I recently had a meeting with a large healthcare organization that was intrigued with the Workspace Access Control solution that uses the embedded browser inside Citrix Workspace app. However, after seeing a demonstration, their response was along the lines of: “So, why do I need this? What’s wrong with a regular browser?”

First, let’s clarify some browser definitions.

Embedded Browser – This is a Chromium-based browser, embedded inside Workspace app, that adds configurable security functions along with traditional Receiver components.

Citrix Secure Browser Service – This is a browser hosted in a virtual machine in Citrix Cloud that is launched and deleted with each use. It can be a standard browser or a hosted instance of the Citrix embedded browser.

Citrix Virtual App (XenApp) Secure Browser – Similar to the Secure Browser Service, but the browser is hosted (published) from an organization’s Citrix Virtual App and Desktop (XenApp) data center.

Native Browser – The local default browser on a Windows PC or Mac (Chrome, IE, Edge, Safari).

As organizations adopt and expand the use of SaaS and web applications, these often get deployed to a native “regular” browser. The problem is that although there may be some authentication control with the initial login, IT has no control over the SaaS/web session beyond that. Users can download any amount of data, copy and paste into non-sanctioned services or devices, and print any sensitive information, and sensitive data can be cached in the browser. If the SaaS app includes links to risky malware sites or policy violations, a standard browser offers no protection. Not only is there no control over SaaS and web traffic, there is no IT visibility into what is happening.

If, however, an organization adopts Citrix Workspace, IT gets the ability to securely deliver SaaS and web applications to users and still maintain full control over not only the SSO authentication, but the entire session. On a per-app basis, IT can configure SaaS/web apps to launch from the Workspace app and inside the embedded browser with enhanced security features. This includes copy/paste control and watermarking, plus the ability to define the control bar features to include or exclude printing. Soon IT can also add App Protection policies including Keystroke Logger and screen copy protection.

With Citrix Workspace and Access Control enabled, if a user clicks on a link inside the SaaS app, the URL is directed through a web filter that blocks any known malware sites as well as policy violations. If a URL is unknown, then it is seamlessly directed to the Secure Browser Service to open safely outside the organization’s network. This is more effective than standard web filters that don’t find zero-day exploits or may block legitimate site access.

In addition, information is sent (with IT control) to the Citrix Analytics platform, which can then identify and score user behavior risks, notify IT/security, and even log off and block a user. When SaaS apps are configured with SAML for SSO, the SaaS service will automatically redirect to Citrix Access Control and prevent users from gaining access through a back door. So, if a user downloads an excessive amount of sensitive data, for example, this could be flagged and even blocked. This capability can enhance or even replace Cloud Access Security Broker (CASB) solutions, which have their own overhead and limitations.

For SaaS and web apps that do not have enhanced security requirements, IT can configure the apps to launch with SSO or simply provide links to designated URLs. For SaaS and web apps that have special browser requirements, such as IE or specific plug-ins, the Citrix Virtual App (CVAD) Secure Browser can be published alongside other apps launching in the embedded browser.

Note that the embedded browser opens locally on a PC/Mac and does not consume servers, storage, or added licenses, providing a significant level of control without the conventional overhead.

“OK, our security guys will like this … but what’s in it for the user?”

Users can also benefit from Workspace Access Control in a number of ways. They get all their apps in one place and can favorite the ones they use the most. SaaS apps are displayed right alongside hosted Windows and web apps. They get instant SSO access to any SaaS app after authenticating once to Citrix Workspace. Apps launch fast locally.

In Windows, all apps are available in the Start menu and taskbar as real apps, not browser icons. On Mac, SaaS app icons appear in the native Dock.

If a user does not have Citrix Workspace app, they can still gain access from any HTML5 browser, which will then route enhanced security apps to open in the Secure Browser Service.

Looking forward, consider how controlling the browser can provide a platform for added features including additional analytics, security, control and better user experience. Stay tuned for a case study and let me know of any questions.