Citrix ShareFile Enterprise: a technical overview

White Paper
The role of IT organizations is changing rapidly as the forces of consumerization pose new challenges. IT is transitioning from the sole provider of user services to an aggregator and administrator for both in-house and third-party services, devices and applications. In the wake of this transition, IT must be prepared for everything that employees are bringing to work, including personal devices and applications.

Mobile workstyles, the notion that employees should be able to work from the most optimal location, prompted IT to look for solutions that could support flexible working while ensuring employees remained productive. Employees also started using personal devices at work, which led some IT organizations to adopt a formal bring your own device (BYOD) strategy. These trends, along with continued growth in dispersed and global workforces, clientele and operations, drove the need for instant access to data for easy collaboration.

However, the lack of an IT-managed data sharing and syncing service led employees to turn to unsecure, consumer-style file sharing products for self-service access to their files, as well as the ability to share those files with others within and outside their organization. Such solutions, unfortunately, put sensitive corporate data, regulated data and intellectual property at risk.

Simply blocking these unsecure services without providing a secure and IT-managed alternative will result in user frustration and lower productivity. It will also be regressive for IT, which is emerging as a strategic organization that fosters change to increase business productivity. To help IT regain control over employee file sharing, Citrix offers Citrix ShareFile, an enterprise-class, IT-managed, follow-me data service.

ShareFile Enterprise

ShareFile is a secure and robust enterprise follow-me data solution that enables IT to meet the mobility and collaboration needs of all users.
ShareFile empowers users to securely share files with anyone and to sync files across all of their devices. ShareFile seamlessly integrates with workflow tools such as Microsoft Outlook and provides a rich user experience on any device to enhance productivity. Unlike consumer-style file sync and sharing tools, ShareFile provides management and control functionality that allows IT to deliver a secure service and store enterprise data in the optimal locations to meet corporate data policies and unique compliance requirements. ShareFile is a powerful service that is simple for IT to implement and manage, requires no additional investment and can be fully integrated with existing security infrastructure and policies.

With ShareFile, IT can:

- Empower users with instant access to data in sync across all of their devices
- Improve collaboration and business productivity through secure file sharing with people inside and outside the organization
- Meet corporate data security and compliance standards via a secure service and the flexibility to store data on or off premises, or both
- Deliver an enterprise-class service that seamlessly integrates with the IT environment and meets mobility requirements to provide a rich experience on any device
- Deliver a managed service that helps IT retain control over the way corporate data is accessed, stored and shared

Product architecture

The current ShareFile product architecture is a pure Software as a Service (SaaS) model and consists of two key components: Control Plane and StorageZones. The client device can request access to the follow-me data service through a native ShareFile application or tool, Citrix Receiver or any browser.

Figure 1: Citrix Managed StorageZones

Control Plane

The Control Plane stores all user files, folders and account information and performs functions such as user authentication, access control and all other brokering functions. The Control Plane is hosted in Citrix datacenters and managed by Citrix as a service.

Following are the components of the Control Plane:

- Web servers for ShareFile web interface/web portal access. The web servers are also known as Main App.
- Web servers for client devices using the HTTPS API, including all native ShareFile apps and tools
- The clustered database stores user account information, access right information for all file and folder metadata and hashed user passwords. The database in the Control Plane does not contain any user files or user/corporate data. The database is also securely replicated to a secondary datacenter location for backup and recovery in case of a failover.
- Citrix NetScaler appliances are used to load balance all client requests across the web servers.

The NetScaler appliances and web servers run in the demilitarized zone (DMZ) and the database cluster runs in the production network behind the firewall. All traffic from a client device, the web interface or a native tool connects to the Control Plane using 256-bit encryption. The NetScaler appliances then begin to load balance the traffic/requests across the various web servers. Once the connection with the web servers is made, they communicate with the clustered database for retrieval of requested information.

Citrix-managed StorageZones

StorageZones are where the customer data and files are hosted. The Citrix-managed StorageZones are hosted in Amazon Web Services (AWS) datacenters today, with an option to store data in various AWS worldwide locations including the United States, Ireland (EU), Brazil, Japan and Singapore. The actual storage servers run on Amazon EC2 while the backend storage resides in Amazon S3. The data is stored on EC2 servers as elastic block storage (EBS) for caching and on S3 servers for persistent storage.

Amazon EC2 hosts various components of StorageZones. ShareFile Storage Center is the main component managing all file operations.
Other components include the utility servers responsible for antivirus, thumbnailing, full text index and backup functions. To support file transfer using FTP and FTPS, the Citrix-managed StorageZones also host dedicated FTP servers.

Uploading and downloading data

When a user uploads a file to his or her account, the client device first requests authorization from the Control Plane and then connects to the Storage Center using 256-bit encryption. If a file is being uploaded through FTP or FTPS, the client first connects to one of the FTP servers, which then communicates with a Storage Center server. Thereafter, the Storage Center server encrypts the file and places it in its local cache. Simultaneously, the file is put in queue for persistent storage in S3 servers. The file remains encrypted during this entire process.

The utility servers communicate with the Control Plane and learn about the new file that is being uploaded. They begin to fill up their respective queues for the files that require antivirus scans, thumbnail creation, full-text indexing and backup. All files on S3 are processed according to their position in the queue.

When a client device requests a file, the file is delivered from the local EBS if it is in cache; otherwise it is delivered from the S3 storage. The file is decrypted by Storage Center and delivered to the client over an encrypted connection. If the downloaded file is requested through FTP or FTPS, it is delivered to the client through the FTP servers.

Citrix has a service level agreement (SLA) with AWS to ensure high availability for ShareFile even in the case of hardware failures. ShareFile also creates a backup of all encrypted file data that resides in a third-party datacenter. This backup server communicates with special backup utility servers in EC2 and with backup files from S3.

It is important to note that client devices communicate with both the Control Plane and the StorageZones and there is interaction between the Control Plane and the StorageZones; however, customer files never travel from the StorageZones to the Control Plane.

On-Premises StorageZones

Thanks to an innovative new capability, IT will soon have the flexibility to leverage On-Premises StorageZones within a private cloud, as well as to use Citrix-managed StorageZones in multiple worldwide locations. IT will also be able to build its own solution with a customized storage model leveraging the benefits of both Citrix-managed and On-Premises StorageZones.

The On-Premises StorageZones option will allow IT to store data within the datacenter to meet compliance and data sovereignty requirements. With the flexibility to store data both on and off premises, IT can optimize user performance by storing data in desired proximity.
Multiple storage options allow IT to build the most cost-effective solution. With the on-premises option, Citrix envisions being able to support any sort of CIFS- or NFS-based network storage system and enable access to existing on-premises file stores, such as Windows network shares and Microsoft SharePoint, to eliminate cumbersome data migration.
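
The split described under "Uploading and downloading data" (the client is authorized by the Control Plane, then moves file bytes only to and from a StorageZone) can be modelled as below. This is an added example, not Citrix code: the paper does not describe ShareFile's authorization mechanism, so the HMAC-signed grant, the shared key and the names ControlPlane, StorageZone, authorize, upload and download are all assumptions.

```python
import base64, hashlib, hmac, json, time

# Constructed key shared by the control plane and the storage zone (assumption).
ZONE_KEY = b"constructed-demo-key-not-a-real-secret"

class ControlPlane:
    """Holds accounts and access rights only; it never receives file bytes."""
    def __init__(self, acl):
        self.acl = acl  # {(user, folder): {"upload", "download"}}

    def authorize(self, user, folder, op, zone, now=None, ttl=60):
        if op not in self.acl.get((user, folder), set()):
            raise PermissionError(f"{user} may not {op} in {folder}")
        now = time.time() if now is None else now
        claims = {"user": user, "folder": folder, "op": op, "zone": zone, "exp": int(now) + ttl}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(ZONE_KEY, body, hashlib.sha256).hexdigest()
        return body.decode() + "." + sig  # short-lived grant handed to the client

class StorageZone:
    """Accepts file bytes only with a valid grant for this zone and operation."""
    def __init__(self, name):
        self.name, self.files = name, {}

    def _check(self, grant, op, now=None):
        body, _, sig = grant.partition(".")
        expected = hmac.new(ZONE_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig.encode(), expected.encode()):
            raise PermissionError("bad signature")
        claims = json.loads(base64.urlsafe_b64decode(body))
        now = time.time() if now is None else now
        if claims["exp"] < now:
            raise PermissionError("grant expired")
        if claims["op"] != op or claims["zone"] != self.name:
            raise PermissionError("grant not valid for this operation or zone")
        return claims

    def upload(self, grant, filename, data, now=None):
        claims = self._check(grant, "upload", now)
        self.files[(claims["folder"], filename)] = data  # encryption at rest omitted here
        return len(data)

    def download(self, grant, filename, now=None):
        claims = self._check(grant, "download", now)
        return self.files[(claims["folder"], filename)]
```

The storage zone makes its decision from the grant alone, so a grant issued for one zone, operation or time window is rejected everywhere else, and the control plane object never holds a file.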

Figure 2: On-Premises StorageZones

Regardless of the customer's choice of StorageZones, the Control Plane will reside in Citrix-managed secure datacenters, making this a hybrid model. The On-Premises StorageZones can have one or more Storage Center servers running on Windows Server 2008 with Internet Information Services (IIS) and can utilize local network-attached storage (NAS).

The StorageZones components run inside the customer's datacenter, allowing IT to build a fully customized solution. The ability to store highly regulated data in their own datacenters and the rest in Citrix-managed StorageZones will help organizations meet compliance requirements while benefiting from secure and effortless administration.

Client connectivity and communication run the same way as for the Citrix-managed StorageZones: customer data will not go through the Control Plane. With On-Premises StorageZones, IT can also generate encryption keys. StorageZones can be set at the user level or root folder level, allowing IT to store data based on user profile or type of data.

The On-Premises StorageZones feature is now available in tech preview at StorageZones Tech Preview and will soon be generally available.

Security features

ShareFile architecture is secure by design. It also provides additional robust features that IT can use to control, manage and audit the use of data.

Secure architecture

All datacenters containing ShareFile servers are certified to SSAE 16, demonstrating high standards for security. The servers are firewall protected and regularly updated to ensure that all of the latest security patches and updates are in place. Files are transferred to and from ShareFile servers using 256-bit SSL encryption and all files are stored with AES 256-bit encryption at rest.

Comprehensive disaster recovery mechanisms protect against loss of data. Files are frequently backed up to a disaster recovery datacenter and mirrored in real time to a secondary server location to ensure that service can be quickly resumed in case of a disruption at the primary server location. In the event of accidental deletion of files by a user, the files can be recovered within 28 days through the lazy file deletion option.

Additional security features

In addition to providing a secure architecture, ShareFile offers IT a granular level of control over sensitive corporate data.

- Remote wipe: This feature allows both users and IT to wipe all ShareFile stored data and passwords on any device in case it is lost or stolen. In the event of a security breach, IT can remove the device from the list of devices that can access ShareFile accounts, lock the device to restrict use for a specified period or completely wipe all ShareFile data that resides on that device.
- End-user and IT reporting: Users can receive reports on file sharing activity within their workspaces. IT can also track and log all user activity. Users and IT can create custom reports on account usage and access.
- Poison pill: The poison pill feature enables IT to prescribe data expiration policies for mobile devices and activate audit controls to track user logging activity. This feature is now available in the new ShareFile app for iPad.

Provisioning and authentication

ShareFile offers multiple options for seamless integration with Microsoft Active Directory.

- CloudGateway integration: Enterprise directory integration with Citrix CloudGateway is recommended for all Citrix customers. The integration simplifies and accelerates role-based provisioning and de-provisioning and enforces two-factor authentication with NetScaler Access Gateway. It also provides Citrix Receiver integration for a rich content editing experience through hosted applications and helps monitor service levels and license usage.
- SAML 2.0 support: Support for Security Assertion Markup Language (SAML) 2.0 integration is available to customers with existing SAML solutions such as Microsoft ADFS. This integration allows users to authenticate using their Active Directory credentials without passing those credentials through ShareFile.

Citrix Receiver integration

The combination of ShareFile, CloudGateway and Receiver provides a seamless experience as users move from device to device. These components together provide a single pane of glass along with single sign-on to all enterprise resources (apps and data). Enterprise directory integration with CloudGateway and Receiver is recommended for all Citrix customers. The integration simplifies and accelerates role-based account provisioning and de-provisioning, enforces two-factor authentication with NetScaler Access Gateway and provides a rich content editing experience on mobile devices through virtualized applications.

Conclusion

To embrace workforce mobility and users' demands for instant access to data, ShareFile Enterprise helps IT organizations retain control while improving collaboration, mobile workstyles and productivity. Citrix has long provided IT the power to deliver a rich and powerful follow-me desktops and apps experience. Now, ShareFile completes the mobility story with a rich, enterprise-ready, follow-me data solution.

- Enterprise follow-me data service: ShareFile Enterprise offers best-in-class follow-me data service with features that enterprise IT and users expect
- Flexible storage options: The innovative StorageZones feature gives IT the flexibility to choose between using Citrix-managed, secure StorageZones in multiple worldwide locations and leveraging On-Premises StorageZones within their private cloud, or to combine the two options
- Managed and secure data sharing: ShareFile Enterprise is a secure, managed service with robust security features that allow IT to determine how sensitive data is stored, accessed and shared
- Optimized for mobile workstyles: ShareFile Enterprise helps IT embrace user mobility requirements by enabling employees to work and collaborate from anywhere, on any device

Citrix understands the importance of data from the perspectives of the end user and the IT organization. Citrix continues to drive innovation by investing in new features that make the user experience more delightful and support IT goals by simplifying management, enhancing control and helping IT retain its strategic role in the organization.

Corporate Headquarters: Fort Lauderdale, FL, USA
Silicon Valley Headquarters: Santa Clara, CA, USA
EMEA Headquarters: Schaffhausen, Switzerland
India Development Center: Bangalore, India
Online Division Headquarters: Santa Barbara, CA, USA
Pacific Headquarters: Hong Kong, China
Latin America Headquarters: Coral Gables, FL, USA
UK Development Center: Chalfont, United Kingdom

About Citrix

Citrix Systems, Inc. (NASDAQ:CTXS) is the company transforming how people, businesses and IT work and collaborate in the cloud era. With market-leading cloud, collaboration, networking and virtualization technologies, Citrix powers mobile workstyles and cloud services, making complex enterprise IT simpler and more accessible for 260,000 enterprises. Citrix touches 75 percent of Internet users each day and partners with more than 10,000 companies in 100 countries. Annual revenue in 2011 was $2.21 billion. Learn more at www..

2012 Citrix Systems, Inc. Citrix, NetScaler, Citrix ShareFile, Citrix Receiver, CloudGateway and NetScaler Access Gateway are trademarks of Citrix Systems, Inc. and/or one or more of its subsidiaries, and may be registered in the United States Patent and Trademark Office and in other countries. All other trademarks and registered trademarks are property of their respective owners.