure connection or the secure session.

00:10:25.840 –> 00:10:29.550
Todd Smith: It’s actually looking at that one level deeper.

00:10:29.720 –> 00:10:41.179
Todd Smith: so we’re seeing a lot of that. We’re also seeing a lot of folks. And this a lot of this is based on the jurisdiction that the customer resides in, or whether they’re delivering their service from.

00:10:41.290 –> 00:10:44.629
Todd Smith: and that is around is a watermark.

00:10:44.910 –> 00:11:00.489
Todd Smith: Does that on your screen automatically give you an additional protection. And more specifically, legal protection right? Is that now considered intellectual property is that now considered a trademark or a service mark? Is there?

00:11:00.620 –> 00:11:05.379
Todd Smith: Is there information we can put inside that watermark to

00:11:05.590 –> 00:11:11.180
Todd Smith: to make sure that you know if someone does do a screen capture or someone does do

00:11:11.490 –> 00:11:21.410
Todd Smith: a you know, a photograph of that screen is that is that protected under, you know, either copyright or other types of legal protections that are out there.

00:11:21.730 –> 00:11:28.209
Andy Whiteside: Yeah, I mean at at a minimum, putting your stamp on it, which is basically you’re doing there shows some degree of ownership that

00:11:28.410 –> 00:11:32.609
Todd Smith: if you took it it wasn’t by accident. You you knew you took it.

00:11:32.810 –> 00:11:43.040
Andy Whiteside: Yeah. So for me, Todd, so let me ask the question again. Have you seen, so I know we love it, I know it makes sense, have you seen widespread adoption of those 2 things?

00:11:43.050 –> 00:11:48.530
Andy Whiteside: And if you could kind of quantify your answer, have you seen widespread adoption of it?

00:11:48.630 –> 00:12:00.280
Todd Smith: So I’ve seen more widespread adoption in the anti-keylogging requirements that are out there, and probably widespread is, you know, it’s between the 40 and 50%

00:12:00.630 –> 00:12:12.140
Todd Smith: mark of customers. The screen capture or not. Sorry. The watermarking is a little bit more or or less widespread.

00:12:12.410 –> 00:12:15.399
Todd Smith: but it is a little bit more in specific

00:12:15.470 –> 00:12:20.440
Todd Smith: use cases. So specific industries. We’re seeing the

00:12:20.490 –> 00:12:25.359
Todd Smith: the watermarks being put into, you know, healthcare and banking as an example.

00:12:26.670 –> 00:12:41.650
Andy Whiteside: Usually I asked that question because I thought when we had those 2 boxes checked after all these years, that the security guys, I would not have to convince them this was a security play anymore that that would make it obvious to them. It was. And I’m still having, I’ll say, polite arguments with security folks

00:12:41.770 –> 00:12:55.829
Andy Whiteside: trying to point out that this layered approach that includes deliver versus deploy is a massive step towards securing an environment, and you know, the watermarking and the keylogging did not bring them in my direction as much as I thought it would.

00:12:57.310 –> 00:13:06.169
Todd Smith: and I think this goes back to the arguments that occur in in most organizations between the operational side and the security side

00:13:06.330 –> 00:13:19.150
Todd Smith: operations and administrators sometimes will look at the overhead associated with adding an anti-keylogger, or adding in that session watermarking

00:13:19.360 –> 00:13:25.150
Todd Smith: into the environment. Right? It does add some overhead in some cases, especially

00:13:25.190 –> 00:13:29.939
Todd Smith: several years ago, when we first introduced it, there was there was some additional overhead required.

00:13:30.050 –> 00:13:36.579
Todd Smith: so sometimes the, you know, unless you were talking directly to the security folks,

00:13:36.680 –> 00:13:42.000
Todd Smith: That message sometimes got, you know, either watered down or left out completely.

00:13:42.670 –> 00:13:43.620
Geremy Meyers: So

00:13:44.000 –> 00:14:11.360
Geremy Meyers: you know I’ll I’ll say it this way. You know I do. We have customers who are using presented applications presented desktops as a security play. Yes, in fact, it’s a pretty significant deployment. We see a lot. But you gotta think about where this technology sits within the organization sometimes. So, for instance, a lot of organizations are leveraging this from the application development or the application. You know. Department folks who manage apps are the ones who own Citrix.

