In our previous blog post, we discussed Citrix’s approach to zero trust outcomes with our Citrix Workspace and Citrix Networking solutions. In this post, I will elaborate further on our solution to address a key use case for secure access to enterprise web applications.

A common use case for remote workers to access corporate apps and data is predominantly achieved through virtual private network (VPN) technology. However, with evolving threats, and changes in the application and mobility landscape, is this still the right approach for zero trust access? Let’s take a look.

Limitations of a Traditional VPN-Based Solution

VPNs have long been the traditional way to access corporate applications and data outside corporate locations. This model has worked for use cases where end users get access to the corporate network, typically from approved corporate-managed devices only. End-user trust is strictly based on the notion of access to the corporate network.

With applications being modernized for web-based access and deployed in multi-cloud environments, the traditional VPN model doesn’t adequately meet the needs of the evolving use cases and falls short on end-user experience and security. There are several limitations when it comes to implementing a zero trust solution with this traditional approach:

  • Management complexity: VPNs require installing an agent on end-user devices. End users are demanding access to corporate apps and data from personal devices that may not be managed by an MDM solution. The operating systems on end-user devices vary widely: Windows, macOS, iOS, Android, Linux and others. A traditional VPN solution is not only complex to set up, it is also time-consuming to administer and manage.
  • Increased attack surface: A VPN tunnel into a data center gives a remote user access to the entire corporate network, even though that user may only require access to a small subset of applications based on their role and job function. Increasingly, these applications are accessible through a web browser. Opening access to the entire corporate network not only increases the threat surface but also significantly increases the probability of an attack. Clearly this is not an adequately secure model for access.
  • Lack of context: VPN solutions don’t account for changes in context, such as user or device state, when defining and enforcing contextual policies. If a device is jailbroken or stolen and gets into the wrong hands, all bets are off. This, again, defeats the zero trust model.
  • Traffic back-hauling: For applications accessed as SaaS, having an appliance for VPN at the data center means backhauling all end-user traffic to a data center, affecting performance and the end-user experience.
  • One-time check: A traditional VPN only checks user authentication at the time of login. An attacker with stolen credentials could access the entire network and all apps. There is no further check or monitoring in place to ensure a user is the same person they claim to be throughout the session.

There’s a Better Way

How about a solution that can overcome these restrictions and better align with the evolving needs for governing secure access? What if you could do away with device-based agents and client certificates? What if you could simply enable end-user access to just the right set of applications through a web browser, irrespective of whether the application is hosted in a data center or on a public cloud? Access isn’t just network-based but governed through contextual information that is end-user and device-based. Additionally, the system could continuously monitor end-user activities and assess user behavior and patterns, in addition to performing authentication checks.

It’s a reality right now. As part of Citrix Workspace, Citrix Secure Workspace Access along with Citrix Analytics for Security provide this solution.

Solution Overview

Citrix Workspace, powered by Citrix Secure Workspace Access and Citrix Analytics for Security, is a Citrix-managed SaaS solution that provides end-user access to sanctioned web-based and virtual apps deployed on-premises within a corporate network. With Citrix Secure Workspace Access, security admins can provide the right levels of access to applications deployed on premises without opening access to the entire network and enforce security policies that are contextual.

This model offers a secure alternative to the traditional VPN appliance-based approach and helps reduce your on-premises footprint. With Citrix Analytics for Security, security admins gain continuous user risk assessment and mitigation to protect the business after initial login validation. Policies are easy to set up and can be created to monitor various user behaviors as they interact with Citrix Workspace components. Once policy thresholds are triggered, closed-loop actions can be initiated.

How Does It Work?

Check out this demo of how the solution works:

IT admins can configure Citrix Workspace to include access for enterprise web applications along with other SaaS and virtual apps and desktops. This enables an important aspect of the zero trust model, where access is granted only to specific applications required for end users to do their job. There’s no access provided into the network itself, significantly improving the organization’s security posture by reducing the attack surface. End users can easily access Citrix Workspace from the device of their choice and access the web application they need by authenticating and launching it from an app icon within Citrix Workspace.

End-user traffic from Citrix Workspace is automatically proxied through Citrix Secure Workspace Access’ globally distributed cloud-service points of presence (PoPs), which securely connect to the web applications hosted in the on-premises data center. For optimal performance, a user is directed to the nearest available PoP for Citrix Workspace and Citrix Secure Workspace Access. Connector software is deployed on premises, within the data center, to act as a bridge between enterprise web apps deployed on premises and the Citrix Secure Workspace Access service in the cloud. The connector can be deployed in an HA pair and only requires an outbound connection. No inbound connections or ports need to be opened.

A TLS connection between the connector and the Citrix Secure Workspace Access service in the cloud secures the on-premises applications that are enumerated into the cloud service. Web applications are accessed and delivered through Citrix Workspace using a VPN-less connection. This model hides the actual web-app infrastructure from the outside world, reducing the attack surface.

The following illustration shows how an end user accesses web apps using Citrix Workspace and Citrix Secure Workspace Access.

Governing Access and Enforcing Security Controls

Security admins can also define and enforce secure access policies for each web app easily from the Citrix Secure Workspace Access policy console. These enhanced security controls include the ability to enforce watermarking and to restrict actions such as downloads, printing, navigation, and clipboard access, further driving trust-based access to sanctioned web apps.

Continuous Monitoring and Authentication with Citrix Analytics for Security

Citrix Analytics enables security admins to continuously monitor and identify inconsistent or suspicious activities and provides actionable insights into user behavior and usage. Specifically, Citrix Analytics for Security offers continuous monitoring and insights into website access such as malicious, dangerous, or unknown websites visited, bandwidth consumed, and risky download and upload activity. If a user is downloading excessive amounts of data, an action can be triggered to request a response from the user to validate their identity. Based on the user reply, a secondary action could be triggered.

Rules can be configured in Citrix Analytics to trigger specific actions on user accounts based on continuously assessed user risk score thresholds. For example, an end-user session authenticated into Citrix Workspace can be logged off in real time based on a change in the user’s risk score. Security admins can re-enable access once the user’s risk score drops back to an acceptable level.
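As an added illustration of the continuous-evaluation loop described in the two paragraphs above (this is example code, not Citrix’s own code or the Citrix Analytics API), the following Python scores a session from constructed telemetry events, issues an identity challenge or a logoff when thresholds are crossed, and re-enables access only once the score has fallen back below a lower threshold. The thresholds, event types, score weights and risk decay are all assumptions of the model.

```python
from dataclasses import dataclass, field
CHALLENGE_THRESHOLD = 50   # assumed: score at which the user must validate their identity
LOGOFF_THRESHOLD = 80      # assumed: score at which the session is logged off
REENABLE_THRESHOLD = 30    # assumed: access returns only once risk drops back below this
DOWNLOAD_LIMIT_MB = 500    # assumed: session download volume this model calls "excessive"

@dataclass
class Session:
    state: str = "active"            # active | challenged | logged_off
    risk: int = 0
    downloaded_mb: float = 0.0
    actions: list = field(default_factory=list)

def score_event(session: Session, event: dict) -> int:
    """Update the running risk score from one telemetry event (constructed event types)."""
    kind = event["type"]
    if kind == "site_visit":
        session.risk += {"malicious": 40, "dangerous": 20, "unknown": 5}.get(event["category"], 0)
    elif kind == "download":
        session.downloaded_mb += event["mb"]
        if session.downloaded_mb > DOWNLOAD_LIMIT_MB:
            session.risk += 30
    elif kind == "challenge_response":  # a passed check lowers risk, a failed one raises it
        session.risk = max(0, session.risk - 40) if event["passed"] else session.risk + 50
    elif kind == "idle":                # risk decays while nothing suspicious happens
        session.risk = max(0, session.risk - event.get("decay", 10))
    return session.risk

def apply_policy(session: Session) -> str:
    """Closed-loop action for the current score; the lower re-enable bar adds hysteresis."""
    if session.state == "logged_off":
        if session.risk < REENABLE_THRESHOLD:
            session.state = "active"
            session.actions.append("re-enable")
    elif session.risk >= LOGOFF_THRESHOLD:
        session.state = "logged_off"
        session.actions.append("logoff")
    elif session.risk >= CHALLENGE_THRESHOLD and session.state == "active":
        session.state = "challenged"
        session.actions.append("challenge")
    elif session.state == "challenged" and session.risk < CHALLENGE_THRESHOLD:
        session.state = "active"
    return session.state

def run(events: list) -> Session:
    # Evaluate every event as it arrives, not only at login (the one-time check problem above).
    session = Session()
    for ev in events:
        score_event(session, ev)
        apply_policy(session)
    return session
```

The same session that was logged off at a score of 80 only gets back in below 30, so a score hovering around the logoff threshold cannot repeatedly flip access on and off.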

In Summary

Citrix Workspace, powered by Citrix Secure Workspace Access and Citrix Analytics for Security, gives users access to all their sanctioned applications, including enterprise web apps, SaaS, and virtual and mobile apps, from one place and enables access on any device, anywhere. It not only improves the end-user experience and productivity and reduces IT complexity, it also delivers a more secure environment that is simpler for IT to manage and operate, enabling organizations to achieve zero trust outcomes.

Start Your Zero Trust Implementation with Citrix

Interested in trying Citrix Secure Workspace Access? Request your free trial by creating a free Citrix Cloud account and clicking on the “Request a Free Trial” tile for Citrix Secure Workspace Access. You can try out Citrix Analytics for Security by selecting the Analytics tile in Citrix Cloud.

If you already have a Citrix Cloud account, you can log in to your account to be guided through the process of setting up single sign-on for on-premises hosted enterprise web applications. Refer to the online documentation page for detailed information on configuring web apps.

Stay tuned for our next blog post, where we’ll look at why URL filtering alone isn’t enough for a zero trust solution to protect against web-based threats.