Historically, IT network security has been based on a traditional castle-and-moat concept. In this model, access to corporate information by end users and user devices from outside the network is protected by a combination of firewalls, device-posture assessment, and remote-access technologies like a VPN solution.

However, access to the same corporate resources by users and user devices from within the network is trusted by default and doesn’t require extensive investigation.

The shift of applications and data from the data center to cloud hosting or SaaS delivery has led to a shift from a single corporate perimeter to a perimeter-less digital workspace, rendering traditional castle-and-moat security models obsolete. Allowing access to protected or corporate resources simply by determining whether the user and device are inside the network is fraught with security vulnerabilities. It is widely estimated that the average cost of a single data breach is about $4 million.

Today’s digital business, where applications, devices, and users often live and work outside of the corporate boundary, requires continuous assessment of contextual factors — user, device, location, network, threat signals, and more — to provide secure access to corporate resources, irrespective of where they’re hosted. Context is no longer static, and a one-time authentication for access to all resources is no longer valid. Incorporating a zero trust philosophy and providing adaptive access based on the appropriate level of risk is a sine qua non for today’s work environment.

Zero trust is an emerging security paradigm that requires enterprises to not trust any entity (e.g. user, device, apps, APIs) inside or outside the perimeter of the network at any time. Instead, it requires a way to continuously assess and continuously authorize every user and every device looking to access any protected resource.

Continuous assessment and continuous assurance are not achieved by implementing multiple point products that don’t integrate with each other. They are achieved by implementing a security solution that provides a centralized approach to defining and monitoring security controls. In other words, enterprises must look for vendors whose solutions cater to all types of devices, support access to all types of applications and data, and are delivered across all types of networks.

The Citrix Approach

Citrix approaches the zero trust security model and broader security within Citrix Workspace in the following ways:

  1. Providing zero trust-based adaptive access to protected resources
  2. Protecting users from threats on BYO/unmanaged and managed devices
  3. Protecting corporate data and files from threats without compromising experience

Zero Trust-Based Access

Citrix Workspace enables secure access to company resources like SaaS and internal web apps, native apps, virtual apps and desktops, and files on any device from anywhere, without the need for a VPN solution. Unlike other access management solutions, it not only provides SSO to SaaS and web apps, it also provides additional security controls to protect data within these apps. Using our security capabilities, admins can insert watermarks on SaaS pages that have critical and highly sensitive information; they can prevent copying data from these applications; and they can prevent user and corporate data being stolen by preventing access to malicious links embedded in these applications. Citrix Workspace’s VPN-less remote access to enterprise web apps provides better security and end user experience than traditional VPN models. Learn more about VPN-less access to enterprise web apps and why traditional VPNs don’t make the cut.

Citrix Analytics for Security continuously monitors signals and assesses risk scores to provide continuous assurance and adherence to the zero trust philosophy of “never trust, always verify” before providing access that is appropriate to the level of risk/security posture of the enterprise’s security operations center (SOC). Its ability to aggregate events from the entire Citrix portfolio of services and ingest risk indicators from third-party security solutions like Microsoft Security Graph to create user risk scores is unique in the industry.

Example of Security Analytics policy creation for continuous monitoring of signals

Protect the User by Protecting the Workspace on BYO/Unmanaged Devices

Protecting the user from external threats is of paramount importance for a secure work environment. Citrix protects the user by protecting the workspace. Citrix Workspace’s anti-key logging technology provides transparent protection against malicious key loggers and screen-capturing malware. URL filtering and remote browser isolation solutions protect the user from malware attacks such as phishing and ransomware. URL filtering isn’t enough for a zero trust deployment, and Citrix’s approach protects users from internet malware on both BYO/unmanaged and managed devices. This enables remote workers to use their BYO devices and still securely access corporate data without compromising productivity.

Citrix’s BYO identity approach not only enables enterprises to preserve their investments, it also allows them to leverage native IdP security capabilities like two-factor authentication and biometrics to protect the user within Citrix Workspace. These capabilities can be triggered based on contextual factors at the time of logon. Citrix Analytics for Security provides a secure envelope around the user by continuously monitoring events and risk indicators from Citrix services and third-party security solutions such as Azure AD protection from Microsoft. Learn more about incorporating third-party signals for risk assessment in our “Citrix Analytics unifies threat intel with Microsoft Security Graph” blog post.

Protect Data and Files Without Compromising Experience

Context-enabled DLP security controls within Citrix Workspace, like anti-screen capture, copy/paste containerization, watermarking, and enabling/disabling of downloads and printing, ensure company data is protected from insider threats or compromised users. Citrix microapps play a role in protecting data by reducing the attack surface of system-of-record applications by exposing only the most common actions within the workspace.

The mobile device management and mobile application management capabilities of Citrix Endpoint Management, along with its integration with Microsoft Endpoint Manager, secure data across devices and provide rich data protection policies for data-at-rest/in-use/transit, preventing corporate data leakage.

Citrix Files’ inherent security, with configurable controls such as granular access controls, audit logs, account lockout, and session timeout thresholds, protects corporate documents. Combined with Citrix Analytics for Security, Citrix Files can enable customers to detect anomalies in file-related activities, identify breaches, and take appropriate actions.

Example of Citrix Workspace DLP capabilities for web and SaaS apps

Citrix Differentiation

Zero trust is an emerging security paradigm, and you’ll see more companies adopting the approach as they deliver their products and services. What makes Citrix different?

  • The Citrix portfolio and the integration within our products provide the widest profile of use cases you can get from a single vendor. The ability to provide an SSO and VPN-less experience and granular security controls at the application layer with Citrix Secure Workspace Access, at the device layer with Citrix Endpoint Management, and at the network layer with Citrix SD-WAN, makes us a leader in this space. Combine all these stacks and you get a single monitoring dashboard you can’t get anywhere else.
  • Citrix Analytics for Security’s continuous monitoring and risk assessment methodology, with its closed-loop-action system, provides a strong value proposition for our zero trust approach. Our methodology of issuing risk scores via ML modeling on events from the Citrix portfolio of services and third-party risk indicators like those from Microsoft Security Graph; our ability to trigger security actions that are appropriate to the level of risk or security posture of the enterprise; and our ability to enforce actions across endpoints, clouds, and applications are unique.
  • Security controls such as remote browser isolation, anti-keylogger, anti-screen capture, and workspace DLP capabilities provide a differentiated, “invisible security”-based approach to protecting the user by protecting the workspace, all without compromising experience.
  • A zero-footprint-based protection for Citrix Workspace for both managed and, more importantly, BYO/unmanaged endpoints enables customers to support widespread enterprise mobility initiatives among their workforce.

Because we design our products around centralized delivery, visibility, and control of apps and data, security is built into the core of Citrix solutions and practices. Learn how you can implement zero trust security with one solution — Citrix Workspace.

Looking for more insights? Check out the ZTNA section of our Unified Security Guide.