00:14:11.480 –> 00:14:22.670
Geremy Meyers: and so it becomes more of an application delivery play to your point, originally and less of a security play. So we’re gonna let the apps guys do what they do. And we’re gonna have the security team come in behind and protect

00:14:22.750 –> 00:14:27.280
Geremy Meyers: what the app guys are doing like that is some pretty classic mentality that I see a lot

00:14:27.380 –> 00:14:45.790
Geremy Meyers: now, having said all that we do have some folks who have been compromised where they come to us and go. Hey, we’ve got to find a better way to do this. You know, we wanna quit putting stuff on our endpoints because we were. We had a ransomware attack that started from an endpoint across a VPN. All right, we can’t do this anymore. Let’s pick a better, better way to do this, and so they’ll present the apps. And all of a sudden it kind of clicks.

00:14:45.790 –> 00:15:00.100
Geremy Meyers: But a lot of times. It’s just where does Citrix sit within the organization is gonna define how it gets looked at from within the organization until you have a leadership change where you know, someone comes in and goes. This is going to be a part of our strategy. It’s gonna take that sometimes to to make the switch.

00:15:01.270 –> 00:15:04.179
Andy Whiteside: and somebody’s got to be looking for where there’s layers

00:15:04.590 –> 00:15:18.410
Andy Whiteside: of what we’ve been doing, how we can make those more secure matter or matter more or less. Let me give you an example. Going back to the whole original conversation around Citrix being Citrix and presentation type, things versus deploying being a Security Todd

00:15:18.820 –> 00:15:40.980
Todd Smith: are. Do you remember when you used to go to a safe deposit box at the bank and they would take you into the vault where the deposit boxes were, and you would get out whatever you get out right there in the vault. Did did you ever experience that? Yes, yep, and oftentimes the bank manager had a key, and I had a key.

00:15:41.100 –> 00:15:52.480
Todd Smith: The bank I used to do business with. We’d actually go into a separate small little room, and then I wouldn’t be left in the room with the contents of the box, and then, when I was done, we’d go. We would then go in.

00:15:53.220 –> 00:16:03.889
Todd Smith: put the, you know, slide the box back in the vault, and then both turn the keys at the same time. In order to lock it back in right? So that was, that was a very traditional.

00:16:04.110 –> 00:16:07.920
Todd Smith: you know. It required 2 different people with 2 different keys.

00:16:08.230 –> 00:16:16.170
Todd Smith: going through multiple different physical security barriers to get into the vault, to actually go there.

00:16:16.650 –> 00:16:19.330
Todd Smith: Now they didn’t care about what the contents were.

00:16:19.560 –> 00:16:39.420
Todd Smith: but they did care about the overarching packet in the containerization of the content. Well, and I may be wrong here because I haven’t done that forever. But I’m under the impression you don’t go in the vault with them anymore. They just bring the box to you. Is that, or am I wrong? Do you? Actually, you know what II can’t tell you, because I haven’t

00:16:39.450 –> 00:16:51.090
Todd Smith: the security box and say, deposit box in a while. I’m just going back on what it what it used to be, but you know. Think about it, banks were the banks, oftentimes were the the leading.

00:16:51.350 –> 00:17:00.760
Todd Smith: you know, they set the standard for a lot of these security measures that are still in place today, for sure. Jeremy, you know, have you gone to a safe deposit box?

00:17:01.350 –> 00:17:21.559
Geremy Meyers: I have never been to a safe deposit box. Yeah, yeah, no. I do remember the goofy looking team my parents had. But I never witnessed that first hand. Okay, so my analogy is not gonna play out here. But I think back in the day you actually got to go in the vault. I remember going in the vault. I mean, I can see money is all locked up. But yeah, these days, when I think Citrix, you never go in the vault. You see the vault,

00:17:21.770 –> 00:17:39.729
Andy Whiteside: but you never go in the vault, and that’s an extra layer of security that just makes it almost impossible to do a lot of bad things. Alright. So Jeremy covered anti-DLL injection. Todd, you wanna just cover it again real quick? That kind of brought us back, and now we’re going forward again. Your take on anti-DLL injection as an additional security play.

00:17:39.770 –> 00:17:46.420
Todd Smith: Yeah. So so it obviously isn’t an additional, you know, it’s it’s an additional feature that can be turned off and turned on.

00:17:46.470 –> 00:17:52.689
Todd Smith: Based on what you want to do. And you know, DLLs have always been a challenge, right? Especially where

00:17:53.100 –> 00:18:03.550
Todd Smith: the user certainly doesn’t understand what a DLL is. Developers are getting and using DLLs from all over the place.

00:18:03.850 –> 00:18:12.250
Todd Smith: And oftentimes, you know, we don’t have that much interaction anymore with the operating systems that are opening and closing these DLLs. So

00:18:12.430 –> 00:18:19.300
Todd Smith: you know, we’ve got to have some way of saying, yes, this is above, or this is outside of normal operating parameters.

