CUGC Blogs

Content Collaboration Made Easy with Citrix ShareFile and a Touch of Security (Part 1)

By Lyndon-Jon Martin posted 03-15-2018 12:02 AM

  

dtkhbpsf.690.jpg.png

In this the first blog post of a short series focused on Citrix ShareFile, I will cover what it is at a high level, the user experience, enabling IT to say 'yes' and the elephant in the room at the moment–its security capabilities. The primary focus of this post is to highlight the "Security" built into Citrix ShareFile, which comes out of the box as a SaaS-Style service from Citrix that often many individuals are simply just not aware of, and many of which have been available for several years now.

Before I get started, lets take a moment hit the pause button and think about how much "Security" could there actually be in Citrix ShareFile?

Introduction to Citrix ShareFile

ShareFile is a Simple, Secure Way to Collaborate, providing a better way to securely transfer content and enabling IT to say YES (sharing content externally). Therefore, enabling employees to distribute any content via secure web links, which ensure controlled consistent access to content (e.g., files & folders, images, videos, audio files, etc.), by enforcing organisational compliance when sharing content externally to collaborate with external teams or (trusted) 3rd parties in different locations or even geographies.

How does this concept of controlled consistent access work? It's achieved through the secure web link, calling home to your homed Citrix ShareFile control (mgmt.) plane either EU vs. US (e.g. https://citrix.sharefile.com/d/1-34-6789-bc-ef-h - I randomised a download example), which then enforces what the recipient(s) of the content are able to do by the sender or inherited enforced preferences set by IT within the organisation (e.g., they can view the content online only for one week or have unlimited downloads over the course of a full year).

Citrix ShareFile provides multiple security capabilities and combinations when securely sharing + collaborating on any content powered by https://www.sharefile.com or https://citrix.cloud.com, so be sure to throughly read through the "ShareFile Enterprise Security White Paper" -  https://www.sharefile.com/content/dam/sf/pdf/en/sharefile-enterprise-security-whitepaper.pdf, which contains a wealth of in-depth technical knowledge spanning traffic flows, architectural diagrams, and modern authentication (e.g., oAuth 2.0, mobile app security and so so so much more). Finally, be sure to also read the "ShareFile Security FAQ" available from Citrix Support at - https://support.citrix.com/article/CTX208317.

I am going to highlight a few key areas around Citrix ShareFile "Security" that have been in-place for several years now, this post is NOT about that EU compliance law that is coming into affect soon and what Citrix can do or talk about, just to be clear. The Citrix ShareFile security features and capabilities described below are already baked in and been consumed by Citrix customers today, well before anyone was talking about that four-lettered-named elephant in the room, therefore on that particular note, the Citrix ShareFile team has prepared a white paper on the subject which is available for download at - https://www.citrix.com/content/dam/citrix/en_us/documents/white-paper/gdpr-and-citrix-sharefile.pdf. Likewise, if this topic is of interest to you, please visit the Citrix microsite on the subject accessible at -https://www.citrix.com/it-security/gdpr.html. So now back to the "Security" topics of my post.

The Citrix ShareFile Security Experience for Users

In part 2+ of this series, I will look at the user experience in greater detail. But for now, I will touch and focus on the "Security" elements that Citrix ShareFile does really well without compromising the users' experience.

ShareFile Security UX Small


Citrix ShareFile provides customers with an Outlook plug-in - https://support.citrix.com/article/CTX207779 that allows either IT vs. Users to provide the right vs. relevant level of controlled consistent access to content that leaves their organisation as a secure web link. The above image (click to enlarge) depicts Outlook, which has the ability to request files from any individual with an e-mail address with a single click, or encrypt your e-mail message, attach files from any configured data repository (see Connectors) while deciding upon how the recipient of your content can interact with it (e.g., view it online only vs. limiting the number of downloads over one week to 10, etc.), and all users have the power to "Revoke Access" to any sent secure web links that they have sent themselves, by visiting their Sent items folder in Outlook, finding that particular e-mail, opening it up and clicking "Revoke Access."

