Citrix's Security Play

With acquisition of XenSource, Citrix puts itself at forefront of data center virtualization - and security

Citrix last month significantly expanded its business with the $500 million acquisition of XenSource, which makes tools to help companies virtualize applications and storage. Much has been said in the aftermath of the deal, but many people are still overlooking a critical aspect of the Citrix-XenSource merger: security.

The crown jewel of XenSource is its open-source hypervisor, a software technology that allows multiple operating systems and applications to coexist on the same physical server. XenSource gives Citrix the potential to build out its application delivery infrastructure inward – into the virtual data center – and outward, onto the endpoint.

Citrix is now well positioned to take advantage of the growth driven by disruptive vendors and technologies such as VMware, Cisco, and Intel's vPro. There is no free lunch – Citrix still has to brilliantly execute – but it has good tools to work with.

Many security pros are fans of desktop virtualization, because it allows applications to execute in a secure data center instead of on untrusted endpoints. Endpoint security creates holes that security teams sometimes find impossible to plug, in both customer and business partner devices. It is all too easy for an untrusted home PC to store working copies of confidential data, keep sensitive information in temporary buffers, or record username and password keystrokes via spyware.

In centralized environments, however, application delivery technology can be deployed to handle authentication requirements and to display the application for the end user as if it were running locally. In healthcare and finance environments, I often see an integrated chain of tools that work together to create this centralized environment:

  • A VMware-based virtual datacenter that keeps data in the data center. The endpoint is the weakest link, so the enterprise reduces its risk by never storing data on the endpoint. It is an effective and compelling technique.

  • Thin clients supporting Citrix Presentation Server, Microsoft Terminal Server, SSL-driven application servers, or even Sun’s SunRay x-terminal application. These thin clients give the user a "local" look and feel for the application. Use of a two-factor authentication token can reduce the risk of passwords being stolen due to poor endpoint security.

One of the problems with centralizing applications in a virtual data center is that some applications still need to execute locally to maximize performance. This processing might be required to correlate data from multiple sources, to allow the user access to data when disconnected from the network, or even to offer a secure environment to process compressed streamed multimedia content.

In a classic, thin-client virtualized environment, there is a lot of underutilized processing power at the endpoints that could be exploited if the application delivery system had end-to-end intelligence.

Citrix isn't ready to divulge its plans for XenSource, but it's still fun to conjure up a few of the possibilities that could change traditional approaches to enterprise security:

  • Virtual data centers could be used to protect the data. Citrix can lessen its dependency on VMware with a XenSource-based virtual data center. Organizations can keep the data in the data center, where it belongs, allowing the customer to dynamically choose among accelerated SSL, virtualized presentation services, or streaming applications. This approach could clear the way for customers to place more applications, and sensitive data, in secure data centers.

  • Endpoint security won't matter. Using Intel hardware capabilities for isolation, businesses could shield sensitive data and user information from malware, while cleaning up residual data upon VM application termination. A business application does not have to care about the endpoint security profile if the application delivery system uses XenSource to isolate itself from the rest of the desktop.

  • Application delivery could drive security. If sensitive data is protected in the data center and at the endpoint, then businesses will focus on application delivery systems for the proper blend of performance and end-user capability. The ability to dynamically coordinate protocols and distribute processing between the centralized data center and the endpoint can become a real business enabler.

  • NAC could finally find its niche. Trying to manage endpoint profiles of unmanaged devices in a connected world is a fool’s errand. Application delivery systems need only check at connect time for the appropriate XenSource application agent VM, and then dynamically choose the application delivery method for optimal performance. If this approach can reduce the risk of unmanaged devices, then handling managed devices becomes easy.

Virtualized data centers are great, but end-user applications still need secure application delivery mechanisms to the endpoint. Citrix is nicely positioned to use its application delivery strengths to change the way that IT crafts its applications for safe and efficient business communications. Isn’t that what security is supposed to do?

— Eric Ogren is the principal analyst and founder of the Ogren Group, a firm specializing in consulting services for security vendors. Ogren's background includes more than 15 years of enterprise security experience with both the Yankee Group and Enterprise Strategy Group. Ogren has also served in a variety of senior positions at vendors including Tizor, Okena, RSA Security, and Digital Equipment. Special to Dark Reading.