00:18:19.640 –> 00:18:22.269
Todd Smith: And this is one of those things that can really help with this

00:18:24.100 –> 00:18:28.079
Andy Whiteside: Jeremy, anything else to add to the DLL conversation? So

00:18:28.520 –> 00:18:57.239
Geremy Meyers: I think so. Going back to the security plan, the layers, you know. The idea is we should not have to leverage anti-DLL injection. You know, there should be some protection that the security team is authorized to put on the endpoint that should catch screen loggers, is it, you know, rogue applications that are gonna inject a DLL. That should be caught. This is the backup plan, right? This is the additional layer which, by the way, is probably already included with most customers. So if you’re a DaaS Premium, DaaS Premium Plus customer,

00:18:57.390 –> 00:19:03.529
Geremy Meyers: you’ve already got this right so it shouldn’t stop you to go. Turn this thing on. Just add an additional layer. But you know ultimately.

00:19:03.770 –> 00:19:14.150
Geremy Meyers: you know, to stop zero-day attacks, you know. Sometimes things make it past the first layer. This is something you should have tacked on, turned on automatically, because you probably already own it, just to enable it. Yup.

00:19:14.340 –> 00:19:18.130
Andy Whiteside: how about the how about overhead, as it relates to this thing? Any concerns there

00:19:19.490 –> 00:19:22.299
Geremy Meyers: like processing overhead? Just what would

00:19:22.730 –> 00:19:34.309
Todd Smith: man? I don’t have a good feel for that, do you, Todd? I don’t think it’s much. No, I don’t have any. I don’t know what the current the overhead requirements are.

00:19:34.700 –> 00:19:38.720
Todd Smith: I could promise you. It’s not as tough as in ours.

00:19:39.350 –> 00:19:49.220
Geremy Meyers: The last statement in this paragraph said, this is a huge step in preventing unwanted data leaks and saves admin time on security patching and updates.

00:19:49.430 –> 00:19:57.560
Andy Whiteside: Well, yeah. And and you’re and you’re maybe you 2. But people in general won’t tell me. Security is a I mean. Excuse me, Citrix is a security play

00:19:57.990 –> 00:20:09.790
Andy Whiteside: It is, especially when you look at it from a suite of things that make up layers of things. Alright, Todd, we’ll lead with you on this one: contextual App Protection for Workspace and StoreFront. Tell me what that means.

00:20:10.430 –> 00:20:17.510
Todd Smith: So so one of the one of the challenges that a lot of times we’ve we’ve had is adjusting

00:20:17.750 –> 00:20:19.909
Todd Smith: security policies

00:20:20.680 –> 00:20:24.720
Todd Smith: based on a variety of different things. One of them is, you know, obviously.

00:20:24.920 –> 00:20:36.790
Todd Smith: who you are, where you’re coming in, from, what device you’re on, you know. Kind of the how do we protect on the any, any, any, any plane? This one actually allows you to do

00:20:37.140 –> 00:20:43.970
Todd Smith: increase the granularity based on, you know, specific user contacts. Right? So if I am in.

00:20:44.160 –> 00:20:58.289
Todd Smith: If I’m on a control browser, I’m gonna have a different experience. I’ll have different controls put on, put on me by either the workspace itself. So the Workspace app will be communicating back with the Workspace controllers.

00:20:58.380 –> 00:21:06.129
Todd Smith: or you can do it on the storefront itself. Basically say, you know, what if I’m accessing this application from this storefront, then I need to have.

00:21:06.160 –> 00:21:10.429
Todd Smith: a certain amount of additional controls put in place.

00:21:12.370 –> 00:21:13.500
Andy Whiteside: Jeremy, thoughts?

00:21:14.710 –> 00:21:30.790
Geremy Meyers: Yeah. So the key here is being able to identify whether folks are, you know, internal, external. That would be a thing. It’s based on device posturing as well. So it’s just being able to tier what kind of control that you put on, you know, Workspace and StoreFront? Right? So

00:21:31.300 –> 00:21:44.169
Geremy Meyers: you know, it’s something that we’ve done as a part of, like, say, SmartAccess on NetScaler for years. But now we’re adding it as a service out of, you know, Citrix Cloud, if you’d like it, or, you know, do that as well on-prem.

00:21:44.340 –> 00:21:56.370
Andy Whiteside: And help me, when you say Workspace, are you talking Workspace app, Workspace landing web page? What does Workspace mean in this conversation?

