
Enabling mobile work while ensuring network security & data privacy

Date post: 13-Apr-2017
Upload: gotomypc

Citrix GoToMyPC Corporate for secure remote access

White paper


Executive Summary

Workplace mobility is on the rise as more organizations explore the advantages of enabling employees to work anytime, anywhere. If your company hasn’t adopted a mobile work strategy yet, the request from management is likely on its way. If, however, you already have a mobile or remote work program in place, you are well aware of the return on investment that mobility provides — from increased employee productivity and organizational agility to the ability to attract and retain top talent and much more.

Of course, enabling mobility means that you have to provide employees with remote access to office computers, which naturally invites the question: Does remote access infringe on corporate security?

This paper explores how Citrix® GoToMyPC® Corporate protects the integrity of the corporate network and the privacy of sensitive data by providing full spectrum security. As secure as online banking, GoToMyPC Corporate was created with government-grade data encryption and always ensures full user control.

How it works

GoToMyPC Corporate enables secure browser-based access to any Internet-connected Windows PC. Keyboard, mouse and display updates are transmitted over a highly compressed, encrypted stream, yielding a “like being there” experience over broadband and impressive performance over dial-up. Applications supported by GoToMyPC Corporate include:

• Screen Sharing: Launch a resizable Viewer from any browser to enable interactive access to any desktop application (even those that are not Web based).

• File Transfer: Drag and drop files, folders and directories — including fileshares — between the host Viewer and local client computer.

• Remote Printing: Print from the host Viewer to a local client printer.

Figure 1: GoToMyPC Corporate communication architecture.


GoToMyPC Corporate is a hosted service made up of four components:

• Computer: A small footprint server is installed on the computer to be accessed. Typically, this is a home or office PC with always-on Internet access. This server registers and authenticates itself with Citrix Online’s GoToMyPC broker.

• Browser: On the client side, the remote or mobile worker launches a Web browser, visits the secure GoToMyPC Web site, enters a username/password and clicks a “connect” button for the desired computer, sending an SSL-authenticated, encrypted request to the broker.

• Broker: The broker is a matchmaker that listens for connection requests and maps them to registered computers. When a match occurs, the broker assigns the session to a communication server. Next, the client viewer — a tiny session-specific executable — is automatically loaded by the browser’s Java Virtual Machine. The GoToMyPC Viewer runs on any computer with a Java-enabled browser, including many wireless devices.

• Communication Server: The communication server is an intermediate system that relays an opaque and highly compressed encrypted stream from client to server for the duration of each GoToMyPC Corporate session.

Figure 2: GoToMyPC Corporate enables total control of remote access.

“The security features of GoToMyPC Corporate are head and shoulders above other standalone remote-access products.”

Ross McKenzie, Director of Information Systems, Johns Hopkins Bloomberg School of Public Health

[Figure 2 labels: Unlimited Remote Access; PocketView™ Access; Collaboration; Security; Security Settings; Authentication; End Point Management; Monitoring & Reporting; User Control; User Management; Password Change Enforcement; Host Security Settings; Failed Log-In Lockout; Hours of Access; One-Time Password; Two-Factor Authentication; Host Authorization; Client Authorization; NT Log; Enabled Hosts; Snapshot; User Detail; Feature Configuration; Company Detail; Real-Time User Control; Feature Access Control; User PC Limit; Web-Based Admin; Shared Access.]


Remote access designed for corporate users

The success of your business requires absolute security and control of information, systems and users. Unfortunately, most consumer remote-access solutions do not offer the level of security required for corporate users. GoToMyPC Corporate, however, was created with IT concerns at the forefront, thus ensuring corporate network security, data privacy and complete control of remote-access users. GoToMyPC Corporate provides corporate-level security that is essential for fully protecting your organization while enabling remote access.

Enabling network security & data privacy

Protecting the integrity of the corporate network and the privacy of sensitive data is of utmost concern to any organization. GoToMyPC Corporate employs the same data encryption standards as the U.S. Government and is as secure as online banking, which requires a similar Web-based exchange of confidential data. With GoToMyPC Corporate, remotely accessing the corporate network – just like a bank account – should be a convenience that in no way compromises security.

Here’s how GoToMyPC Corporate safeguards network security and data privacy:

No Firewall Configuration Necessary: GoToMyPC Corporate is firewall friendly. It generates only outgoing HTTP/TCP to ports 80, 443 and/or 8200. Because most firewalls are already configured to permit outgoing Web traffic, there’s no bypassing the corporate or branch office firewall or the remote worker’s firewall to implement secure remote access with GoToMyPC Corporate.

Many other solutions require servers to receive incoming packets at a public IP address. The GoToMyPC Corporate host establishes a persistent TCP connection to the GoToMyPC broker (poll.gotomypc.com) that allows it to be notified if any connect requests have been received. The host will attempt to keep the connection open by sending TCP “keep alive” packets approximately every 60 seconds. This makes GoToMyPC Corporate completely compatible with application proxy firewalls, dynamic IP addresses and network/port address translation (NAT/PAT).

And while GoToMyPC Corporate is firewall friendly, you won’t forfeit control over use of your company’s remote-access services. Companies can control GoToMyPC Corporate traffic by simply blocking traffic sent to the GoToMyPC broker’s IP address. Upon request, Citrix Online will filter GoToMyPC Corporate connections made to a company’s network address block, ensuring that only company-authorized computers can be accessed by company-authorized users. This permits a company’s visitors to use GoToMyPC Corporate to reach their own off-site computers while preventing unauthorized use of GoToMyPC Corporate to access a company’s own computers.
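Because the host only makes outbound connections to the broker, egress logs are where an IT team can see which machines are running it. The following is an added example, not part of the white paper or Citrix code: it scans flow records for connections to the broker hostname and ports named above and lists machines that are not on an approved list. The record layout, the sample records and the approved list are constructed assumptions.

```python
BROKER = "poll.gotomypc.com"      # broker hostname named in the paper
GTMPC_PORTS = {80, 443, 8200}     # outbound ports named in the paper

# Constructed sample egress flow records (assumed layout):
# start_time  source_ip  destination_host  destination_port  duration_seconds
SAMPLE_FLOWS = """\
2024-03-04T09:00:01 10.1.4.22 poll.gotomypc.com 443 28800
2024-03-04T09:00:05 10.1.4.57 www.example.org 443 12
2024-03-04T09:02:11 10.1.7.90 poll.gotomypc.com 8200 14400
2024-03-04T09:03:40 10.1.4.22 updates.example.net 80 3
2024-03-04T09:05:02 192.168.50.14 POLL.GOTOMYPC.COM. 80 600
this line is malformed and is skipped
"""

def broker_connections(flow_text):
    """Map each source IP that reached the broker to its ports and longest flow."""
    hosts = {}
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[3].isdigit() or not fields[4].isdigit():
            continue  # skip malformed records
        _, src, dst, port, duration = fields
        # Normalise case and a trailing dot so "POLL.GOTOMYPC.COM." still matches
        if dst.lower().rstrip(".") != BROKER or int(port) not in GTMPC_PORTS:
            continue
        entry = hosts.setdefault(src, {"ports": set(), "longest_s": 0})
        entry["ports"].add(int(port))
        entry["longest_s"] = max(entry["longest_s"], int(duration))
    return hosts

def unapproved_hosts(flow_text, approved):
    """Source IPs holding broker connections that IT has not authorized."""
    return sorted(ip for ip in broker_connections(flow_text) if ip not in approved)

if __name__ == "__main__":
    approved = {"10.1.4.22"}  # constructed list of authorized host PCs
    for ip in unapproved_hosts(SAMPLE_FLOWS, approved):
        info = broker_connections(SAMPLE_FLOWS)[ip]
        print(ip, sorted(info["ports"]), f"{info['longest_s']}s")
```

A long-lived flow to the broker is consistent with the persistent host connection described above, so the longest duration per source is kept for triage.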

Data Privacy: GoToMyPC Corporate employs 128-bit Advanced Encryption Standard (AES) encryption of all data. AES is the standard used by the National Institute of Standards and Technology (NIST), as well as the U.S. Government. Moreover, GoToMyPC Corporate’s tough security protocol satisfies both government regulatory compliance and HIPAA compliance for its clients.

100-Percent Privacy: Although GoToMyPC communication servers relay traffic between the client browser and host computer, these packets are encrypted. Citrix Online cannot decipher this traffic because it does not possess the access code used to generate encryption keys. Even if a hacker were to gain access to Citrix Online’s servers, computer access codes are not stored there and individual session traffic is not recorded, so live-session traffic cannot be compromised.

Strong Encryption Keys: Even a strong cipher is vulnerable if it does not use strong, confidential encryption keys. That’s why for each connection, GoToMyPC Corporate generates unique secret keys derived using a zero-knowledge, public-key-based protocol called SRP. The access code verifier resides on the computer in encrypted format and is never transmitted to or stored on Citrix Online servers. Would-be hackers cannot intercept or generate the keys necessary to decode encrypted data.
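To make the SRP claim concrete, here is an added sketch of a generic SRP-6a style exchange; it is not GoToMyPC's implementation, and the paper gives none of its parameters. The group, hash and function names are assumptions, and the modulus is a toy value chosen only so the example stays readable.

```python
import hashlib
import secrets

# Toy group, for illustration only: 2**127 - 1 is prime but far too small and
# not a safe prime. Real SRP deployments use large standardized groups.
N = 2**127 - 1
g = 3

def H(*parts) -> int:
    """SHA-256 over length-prefixed ints/bytes/strings, returned as an int."""
    h = hashlib.sha256()
    for p in parts:
        if isinstance(p, int):
            p = p.to_bytes((p.bit_length() + 7) // 8 or 1, "big")
        elif isinstance(p, str):
            p = p.encode()
        h.update(len(p).to_bytes(4, "big") + p)
    return int.from_bytes(h.digest(), "big")

k = H(N, g)  # SRP-6a multiplier

def make_verifier(access_code: str):
    """Run once on the host PC: only (salt, verifier) is stored, not the code."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, H(salt, access_code), N)

def srp_session(typed_code: str, salt: bytes, verifier: int):
    """One exchange. Returns (client_key, host_key, messages_seen_by_relay)."""
    a = secrets.randbelow(N - 2) + 1            # client ephemeral secret
    b = secrets.randbelow(N - 2) + 1            # host ephemeral secret
    A = pow(g, a, N)                            # sent client -> host
    B = (k * verifier + pow(g, b, N)) % N       # sent host -> client
    u = H(A, B)                                 # public scrambling value
    if A % N == 0 or B % N == 0 or u == 0:
        raise ValueError("invalid public value, abort the handshake")
    x = H(salt, typed_code)                     # derived from what the user typed
    s_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    s_host = pow(A * pow(verifier, u, N) % N, b, N)
    return H(s_client), H(s_host), {"salt": salt, "A": A, "B": B}

if __name__ == "__main__":
    salt, v = make_verifier("constructed-access-code")
    ck, hk, wire = srp_session("constructed-access-code", salt, v)
    print("keys match:", ck == hk, "| relay saw only:", sorted(wire))
```

The relay in the middle sees only the salt and the two public values; the access code and the session key never cross the wire, and a wrong access code yields mismatched keys.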

Multiple Passwords: With GoToMyPC Corporate, two passwords are required for remote access. Users must authenticate using a password with the GoToMyPC Web site, as well as the host computer.

“GoToMyPC Corporate meets our very tough security requirements.”

Shirley Scott, IT Operations Manager, Texas Department of Family and Protective Services


Strong Passwords: GoToMyPC Corporate requires that every password be at least eight characters long and contain both letters and numbers. This requirement helps to prevent accounts from being configured with short, common passwords that are easily compromised with a dictionary attack. The longer and more complex the password, the stronger the protection. With GoToMyPC Corporate, administrators can set password expiration, as well as update and reuse rules, to align with existing corporate password policies.

Two-Factor Authentication: Companies that have already deployed RSA SecurID two-factor authentication can easily use that added protection with GoToMyPC Corporate. To enable SecurID authentication, a computer must be configured with names of the company’s own RSA Server(s). Thereafter, a user supplying the correct access code will be required to enter the value currently displayed by his or her SecurID token. That value changes constantly, preventing access by anyone who does not have the token in his or her physical possession. Two-factor authentication is a proven method, widely used to strengthen remote access to enterprise networks. GoToMyPC Corporate integrates seamlessly with a company’s existing SecurID infrastructure, without requiring complex configuration or delegation of trust to Citrix Online servers.

One-Time Passwords: GoToMyPC Corporate gives administrators the option of combining the access code with One-Time Passwords. To enable One-Time Passwords authentication, the user clicks a button to generate a list of passwords from the computer to be accessed. When initiating future connections, a user who supplies the correct access code will be prompted for a numbered password from this list. Each password is used for a single connection, and the user can cancel or regenerate the list at any time. One-Time Passwords provide a simple method for achieving stronger authentication without added infrastructure.

TRUSTe Licensee: Citrix Online is a TRUSTe licensee, adheres to established TRUSTe privacy principles and has agreed to comply with the TRUSTe oversight and consumer-resolution process.

Inactivity Time-Outs: There is, of course, the potential for users to walk away from public PCs without logging out or to leave home PCs unattended. GoToMyPC Corporate addresses these user vulnerabilities by applying inactivity time-outs. Users are automatically logged out of the GoToMyPC Web site if the SSL connection is inactive for several minutes. Users can also configure the Viewer to time out after a period of inactivity, subject to limits set by the administrator. Additionally, host security features allow users to blank the host screen and lock the host keyboard and mouse from accepting input. GoToMyPC Corporate also enables administrators to require use of these security features (e.g., setting a maximum time-out or preventing user modification).

User Access Control: GoToMyPC Corporate gives administrators full control of all levels of user access. Administrators can configure user account parameters to meet organizational needs, implement corporate security policies and support privacy mandates. Moreover, administrators can limit access by users or groups to specific features such as File Transfer, Clipboard Sharing and Remote Printing. Administrators can also enforce password update frequency and reuse policies, limit time-out periods, lock accounts and computers after authentication failure and mandate use of One-Time Passwords or RSA SecurID two-factor authentication. Fine control over these settings allows administrators to match corporate security policies, and customizable multi-level groups enable enterprise-wide policy enforcement and rapid update, even in very large deployments.

Inviting and Canceling User Accounts: Only the administrator is authorized to create new user accounts and groups. A customizable email message containing instructions and a one-time self-activation URL is then sent to each invited user. The new user visits this URL, defines his or her own password and then adds computers to his or her own account. The administrator can limit the number of computers available to each user and can require explicit administrative authorization of both host PCs and client viewer systems. In addition, an administrator can prevent non-permitted GoToMyPC Corporate access by limiting host computers within a network to a specific GoToMyPC Corporate account. The GoToMyPC Corporate Administration Center can also be used to check the activation status for individuals and groups. Controls are available to temporarily suspend or permanently delete any user or group account. These approaches streamline large-scale deployment while retaining enterprise control over remote-access authorization and end-user privacy and accountability.

Monitoring Usage: Administrators can view connections for any given day and end active connections immediately. The Administration Center can also be used to generate and archive reports for specific dates and date ranges that provide details on users, connection time and average connection duration. Administrators can generate additional reports to evaluate data such as enabled users; the features enabled for each user/group; hours of access; last log-in time; or the frequency of failed log-in attempts. These standard reports can be analyzed to spot unusual access patterns, including exceptionally long connections and unexpected client IP addresses. They also serve as audit trails, making it possible to see who accessed a particular computer at a particular time.
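The two patterns named above, exceptionally long connections and unexpected client IP addresses, can be checked mechanically once a report is exported. This is an added example, not a GoToMyPC report format or tool: the CSV columns, the sample rows, the per-user expected networks and the thresholds are all constructed assumptions.

```python
import csv
import io
import ipaddress
import statistics

# Constructed sample connection report; column names are assumptions.
REPORT = """\
user,host_pc,client_ip,start,minutes
alice,ALICE-DESK,198.51.100.10,2024-03-04T08:55,42
alice,ALICE-DESK,198.51.100.10,2024-03-05T09:02,38
alice,ALICE-DESK,198.51.100.23,2024-03-06T08:47,51
alice,ALICE-DESK,203.0.113.77,2024-03-07T02:14,45
bob,BOB-LAB,192.0.2.8,2024-03-04T13:00,20
bob,BOB-LAB,192.0.2.8,2024-03-05T13:05,25
bob,BOB-LAB,192.0.2.8,2024-03-06T12:58,610
"""

# Constructed baseline: networks each user normally connects from.
EXPECTED_NETS = {"alice": ["198.51.100.0/24"], "bob": ["192.0.2.0/24"]}

def audit(report_text, expected_nets, long_factor=5, min_long_minutes=240):
    """Return (user, start, reason, detail) tuples for sessions worth review."""
    rows = list(csv.DictReader(io.StringIO(report_text)))
    durations = {}
    for r in rows:
        durations.setdefault(r["user"], []).append(int(r["minutes"]))
    findings = []
    for r in rows:
        user, minutes = r["user"], int(r["minutes"])
        ip = ipaddress.ip_address(r["client_ip"])
        nets = [ipaddress.ip_network(n) for n in expected_nets.get(user, [])]
        # A user with no baseline has every client address flagged.
        if not any(ip in n for n in nets):
            findings.append((user, r["start"], "unexpected client IP", r["client_ip"]))
        # "Long" means both long in absolute terms and far above the user's median.
        typical = statistics.median(durations[user])
        if minutes >= min_long_minutes and minutes > long_factor * typical:
            findings.append((user, r["start"], "exceptionally long connection",
                             f"{minutes} min"))
    return findings

if __name__ == "__main__":
    for finding in audit(REPORT, EXPECTED_NETS):
        print(*finding, sep=" | ")
```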

Citrix Online division

Product information: corp.gotomypc.com

Sales inquiries: [email protected] Phone: 1-888-646-0016

Media inquiries: [email protected] Phone: +1-805-690-2961

www.citrixonline.com

For more information on Citrix GoToMyPC, please visit corp.gotomypc.com

About Citrix Online

Citrix Online provides secure, easy-to-use online solutions that enable people to work from anywhere with anyone. Whether using GoToMyPC® to access and work on a remote PC, GoToAssist® to support customers or GoToMeeting® to hold online meetings and Webinars, our customers – more than 35,000 businesses and hundreds of thousands of individuals – are increasing productivity, decreasing travel costs and improving sales, training and service on a global basis. A division of Citrix Systems, Inc. (Nasdaq: CTXS), Citrix Online is based in Santa Barbara, California. For more information, visit www.citrixonline.com or call +1-805-690-6400.

©2009 Citrix Online, LLC. All rights reserved. Citrix® is a registered trademark of Citrix Systems, Inc., in the United States and other countries. GoToMyPC®, GoToAssist® and GoToMeeting® are trademarks or registered trademarks of Citrix Online, LLC, in the United States and other countries. All other trademarks and registered trademarks are the property of their respective owners.

18718/1.08.09/PDF

Conclusion

Workplace mobility is well on its way to becoming a standardized business process. And as more companies adopt mobile work strategies, finding remote-access solutions that guarantee corporate-level security will be top of mind for IT managers. GoToMyPC Corporate provides corporate-level security that is essential for fully protecting your organization while enabling remote access. That’s security you can count on — without question and without compromise.

To learn more about secure remote access with GoToMyPC Corporate, please call 1-888-646-0016. If you are calling from outside the U.S., dial +1-805-690-5780.

A Division of Citrix Systems, Inc.
