This case study describes the fundamental components of the security architecture at Block and Company and how data is transferred across secure connections.
Citrix: Information distributed through Citrix is secured in two steps.
Step 1 is verifying that the entered username and password are valid (checked against the directory of authorized users). As shown in the diagram, the username and password are encrypted (using SSL, Secure Sockets Layer) before they cross the Internet, so that they cannot be read if intercepted. The lock icon on your web browser indicates this encrypted connection; it confirms the connection is encrypted to the site shown in the address bar, so the user should also confirm that the address is the company's. If the username and password are valid, the user gains access to those resources they have been given rights to.
Step 2: once the user is validated, the Citrix server establishes a "session" for them to work in, and every program run, every piece of data accessed and every e-mail read is handled within that Citrix session (this is BEHIND the firewall). The user, connected across the Internet, is "viewing" what happens in their Citrix session through a secure (SSL) connection as well. Only screen output and keyboard and mouse input cross the Internet; the data itself stays behind the firewall. Therefore all work being performed, and all data viewed, is encrypted in transit and cannot be read by anyone on the network path.
VPN: A VPN (Virtual Private Network) connection is a technology that lets a remote user connect to the corporate network over the Internet as if they were physically attached to it. The advantage of the VPN is that it encrypts all files and data moving across the connection, so that they are unreadable to anyone intercepting the traffic. Unlike Citrix, a VPN places the remote computer on the corporate network, so that computer's own security becomes part of the network's security.
As with the Citrix connection, the first step is to authenticate that the user has access to the network. Simply put, they are given a login and password, and the firewall device verifies that they have rights to access the network. Once the VPN connection is established, they are able to log in to the network and gain access to the resources they have been given rights to.
Similar to the Citrix connection, Step 2 is the encryption of all data before it is transmitted across the Internet, using "strong" 128-bit encryption algorithms.
Because VPNs are very powerful, their use is limited to those trusted third parties, and Block users, that require them and meet policy standards (for BLC, Stacy). Corporate policy has established that VPN clients cannot be loaded onto laptops or home computers; all access to corporate resources from those machines must be done through Citrix.
Exchange Web Client: The advantage of the Exchange web client is quick access to e-mail without the need to establish either a Citrix connection (to run Outlook) or a VPN (and then run Outlook). As long as you have a web browser you are able to read your e-mail. Just like the two methods described above, there are two steps to gain access to e-mail.
Step 1 is to verify that the entered username and password are valid against the directory of authorized users. As shown on the diagram, the username and password are transmitted over an SSL (encrypted) channel to prevent them from being captured in transit.
Step 2: once authenticated, the user is presented with the Outlook Web Client, which allows the reading, composing and managing of all their e-mail. As shown in the diagram, all of this transfer of information is done using SSL and is therefore protected in transit. SSL protects the data while it moves across the Internet; it does not protect it on the computer being used to read it.
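The two-step pattern that both the Citrix and the Exchange web client descriptions above share (verify the username and password against the directory, then establish a session that is bound to that user and limited to the resources they have rights to) is shown below as an added Python example. It is not code from Block and Company's systems or from Citrix or Exchange. The user directory, the user names (jdoe, asmith), their passwords and the resource names (email, mfgpro) are all constructed for the example; salted PBKDF2 hashes stand in for whatever the real directory stores, and the session lifetime is an assumed value.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed stand-in for the directory of authorized users. The users,
# passwords and resource names are hypothetical; passwords are stored as
# salted PBKDF2 hashes, never in the clear.
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_directory(entries: dict) -> dict:
    """entries maps username -> (password, set of resources the user has rights to)."""
    directory = {}
    for username, (password, resources) in entries.items():
        salt = os.urandom(16)
        directory[username] = {
            "salt": salt,
            "hash": hash_password(password, salt),
            "resources": frozenset(resources),
        }
    return directory


DIRECTORY = make_directory({
    "jdoe": ("correct horse battery staple", {"email", "mfgpro"}),
    "asmith": ("a-different-long-passphrase", {"email"}),
})

# Dummy values so a lookup of an unknown user still costs one hash computation
_DUMMY_SALT = bytes(16)
_DUMMY_HASH = bytes(32)


class SessionStore:
    """Step 1 (login) verifies the credentials; Step 2 (authorize) checks every
    later request against the session and the user's granted rights."""

    def __init__(self, ttl_seconds: int = 900):
        self.ttl = ttl_seconds          # assumed session lifetime
        self._sessions = {}

    def login(self, transport_scheme: str, username: str, password: str, now=None):
        now = time.time() if now is None else now
        # The "lock icon" rule enforced on the server side: credentials are
        # only accepted when they arrived over an encrypted (https) channel.
        if transport_scheme != "https":
            return None
        record = DIRECTORY.get(username)
        salt = record["salt"] if record else _DUMMY_SALT
        expected = record["hash"] if record else _DUMMY_HASH
        candidate = hash_password(password, salt)
        # Constant-time comparison; an unknown user and a wrong password look
        # the same to the caller.
        if record is None or not hmac.compare_digest(candidate, expected):
            return None
        # Step 2: a session bound to the verified user, identified by an
        # unguessable token and limited to a fixed lifetime.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": username, "expires": now + self.ttl}
        return token

    def authorize(self, token: str, resource: str, now=None) -> bool:
        now = time.time() if now is None else now
        session = self._sessions.get(token)
        if session is None:
            return False
        if now >= session["expires"]:
            del self._sessions[token]   # expired sessions are discarded, not revived
            return False
        # Only the resources the user has been given rights to are reachable.
        return resource in DIRECTORY[session["user"]]["resources"]

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)


if __name__ == "__main__":
    store = SessionStore(ttl_seconds=60)
    print("login over http:", store.login("http", "jdoe", "correct horse battery staple"))
    token = store.login("https", "jdoe", "correct horse battery staple")
    print("mfgpro:", store.authorize(token, "mfgpro"), "payroll:", store.authorize(token, "payroll"))
```

The `now` parameter exists so the expiry behaviour can be exercised without waiting; in a real deployment it is simply the current time. The point the example adds to the text is that the second step is not only "encrypt the session" but also "bind the session to the verified identity and its rights, and end it after a fixed time".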
Summary: It should be noted that there is no one "right" way to access data on the system. For example, you could use all three methods to view and manage your e-mail, and they would be equally secure. MFG/Pro users could use either Citrix or VPN and still maintain the necessary level of security. Care has been taken to provide the right method to fit the business need. In all instances, the underlying "technology" meets best practice and aligns with corporate policy to ensure Block and Company is protected.
With that said, much care should be taken to ensure that usernames and passwords are well managed, not shared, and kept strong (in alignment with our password policy). Every method described above begins by verifying a username and password, so protecting those credentials is central to keeping the system secure as a whole.