00:21:56.580 –> 00:22:10.759
Geremy Meyers: So in this conversation, it’s the cloud-delivered StoreFront, that Workspace, not so much Workspace app, but Workspace as a service, right? And that’s versus, like, say, StoreFront, which is 100% on-prem, right? So if you’re hitting StoreFront,

00:22:10.920 –> 00:22:18.000
Andy Whiteside: you’re doing it directly, or you’re doing it through a NetScaler. It’s a resource location. Yeah. Got it? Okay? Awesome. Thanks.

00:22:18.410 –> 00:22:35.119
Todd Smith: Alright. Next section says, bringing Secure Private Access to everyone. Todd, define Secure Private Access for us real quick, because I find a lot of people have no idea what this really is. Yeah, sure. So Secure Private Access is, you know, once again, a component of our Zero Trust

00:22:35.260 –> 00:22:38.430
Todd Smith: network access, or ZTNA,

00:22:38.440 –> 00:22:43.649
Todd Smith: and really, what it does is it encompasses replacing things like a VPN.

00:22:43.730 –> 00:22:48.110
Todd Smith: Improving your security posture, overall

00:22:48.190 –> 00:22:53.030
Todd Smith: in being able to to really give you a lot more control

00:22:53.370 –> 00:22:55.659
Todd Smith: and visibility into, you know,

00:22:55.940 –> 00:23:01.069
Todd Smith: who’s coming into your network, what they’re allowed to do, and, more importantly,

00:23:01.110 –> 00:23:06.360
Todd Smith: gives you that visibility into what they’re doing while they’re in the session, or what they’re doing while they’re connected.

00:23:08.440 –> 00:23:10.089
Andy Whiteside: Jeremy, how do you want to explain it?

00:23:10.460 –> 00:23:12.850
Geremy Meyers: So I am coming up with?

00:23:12.970 –> 00:23:38.170
Geremy Meyers: I’m constantly evolving my analogy for this, because I’m trying to figure out the best way to say it. But when you think about how we’ve delivered apps in the past, it’s all been hosted, that’s, you know, sat in the data center. We’ve presented it. Honestly, it’s the first half of this conversation we’ve had. But you know, with Secure Private Access we’re talking about, how can we make almost a better VPN? ’Cause that’s the worst analogy. That’s what I’m trying to fix. But the idea that we don’t wanna turn everything on, we would just wanna present

00:23:38.260 –> 00:23:55.060
Geremy Meyers: at a network level these applications. So, for instance, in the past, I might have launched a web page, an internal web page, by opening up a VPN, opening up my browser and going direct in. There’s a lot of security implications with that. So the idea is, what if I could give you specific access to

00:23:55.060 –> 00:24:16.299
Geremy Meyers: internal websites? Heck! Even, you know, public-facing websites, and wrap some control around that as well. So, for instance, one of the common ones that I use at Citrix here is, listen, I’ve got a handful of cloud tools that I use all the time. So they give me insight into, you know, cloud tenants, and, you know, I’m constantly helping customers out on the back end. But these are internal-only tools.

00:24:16.500 –> 00:24:24.720
Geremy Meyers: So I am accessing them through secure private access. So I’m not having to fire up a VPN. The key is, it’s paired with an enterprise browser.

00:24:24.860 –> 00:24:26.429
Geremy Meyers: So the idea is.

00:24:26.470 –> 00:24:39.579
Geremy Meyers: You know, if I’m, you know, not presenting like I have in the past, and I’ve turned all these security controls on to protect the delivery of that app, well, what happens if I’m accessing it directly from my endpoint? I’m firing up my local browser, going to that web page.

00:24:39.640 –> 00:24:45.089
Geremy Meyers: You know, how do I protect that? Well, that’s where the Enterprise Browser comes in, so I can throw those same security controls on

00:24:45.200 –> 00:24:51.530
Geremy Meyers: when I’m accessing that internal website, because I’m doing it from a protected browser. And that is huge. That’s actually a game changer.

00:24:51.590 –> 00:25:14.859
Andy Whiteside: Yeah, so just to be clear on the blog, it talks about secure private access, which is your way of being able to get into the internal environment without having to do a full-blown VPN. And you were pretty political about how you said it; my answer is, it’s 2023. If your organization is using a VPN for anything other than hardcore administrative stuff that you gotta get back in the back end to do, you’re doing it wrong. You’re

00:25:14.860 –> 00:25:32.339
Andy Whiteside: you’re doing it wrong. Sometimes I get more derogatory than that. But you’re doing it wrong. Zero Trust, secure private access technology is a way to do it. And then, Geremy, you took it to the next level, which, by the way, I’m gonna show you. This is the computer I’m sitting in front of right now. These are my default apps. And look what I have for my browser.