If we now switch to a mobile experience using SecureMail by Citrix XenMobile, which integrates with Citrix ShareFile, it provides similar capabilties enabling secure web links within the body of your e-mail without attaching the content itself. This also frees up your mailbox and everyone else at the same time (happy exchange admins!). Finally, you have the same controls using the ShareFile mobile app to send content directly from within the app itself or request a secure web link or even initiate a workflow+.

ShareFile Security

ShareFile Control Plane + StorageZone Controllers

* Download the Citrix ShareFile Security White Paper and read through the listed pages:

  • Customer files are never processed, stored or transferred to or via the Citrix ShareFile SaaS application tier e.g EU vs. US control planes ref to page 7.

  • Citrix ShareFile provides two control planes EU vs. US enabling customers to choose where to be homed upon signing up to meet their own internal compliance and governance. For example, a customer may say, "I am only happy for my (optional encrypted) metadata to be hosted and held by Citrix within EU geographical boundaries," so you'd then choose the EU control plane to be homed.

  • Customer files are never processed, stored or transferred to any Citrix ShareFile control plane EU vs US. Citrix ShareFile therefore stores metadata about your content within your chosen control plane only which is "data that describes your data e.g content held within Citrix ShareFile" and is categorised into User info, File info and Other. Please refer to pages 7, 15-16 for a complete list. The below table provides just the simple basics and how Citrix ShareFile provides the means to (de)encrypt your metadata using a customer-owned encryption key with Customer-managed Restricted StorageZones - https://docs.citrix.com/en-us/storagezones-controller/5-0/restricted-storagezones.html. Or, if you make use of Citrix ShareFile cloud storage, you can make use of "Customer Managed Encryption Keys," so please refer to pages 29-31 and read CTX221241 Customer Managed Encryption Keys for Cloud Storage - https://support.citrix.com/article/CTX221241 for a how-to guide.

    Metadata Basics

    User Info First, Last Name; Email; ACL e.t.c
    File Info File Name; File Description; File Creation Date; ACL e.t.c
    Other Auditing & reporting e.t.c


  • Support for traditional (AD) and Modern Authentication techniques (e.g., SAML 1.0, available since 2014, and 2.0, pages 36-37) which has been supported for several years now. Today, Citrix ShareFile includes support for OAuth 2.0, pages 38-44. Citrix ShareFile also provides support for two-step verification, which utilises your phone to add an extra layer of security, which you can learn how to enable using the following CTX article - https://support.citrix.com/article/CTX208336. Citrix ShareFile also enables IT to assign the desired granular control to users through permissions against your account. For more details, please refer to https://support.citrix.com/article/CTX208423. While we are on the topic of users, it's important to understand the difference between employees vs. clients - https://support.citrix.com/article/CTX208467 in a Citrix ShareFile world.

  • The Citrix ShareFile architecture prevents forged requests by using Hash-based Message Authentication Codes or HMAC’s when uploading vs. downloading content which is encrypted and secured in transit via HTTPS connections between any ShareFile client (WebUI, Desktop, Outlook Plug-ins, Mobile apps) and your StorageZone Controllers (on-premsies vs. cloud) for any upload vs. download requests that are received for content. It is important to highlight that your content does not flow through any of the control planes EU vs. US as these secure HTTPS connections are always directly between the client initiating the request and the StorageZone Controller, which hosts the source content. Once the request has been validated by the chosen homed control plane described and referred to on page 9-10, which also covers encryption of data at rest between ShareFile clients vs. content stored on StorageZones Controllers using 128 bit encryption with SCKeys.txt (page 14), or customers can choose enable FIPS 140-2 mode against their StorageZone Controller - https://docs.citrix.com/en-us/storagezones-controller/5-0/manage-storagezone-controllers/enable-fips-140-2.html.

