The Citrix Blog
Blogs for tag 'password manager'


posted by Keira Pack

New courseware has been released from Citrix Education - Get up to speed on Citrix XenApp 5.0, XenDesktop 3, NetScaler 9 and more! Click on the course/certification title below for more information on these hot releases.

Instructor-led Courses

Self-paced Online Courses

Certification


posted by Vinny Sosa

You might have noticed our announcement last week on XenApp 5 Feature Pack. With all of its great new features and functions, it's easy to see the many cost savings opportunities it brings. One of these is the new freedom that customers get with Single sign-on.

Single sign-on is a XenApp Platinum edition feature. With it, you can enable single sign-on for any hosted application you deliver, that is, apps that run on the server. Now, with XenApp 5 Feature Pack, you can also use it at the endpoint without purchasing additional licenses at $150 per concurrent user. For example, if your company has 3000 users who use XenApp and you bought 1000 XenApp Platinum licenses, the licensing policy change in single sign-on lets you use it for all 3000 users, including their endpoint use. This saves you from buying an additional 2000 licenses. On top of those savings, it can potentially reduce password-related helpdesk costs by 20-30% and increase user productivity (since users won't be calling the helpdesk about a forgotten password or a locked account). But single sign-on isn't all you can do with this technology set.

First, as a best practice, you should deliver any password-protected application as a hosted application. Why? The first time the user tries to access a password-protected application, single sign-on asks to store their credentials for that application. The user provides the credentials over the encrypted connection and they are stored in an Active Directory store or in an encrypted store. Simple enough. But here is where the magic begins.

You configure the application to ask the user to change their password after the first logon. This is standard practice in your high-security organization, right? (wink wink) Normally the user would change their password by sending the new password over the connection, not once but twice, to confirm it was typed correctly. So if there is a key logger on their device, the new password is compromised even before your system accepts it. With single sign-on, this problem is eliminated: it can be configured so that whenever the application asks the user to change their password, single sign-on automatically responds with a new random password that matches the policies you have set. Since single sign-on generates and submits that password in the data center, a key logger on the user's device never sees it. (The key logger can still capture whatever the user types to log on to XenApp itself, which is why the multi-factor authentication discussed below matters.)

Another thing: since single sign-on changed their password, the user no longer knows their application password, nor do they need to, because single sign-on provides it to the application whenever they need access. But don't worry. If you need to cut off their access, you can be confident that disabling their Active Directory account will do the job, because if they can't log on to the system, they can't reach the password held by single sign-on. With manual logon, they could still access the application with their application password using someone else's AD credentials. With single sign-on in XenApp, this problem is eliminated. This is called "maintaining the login chain": you ensure that the user who logged into the system is the same user who logged into the application. Great for compliance purposes.

Up to this point I've been talking about hosted applications. I mentioned that XenApp 5 Feature Pack now adds the ability to use single sign-on at the endpoint. This is a great solution when you have a password-protected application that isn't hosted on XenApp; maybe you have streamed it to the physical or virtual desktop. You get the same benefits of single sign-on. The only difference is that you are no longer protected from key loggers on that endpoint, except by anti-virus software and the like. This is why I say the best practice is to host and run any application that requires a logon on your XenApp servers. If you still need to do it at the desktop, the good part is that single sign-on still maintains the login chain and still changes passwords automatically to make sure they meet your organizational standards.

Now, as soon as I mentioned single sign-on, you were probably thinking about that old "keys to the kingdom" argument. It's a valid one. But when implementing single sign-on you've got to do some things differently. First, single sign-on simplifies your users' lives by taking away their need to remember all those application passwords (or write them down on a Post-it note somewhere). That is just the justification you need to require a stronger domain password via AD password policies. In addition, single sign-on with XenApp lets you configure whether users have to prove who they are by authenticating again before it logs them into their application.

And if you're really paranoid (which you should be), you can add multi-factor authentication (e.g. RSA SecurID, Secure Computing SafeWord, smart card authentication, etc.) to your primary credentials. Yes, multi-factor authentication can be a bit cumbersome, but you just made life easier for your users, so a trade-off is in order. And since multi-factor authentication such as token-PIN combinations or smart cards is of little use to a key logger (the codes change with every logon and the certificate never leaves the card), you're much better off than having users type every single application password for what they need to access.

Single sign-on with XenApp also includes self-service password reset (SSPR). With SSPR, if users get locked out of their domain account, you can let them securely unlock it by answering security questions that you set up. You customize the questions and users personalize the answers when they enroll in the service. You can then enable self-service password reset and account unlock from the Windows logon screen or even from the XenApp Web Interface. This feature is all about reducing helpdesk calls and increasing user productivity. Good stuff, and best of all, you can use SSPR regardless of whether you use single sign-on for your applications.

So, just to boil this down, single sign-on reduces helpdesk costs, increases password strength, increases application security, and enhances compliance. Your ability to use single sign-on in your own environment will depend on a number of factors, from company culture to the level of paranoia of your security architect to whether you're the CIA. However, if you can use it, you should, even if it's just for the self-service password reset and account unlock feature. In these economic times, anything that can save you money is worth checking out.

Want to learn more? Check out Citrix.com/upgradetoxenapp5. Stay tuned for weekly blogs on XenApp 5 Feature Pack. As always, let us know your thoughts, questions and feedback below.

This post is part of a multi-part series on XenApp 5 Feature Pack:


posted by Kate Brew

I interviewed Glenn MacDonald for this topic. Glenn is a Senior Software Engineer at Citrix. He has been with Citrix since 2003 and has worked on every release of Password Manager. He has a Masters degree in Computing Science from Simon Fraser University and over fifteen years of software development experience. The interview did not actually take place on the yacht, below.

Q: When did CPM begin to provide provisioning?
A: The CPM Provisioning feature was introduced during the Nassau release in 2005. The intent of this feature was to empower CPM administrators with the ability to provide users' secondary credentials directly to CPM, rather than forcing users to do so. Being unable to do this had been an administrator pain point during CPM roll-outs and when new applications were added to deployments.
In a sense, provisioning in CPM provides additional security, in removing the responsibility from users for providing secondary credentials, as users tend to do things like write down their passwords before entering them.

Provisioning in CPM increases security by avoiding the initial distribution of credential details directly to the user. Typically this is done by a less secure method such as a memo, voice mail or email. Another focus of the feature was to provide a means to integrate with existing identity management and provisioning systems (e.g. Courion Account Courier).

Q: Does CPM provisioning set up user accounts in applications?
A: No, it just informs CPM of the users' credentials.

Q: How does it work?
A: The new web service (the Provisioning service) responsible for receiving the provisioning commands was added to the CPM Service.  These commands are added to a per-user queue located in the user specific container of the central store. Eventually the Plugin executes the queued commands to complete the provisioning action.

Q: Is it really that simple?

A: Of course not! There are lots of details to do this securely, but that's the basic flow.

 Q: Can you elaborate on those security details?
A:  Recall that the CPM Plugin protects a user's credentials using user specific keys. (i.e. Only the Plugin running in a user session can obtain the keys). This implies that it is impossible for the Provisioning service to directly execute the commands and alter the user's central store data. (i.e. the service can't add a credential because it doesn't have the key to protect the secrets).  This is why the commands are queued until a Plugin running as the user requests them. The service is completely responsible for the life cycle and encryption of the queued commands.

The Plugin does not directly access the queued commands - it obtains them from the Provisioning service over an SSL connection. Once the Plugin has successfully executed the commands, it informs the service that the queue can be deleted.
 
Q: Is the provisioning feature standards-based, since there are many provisioning products out there to integrate with?
A:  As a matter of fact, it is.  To ease third party integrations, we opted to use the SPML V2.0 open standard. The Service Provisioning Markup Language (SPML) is an XML-based framework, developed by OASIS, for exchanging user, resource and service provisioning information. Additionally, many identity management systems already support SPML 2.0.  A connector is required for identity management integration.

Q: Why do I need a custom connector if my identity management system already supports SPML 2.0?
A: To understand why a custom connector is needed, you need to consider the conceptual differences between provisioning for CPM and provisioning in general.

Consider a typical provisioning scenario from the perspective of an administrator of an identity management system. A new employee has joined the company and needs to be provisioned with a domain account and specific accounts for SAP, Outlook, etc. The administrator will request that an SAP account get created. To do this, the identity management system will send a message to the Provisioning Service Provider (PSP) for SAP.

"Hey SAP PSP, create a new account with user name=baracko and password=prez"
The Provisioning Service Provider will create the account and return a reference ID for the account.

Next, the administrator would want to provision CPM with the newly created SAP credential. The message that the CPM Provisioning Service needs to receive must say:
"Hey CPM Provisioning Service, for the domain user bobama, add a credential for SAP having the user name=baracko and password=prez"
First, notice that provisioning from the CPM perspective is simply providing the user with his CPM secondary credentials. There is NO creation of the accounts accessed with those credentials. Those accounts must be created by an outside means completely separate from CPM. Essentially, CPM provisioning is the act of populating the user's credential store - i.e., the administrator is populating a small data store and not actually provisioning accounts or resources.

Q:  I sort of see what you mean. The CPM provisioning command added the SAP credential for the specified domain user, it didn't actually create the SAP account. How does CPM know what "SAP" refers to in the command?
A: Good, you've noticed the second subtlety. Ultimately, the goal is to have CPM submit this credential when it detects the SAP logon page. To achieve this, the credential needs to be associated with a specific application definition.

A unique GUID is assigned to every application definition when it is created in the CPM Administrative Console. This GUID is included in the command to provide the link between the credential and the application that the credential is for. So, the message actually needs to be:
"Hey CPM Provisioning Service, for the domain user bobama, add a credential for GUID-of-SAP-application-definition having the user name=baracko and password=prez"
The connector needs to provide the mapping between the application definition GUIDs and the credentials.

Q: How does the custom connector learn the application definition GUIDs?
A: To determine the list of application definitions available to a user, the connector needs to send a lookupApplicationRequest. The response to this will contain a list of the applications defined in the User Configuration associated with that user. The description of each application definition will contain the GUID and the fields in a credential (e.g. user id, password and database name). Note that the lookupApplicationRequest command is a CPM-specific, custom extension to SPML v2.0.
 
Q: Are you saying a custom connector is needed because it has to provide the binding between the CPM application definitions and the specific credentials?
A: Exactly!
The connector needs to know:

- the mapping between the application definition GUIDs and the credentials
- how to use the lookupApplicationRequest custom command to obtain the application definition GUIDs
- how to construct the CPM-specific SPML extensions to use in the data elements of the commands
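As an added illustration of the connector's job described above (example code written for this page, not Citrix's SDK and not the real CPM schema): the connector parses a lookupApplicationResponse to learn each application definition's GUID and credential fields, then emits an SPML 2.0 addRequest whose data element carries the credential under a CPM-style extension. Only the SPML core elements (addRequest, containerID, data) and the executionMode attribute are from the OASIS standard; the cpm namespace, the layout of the lookup response, the element names under it and the sample GUIDs are assumptions constructed for the example.

```python
"""Hypothetical CPM-style provisioning connector (added example, not Citrix code).

Only the SPML 2.0 core elements (addRequest, containerID, data) and the executionMode
attribute come from the OASIS standard. Everything under CPM_NS, the shape of the
lookupApplicationResponse, and the GUIDs below are assumptions made for this example.
"""
import uuid
import xml.etree.ElementTree as ET

SPML_NS = "urn:oasis:names:tc:SPML:2:0"               # OASIS SPML v2.0 core namespace
CPM_NS = "urn:example:cpm-provisioning:hypothetical"  # assumed; not a real Citrix namespace

# Constructed sample: the answer to a lookupApplicationRequest for one user's
# User Configuration (application definition name, its GUID, and the credential fields).
SAMPLE_LOOKUP_RESPONSE = f"""
<lookupApplicationResponse xmlns="{CPM_NS}" status="success">
  <application name="SAP" guid="0f1c2e3d-4a5b-6c7d-8e9f-0a1b2c3d4e5f">
    <field>username</field><field>password</field><field>client</field>
  </application>
  <application name="Outlook Web Access" guid="1a2b3c4d-5e6f-7081-92a3-b4c5d6e7f809">
    <field>username</field><field>password</field>
  </application>
</lookupApplicationResponse>
"""


def parse_application_definitions(xml_text):
    """Map application definition name -> {"guid": ..., "fields": [...]}.

    This is the binding the connector must hold: a credential is only meaningful
    to CPM when tied to the GUID of an application definition the user can see.
    """
    root = ET.fromstring(xml_text)
    definitions = {}
    for app in root.findall(f"{{{CPM_NS}}}application"):
        guid = app.get("guid")
        uuid.UUID(guid)  # raises ValueError on anything that is not a well-formed GUID
        definitions[app.get("name")] = {
            "guid": guid,
            "fields": [f.text for f in app.findall(f"{{{CPM_NS}}}field")],
        }
    return definitions


def build_add_credential_request(domain_user, app_name, credential, definitions):
    """Return the XML of an SPML 2.0 addRequest that queues ``credential`` for
    ``app_name`` in ``domain_user``'s credential store.

    The request is asynchronous on purpose: the Provisioning service only queues
    it; the Plugin running in the user's session executes it later.
    """
    if app_name not in definitions:
        raise KeyError(f"no application definition named {app_name!r} for this user")
    spec = definitions[app_name]
    expected, supplied = set(spec["fields"]), set(credential)
    if expected != supplied:
        raise ValueError(
            f"credential fields {sorted(supplied)} do not match definition {sorted(expected)}"
        )

    ET.register_namespace("spml", SPML_NS)
    ET.register_namespace("cpm", CPM_NS)
    request = ET.Element(
        f"{{{SPML_NS}}}addRequest",
        requestID=str(uuid.uuid4()),
        executionMode="asynchronous",
    )
    # The container is the domain user's per-user queue; the GUID, not the name
    # "SAP", is what links the credential to the application definition.
    ET.SubElement(request, f"{{{SPML_NS}}}containerID", ID=domain_user)
    data = ET.SubElement(request, f"{{{SPML_NS}}}data")
    cred = ET.SubElement(data, f"{{{CPM_NS}}}credential", applicationGuid=spec["guid"])
    for field in spec["fields"]:
        ET.SubElement(cred, f"{{{CPM_NS}}}{field}").text = credential[field]
    return ET.tostring(request, encoding="unicode")


def summarize_request(xml_text):
    """Read back an addRequest built above: (domain user, application GUID, fields)."""
    root = ET.fromstring(xml_text)
    container = root.find(f"{{{SPML_NS}}}containerID").get("ID")
    cred = root.find(f"{{{SPML_NS}}}data/{{{CPM_NS}}}credential")
    fields = {child.tag.split("}", 1)[1]: child.text for child in cred}
    return container, cred.get("applicationGuid"), fields


if __name__ == "__main__":
    defs = parse_application_definitions(SAMPLE_LOOKUP_RESPONSE)
    print(build_add_credential_request(
        "bobama", "SAP", {"username": "baracko", "password": "prez", "client": "100"}, defs
    ))
```

The field check is deliberately strict in both directions: a credential with a missing field would be queued and then fail in the user's session, where the administrator cannot see it, and an extra field would silently carry data the application definition has no slot for.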


posted by Michelle M Webb

Well, it's certainly been a while since I've posted to The Citrix Blogs. Web Services has been working hard to improve our, I mean your, Web experience on our various community sites, the Knowledge Center, and of course, the Citrix Forums.

So, besides giving "props" to my team (is that even cool to say anymore? Anyway, I digress), I wanted to share some changes we've made to make it easier and faster to find all the documentation (Admin Guides, readmes, etc.) for our Citrix products....

We now have a central page (Product Documentation Links) at http://support.citrix.com/pages/docs/ that lists all our current product releases and links you directly into the Documentation tabs for each product version. As I'm sure you know, the Documentation tabs link to all the documentation for a specific release. But wait, there's more!

We have also included links from several key pages:

  • Citrix.com (home) > Support > Knowledge Center > Product Documentation
  • (Almost) any product page in Citrix.com > Dig Deeper section on the right > Product Documentation

In addition, we set up redirects to the Product Documentation Links page from older links published in past Citrix documentation (PDFs, HTML readmes, etc). This allows existing customers to browse to the latest, most updated versions of any document at any time. Cool, huh? Ok, well, I think it's cool.

For those of you that may have bookmarked an earlier Phase I version (published as CTX article CTX116089), that's been redirected too, so you just need to update your bookmarks.

The Web Services team, the Knowledge Center team, and of course, the Technical Publications team, hope you like the changes. Either way, please let us know what you think, but you have to say why and what you'd like to change. Thanks!!!


posted by Kate Brew

I conferred with some of the security experts at Citrix on the topic of people and security.  Their advice came in several key areas:  

Physical access to IT assets: Gaining physical access to machines greatly increases the damage a malicious user can do and the data they can steal. For this reason, admins should restrict physical access to sensitive resources, for example restricting access to the XenApp farm to Citrix administrators with authorized access cards.

Citrix products offer a great advantage in making it unnecessary to have applications and data locally stored, so physical access is less of an issue.  Some of our most security sensitive customers publish the application that can manipulate sensitive data but disable client drive mapping and the clipboard virtual channel and print screen functionality so that no data can leave the data center. 

Unattended and unlocked user workstations are also a liability and a policy that requires users to lock workstations when they leave the work area is strongly suggested.  System configuration to lock workstations after a few minutes of inactivity and password-protected screen savers are also good measures. 

Separation of Duties: Security policy should be such that no one person or role holds all control.  This means assigning roles in a manner in which it takes more than one person to accomplish certain tasks.  For example, if the task is releasing a binary to a customer, a software developer should not QA their own code.  Similarly, an administrator's activities should be monitored by a separate auditing role. 

Citrix brings value here as well, with a separate role for Citrix Administrators who share control of the overall system with Local and Network Administrators.  The Citrix Administrators manage only the Citrix environment, so there is additional separation of duties.

Least Privilege: The old "need to know" basis! Well, in this case, "need to have permission to do." People's roles in an organization and their access rights should be broken down to grant users only the privileges they need for their particular jobs. This applies to admins as well; for example, the database admin should not have management rights on the mail server, the security console or the network.

Citrix allows you to publish applications using different roles to further restrict access to certain data and privileges.   
The whole point of least privilege is that if an attacker is able to compromise an account, they can only do a small subset of tasks on the network/database/machine. 

Password Policies:

There are several ways people can weaken corporate security with their management of passwords. The problem with passwords is that users would like them to be easy to remember. As a result, they may attempt to simplify things with the following bad practices:

- Write down their passwords
- Set all of their application passwords to the same thing
- Use really easy-to-guess passwords, like their dog's name
- Use the same password every other time they change it (just alternating)
- Use trivial and short passwords, like 123
- Never change their passwords

These user antics are not good for corporate security! Security policy should specify:

- Password length
- Password complexity (require special characters, a mix of letters and numbers, etc.)
- Password history enforcement (force a new password and don't allow repeats for a certain number of passwords)
- No dictionary words in the password
- No obvious words, like Citrix, in a password
- Password expiry, forcing password changes

Enforcement of this policy is a different matter. Citrix Password Manager can help administrators enforce these policies in a corporate setting. Plus, CPM can be configured so that users do not even know their own passwords, which very effectively prevents sharing. As a side benefit, if the user leaves, de-provisioning and making sure the user can no longer access any assets is much easier, since the user never knew their passwords in the first place.
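The policy list above, and the data-center password change described in the XenApp 5 Feature Pack post earlier on this page, both come down to two routines: checking a candidate against the rules (length, character classes, banned and dictionary words, history) and generating a replacement that passes them without the user ever seeing it. The block below is an added example written for this page, not Citrix Password Manager code; the word lists, the salt, the PBKDF2 iteration count and the policy numbers are constructed assumptions.

```python
"""Added example (not Citrix Password Manager code): enforce a password policy and
generate a compliant replacement, the way a data-center component would when an
application demands a password change on behalf of the user.

The word lists, the iteration count and the policy numbers are constructed assumptions.
"""
import hashlib
import re
import secrets
import string
from collections import deque

DICTIONARY_WORDS = {"password", "welcome", "summer", "letmein", "monkey", "dragon"}
FORBIDDEN_WORDS = {"citrix", "xenapp"}   # "obvious words": company and product names
CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
SYMBOLS = "!@#$%^&*()-_=+[]{}:;,.?"


class PasswordHistory:
    """Per-user history used for the 'no repeats' rule, kept as salted PBKDF2 hashes
    so the history itself does not store old passwords in the clear."""

    def __init__(self, salt, size):
        self.salt = salt
        self.hashes = deque(maxlen=size)   # oldest entry drops out once the window is full

    def fingerprint(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 50_000)

    def contains(self, password):
        return self.fingerprint(password) in self.hashes

    def remember(self, password):
        self.hashes.append(self.fingerprint(password))


class PasswordPolicy:
    def __init__(self, min_length=12, min_classes=3):
        self.min_length = min_length
        self.min_classes = min_classes

    def violations(self, candidate, history=None):
        """Return the list of rules the candidate breaks (empty means it passes)."""
        problems = []
        if len(candidate) < self.min_length:
            problems.append(f"length: {len(candidate)} < {self.min_length}")
        classes = sum(bool(re.search(p, candidate)) for p in CLASS_PATTERNS)
        if classes < self.min_classes:
            problems.append(f"classes: {classes} < {self.min_classes}")
        lowered = candidate.lower()
        for word in sorted(DICTIONARY_WORDS | FORBIDDEN_WORDS):
            if word in lowered:
                problems.append(f"banned word: {word}")
        if history is not None and history.contains(candidate):
            problems.append("history: password was used recently")
        return problems

    def generate(self, length=None):
        """Draw a random password and keep drawing until it satisfies the policy.
        With a 16-character draw from letters, digits and symbols nearly every
        attempt passes, so the loop is short; secrets (not random) is the CSPRNG."""
        length = length or self.min_length + 4
        alphabet = string.ascii_letters + string.digits + SYMBOLS
        while True:
            candidate = "".join(secrets.choice(alphabet) for _ in range(length))
            if not self.violations(candidate):
                return candidate

    def rotate(self, history):
        """Pick a new password the user never sees: compliant, not in the history,
        and recorded in the history so the next rotation cannot reuse it."""
        while True:
            new_password = self.generate()
            if not history.contains(new_password):
                history.remember(new_password)
                return new_password


if __name__ == "__main__":
    policy = PasswordPolicy()
    print(policy.violations("Summer2008"))      # too short and contains a dictionary word
    history = PasswordHistory(salt=b"constructed-per-user-salt", size=5)
    print(policy.rotate(history))               # a fresh compliant password
```

Two points matter for the "user never knows the password" model the post describes: the generator runs server-side with a CSPRNG, and the history stores only salted hashes, so a copy of the history gives an attacker neither the current password nor the old ones.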



If you are looking to get started with the Password Manager Provisioning SDK, don't miss this video. Michol Monaghan and George Prado from Citrix explain how to install the Citrix Password Manager Provisioning SDK and run the out-of-the-box samples.

Here is the direct link to the video
http://citrix.utipu.com/app/tip/id/3267


posted by Kate Brew

I read several articles about research on the behavior of IT professionals recently.  The research was sponsored by security vendor Cyber-Ark.  Amazing stuff!  A third of all IT professionals surveyed could still access the company's network after they left the job.  A third admit to snooping and peeking at  information like people's personal emails, salary info and other juicy tidbits.  Most shocking: 50% of all IT professionals still keep passwords on Post-It notes.  These are administrative passwords!!  The really omnipotent accounts!!

The press release from Cyber-Ark has more details.  The survey was of 200 IT professionals at April 2008's Infosecurity Exhibition Europe, and it was entitled "Trust, Security and Passwords". 

Interestingly, these folks admitted these things in an anonymous survey, but aside from that they might never be detected in their snooping, since admin passwords generally give privileged and anonymous access to systems.

One point: there's a difference between snooping and corporate-policy-based monitoring of company IT assets.  The survey was pointing out the fact that IT administrators can inappropriately access information and they count on not being caught.


posted by Kate Brew

I spent some time recently chatting with Ross Duncan, VP of Channels at Gemalto, due to my role as product manager for Citrix Password Manager. While Citrix remains "strong authentication agnostic", Ross raised some great points:

- Passwords are bad. I don't think anyone will argue this point! There have been many solutions to enforce management of passwords to mitigate their inherent weakness. But those "solutions" that make passwords more complex can cause user convenience problems, plus bad behavior such as passwords written down, the same password used for many applications, and so on. Then the help desk calls are both extensive and expensive.
- eSSO means putting all the keys to the kingdom in one place. This allows IT to use hyper-secure passwords (20+ characters, special characters, etc.) that change rapidly. However, the end user now has only ONE password to know, so there is a case to augment it with a strong authentication device like Gemalto smart cards.
- Coupling eSSO and smart cards brings the ultimate in convenience with maximum security: the user inserts their card, enters their PIN, and they can securely access the system. This is much easier than entering a user name and password, and more secure.
- Vendors like Gemalto are integrated with Citrix Password Manager, smooth roaming/Hot Desktop, XenApp and CAG, which is convenient for customers.

We also discussed the merits of converging logical and physical security. This always looks great on PowerPoints, but it has been a real slow starter in real life. It's been discussed for 8 years that I personally know about, but the actual implementations are lagging. It always struck me this way: the physical security personnel and the IT security personnel are usually in different areas within an organization, and there are numerous political barriers to having the two groups work together and contribute budgets to make a badge/technology/management decision together. I know Gemalto has partnerships to do this, but it seems to me to face obstacles. Would like to hear comments!
 


posted by Kate Brew

Several striking aspects of this year's RSA Conference:

  • All presentations about security in a virtualized environment were mobbed. People were pretty angry when turned away at the doors of the presentation rooms, but fire marshal regulations prevented people from standing at the back. It appears this is the "next interesting thing" in security, and there is great curiosity. On the reality side, there were very few products or technologies for sale to address the potential issues. I believe there are a great many startup companies currently in stealth mode in this area.
  • The days of radical and revolutionary change in security from the late '90's and early '00's are way over.   The big vendors seem to be just pulling together "fix it all" suites as best they can through acquisitions.
  • Michael Chertoff's presentation was a tad scary: he mentioned that government agency computers are all interconnected, and that security is not consistent across all agencies (some have 24/7 monitoring for security and some don't).  This is bad for the obvious reason - just like in the movies, the bad guys can find an innocuous-looking, under-protected entrance and get to the agencies of interest.  The other scary part was that Mr. Chertoff seemed to think 24/7 monitoring was the main thing.  I'd tend to focus on preventative measures, vulnerability assessment, intrusion detection, user training, Identity and Access Management, strong authentication and other areas as well, but they were not mentioned.
  • Bruce Schneier's presentation on security rationalization was provocative. He focused on the separation between reality, feelings and models by "experts" when it comes to assessing security risks. One example was the Tylenol scare, which was successfully addressed from a commercial standpoint by adding hermetic seals to bottles. It made people feel better. The reality is that a syringe could inject poison pretty easily, but people feel better. He also introduced the notion of "security theater", where the media and security vendors exaggerate risks and cause people to feel bad when the reality just doesn't match. Interesting concept.

RSA Conference is growing: attendance was estimated at 17,000


posted by Kate Brew

This is a little-known fact that may be very interesting for customers who want SSO but find that Password Manager does not natively support their language. We have an SDK available for partners to do their own translations of the CPM UI. It is available for free, and has already been requested by partners in Russia, the Czech Republic, Sweden, Italy, Greece and Poland.

This SDK can be used with standalone CPM and XenApp Platinum (Single Sign-on powered by Password Manager.)  Both offerings are the same code base.

Our terms are intentionally simple: the local Citrix rep approves the partner to me, partner signs a EULA, I give the partner access to the SDK via FTP, and the partner owns the resultant work effort (of course CPM licenses are still required for the customers purchasing translated versions from the partner.)

The caveats are that the business partner is responsible for keeping up with changes as new releases are provided from Citrix, and the local Citrix account team vouches for the integrity of the partner.  We need to be sure the UI delivered is of quality, hence the local team involvement.

If you're interested, please have your Citrix rep contact kate.brew@citrix.com

 Would also appreciate comments on this approach - yea or nay!


posted by Kate Brew

Most people don't realize the value of the answers to their personal security questions (Citrix Password Manager calls this Question Based Authentication.)  As it turns out, those answers are more valuable than passwords.  If someone learns enough answers to your personal security questions, they very often can reset your password and have access to your accounts.  Yes, that includes your online bank account and it's a very real problem.  In fact, I have a friend so paranoid about this that he swears his favorite color is "three."

 Some of the issues around personal security questions are kind of interesting.  For example, I've dealt with customers where personal privacy of employees is a big consideration in selecting the questions.  Let's call that one "sensitivity".  Another issue is what I'll call "changeability" - your favorite movie may change from month to month.  Then another issue is what I'll call "detectability" - my place of birth is public record, if somebody happens to know where I was born and what my maiden name was.  Both of those are completely unguessable in my case so I am probably safe on that problem. 

 Then there is always my favorite, "guessability" - there are only so many colors, even if you count teal and puce.

We can't forget the punctuation marks either.  Tricky to remember whether I indicated a teacher's name as Mrs. Winters, Ms. Winters, Mrs Winters or Ms Winters when I signed up for a web account.  Have to be careful on that one.

 We are finding that the more flexibility you can allow the better on these personal security questions for CPM.  Let companies write their own personal security questions that are more obscure than place of birth.  Let people choose between a number of security questions that they find unique and easy to remember.

In fact, I'd love some comments on pet peeves and helpful suggestions on personal security questions!
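As an added example (written for this page, not Citrix Password Manager code), the block below deals with two of the problems raised above: the "Mrs. Winters" punctuation problem is handled by normalizing answers before they are hashed, so case, punctuation and honorifics no longer lock a legitimate user out, and the guessability problem is handled by flagging a question whose answer space is so small that a handful of guesses has a good chance. The honorific list, the question keyword hints, the answer-space sizes and the iteration count are constructed assumptions.

```python
"""Added example, not Citrix Password Manager code: enroll and verify answers to
question-based authentication so that formatting differences do not lock users out,
and flag questions whose answer space is too small to resist guessing.

HONORIFICS, LOW_CARDINALITY_HINTS, the answer-space sizes and PBKDF2_ROUNDS are
constructed assumptions.
"""
import hashlib
import hmac
import re
import secrets
import unicodedata

HONORIFICS = {"mr", "mrs", "ms", "miss", "dr", "prof"}   # extend per locale
# question keyword -> rough number of plausible answers (constructed estimates)
LOW_CARDINALITY_HINTS = {"colour": 20, "color": 20, "month": 12, "day of the week": 7, "season": 4}
PBKDF2_ROUNDS = 100_000


def normalize_answer(answer):
    """Canonical form of an answer: Unicode-normalized, case-folded, punctuation
    removed, honorifics dropped, whitespace collapsed. "Mrs. Winters", "Ms Winters"
    and "winters" all become "winters"."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    text = re.sub(r"[^\w\s]", " ", text)       # punctuation is not part of the answer
    words = [w for w in text.split() if w not in HONORIFICS]
    return " ".join(words)


def enroll(answer, salt=None):
    """Store only a salted PBKDF2 hash of the normalized answer; the answer itself
    is worth more than a password, so it is never kept in the clear."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode(), salt, PBKDF2_ROUNDS
    )
    return {"salt": salt, "hash": digest}


def verify(record, answer):
    """Constant-time comparison of the candidate's hash against the enrolled one."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode(), record["salt"], PBKDF2_ROUNDS
    )
    return hmac.compare_digest(digest, record["hash"])


def guessability(question, attempts_allowed=5):
    """Estimate how guessable a question is before an administrator adopts it.

    Returns (answer_space, chance an attacker succeeds within attempts_allowed),
    or None when the question matches no known low-cardinality pattern. Lockout
    after a few wrong answers only helps when the space is large."""
    lowered = question.casefold()
    for hint, space in LOW_CARDINALITY_HINTS.items():
        if hint in lowered:
            return space, min(1.0, attempts_allowed / space)
    return None


if __name__ == "__main__":
    record = enroll("Mrs. Winters")
    print(verify(record, "ms winters"))                    # True: same answer, other formatting
    print(verify(record, "Mr. Summers"))                   # False
    print(guessability("What is your favorite color?"))    # (20, 0.25)
```

Normalization trades a little answer entropy for usability, which is the right trade for a recovery factor that is rate-limited; the guessability check is where the real decision sits, since no amount of hashing helps a question with twenty possible answers.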


posted by Kate Brew

Without Single Sign-On, users are left to their own devices (such as yellow stickies) to retain the many different passwords they need.

Trouble was that security vendors were so eager to provide this functionality (starting about 10-12 years ago), and the hype was so great, and the technology was so immature, that early SSO projects often had tragic results.  Early implementers in some cases dumped millions in services dollars to coax the immature SSO product into actually working for a subset of their applications.

 Well, the technology is mature now, and SSO really works!

With the Citrix SSO product, Citrix Password Manager (CPM), we have a very successful install base of customers, with many implementations with more than 50,000 users.   Very conveniently, CPM is included as the SSO XenApp Platinum component, bringing more value to users as well as value to IT administrators in increasing actual security by eliminating bad user behavior.


posted by Kate Brew

I just got a really nice note from a Citrix rep in Australia about the "Cookbook" available for Citrix Password Manager. He suggested we have similar tools for all Citrix products for our partners to use.

The CPM Cookbook, AKA the Citrix Password Manager Project Guide, has been on MyCitrix for a while, but I am noticing that people usually can't find it. It contains information on sizing services revenue, developing the scope of the product deployment, justifying ROI, writing the Statement of Work, creating the project plan, and documents and templates for training and other useful tasks.

It is located here on MyCitrix, under the reference desk for CPM, under Whitepapers Exclusively for MyCitrix Users: https://www.citrix.com/English/myCitrix/refDeskResults.asp?Category=product&ResourceId=7181

If you have any problem getting it, I'd be happy to send you a zipped copy. Please contact me at kate.brew@citrix.com


posted by Derek Thorslund

Who offers the "Best Identity Management Solution" on the market today? It will surprise some (who haven't yet seen the press release) to learn that the over 750 software industry vendors who make up the Software & Information Industry Association (SIIA) recently gave this accolade to a company much better known for application virtualization, namely Citrix. In fact, in this year's prestigious CODiE awards, Citrix Password Manager - our solution for centralized password management and Enterprise Single Sign-On (ESSO) to Windows, Web and host-based applications - won in two categories: "Best Identity Management Solution" and "Best Data Security Solution". That's a strong hint of the value of this product in today's IT environment and a further confirmation of what Gartner concluded in their MarketScope for Enterprise Single Sign-On, where, out of 13 vendors evaluated, only Citrix received Gartner's coveted "Strong Positive" rating. But it might lead you to ask: why isn't Citrix better known as an identity management vendor?

Citrix's important role in the Identity & Access Management (IAM) space is often overshadowed by our pre-eminent position in Application Delivery (application virtualization, application streaming, desktop streaming, web app optimization, etc.). From our perspective, identity management technologies like automated sign-on, password policy enforcement, self-service password reset, and application access control (SmartAccess™) are all part of the complete Application Delivery equation, simplifying the end user's access experience while improving IT security and regulatory compliance. That's why Citrix Password Manager is available not only as a standalone product; it also powers the single sign-on capabilities of Citrix Presentation Server Platinum Edition. Identity & Access Management is all about controlling access to IT resources based on the authenticated identity of the user, and that's a key aspect of Application Delivery in the enterprise.

Similarly, you might not have categorized Citrix as a data security company, yet Citrix Password Manager won the award for "Best Data Security Solution". Clearly, data security is also a critical aspect of our broader theme of Application Delivery. Password Manager is currently going through Common Criteria EAL2 Certification, which will provide further testimony to the product's strong security attributes.

So, it just comes down to your own preferred taxonomy of technologies; whether you slot Enterprise SSO under Identity & Access Management or view it as part of the broader Application Delivery problem space doesn't really matter in the end. The value comes from recognizing that Enterprise SSO is a relatively quick win for any organization whose users are faced with multiple logins and a need for tighter security practices. Without modifying application code, you can streamline access while strengthening security, even making Password Manager the gatekeeper to sensitive applications (users don't even know the passwords). Through support for standards like SAML for Federation and SPML for Provisioning, and through an extensive ecosystem of Strong Authentication vendors offering a broad array of alternatives for validating user identity, Citrix's approach to Identity & Access Management provides flexibility for the future while solving the password problems that every organization needs to address immediately.