00:25:32.400 –> 00:25:34.719
Geremy Meyers: There it is, Enterprise Browser.

00:25:34.770 –> 00:26:01.229
Andy Whiteside: And I’m having that conversation, because there’s other players in the space now that are having, you know, non-consumer browsers, aka enterprise browsers, Citrix being one. And I’ve got people on my team going, that’s a great idea. And I’m like, what are you talking about? We’ve had that for over a year now. And then you pair it up with something like secure private access, and you’ve got peanut butter and jelly, and one heck of a good, you know, sandwich. But there’s still so many people, when I say Enterprise Browser, they start talking about Secure Browser service,

00:26:01.240 –> 00:26:09.339
Andy Whiteside: and they don’t even understand that for the last 30 years, 20 years at least, they’ve been using the consumer browser to get work done, which is a very, very bad thing.

00:26:09.710 –> 00:26:17.709
Geremy Meyers: So what’s different in this blog here is, this has traditionally been something delivered from Citrix Cloud. So SPA, secure private access, was a service.

00:26:17.760 –> 00:26:19.699
Geremy Meyers: Now this works completely off

00:26:19.960 –> 00:26:30.259
Geremy Meyers: off the cloud. You know, StoreFront on-prem, NetScaler Gateway on-prem, that sort of thing. So not required to have the cloud tenant to do it

00:26:30.310 –> 00:26:46.439
Geremy Meyers: now. And this is what it’s trying to point out here, is it also includes Enterprise Browser. So I can take my enterprise browser, not the service, take my enterprise browser, connect that through my NetScaler, through StoreFront, to access my internal apps. And what this video and the blog does is walk through what that user experience actually is.

00:26:46.510 –> 00:26:48.660
Andy Whiteside: Yeah, no-brainer. Todd, go ahead.

00:26:49.390 –> 00:26:51.929
Todd Smith: I was just gonna agree. I mean, I think that

00:26:51.960 –> 00:26:56.609
Todd Smith: the move towards a secure browser

00:26:56.800 –> 00:27:01.379
Todd Smith: that’s enterprise class, it has all of the policies that you could put in there just like you were,

00:27:01.670 –> 00:27:07.909
Todd Smith: you know, what we’re trying to do here is replace the need to publish a browser as a

00:27:08.120 –> 00:27:22.459
Todd Smith: published application, right? So have it be native, have it be included in the components, have it be able to be accessed directly from the workspace. Having it show up as one of your common default browsers is absolutely critical, and I think this is one of those,

00:27:22.560 –> 00:27:24.170
Todd Smith: one of those features

00:27:24.260 –> 00:27:29.040
Todd Smith: that oftentimes gets overlooked, and is certainly a lot of times misunderstood.

00:27:29.670 –> 00:27:52.940
Andy Whiteside: What’s the version of Windows they had over in Europe, or they have everywhere now, but Europe forced it to happen, where the operating system came with no browser? Is it the N edition? I think it’s been all of them. I think the Europeans forced them to remove the browser, Explorer. You really

00:27:52.940 –> 00:28:12.729
Andy Whiteside: you really couldn’t. But with Edge, maybe you can, maybe. Anyway, actually you can’t. I’ve looked into it. You can’t. But to me an ideal world going forward is you get your Windows OS, and you systematically insert an enterprise browser versus having to have one on the system that’s, you know, consumer-built for consumer use cases.

00:28:13.520 –> 00:28:24.250
Todd Smith: Yeah, I love it. But I had to set up a new machine for one of my nephews over the weekend. And it was interesting going to install Chrome on it.

00:28:24.330 –> 00:28:26.830
Todd Smith: The first thing I had to do was open up

00:28:27.330 –> 00:28:29.900
Todd Smith: Edge, because that was what was installed

00:28:30.200 –> 00:28:38.190
Todd Smith: on the factory default, to go and download Chrome so I could actually install that and replace the browser. Its default browser is that.

00:28:38.930 –> 00:28:43.590
Geremy Meyers: How would you get a browser, if Windows didn’t have a browser?

00:28:46.320 –> 00:28:49.840
Geremy Meyers: Your IT team would put it on there, and that would have to be, yeah

00:28:49.910 –> 00:28:58.019
Todd Smith: and find out what the FTP server is, and then download. Connect to the FTP server, the public side of the FTP server.

00:28:58.270 –> 00:29:00.529
Todd Smith: Work your way through the libraries.

00:29:01.100 –> 00:29:06.859
Geremy Meyers: Workspace app on there, and it will be on there. Done.