  • The Citrix ShareFile mobile apps for iOS - https://itunes.apple.com/gb/app/citrix-sharefile/id434391375?mt=8 and Android - https://play.google.com/store/apps/details?id=com.sharefile.mobile&hl=en_GB can be controlled with the call home capability against your account at either the EU vs. US control planes. The below table depicts some of these built-in security features and what Citrix XenMobile can offer to further strengthen the mobile security posture (which most organisations often are simply not aware of) that come straight Out Of the Box with Citrix ShareFile.

    MAM Capabilities for iOS & Android

    Provided by ShareFile ref *page 46 Jail-break detection; Wipe; Disable offline access; File self-destruct; Encrypt files at rest; Disable external applications; Session inactivity timeout e.t.c
    Provided by XenMobile + ShareFile ref *page 47-48 Wipe data after security event; Constrain clipboard (cut, copy & paste), external applications & URL Schemes; Block microphone, camera, email compose & screen capture; Require internal network; Application white list/ black list for MDM e.t.c

    So if you are a Citrix XenMobile customer, we can MAM enlighten your ShareFile app https://docs.citrix.com/en-us/xenmobile-apps/10/sharefile.html to further enforce stronger security features vs. capabilities, as described above, to meet even the strictest organisation requirements around your Unified End-point Management (UEM) and/or secure file sharing, workflow & collaboration strategies for today's modern secure digital workspaces. Finally, if you are a consumer of an alternative MDM solution, Citrix ShareFile has multiple integrations into leading major MDM vendors as well, so please reach out to your local Citrix partner or sales rep for help & support.

  • Auditing and reporting (page 29) is already available and baked-in to Citrix ShareFile capabilities since before I started delivering partner workshops, way back in Q2 of 2014. A sample of some of the provided reports include activity, usage, storage and permissions, which can be run on-demand vs. scheduled from the Web UI.

  • NetScaler Integration (pages 32-35), while optional as a proxy between the internet and your StorageZone Controllers in the trusted network, offers so much more around increasing your security posture, high availability and more. For me personally, its a 100% must-have for StorageZones Controller (SZC). The NetScaler load-balance requests with real-time status indicators; offload of TLS connections to the SZC are obvious efficiencies, validate URI signatures before forwarding messages to SZC and finally, ensure that only valid + authenticated requests from clients for content sat within the trusted network on SharePoint, or existing network shares can be accessed and securely shared via a secure web link.

  • Protecting your content in the wild can be achieved in a variety of different ways with Citrix ShareFile. I've already looked at mobile, in a virtual app & desktop world restrict the clipboard, local vs. remote HDD redirection policies (at a a glance) but what about corporate vs. BYO devices? The Citrix ShareFile Sync tool is often used to do exactly what the name implies, which is to sync your content to your local machine from the SZC. This can be a risk for some customers, so you can restrict the Sync tool from being consumed by non-standard corporate-built devices by configuring the Sync's tools access to a restricted key. A how-to guide is available at - https://support.citrix.com/article/CTX207680#CustConfig – search for "Customising sync access" to get started and to learn more. Finally, Citrix ShareFile provides Data Loss Prevention (DLP) integration including Information Rights Management (IRM), pages 22-24 for detailed information.

  • If your users utilise their own personal consumer SaaS-style versions of a secure file sharing service to do their day jobs, you could look to implement Citrix ShareFile's Connectors technologies - https://support.citrix.com/article/CTX208596 for on-premises vs. cloud. This allows users to determine how and where to store files. Note that there are two types of Connectors: on-premsies vs. cloud so please visit - https://support.citrix.com/article/CTX208593 to understand the differences between them, how-to configure and manage access to them as well.

How do I Demystify and Fully Understand Citrix ShareFile?

If you have found this post somewhat useful, relevant and you really want to become a ShareFile rockstar, you have a few options available to you:

I hope that you have found this post useful and insightful. 

Further Reading:

The HD Content Workspace for External Real-Time Collaboration, Touching on the User Experience (Part 2)

Hello Citrix (ShareFile) Content Collaboration + Files (Part 3)

The views expressed here are my own and do not necessarily reflect the views of Citrix.


#ShareFile
#Security
#CTA