Technical security overview

The Analytics service hosted in Citrix Cloud collects data across Citrix portfolio products and third-party products. These products are called data sources. Citrix Analytics supports both cloud and on-premises data sources. The information in this document applies to Citrix Analytics and its data sources.

Data flow

Citrix Analytics automatically discovers the Citrix Cloud data sources that customers are subscribed to. On-premises data sources, however, require additional configuration to integrate with Analytics. For example, you have to add your on-premises Citrix Virtual Apps and Desktops Sites to Citrix Workspace before Analytics can discover the Sites. Similarly, on-premises Citrix Gateway requires you to configure a Citrix ADM agent. For more information on enabling Analytics on the data sources, see Enable Analytics on Citrix data sources.

You can integrate a few third-party products such as Microsoft Graph Security and Microsoft Active Directory with Analytics. For more information, see the following topics:

Citrix Analytics can also send risk intelligence information to a customer-owned Splunk environment. This integration requires deploying and configuring the Citrix Analytics Add-on for Splunk on the Splunk environment. For more information, see Splunk integration.

Without customer consent, Citrix Analytics does not process any events received from the data sources. To process the events from the data sources, the Analytics administrator must enable data processing. For more information on data collection, storage, and retention by Analytics, see Data governance.

Network requirements

Identity and access management

  • To access Analytics, you must use your Citrix Cloud account. By default, Citrix Cloud uses the Citrix Identity provider to manage the identity information for all users in your Citrix Cloud account. You can also use other identity providers as mentioned in Identity and access management.

  • Citrix Analytics supports delegated administrator permissions. You can assign a read-only admin permission to a user to manage Analytics in your enterprise. For more information, see Delegated administrators.

Data residency

Citrix Cloud manages the control plane for Citrix Analytics. Data received from the data sources are stored in multiple Microsoft Azure environments. These environments are located in the United States and the European Union regions. The storage location depends on the home region selected by the Citrix Cloud administrators when onboarding their organizations to Citrix Cloud. For more information, see the following topics:

Data protection

Citrix Analytics receives data from the subscribed Citrix Cloud data sources, on-premises data sources, and the third-party products. Analytics does not process the received data unless the customer has a Citrix Cloud entitlement and the Analytics administrator has explicitly enabled data processing for each of the subscribed data sources.

Citrix Analytics protects the customers’ data using the following security measures:

  • Citrix Cloud authentication for the Analytics users. For information, see Identity and access management.

  • Tenant-based data access controls enforced by the Data Service and Data Access Layer.

  • Strong data isolation per customer or tenant in all data stores in the data lake and data warehouse.

  • TLS-encrypted data transfer between the various microservices and data stores, applicable for the public endpoints (APIs/inputs/outputs) of the platform and within the platform.

  • High standards in TLS endpoints. TLS 1.0 and TLS 1.1 are disabled.

  • Encrypted data storage using encryption keys and secrets that are stored in appropriate key vaults.

  • Strong user management access controls for service operations and support while protecting customer logs.

  • Vulnerability scanning, intrusion detection, anti-malware, and rootkit scanning, used along with Azure Security Center.
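
A check for the TLS policy listed above, as an added example (not Citrix code): it pins a client to one protocol version at a time and reports any endpoint that still accepts TLS 1.0 or 1.1. The host name is a placeholder because this page lists no endpoints, and the function names are this example's own.

```python
import socket
import ssl
import warnings

LEGACY = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)    # must be refused
MODERN = (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)


def pinned_context(version):
    """Client context that can negotiate exactly one protocol version."""
    ctx = ssl.create_default_context()
    with warnings.catch_warnings():
        # Python warns when TLS 1.0/1.1 are selected; that is intended here.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = version
        ctx.maximum_version = version
    return ctx


def probe(host, port, version, timeout=5.0):
    """Return True if the endpoint accepts a handshake at `version`."""
    try:
        ctx = pinned_context(version)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except ssl.SSLCertVerificationError:
        # The certificate is checked after the version is agreed, so the
        # server did accept this protocol version.
        return True
    except (OSError, ValueError):
        # Handshake alert, refused connection, or version not in this build.
        return False


def audit(host, port=443, prober=probe):
    """Return ({version name: accepted}, [legacy versions still accepted])."""
    results = {v.name: prober(host, port, v) for v in LEGACY + MODERN}
    violations = [v.name for v in LEGACY if results[v.name]]
    return results, violations


if __name__ == "__main__":
    # Placeholder host (assumption): substitute an endpoint you administer.
    print(audit("analytics-endpoint.example.invalid"))
```

A refusal of TLS 1.0 or 1.1 can also come from the local OpenSSL build, which may not offer those versions at its default security level, so confirm a clean result with a client known to support them.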

As with all Citrix Cloud services, data collection is strictly subject to the End User Service Agreement (EUSA). For more information, see the following agreements:

Security responsibility

Citrix responsibility

Citrix is responsible for securing all infrastructure and data residing on the Citrix-managed cloud environments that host Citrix Analytics. Citrix is responsible for applying regular software updates and patches on the cloud environment to address security vulnerabilities.

Customer responsibility

Citrix customers are responsible for securing their data sources, policy enforcement points, and Security Information and Event Management (SIEM) systems that are integrated with Citrix Analytics, which include:

  • On-premises data sources owned and managed by customers:

    • On-premises data sources: Citrix Gateway, Citrix Virtual Apps and Desktops, Microsoft Active Directory

    • SIEM: Splunk and any other third-party products that use the Kafka brokers to read events from Citrix Analytics.

  • Customer-provided administrator credentials for managing Citrix Cloud services, including Citrix Analytics.

  • Customer-owned administrator accounts that receive emails or notifications from Citrix Cloud services.

  • Customer-provided administrator credentials for deploying and integrating agents such as Citrix ADM agents and the Analytics policy agent. Access to these agents must be restricted because they store the keys locally to communicate with Citrix Analytics.

  • Citrix Analytics-generated credentials for configuring Citrix Analytics Add-on for Splunk.

  • End-user devices running Windows, Mac, Android, or iOS that connect to Citrix Cloud or Citrix Workspace and are integrated with data sources.

For more information on security provisions, see the following documents: