In our two previous blog posts, we talked about zero trust the Citrix way and a key use case: why traditional VPNs don’t make the cut for a zero-trust deployment.

In this post, we’ll look at a second use case: why URL filtering alone isn’t enough to achieve a zero-trust outcome when defending against malicious URLs. A URL filtering solution is deployed to prevent a user from accidentally (or on purpose) accessing an internet site that has malicious content, or content that breaks compliance requirements. Access to malicious URLs can pose a risk to the entire network and all the devices and applications on that network, while access to links that break compliance can attract hefty fines. A common URL filtering use case for enterprise customers is protecting users from accessing malicious links that come through spam or that are embedded in otherwise safe or whitelisted web pages/URLs.

Limitations of a Traditional URL Filtering Solution

The big question is always: are the URLs deemed safe or whitelisted by these URL filtering engines really safe, and can they be trusted? According to the 2019 Webroot Threat Report, 40 percent of the malicious URLs were found on good domains.

So how do we protect against an enemy that’s posing as a friend?

Before we jump into the solution, let’s talk about the limitations of a traditional URL filtering engine.

  • Implicitly trusts a whitelist URL: A traditional URL filtering engine assumes trust for a whitelist URL. As a reminder, 40 percent of malicious links are embedded in URLs that are presumed to be safe. For example, anyone with access to a Facebook or LinkedIn page deemed safe by a URL filtering engine can post a malicious URL that others can access. These malicious links can affect your devices and networks once they are accessed by users connected to your network. Similarly, there are millions of other web pages, deemed safe by URL filtering engines, that can host these malicious links.
  • No way to address “grey status” on URLs, which affects end-user productivity: A traditional URL filtering engine offers binary controls to either allow or block a URL based on the policies defined by an administrator. These policies are based on specific URLs and/or categories of URLs that a URL filtering engine defines as either blacklisted or whitelisted. Having a binary set of rules prevents a user from accessing content they need to get their job done. The result? A frustrating user experience that can lead to disengagement and loss of productivity. These binary rules exist because in a traditional solution there is no “third” way to securely access sites that fall between the two existing categories.
  • Requires device to be managed: Most URL filtering engines push a PAC file to the end user’s device, which is either managed or has to be connected to a domain. But what about unmanaged or BYO devices? According to the 2019 Webroot Threat Report, home-user devices are more than twice as likely to be affected as business devices. And these devices are used to access corporate information. Now, you can connect the dots.
  • Requires multiple vendors to protect against malicious URLs: To protect from a breach caused by a malicious link, enterprises often deploy multiple vendor solutions to secure endpoints and provide device management, URL filtering, and browser isolation. That’s in addition to multiple analytics and monitoring platforms. This becomes costly and complex to maintain over time.

How can we simplify our security infrastructure so it’s more secure, easier to manage, and doesn’t get in the way of employee productivity?

Citrix Workspace, Powered by Citrix Access Control, Provides the Solution

Citrix Workspace offers an integrated approach to securing internet access from both managed and unmanaged BYO devices, from within the solution. In addition to managing user devices, our approach focuses on protecting a user’s workspace on both managed and unmanaged BYO devices and ensures user information is always protected, whether accessing whitelist or blacklist URLs or URL categories from a managed or an unmanaged BYO device.

Citrix Workspace with Citrix Access Control offers a URL filtering engine and an integrated browser isolation service that give an admin the choice to completely block a URL, access any URL in a sandbox environment, or take a cautious approach even for accessing whitelist URLs. This ensures users get access to the information they need, does not have an impact on productivity, and provides protection against any unforeseen threats or malicious content delivered from the internet. It’s a win for all parties.

In addition to providing the above-mentioned controls, Citrix Workspace with Citrix Analytics for Security offers monitoring and calibrating of all user activity and provides data that makes the policies adapt to a user and their user profile in the system. With this data, an admin can decide all appropriate controls to apply, given the user’s risk score. This is the core of the zero-trust model Citrix offers.

How does it work?

To learn how Citrix ties our security in with single sign-on and protects the workspace, check out the demo video below.

An IT or a security admin can configure web filtering and secure browser policies with Citrix Workspace. For a true zero-trust deployment, having secure browser policies for some, if not all, whitelist and grey URLs is a must. This will not only protect you from unknown threats embedded in websites that are known to be trustworthy, but also allow users access to information on the internet they need to get work done, in a secure and an isolated environment.

Once web filtering policies are defined within the Citrix Access Control service UI, user traffic from Citrix Workspace is automatically proxied through Citrix Access Control’s globally distributed cloud-service point-of-presence (PoP) locations. There, URLs are analyzed and appropriate policies are enforced.

For blocked links, Citrix Access Control service denies access to the URL or embedded link; for approved or allowed links, Citrix Access Control service allows the user to access the link; and for links that require caution, Citrix Access Control redirects the URL to Citrix’s Secure Browser service, which automatically starts a new isolated browser session for the user. Users are directed to the nearest PoP location available for Citrix Workspace and Citrix Access Control to ensure the most optimal performance.
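The three-way decision described above, sketched as an added example (not Citrix code or configuration): the domain lists, the `decide` function and the risk threshold are hypothetical, and the rule that a high user risk score moves an allowed URL into isolation is an assumption of this example.

```python
from urllib.parse import urlsplit

# Constructed sample policy; hostnames, names and threshold are illustrative only.
BLOCKED = {"malware.example"}
ALLOWED = {"intranet.example", "docs.example"}
# Reputable domains that carry user-posted links: trusted host, untrusted content.
ISOLATE = {"social.example"}
HIGH_RISK = 70  # assumed risk-score threshold on a 0-100 scale


def _matches(host, domains):
    """True if host equals a listed domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def decide(url, user_risk=0):
    """Return 'block', 'allow' or 'isolate' for one outbound request."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return "block"                      # malformed URL
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "block"                      # non-web scheme or no host
    # Match on the parsed hostname, never on the raw string, so userinfo
    # ("good@bad") and look-alike prefixes cannot satisfy a whitelist entry.
    host = parts.hostname.rstrip(".")
    if _matches(host, BLOCKED):
        return "block"                      # explicit deny wins
    if _matches(host, ISOLATE):
        return "isolate"
    if _matches(host, ALLOWED):
        # A whitelist entry is not unconditional trust: risky users are isolated.
        return "isolate" if user_risk >= HIGH_RISK else "allow"
    return "isolate"                        # grey/uncategorized: the third option


if __name__ == "__main__":
    for u in ("https://docs.example/a", "https://www.social.example/post/1",
              "https://intranet.example.evil.test/", "https://malware.example/x"):
        print(u, "->", decide(u))
```

Uncategorized URLs fall through to isolation rather than to allow or block, which is the behaviour a binary filter cannot express.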

The Role of Citrix Analytics for Security in Zero Trust

Citrix Analytics for Security monitors all the end-user traffic coming from Citrix Workspace. It evaluates all the user activity and the actions taken by a user while accessing information within Citrix Workspace. Additionally, it calculates a risk score for users. A user’s risk score increases if there are anomalies detected or if a user tries to complete an unauthorized task or access a blacklist URL. The dashboard below shows seven high-risk users and five medium-risk users.

With Citrix Workspace, powered by Citrix Access Control service, you can allow both whitelist and risky/gray state URLs to be accessed within an isolated environment, using Citrix Secure Browser service. The screenshot below shows an admin UI within Citrix Access Control service, where you can define these redirect policies.

Citrix Workspace Provides a Zero-Trust Outcome for a Web Proxy

Citrix Workspace, powered by Citrix Access Control service and Citrix Analytics for Security, provides a zero-trust deployment for a web proxy. It integrates the user experience for both the reverse proxy (single sign-on, VPN-less access to web and SaaS apps) and the forward proxy (web proxy, browser isolation) so an end user doesn’t have to log in separately while accessing both corporate and internet applications.

Start Your Zero-Trust Implementation with Citrix

Interested in trying the Citrix Access Control service? Request your free trial by creating a free Citrix Cloud account and clicking on the “Request a Free Trial” tile for Citrix Access Control. You can try out Citrix Analytics for Security by selecting the Analytics tile in Citrix Cloud.

If you already have a Citrix Cloud account, you can log in to your account and be guided through the process of setting up single sign-on for on-prem hosted enterprise web applications. Refer to the online documentation page for detailed information on configuring web apps.