Technical security overview
The Analytics service hosted in Citrix Cloud collects data across Citrix portfolio products and third-party products. These products are called data sources. Citrix Analytics supports both cloud and on-premises data sources. The information in this document applies to Citrix Analytics and its data sources.
Data flow
Citrix Analytics automatically discovers the Citrix Cloud data sources that are subscribed to the customers. But the on-premises data sources require extra configuration to integrate with Citrix Analytics. For example, you have to add your Citrix Virtual Apps and Desktops sites to Citrix Workspace before Citrix Analytics can discover the Sites. Similarly, on-premises Citrix Gateway requires you to configure a Citrix ADM agent. For more information on enabling Citrix Analytics on the data sources, see Enable Analytics on Citrix data sources.
You can integrate a few third-party products such as Microsoft Graph Security and Microsoft Active Directory with Citrix Analytics. For more information, see the following topics:
Citrix Analytics can also send risk intelligence information to a customer-owned Splunk environment. This integration requires deploying and configuring Citrix Analytics Add-on for Spunk on the Splunk environment. For more information, see Splunk integration.
Without customer consent, Citrix Analytics does not process any events received from the data sources. To process the events from the data sources, the Analytics administrator must enable data processing. For more information on data collection, storage, and retention by Analytics, see Data governance.
Network requirements
-
Citrix Cloud services requirements: To use the Citrix Cloud services, you must be able to connect to the required Citrix addresses through the HTTPS port 443. For more information, see Internet Connectivity requirements.
-
Citrix Analytics requirements: Review the system requirements before using Citrix Analytics. In addition to the Citrix Cloud requirements, the following endpoint addresses must be accessible through the HTTPS port 443 to use the Citrix Analytics service.
Endpoint United States region European Union region Asia Pacific South region Admin UI https://analytics.cloud.com/
https://analytics-eu.cloud.com/
https://analytics-aps.cloud.com/
Admin UI (CDN) https://cas-api-cdn-ep.azureedge.net/
https://cas-api-cdn-ep-eu.azureedge.net/
https://cas-api-cdn-ep-aps.azureedge.net/
API Services https://api.analytics.cloud.com/
https://api.analytics-eu.cloud.com/
https://api.analytics-aps.cloud.com/
API Services (Performance Analytics) https://api-a.was.cloud.com/
https://api-eu-a.was.cloud.com/
https://api-ap-s-a.was.cloud.com/
https://api-b.was.cloud.com/
https://api-eu-b.was.cloud.com/
https://api-ap-s-b.was.cloud.com/
Get Public IP https://locus.analytics.cloud.com/
https://locus.analytics.cloud.com/
https://locus.analytics.cloud.com/
Event Hub (Not applicable for Citrix ADM agent) https://citrixanalyticseh-alias.servicebus.windows.net/
https://citrixanalyticseheu-alias.servicebus.windows.net/
https://citrixanalyticsehaps-alias.servicebus.windows.net/
https://citrixanalyticseh2-alias.servicebus.windows.net/
Event Hub (For Citrix ADM agent) https://cas-eh-ns-alias.servicebus.windows.net/
andhttps://cas-eh-ns2-alias.servicebus.windows.net/
https://cas-eh-ns-eu-alias.servicebus.windows.net/
https://cas-eh-ns-aps-alias.servicebus.windows.net/
Bulk Upload https://casstoragebulk.blob.core.windows.net/
https://casstorebulkeu.blob.core.windows.net/
https://casstorebulkaps.blob.core.windows.net/
Note
Citrix Analytics has discontinued the support for TLS 1.0 and TLS 1.1 for most of the preceding endpoints.
-
Citrix Cloud Connector installation: Some data sources such as Citrix Endpoint Management, Citrix Virtual Apps and Desktops, and Microsoft Active Directory require you to install a Citrix Cloud Connector on your resource location. The Citrix Cloud Connector is a communication channel between Citrix Cloud and your resource locations. After installing the Citrix Cloud Connector, you must configure the web proxy settings. For more information, see Cloud Connector Proxy and Firewall Configuration.
