The changes in the way we work have been happening for a while. But now they’ve been accelerated by a global pandemic that has pushed organizations to rapidly move digital transformation forward.

At the same time, the millennials, a digital-savvy generation, are quickly becoming the majority of the workforce, and they bring with them very decisive expectations about how and where they want to embrace work.

Organizations need to embrace these modern, consumer-modelled, user-friendly, and cloud-based working models, allowing choice and flexibility for BYO and modern SaaS applications. But at the same time, they need to ensure a safe and secure experience for external and hosted applications and data.

At the Citrix Security Summit, we showed how Citrix is further broadening our cloud security stack. We announced two new services — Citrix Secure Workspace Access and Citrix Secure Internet Access — that allow Citrix to help most of you who are looking to move your on-prem security solutions like VPNs, SWGs, and DLP controls to cloud and delivered as a service.

Security and the Flexible Work Model

A key problem for the flexible work model is that the existing security controls that make up the network perimeter around corporate datacenters aren’t effective in a world where data and apps are scattered inside and outside the datacenter.

On top of that, with flexible work and employees using BYO devices over VPN solutions, organizations require that all traffic gets routed through the datacenter. That creates concerns around employee privacy. But wait, there’s more!

  • Employees need to work securely from any device without sacrificing user experience or productivity. However, point web-security products don’t work with unmanaged devices outside the network perimeter. They degrade the native employee experience.
  • Threats that may be introduced through malicious websites, including those spoofing web conferencing sites, must be isolated off the corporate network and devices to protect the organization’s network and data.
  • Employees may knowingly (or unknowingly) access restricted websites. The organization must block those attempts to protect its assets.

Your workforce requires consistent, fast, and secure access everywhere. Citrix Secure Workspace Access is a cloud-native solution and an integral part of Citrix’s zero trust framework with unified management. Zero trust is achieved through the implementation of a framework or a collection of products with zero trust principles built-in and integrated, along with a collective approach to achieve business outcomes. This removes the need to add redundant point solutions and the constant search for ways to reduce the threat surface.

Citrix delivers a seamless approach to flexible work by enabling workforce productivity and engagement with a consistent and secure employee experience. Adopting the zero trust framework with Citrix can improve technology performance across your organization — and with it, your employee experience, productivity, and engagement.

In this three-part series on the new Citrix Secure Workspace Access, we will cover:

  • How Citrix protects the IT perimeter from web-borne threats and enables easy access for users, wherever they are, regardless of device, from one or many clouds, on premises, or mobile devices.
  • How users get contextual access to apps and data, and how this access is only granted based on skills, job role, certification level, or other organization-established criteria.
  • How IT, with a holistic, consolidated security strategy, can manage all devices and controls policies for user access, including the ability to assess threats, stop risky behavior, and detect issues.

VPN-Less Access to Internal Web Apps

The enterprise application spectrum includes both SaaS and internal web apps that users must access to get their work done. Traditionally organizations provided access to internal web apps through VPNs. However, with the shift to a more flexible work model and, in some cases, permanent remote work, VPNs have become an even more prominent bottleneck and an area of security concern.

Citrix Secure Workspace Access provides secure access to on-premises web apps without the need for an appliance-based VPN or plug-ins on end-user devices. Citrix Secure Workspace Access is a SaaS-based offering that provides a more secure way to access on-premises apps and does not require Layer 3 access to the entire network, providing a better security approach.

Traditional VPNs that allow employees to connect to on-prem resources expose the corporate network and increase the security risks associated with network-level attacks. This is a considerable risk, especially when you have situations where most of the workforce is connecting from remote locations and using personal or unmanaged corporate devices. It also exposes employee privacy because all traffic, both business and personal, goes through the corporate datacenter and is monitored by IT.

Further, with all the user traffic going through the corporate network, web-borne threats that may be introduced by visiting malicious websites, including those spoofing web conferencing sites, are now free to roam across other corporate resources.

Using VPNs presents several challenges:

  • Management complexity: VPNs require installing an agent on end-user devices. Employees need access to corporate applications and data from personal devices that may not be managed. A traditional VPN solution is not only complex to set up, it’s also time-consuming to manage and maintain. If the VPN isn’t up to date, it can be susceptible to attacks.
  • Increased attack surface: A VPN tunnel into a datacenter enables remote user access to the entire corporate network, even though an end user may only require access to a small subset of apps based on their role and job function. And increasingly, these applications are accessible through a web browser. Opening access to the entire corporate network increases the threat surface and significantly increases the probability of an attack.
  • Lack of context: VPN solutions don’t account for the changes associated with the user or device and can’t enforce contextual policies. If a device is jailbroken or stolen and gets into the wrong hands, all bets are off.
  • Traffic backhauling: For SaaS applications, having an appliance for VPN at the datacenter means backhauling all end-user traffic to a datacenter. That affects performance and the end-user experience.
  • One-time check: A traditional VPN only checks for user-authentication at the time of login, so a hacker with stolen credentials could access all the networks and apps. There is no further check or monitoring throughout the session to ensure a user is the same person they claim to be.

Citrix VPN-Less Service Overview

Citrix maintains globally distributed cloud-service points of presence (PoPs) that securely connect to the web apps hosted in the on-premises datacenter and act as an authentication and traffic proxy for all incoming user connections. For optimal performance, users are directed to the nearest PoP location.

A connector software is deployed on-premises, where the internal web apps are hosted, to act as a bridge between enterprise web apps and cloud-service points. The connector can be deployed in a high-availability pair mode and only requires an outbound connection. No inbound connections or ports need to be open or allowed.

A TLS cryptographic protocol connection between the connector and the cloud-service secures on-premises apps enumerated into the cloud service. Web apps are accessed and delivered through Citrix Secure Workspace Access using the VPN-less connection.

This model hides the existing web-app infrastructure to the outside world, drastically reducing the attack surface.

IT admins can configure the Workspace app to include access for all applications required by the employees and other SaaS and virtual apps and desktops — or a Workspace Web app can also be accessed. This enables an essential aspect of the zero trust model, where access is granted only to specific apps required for employees to do their job. There’s no access provided to the network itself, significantly improving the organization’s security posture and reducing the attack surface.

Employees can easily access their apps from the device of their choice by simply authenticating and launching from an app icon within the Workspace app.

Citrix Workspace also offers integrated single sign-on and multi-factor authentication to access SaaS and Web applications, improving the corporate security posture and simplifying user access. We will discuss those items more in Part 2 of our series.

What’s Next

In the second post in our series, we cover SSO for SaaS and web apps, contextual access policies, multi-factor authentication, and new enhanced security policies. And in our final post in the series, we look at BYO, unmanaged devices, and the Citrix Secure Browser service.

In the meantime, get started today and learn more about migrating from a traditional VPN to a VPN-less solution with Citrix Workspace.