00:29:06.970 –> 00:29:18.239
Geremy Meyers: So Windows N edition, there was an XP version of this. It shipped without Windows Media Player, is what it was, but there was some antitrust thing there as well. And I think there’s a version that didn’t do a browser. That’s interesting.

00:29:19.700 –> 00:29:26.360
Andy Whiteside: Alright, next section. I can’t remember who’s up. I’ll go with Todd. Better compliance around Session Recording.

00:29:27.260 –> 00:29:30.809
Andy Whiteside: Todd, give us a brief history on Session Recording and what this particular

00:29:31.210 –> 00:29:40.780
Todd Smith: scenario. So it’s interesting, because Session Recording originally started off with being able to record a specific application that was being delivered via

00:29:40.840 –> 00:29:42.479
Todd Smith: a Citrix session,

00:29:42.790 –> 00:29:45.660
Todd Smith: no pun intended,

00:29:45.880 –> 00:29:59.429
Todd Smith: but within a XenApp context, right? So if I can deliver, you know, an application, so say, for instance, it’s Excel, and I wanted to be able to see what the person was doing when they’re inside the Excel spreadsheet,

00:29:59.900 –> 00:30:04.490
Todd Smith: I could turn on Session Recording, and then I would have to, then,

00:30:05.690 –> 00:30:08.239
Todd Smith: you know, get the administrator to

00:30:08.990 –> 00:30:25.229
Todd Smith: review the recording. We then changed it so that you could actually share the recording out to a specified group of people, because oftentimes the recording didn’t need to be reviewed by the IT administrator, but by someone in training or compliance, or whatever.

00:30:25.680 –> 00:30:34.819
Todd Smith: So what we did is, we then expanded that to include desktop recording, so being able to record the entire desktop, so the VDI session, that desktop session,

00:30:34.860 –> 00:30:45.109
Todd Smith: and then being able to continuously leverage the recording capabilities to identify, you know, potential security breaches, people not doing,

00:30:45.210 –> 00:31:01.120
Todd Smith: not doing those tasks as they should be, so it could be a training issue, and then oftentimes it’s being used for compliance. So think about bank transactions that are large in scale. I wanna see who, you know, who was actually doing that, what they were clicking on

00:31:01.260 –> 00:31:09.109
Todd Smith: while they were in that session. But it’s really been designed, it’s being utilized, primarily for compliance issues.

00:31:09.760 –> 00:31:10.460
Andy Whiteside: right?

00:31:11.740 –> 00:31:20.149
Andy Whiteside: Geremy, your thoughts on Session Recording, its origins and how it’s worked, and any real-world examples where, you know, it proved its worth.

00:31:20.350 –> 00:31:33.929
Geremy Meyers: So Todd specifically talked, and this blog is specifically focused, on security. I think one of the other areas we’ve seen this used is training. So being able to reproduce an issue, you know, ’cause, you know, a user will dial in, call in and say, Hey, I’m having this issue.

00:31:33.950 –> 00:31:44.440
Geremy Meyers: Actually be able to go back and say, Hey, what you’re doing, let’s do this a little bit differently. So just being able to understand what users are doing, and kind of train them up on

00:31:44.490 –> 00:31:53.170
Geremy Meyers: how to do something a little bit differently. So that is the other use case I’ve seen. How the service has evolved is becoming more and more managed.

00:31:53.250 –> 00:32:07.080
Geremy Meyers: So one of the reasons most customers have not deployed is simply because, historically, there’s just been a lot to go turn on to get Session Recording up and going. And so what’s nice now is the Session Recording service. You can deploy a lot of it,

00:32:07.230 –> 00:32:15.509
Geremy Meyers: you know, hands, I would say hands-free. But just recently we had the ability to deploy most of it out to Azure, and it’s automated, which is pretty slick.

00:32:15.990 –> 00:32:25.449
Andy Whiteside: And maybe to give this blog its due, some of this is talking about the ability to manage those configurations and rollouts. Is that really what this portion here is,

00:32:28.360 –> 00:32:31.519
Andy Whiteside: the cloud client update kind of control thing?

00:32:31.700 –> 00:32:34.480
Geremy Meyers: Yeah, I would think so. Yeah, yeah.

00:32:34.790 –> 00:32:36.710
Andy Whiteside: Sorry.

00:32:36.720 –> 00:32:38.670
Geremy Meyers: By the way, what was this originally called?

00:32:38.890 –> 00:32:46.980
Geremy Meyers: I Googled that because the name escaped me, and as it turns out. None of the Google

00:32:47.100 –> 00:32:48.050
Geremy Meyers: hits

00:32:48.360 –> 00:32:54.379
Todd Smith: hit. But I’ve got web ChatGPT running on the side. So it automatically looks it up too. Of course.

