In Part 1 of our series on Citrix Secure Workspace Access, we looked at why organizations need to embrace modern, consumer-modeled, user-friendly, and cloud-based working models, allowing choice and flexibility for BYO and modern SaaS applications. But at the same time, they need to ensure a safe and secure experience for external and hosted applications and data.

Especially now, it’s imperative for organizations to support flexibility without increasing security risks and attack surfaces, all while delivering an engaging user experience that enables employees to be productive and deliver value.

The changes in the way we work have been happening for a while. But now they’ve been accelerated by a global pandemic that has pushed organizations to move digital transformation forward rapidly.

In Part 2, we’ll look at how Citrix enables multi-factor authentication (MFA), single sign-on (SSO) with contextual access, and secure unified access to web and SaaS apps.

Multi-Factor Authentication (MFA)

Password spraying and credential stuffing are common types of attacks used to gain access to critical systems. A Verizon study showed that 81 percent of data breaches are related to weak passwords, which are essential to the success of these attacks. There’s good news, though. According to research by Microsoft, MFA can prevent 99.9 percent of these attacks.

Citrix Secure Workspace Access offers MFA policies integrated with SSO. Users leverage a time-based, one-time password (TOTP) on a secondary device, like a mobile device, as a second authentication factor.

Further, if your organization already has an SSO provider, you can integrate into Citrix Secure Workspace Access to use the enhanced security policies and contextual access,  and users can also start connecting to Citrix Workspace with a FIDO2-compliant YubiKey, like Yubico.

Citrix Workspace customers can deploy passwordless access with YubiKeys for FIDO2 passwordless SSO through integrations with Azure Active Directory (AAD), OKTA, SAML, and various other identity providers. With FIDO2 passwordless login, the YubiKey acts as a single hardware authenticator with no shared secrets.

At the time writing, Citrix provides authentication support for Active Directory, Azure Active Directory, Active Directory + OTP, on-premises Citrix Gateway, Okta, and SSO with Citrix Federated Authentication Services. And soon, you will also have the option to use SAML 2.0 as authentication mechanisms.

Unified Access to Web and SaaS Apps

In Part 1 of our series, we discussed how VPN-less access enables organizations to secure access to internal web apps without the need to poke holes in the network perimeter or create traffic backhauling through VPNs.

However, apps today are deployed across datacenters and clouds, and they are delivered as SaaS. That means that the users need a seamless and unified way to access internal and external apps.

That’s what Citrix Workspace is all about! Citrix Workspace delivers seamless, secure access to business apps, files, and desktops from any device, anytime, anywhere to improve workforce productivity and the employee experience.

Unified Access with Enhanced Policies Overview

With Citrix Secure Workspace Access, internal web apps that require employees to have access to the corporate network are accessed using secure VPN-less access, eliminating the need for network access. Meanwhile, external SaaS apps that do not require corporate network access are accessed without backhauling the corporate network traffic to enforce web-filtering rules and/or security controls.

Citrix Secure Workspace Access recognizes the apps’ differences and automatically grants access using the appropriate methods and security context.

Further, Citrix Secure Workspace Access includes the Citrix Secure Browser service, which we’ll cover in Part 3 of our series. With the Secure Browser service, IT can be confident that users can securely navigate the web with a cloud-based browser that will minimize risk within the corporate environment.  Threats that may be introduced by visiting malicious websites, including those spoofing web conferencing sites, are isolated off the corporate network and the device. The browser is discarded at the end of the session, ensuring that any malicious software encountered while browsing the web never reaches your infrastructure.

Template Library

Citrix made sure to make SSO configuration for SaaS apps and services effortless. In the Citrix Cloud Template Library, administrators can select from dozens of popular and pre-configured app templates that are pre-filled with much of the information required for configuring your organization’s access to the applications. (Click image below to view larger.)

