Citrix in-session watermark

in Citrix Cloud/Receiver/XenApp/XenDesktop by

The fact in VDI security designs is that people are the weakest links in your protection chain. How can you prevent insiders from simply taking the screen and leaking your most brilliant ideas to external sources? How can you trace a leak back to when it first happened?

Citrix In-session Watermark offers a solution for you. It adds traceable information on top of the VDI screen. This provides a deterrent to prevent people from stealing the screen. To take this one step further, even if the information is leaked, you can still easily trace back to follow the identity on the screenshot.

While XenApp & XenDesktop provides a great barrier to information theft for outside attackers, In-session Watermark is provides an additional layer of security against theft from inside users. To clarify, watermarks are primarily a deterrent to inside users – for trustworthy users, yes, who sometimes need a reminder to be honest, and also for malicious insiders who are working to steal intellectual property. Since users control their endpoints running Citrix Receiver, there are security advantages to implementing server-side protections, and this is where we implemented In-session Watermark.

The watermark is added to the image before it is transferred to the endpoint. Compare the approach for implementing Citrix In-session Watermark on server side to other solutions and offerings on the market. The Citrix In-session Watermark cannot be removed without killing the session. If a watermark solution were implemented using a user space process to draw the watermark, the malicious users can kill that process to remove the watermark, which is clearly not a sufficient deterrent.

In the Citrix solution, the watermark is added deep inside the HDX engine and if the user were to kill the process that draws the watermark, it would also kill the user’s session, which is a much more effective deterrent.

The benefits of embedding this security into the HDX engine also include better screen coverage. The Windows 10 start menu and UWP apps will be covered properly with Citrix Watermark while a user mode process might leave some of the screen uncovered.

More details can be read in the original Citrix article at: https://www.citrix.com/blogs/2017/12/04/a-new-option-to-protect-your-workspace-in-session-watermark/

Leave a Reply