00:32:54.620 –> 00:33:06.910
Andy Whiteside: I don’t know if you guys saw that or not. But I just sent you a chat. I just popped up the screen. So Microsoft is releasing, like, as we speak, an enterprise browser. Like, it’ll still be Edge. But whatever, my point is,

00:33:07.100 –> 00:33:11.120
Andy Whiteside: you gotta get this consumer browser crap out of the way. It’s a problem.

00:33:11.130 –> 00:33:12.150
Geremy Meyers: It is

00:33:12.270 –> 00:33:22.210
Andy Whiteside: Alright. So let’s go, Geremy. I think new on-premises security features for Session Recording. What is this part of the blog calling out?

00:33:23.000 –> 00:33:37.379
Geremy Meyers: Oh, let’s take a look. Yeah, I think there’s a couple of different things here. So number one, just managing who can see recordings. So, for instance, you know, as you expand this out, and you give more people access, just being able to tier who can see what,

00:33:37.410 –> 00:33:41.489
Geremy Meyers: just notifying users before they’re logged off or their sessions locked.

00:33:41.650 –> 00:33:54.540
Geremy Meyers: It’s pretty important. The, you know, the other piece to this, maybe it’s not called out here, is there’s an integration with, you know, the Security Analytics service as well. So maybe that’s a little bit of the tie-in there, you know. If something were to happen,

00:33:54.680 –> 00:34:02.410
Geremy Meyers: and your machine was to, you know, maybe trigger Security Analytics, you could log some folks out and make sure they have an update before it happens.

00:34:03.250 –> 00:34:06.079
Andy Whiteside: You know, we haven’t talked about Security Analytics at all

00:34:06.360 –> 00:34:11.880
Andy Whiteside: in any of this. That’s a whole other element of taking the workspace and bringing it to

00:34:11.960 –> 00:34:17.640
Andy Whiteside: a place where it’s got all kinds of security initiatives going on in real time, or on demand, as needed.

00:34:17.800 –> 00:34:18.580
Geremy Meyers: Umhm

00:34:19.699 –> 00:34:23.569
Andy Whiteside: Todd, anything else you’d want to highlight around the Session Recording feature?

00:34:24.040 –> 00:34:25.920
Todd Smith: I think the

00:34:26.090 –> 00:34:39.589
Todd Smith: the comment you just made around the Security Analytics piece of it. You know, what if you could have a Security Analytics event trigger Session Recording to automatically start? And then, once the recording is done,

00:34:40.040 –> 00:34:46.270
Todd Smith: then notify, not the administrator, but notify the person who is responsible for reviewing that,

00:34:46.440 –> 00:34:53.150
Todd Smith: and make it seamless, right? So that’s a critical step, and that’s a critical

00:34:53.409 –> 00:34:55.790
Todd Smith: move in the right direction when it comes to

00:34:57.110 –> 00:34:59.550
Todd Smith: making it less cumbersome

00:35:00.030 –> 00:35:07.999
Todd Smith: for security administrators to really do their jobs. And it’s a piece of the automation stack that a lot of people overlook.

00:35:08.850 –> 00:35:09.580
Andy Whiteside: Yeah.

00:35:11.100 –> 00:35:29.439
Andy Whiteside: So this last section says, the tools you want to create the secure environment you need. And then it lists a whole bunch of stuff: Google identity authentication, Azure dynamic security groups and trusted launch support for Azure ephemeral OS disk. I think my main point in calling out this whole blog, as well as others, is,

00:35:29.640 –> 00:35:37.439
Andy Whiteside: you know, Citrix kind of built this space. And they’re still, you guys are still investing, Cloud Software Group is investing in what Citrix does from a security place.

00:35:37.600 –> 00:35:48.830
Andy Whiteside: I can’t say any people just assume Citrix is done, and there’s no innovation going on. I think there’s probably more innovation going on now than there was a year ago. Just gotta make sure people realize it.

00:35:49.240 –> 00:35:52.589
Todd Smith: I think what’s interesting is security doesn’t live in a silo,

00:35:52.710 –> 00:36:20.899
Geremy Meyers: and you’ve gotta be able to integrate with a lot of what folks bring to their conversation. Right? So part of the hybrid talk we have is the fact that you’ve got to integrate together with things that you’ve got, so multiple clouds, multiple things like that. And we’re just extending out security as well, right? So we understand a lot of folks are using things like Azure AD. There’s a security platform with Azure AD that folks are gonna leverage. How do we integrate with that? You know, later today, we’re gonna do a podcast around ServiceNow, the idea being,

00:36:20.900 –> 00:36:24.469
Geremy Meyers: how do we integrate Citrix Cloud, the on-prem stuff,

00:36:24.500 –> 00:36:41.830
Geremy Meyers: with ServiceNow. In fact, we’re gonna do that on our next podcast, but the idea is, you’ve got to be able to tie these things together, and security is no different, right? So how can we consume, how can we contribute to, you know, sort of the broad solution that a customer is going to have? How do we integrate into it? Part of every conversation you have

00:36:41.840 –> 00:37:11.370
Todd Smith: improvements that we’re making.