Enhanced Security (Cloud App Control)

SaaS apps have grown in popularity because of their simplicity and zero dependencies on managed infrastructure. However, many lack the security controls and governance that IT needs to meet corporate security standards. Additionally, many organizations welcome the opportunity to add layers of security to their on-premises web apps.

Citrix Secure Workspace Access enables IT to apply these added security controls to both SaaS and web apps to prevent data exfiltration. This includes policies to restrict copying and pasting, printing, downloads, navigation, watermarking (overlays a screen-based watermark showing the username and IP address of the endpoint), and more. (Click image below to view larger.)

Each policy enforces a restriction on an embedded browser when using the Citrix Workspace app for desktop or Citrix Secure Browser service when using the Workspace app web or mobile.

Single Sign-On with Contextual Access

Most corporate apps require users to be authenticated before they get access to resources. Every time a user needed to move between apps in pre-SSO days, they had to sign in with a set of credentials. Most of the time, apps had a separate set of credentials, resulting in poor user experience, failed sign-ins because of forgotten credentials, inconsistent access control policies, and higher cost to support these apps.

SSO has dramatically simplified the way users interact with and access their apps. Users can save time by accessing all their apps and other corporate resources like network file shares with only one credential set.

When we look at SaaS applications, most of them allow users to log in directly with their username and password. However, with Citrix Workspace and SSO, users always log in via the Workspace app, and attackers cannot guess passwords for the SaaS app. For example, IT doesn’t have to worry about setting complex password policies for every app because of this credential chaining. This simplifies access for employees because they get a single pane of glass for all their apps and files.

What about Contextual Access?

The Citrix product portfolio is extensive, and the cloud services are designed from the ground up to interact and amplify each other. As part of this portfolio, you will find Citrix Analytics for Security.

Citrix Analytics for Security natively integrates with Citrix Secure Workspace Access to provide continuous monitoring, risk assessment, and mitigation to protect organizations during and after the initial user log in, across different applications and clouds, for both compliance and governance.

Using this continuous monitoring, the system can identify inconsistent and suspicious activities, providing actionable insights into user behavior across Identity, Devices, Locations, Networks, Apps, and Files.

For example, assume a user is downloading excessive amounts of data via the VPN-less connection. In that case, an action can be triggered to request a user’s response to validate his/her identity or email the user to verify their activity and put them on a watch list. And based on the user’s reply response, a secondary action could be initiated.

These rules can be configured to trigger user accounts’ specific actions based on continuously assessed user risk score thresholds. For example, an end-user session authenticated into Citrix Workspace can be logged off based on a change in risk score in real-time.

Read more about Citrix Analytics for Security in this blog post.

What’s Next

In the final post in our series, we look at how Citrix Workspace Access enables the onboarding of BYO devices and how unmanaged devices can be considered safe for accessing corporate resources. We’ll also discuss the Citrix Secure Browser service and app protection policies.

Get started today and watch our on-demand webinar on four keys to a successful transition to zero trust network access with Citrix Workspace.


For Citrix Investors

This release contains forward-looking statements which are made pursuant to the safe harbor provisions of Section 27A of the Securities Act of 1933 and of Section 21E of the Securities Exchange Act of 1934. The forward-looking statements in this release do not constitute guarantees of future performance. Those statements involve a number of factors that could cause actual results to differ materially, including risks associated with the impact of the global economy and uncertainty in the IT spending environment, revenue growth and recognition of revenue, products and services, their development and distribution, product demand and pipeline, economic and competitive factors, the Company’s key strategic relationships, acquisition and related integration risks as well as other risks detailed in the Company’s filings with the Securities and Exchange Commission. Citrix assumes no obligation to update any forward-looking information contained in this press release or with respect to the announcements described herein. The development, release and timing of any features or functionality described for our products remains at our sole discretion and is subject to change without notice or consultation. The information provided is for informational purposes only and is not a commitment, promise or legal obligation to deliver any material, code or functionality and should not be relied upon in making purchasing decisions or incorporated into any contract.