-
Citrix Analytics endpoints for SIEM integration: To integrate Citrix Analytics with your Security Information and Event Management (SIEM), ensure that the following endpoints are in the allow list in your network:
Endpoint United States region European Union region Asia Pacific South region Kafka brokers casnb-0.citrix.com:9094
casnb-eu-0.citrix.com:9094
casnb-aps-0.citrix.com:9094
casnb-1.citrix.com:9094
casnb-eu-1.citrix.com:9094
casnb-aps-1.citrix.com:9094
casnb-2.citrix.com:9094
casnb-eu-2.citrix.com:9094
casnb-aps-2.citrix.com:9094
casnb-3.citrix.com:9094
Identity and access management
-
To access Citrix Analytics, you must use your Citrix Cloud account. By default, Citrix Cloud uses the Citrix Identity provider to manage the identity information for all users in your Citrix Cloud account. You can also use other identity providers as mentioned in Identity and access management.
-
Citrix Analytics supports delegated administrator permissions. You can assign a read-only admin permission to a user to manage Analytics in your enterprise. For more information, see Manage administrator roles.
Data residency
Citrix Cloud manages the control plane for Citrix Analytics. Data received from the data sources are stored in multiple Microsoft Azure environments. These environments are located in the United States, the European Union, and the Asia Pacific South regions. The storage location depends on the home region selected by the Citrix Cloud administrators when onboarding their organizations to Citrix Cloud. For more information, see the following topics:
Data protection
Citrix Analytics receives data from the subscribed Citrix Cloud data sources, on-premises data sources, and the third-party products. The received data is processed only if the customer has a Citrix Cloud entitlement and the Analytics administrator has explicitly enabled data processing for each of the subscribed data sources.
Citrix Analytics protects the customers’ data using the following security measures:
-
Citrix Cloud authentication for the Analytics users. For information, see Identity and access management.
-
Tenant-based data access controls enforced by the Data Service and Data Access Layer.
-
Strong data isolation per customer or tenant in all data stores in the data lake and data warehouse.
-
TLS-encrypted data transfer between the various micro services and data stores, applicable for the public endpoints (APTs/inputs/outputs) of the platform and within the platform.
-
High standards in TLS endpoints. TLS 1.0 and TLS 1.1 are disabled.
-
Encrypted data storage using encryption keys and secrets that are stored in appropriate Key Vaults.
-
Strong user management access controls for service operations and support while protecting customer logs.
-
Vulnerability scanning, intrusion detection, anti-malware, rootkit scanning used along with Azure Security Center.
As with all Citrix Cloud services, data collection is strictly subject to the End User Service Agreement (EUSA). For more information, see the following agreements:
Security responsibility
Citrix responsibility
Citrix is responsible for securing all infrastructure and data residing on the Citrix-managed cloud environments that host Citrix Analytics. Citrix is responsible for applying regular software updates and patches on the cloud environment to address security vulnerabilities.
Customer responsibility
Citrix customers are responsible for securing their data sources, policy enforcement points, and Security Information and Event Management (SIEM) systems that are integrated with Citrix Analytics, which include:
-
On-premises data sources owned and managed by customers:
-
On-premises data sources: Citrix Gateway, Citrix Virtual Apps and Desktops, Microsoft Active Directory
-
SIEM: Splunk and any other third party products that use the Kafka brokers to read events from Citrix Analytics.
-
-
Customer-provided administrator credentials for managing Citrix Cloud services, including Citrix Analytics.
-
Customer-owned administrator accounts that receive emails or notifications from Citrix Cloud services.
-
Customer-provided administrator credentials for deploying and integrating the agents such as Citrix ADM agents. Access to these agents must be restricted because they store the keys locally to communicate with Citrix Analytics.
-
Citrix Analytics-generated credentials for configuring Citrix Analytics Add-on for Splunk.
-
End user devices running on Windows, Mac, Android, iOS to connect to Citrix Cloud or Citrix Workspace and integrated with data sources.
For more information on security provisions, see the following documents: