White Paper
citrix.com 3
End-To-End Encryption with XenApp and XenDesktop
Protecting sensitive data often requires end-to-end encryption,
meaning that data is encrypted from the point of service to
the final point of termination, with no intervening decryption.
This is in response to trends that include regulatory compliance,
privacy legislation, contractual policies and vulnerability
mitigations. These trends mean that many organizations need
urgently to migrate to the use of TLS 1.2, and to manage cipher
suites closely.
This white paper describes when and where to implement encryption, how to select encryption
protocol options, and explains where to find detailed configuration guidance for the
components of Citrix XenApp, XenDesktop, and NetScaler Gateway. It also discusses encryption
in the cloud and in the Internet of Things, and the future direction of cryptography.
Most organizations now do not attempt to retain full control over use of corporate networks,
as these networks often extend beyond organizational and management boundaries. Instead,
they segment networks according to use cases and security levels (for example, segmenting
less-trusted wireless networks available to visitors from more-trusted datacenter networks).
Meanwhile, organizations have also realized that the insider threat is greater than previously
believed. These threats can be perpetrated by malicious insiders, honest mistakes, and
misconfigurations. Staff who are tricked by spear-phishing attacks, and “trusted” network
devices already compromised by external attacks, clearly illustrate an insider threat that
simulates—but does not require—a rogue individual. Attackers are motivated to attack
corporate networks not just to obtain corporate assets, but also personal data that can
be used against individuals for identity theft or spear phishing.
The combination of disruptive forces—motivated insider threats on less trusted networks—means
that data must be protected by end-to-end encryption not just when crossing the Internet, but
also when traversing corporate networks. This is reflected in recent regulatory requirements,
including updates to the PCI Data Security Standard. With end-to-end encryption, data is
protected throughout the data lifecycle, including data at rest, data in transit, and data in use.
However, blanket use of end-to-end encryption is not always an effective approach, due in part
to needs for content inspection, logging, and traffic management. This white paper explains a
prescribed use of end-to-end encryption with XenApp and XenDesktop, with specific details for
configuring the Transport Layer Security (TLS) protocol.
This white paper builds on the guidance in the white paper “Getting Started with Citrix XenApp
and XenDesktop Security”, including the representative deployment described
there. This paper is designed to meet the needs of security specialists, systems integrators,
and consultants designing, deploying, and securing Citrix deployments.
SSL and TLS
The TLS (Transport Layer Security)
protocol has superseded SSL.
Although many products support
both SSL and TLS, and the term
“SSL” is often used to describe
both, the difference between
SSL and TLS is crucial.
Use TLS. SSL is no longer secure.
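The two points made above, migrating to a TLS 1.2 floor and managing cipher suites closely, are easy to state and easy to get wrong in a concrete client or server configuration. The following Python script is an added example, not code from this white paper or from any Citrix component: it builds one TLS context that enforces TLS 1.2 as the minimum version with a curated, forward-secret AEAD cipher list, builds a second context left at library defaults for comparison, and audits both for what they would actually offer. The list of “weak” name markers and the chosen OpenSSL cipher string are assumptions made for the example, not a Citrix-recommended policy; the audit runs offline against the local OpenSSL build and opens no connections.

```python
"""Audit a TLS configuration against a 'TLS 1.2 floor, curated suites' policy (added example)."""
import ssl

# OpenSSL cipher-name fragments that mark suites a TLS 1.2 migration should retire.
# This list is an assumption made for the example, not Citrix's own policy.
WEAK_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "EXP-", "MD5", "ADH", "AECDH")


def is_weak_cipher(name: str) -> bool:
    """Return True if the OpenSSL cipher name carries any retired-algorithm marker."""
    upper = name.upper()
    return any(marker in upper for marker in WEAK_MARKERS)


def hardened_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2 and offers only ECDHE + AEAD suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # certificate and hostname checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # SSL 3.0, TLS 1.0 and TLS 1.1 are never negotiated
    # ECDHE key exchange with AES-GCM or ChaCha20-Poly1305; explicitly drop anonymous,
    # pre-shared-key, MD5, RC4 and 3DES suites. TLS 1.3 suites are governed separately by OpenSSL
    # and remain available. The exact string is an assumption for this example.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!PSK:!MD5:!RC4:!3DES")
    return ctx


def legacy_context() -> ssl.SSLContext:
    """'Before' case: version floor left at library defaults, cipher list as broad as the build allows."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL:!aNULL")   # whatever the linked OpenSSL still ships, CBC and SHA-1 suites included
    return ctx


def audit(ctx: ssl.SSLContext) -> dict:
    """Summarise what a context would advertise: version floor, retired suites, and suite count."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return {
        "min_version_ok": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "weak_ciphers": sorted(n for n in names if is_weak_cipher(n)),
        "offered": len(names),
    }


if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_context()), ("hardened", hardened_context())):
        report = audit(ctx)
        print(f"{label:9s} TLS>=1.2: {report['min_version_ok']}  suites offered: {report['offered']}")
        for name in report["weak_ciphers"]:
            print(f"          retired suite still offered: {name}")
```

What the legacy context reports depends on the local OpenSSL build and its system configuration file, which is exactly the point: a configuration that does not pin the version floor and the cipher list inherits whatever the library and platform defaults happen to be, and those defaults change from host to host. The hardened context yields the same answer everywhere the script runs, which is the property a TLS 1.2 migration needs.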