Citrix last month significantly expanded its business with the $500 million acquisition of XenSource, which makes tools to help companies virtualize applications and storage. Much has been said in the aftermath of the deal, but many people are still overlooking a critical aspect of the Citrix-XenSource merger: security.
Citrix is now well positioned to take advantage of the growth driven by disruptive vendors and technologies such as VMware, Cisco, and Intel's vPro. There is no free lunch; Citrix still has to execute brilliantly, but it has good tools to work with.
Many security pros are fans of desktop virtualization, because it allows applications to execute in a secure data center instead of on untrusted endpoints. Endpoints, whether customer or business partner devices, open holes that security teams sometimes find impossible to plug. It is all too easy for an untrusted home PC to store working copies of confidential data, keep sensitive information in temporary buffers, or record username and password keystrokes via spyware.
In centralized environments, however, application delivery technology can be deployed to handle authentication requirements and to display the application for the end user as if it were running locally. In healthcare and finance environments, I often see an integrated chain of tools that work together to create this centralized environment:
- A VMware-based virtual datacenter that keeps data in the data center. The endpoint is the weakest link, so the enterprise reduces its risk by never storing data on the endpoint. It is an effective and compelling technique.
- Thin clients supporting Citrix Presentation Server, Microsoft Terminal Server, SSL-driven application servers, or even Sun's SunRay X-terminal application. These thin clients give the user a "local" look and feel for the application. Use of a two-factor authentication token can reduce the risk of passwords being stolen due to poor endpoint security.
One of the problems with centralizing applications in a virtual data center is that some applications still need to execute locally to maximize performance. This processing might be required to correlate data from multiple sources, to allow the user access to data when disconnected from the network, or even to offer a secure environment to process compressed streamed multimedia content.
In a classic thin-client virtualized environment, there is a lot of underutilized processing power at the endpoints that could be put to use if the application delivery system had end-to-end intelligence.
Citrix isn't ready to divulge its plans for XenSource, but it's still fun to conjure up a few of the possibilities that could change traditional approaches to enterprise security:
- Virtual data centers could be used to protect the data. Citrix can lessen its dependency on VMware with a XenSource-based virtual data center. Organizations can keep the data in the data center, where it belongs, allowing the customer to dynamically choose among accelerated SSL, virtualized presentation services, or streaming applications. This approach could clear the way for customers to place more applications, and sensitive data, in secure data centers.
- Endpoint security won't matter. Using Intel hardware capabilities for isolation, businesses could shield sensitive data and user information from malware, while cleaning up residual data upon VM application termination. A business application does not have to care about the endpoint security profile if the application delivery system uses XenSource to isolate itself from the rest of the desktop.
- Application delivery could drive security. If sensitive data is protected in the data center and at the endpoint, then businesses will focus on application delivery systems for the proper blend of performance and end-user capability. The ability to dynamically coordinate protocols and distribute processing between the centralized data center and the endpoint can become a real business enabler.
- NAC could finally find its niche. Trying to manage endpoint profiles of unmanaged devices in a connected world is a fool's errand. Application delivery systems need only check at connect time for the appropriate XenSource application agent VM, and then dynamically choose the application delivery method for optimal performance. If this approach can reduce the risk of unmanaged devices, then handling managed devices becomes easy.
Virtualized data centers are great, but end-user applications still need secure application delivery mechanisms to the endpoint. Citrix is nicely positioned to use its application delivery strengths to change the way that IT crafts its applications for safe and efficient business communications. Isn't that what security is supposed to do?
Eric Ogren is the principal analyst and founder of the Ogren Group, a firm specializing in consulting services for security vendors. Ogren's background includes more than 15 years of enterprise security experience with both the Yankee Group and Enterprise Strategy Group. Ogren has also served in a variety of senior positions at vendors including Tizor, Okena, RSA Security, and Digital Equipment. Special to Dark Reading.