00:37:11.730 –> 00:37:14.509
Todd Smith: you know, XenApp performance, or, you know,

00:37:14.630 –> 00:37:26.089
Todd Smith: the next feature within XenDesktop, you know, what we’re really doing when it comes to looking at security, and looking at security as a holistic component

00:37:26.500 –> 00:37:36.279
Todd Smith: of what we do, right? And we used to have one of the slides that we always had in our decks, that I absolutely hated, which was the secure by design

00:37:36.420 –> 00:37:48.980
Todd Smith: slide, because it didn’t explain exactly what that meant. It was just, well, yeah, we’re working on security. Well, we need to lead with that. And this blog is yet again another example of,

00:37:49.060 –> 00:37:58.869
Todd Smith: you know, where security is a critical component in every single thing we’re doing when it comes to developing an application, developing a product, developing a service.

00:37:59.030 –> 00:38:12.429
Todd Smith: It cannot be an add-on, it has to be integral. You know, it’s got to be built into the foundation. It’s the rebar that goes into the concrete. You know, it’s not just something that we add on at the very end.

00:38:14.120 –> 00:38:19.069
Geremy Meyers: Secure. Did you say security is the rebar? That might be my new favorite

00:38:19.980 –> 00:38:24.840
Todd Smith: analogy. There, Todd, yeah. Feel free to use it any time. Alright, Geremy.

00:38:26.540 –> 00:38:29.070
Andy Whiteside: I will. I’m sure he will, too.

00:38:29.130 –> 00:38:33.590
Geremy Meyers: I’m sure I will. And sometimes that security might be as simple as turning off,

00:38:33.930 –> 00:38:39.549
Andy Whiteside: you know, local client drive mapping or printer redirection, print redirection.

00:38:39.720 –> 00:38:44.810
Andy Whiteside: There’s so many things in the presentation protocol of ICA/HDX, if you will,

00:38:45.010 –> 00:38:54.349
Andy Whiteside: that are in there, from a security perspective, that were enabled for customers to do stuff, and at the same time can easily be turned off. Those are security features,

00:38:54.510 –> 00:38:56.870
Andy Whiteside: If you want to stop and look at it the right way.

00:38:56.990 –> 00:38:57.680
Todd Smith: Yep.

00:38:58.370 –> 00:39:03.310
Andy Whiteside: And look, if you’re an organization still using VPNs for users to get work done, you need to stop,

00:39:03.610 –> 00:39:06.430
Andy Whiteside: ’cause it’s wrong. It just is. It’s wrong.

00:39:07.780 –> 00:39:17.209
Andy Whiteside: Well, guys, thank you for the time today, talking Citrix and security. I’m adamant that it is, and I fight the good fight all the time, talking to

00:39:17.370 –> 00:39:30.459
Andy Whiteside: other security folks, vendors that don’t even keep it in the loop as one of the layers, but without a doubt it’s one of the layers in our world to bring security to ourselves as well as our customers. So I appreciate you guys talking through this.

00:39:30.480 –> 00:39:46.049
Geremy Meyers: Absolutely, appreciate it, guys. Well, I’ll tie something back into what Geremy said. We were spending a ton of money internally to implement ServiceNow for ourselves and for our customers, and I may have done this with you before. But then I asked my team, okay, this is great. Why are we spending so much money? What’s our goal here? And the answer was, security.

00:39:46.580 –> 00:39:53.319
Andy Whiteside: Implement ServiceNow for security? I’m like, I don’t understand that. He said, well, look, until you get everything into one place, you can’t secure it, because you don’t know what you have.

00:39:54.630 –> 00:40:08.710
Andy Whiteside: And we’re going to be launching that series where we talk about ServiceNow a lot. That’s enabling user-initiated workflows, very important; getting your hands around your virtual and physical environment so you can secure it, equally as important.

00:40:10.370 –> 00:40:11.630
Geremy Meyers: Couldn’t agree more.

00:40:12.110 –> 00:40:15.620
Geremy Meyers: Alright, gentlemen, enjoy the rest of your Monday. Alright.