RSA Secured Implementation Guide for RSA DLP Endpoint VDI

Partner Information
Last Modified: March 28th, 2014

Product Information
Partner Name: Citrix
Web Site: www.citrix.com
Product Name:
Version & Platform: 6.5
Product Description: Citrix is an on-demand application delivery solution that enables any Windows application to be virtualized, centralized, and managed in the datacenter and instantly delivered as a service to users anywhere on any device.
Solution Summary
Compared to traditional application deployment technology, virtual application delivery with the Citrix product enables organizations to improve application management by centralizing applications in the datacenter to reduce costs, controlling and encrypting access to data and applications to improve security, and delivering applications instantly to users anywhere. The RSA Data Loss Prevention Endpoint Enforce agent, installed and configured on the Citrix server, prevents data loss from user sessions.

Partner Integration Overview
User Actions Supported: Print to, Copy/Move, Save As, Webmail
Remediation Actions Available:
Partner Product Configuration

Before You Begin
This section provides instructions for integrating Citrix with the RSA Data Loss Prevention (DLP) Suite. This document is not intended to suggest optimum installations or configurations. It is assumed that the reader has a working knowledge of all products involved and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components. All vendor products/components must be installed and working prior to the integration. Perform the necessary tests to confirm that this is true before proceeding.

Configuring Citrix
Install and configure a DLP Endpoint Agent on each Citrix server where you want DLP policy enforced. The endpoint agent is a service that starts when the system starts and monitors user actions as long as the computer is running. To install the Endpoint agent, follow the instructions in the "Installing and Configuring DLP Endpoint" chapter of the RSA DLP Endpoint 9.6 Deployment Guide. After the Endpoint agent and policies have been configured, end users will see the following RSA DLP Policy messages:
RSA DLP Policy message screenshot: (Copy to Clipboard)
Configuring VDI Options within the RSA DLP Enterprise Manager
Once you have successfully deployed the RSA DLP Endpoint Agent, there are a couple of configuration options within the RSA Enterprise Manager to consider. The DLP Endpoint agent runs in a virtual system the same way that it does on physical hardware. It can monitor the drives of the physical host that are automatically mounted to the virtual desktop, the drives of the physical host that are accessed as network shares, and the clipboard data in the virtual desktop.

To enable or disable monitoring of mounted physical drives and copying of the clipboard, perform the following steps:
1. From the RSA DLP Enterprise Manager, select Admin > Endpoint > Endpoint Groups, and then select the Endpoint Group (e.g. Default) that contains the Citrix servers with the RSA Endpoint agent installed.
2. Select Edit and then scroll down to VDI Settings.
3. Make the appropriate changes to the "Monitor automatically mounted physical drives" and "Monitor VDI clipboard" settings.
4. Click the Save button to commit the changes.

Once these settings are selected, you apply them through the Endpoint Policy User Actions settings within the DLP Enterprise Manager. To do so, perform the following actions:
5. From the Policies tab, select the Endpoint policy you want to change (e.g. PCI-DSS).
6. Click the Edit button in the upper left-hand window of the policy.
7. Click the Endpoint tab, then the Any User Action box. Select the "Copy in VDI" checkbox, then click the Save button. This enforces both the "Monitor automatically mounted physical drives" and the "Monitor VDI clipboard" settings.
Monitoring Clipboard Data
The clipboard contains the data that you transfer between documents or applications using copy and paste operations. Policy actions for monitoring the clipboard behave differently, both for the end user and within the RSA Enterprise Manager, from the standard enforced DLP actions. The following is the expected outcome for each policy action:

Action: or
  The end user is notified of the potential policy violation and is given the option to cancel the action. If the user clicks Yes, an event is generated and the user is allowed to copy text out of the virtual desktop. If the user clicks No, the user is allowed to paste the text within the virtual desktop and no event is generated.

Action:
  The end user is notified of the potential policy violation and the action is blocked. The user can paste the text only within the virtual desktop, and no event is generated.

Action:
  The end user is prompted to justify the action that triggered the violation. If the user provides a justification, the user is allowed to paste text out of the virtual desktop and an event is generated. If the user clicks No, the user is allowed to paste the text within the virtual desktop and no event is generated.

Important: DLP Endpoint monitors only data stored as text in the clipboard of the virtual desktop.
Certification Checklist for RSA Data Loss Prevention Suite
Date Tested: March 28th, 2014

Certification Environment
Product Name                    | Version Information   | Operating System
RSA DLP Enterprise Manager      | 9.6.1200.107 (SP2)    | Windows 2008 Server R2 (x64)
RSA DLP Enterprise Coordinator  | 9.6.1200.31 (SP2)     | Windows 2008 Server R2 (x64)
RSA DLP Endpoint Agent          | 9.6.1200.82 (SP2)     | Microsoft Windows 7 (x64)
Citrix                          | 6.5                   | Microsoft Windows 7 (x64)

Test Cases
RSA Endpoint Copy to NetShare
RSA Endpoint Copy to Removable Drive
RSA Endpoint Copy to Mounted Physical Drive
RSA Endpoint Save As to NetShare (same file name)
RSA Endpoint Save As to NetShare (different file name)
RSA Endpoint Save As to Removable Drive (same file name)
RSA Endpoint Save As to Removable Drive (different file name)
RSA Endpoint Save As to Mounted Physical Drive (same file name)
RSA Endpoint Save As to Mounted Physical Drive (different file name)
RSA Endpoint Print
RSA Endpoint Print to File
RSA Endpoint Print with Web Browser (IE/Firefox)
RSA Endpoint Print with Web Browser (IE/Firefox) to File
RSA Endpoint Clipboard
  Copy sensitive content
  Copy sensitive content
  Copy sensitive content
  Copy sensitive content
Web Mail (sensitive content as email attachment, body & subject)
  Gmail
  Yahoo! Mail
  Microsoft Outlook (Hotmail)

Legend
= Pass
= Fail
N/A = Non-Available Function