Technical security overview
The Analytics service hosted in Citrix Cloud collects data across Citrix portfolio products and third-party products. These products are called data sources. Citrix Analytics supports both cloud and on-premises data sources. The information in this document applies to Citrix Analytics and its data sources.
Citrix Analytics automatically discovers the Citrix Cloud data sources that are subscribed to the customers. But the on-premises data sources require extra configuration to integrate with Analytics. For example, you have to add your on-premises Citrix Virtual Apps and Desktops Sites to Citrix Workspace before Analytics can discover the Sites. Similarly, on-premises Citrix Gateway requires you to configure a Citrix ADM agent. For more information on enabling Analytics on the data sources, see Enable Analytics on Citrix data sources.
You can integrate a few third-party products such as Microsoft Graph Security and Microsoft Active Directory with Analytics. For more information, see the following topics:
Citrix Analytics can also send risk intelligence information to a customer-owned Splunk environment. This integration requires deploying and configuring Citrix Analytics Add-on for Spunk on the Splunk environment. For more information, see Splunk integration.
Without customer consent, Citrix Analytics does not process any events received from the data sources. To process the events from the data sources, the Analytics administrator must enable data processing. For more information on data collection, storage, and retention by Analytics, see Data governance.
Citrix Cloud services requirements: To use the Citrix Cloud services, you must be able to connect to the required Citrix addresses through the HTTPS port 443. For more information, see Internet Connectivity requirements.
Citrix Analytics requirements: Review the system requirements before using Analytics. In addition to the Citrix Cloud requirements, the following endpoint addresses must be accessible through the HTTPS port 443 to use the Analytics service.
Endpoint US region EU region Admin UI
Admin UI (Demo site)
Not Available API micro services
Get Public IP
Event Hub (Not applicable for Citrix ADM agent)
Event Hub (For Citrix ADM agent)
Citrix Analytics has discontinued the support for TLS 1.0 and TLS 1.1 for most of the preceding endpoints.
Citrix Cloud Connector installation: Some data sources such as Citrix Endpoint Management, Citrix Virtual Apps and Desktops, and Microsoft Active Directory require you to install a Citrix Cloud Connector on your resource location. The Citrix Cloud Connector is a communication channel between Citrix Cloud and your resource locations. After installing the Citrix Cloud Connector, you must configure the web proxy settings. For more information, see Cloud Connector Proxy and Firewall Configuration.
Citrix Analytics endpoint for Splunk: To integrate Analytics with your Splunk environment, you must configure the Citrix Analytics add-on for Splunk. The add-on connects to the following endpoints on Citrix Analytics:
Endpoint US region EU region Kafka brokers
Identity and access management
To access Analytics, you must use your Citrix Cloud account. By default, Citrix Cloud uses the Citrix Identity provider to manage the identity information for all users in your Citrix Cloud account. You can also use other identity providers as mentioned in Identity and access management.
Citrix Analytics supports delegated administrator permissions. You can assign a read-only admin permission to a user to manage Analytics in your enterprise. For more information, see Delegated administrators.
Citrix Cloud manages the control plane for Citrix Analytics. Data received from the data sources are stored in multiple Microsoft Azure environments. These environments are located in the United States and the European Union regions. The storage location depends on the home region selected by the Citrix Cloud administrators when onboarding their organizations to Citrix Cloud. For more information, see the following topics:
Citrix Analytics receives data from the subscribed Citrix Cloud data sources, on-premises data sources, and the third-party products. Analytics process the received data only if the customer has a Citrix Cloud entitlement and the Analytics administrator has explicitly enabled data processing for each of the subscribed data sources.
Citrix Analytics protects the customers’ data using the following security measures:
Citrix Cloud authentication for the Analytics users. For information, see Identity and access management.
Tenant-based data access controls enforced by the Data Service and Data Access Layer.
Strong data isolation per customer or tenant in all data stores in the data lake and data warehouse.
TLS-encrypted data transfer between the various micro services and data stores, applicable for the public endpoints (APTs/inputs/outputs) of the platform and within the platform.
High standards in TLS endpoints. TLS 1.0 and TLS 1.1 are disabled.
Encrypted data storage using encryption keys and secrets that are stored in appropriate Key Vaults.
Strong user management access controls for service operations and support while protecting customer logs.
Vulnerability scanning, intrusion detection, anti-malware, rootkit scanning used along with Azure Security Center.
As with all Citrix Cloud services, data collection is strictly subject to the End User Service Agreement (EUSA). For more information, see the following agreements:
Citrix is responsible for securing all infrastructure and data residing on the Citrix-managed cloud environments that host Citrix Analytics. Citrix is responsible for applying regular software updates and patches on the cloud environment to address security vulnerabilities.
Citrix customers are responsible for securing their data sources, policy enforcement points, and Security Information and Event Management (SIEM) systems that are integrated with Citrix Analytics, which include:
On-premises data sources owned and managed by customers:
On-premises data sources: Citrix Gateway, Citrix Virtual Apps and Desktops, Microsoft Active Directory
SIEM: Splunk and any other third party products that use the Kafka brokers to read events from Citrix Analytics.
Customer-provided administrator credentials for managing Citrix Cloud services, including Citrix Analytics.
Customer-owned administrator accounts that receive emails or notifications from Citrix Cloud services.
Customer-provided administrator credentials for deploying and integrating the agents such as Citrix ADM agents, Analytics policy agent. Access to these agents must be restricted because they store the keys locally to communicate with Citrix Analytics.
Citrix Analytics-generated credentials for configuring Citrix Analytics Add-on for Splunk.
End user devices running on Windows, Mac, Android, iOS to connect to Citrix Cloud or Citrix Workspace and integrated with data sources.
For more information on security provisions, see the following documents: