In a blog post last November, we looked at the ability of Citrix Secure Workspace Access to provide users with secure access to internal corporate web applications, without relying on VPN servers or open firewall ports, also known as VPN-less.

VPN-less is an essential component for compliance with the zero trust framework, and it protects organizations against zero-day VPN attacks.

This blog post will cover the basics of a VPN-less solution and Citrix Secure Browser service and how they help organizations prevent application data theft. Finally, we will look at a new Citrix Secure Workspace Access policy that makes it easy to ensure corporate application data is never left behind on user devices.

A 10,000-Foot View of VPN-less

With a VPN-less approach, a software connector is deployed on premises, acting as a bridge between enterprise web apps and globally distributed cloud-service points. No inbound connections are ever used to access internal applications, and all connectivity is outbound from the datacenter to the users, without a firewall port opening.

A TLS cryptographic protocol connection between the connector and the cloud service secures on-premises apps enumerated into the cloud service and acts as an authentication and traffic proxy for all incoming user connections.

IT admins get increased flexibility because they don’t have to manage every personal device for security and compliance. After all, the devices aren’t accessing the network and don’t require a VPN agent.

With a VPN-less approach, IT admins can give users secure access to the on-premises web apps they need without granting access to all internal network resources.

Securing Access on Untrusted Devices

Personal devices are another critical component to consider for organizations that are cautious about how employees and contractors consume apps and data. Corporate-managed devices go through regular health checks to ensure they meet safety requirements. But most end users don’t take the same care with personal devices.

Browsing the internet poses another risk, exposing devices to vulnerabilities in websites, browsers, and browser plug-ins. Malware that lives on employees’ devices also poses risk to corporate resources.

While most users understand they shouldn’t visit potentially risky websites on their corporate-issued devices, they might not take the same care as their personal ones. Some organizations completely disallow internet browsing, affecting productivity and limiting BYO programs.

Citrix Secure Workspace Access incorporates a secure, embedded browser capable of applying stringent security policies. When security policies are enabled, the embedded browser is used. These policies include application and user interaction restrictions and advanced capabilities that scramble keystrokes and return screenshots as blank screens, protecting corporate data from keyloggers or screenshot malware.

But what if someone is using a native browser?

Citrix Secure Browser service, a secure browser hosted in Citrix Cloud, enables users to navigate the web and apps securely without introducing risk to the corporate environment. Threats that may be introduced by visiting malicious websites are isolated from corporate networks and devices. The browser is stateless and discarded at the end of each session, ensuring that any malicious software encountered while browsing the web never reaches your corporate infrastructure.

Preventing Theft of Sensitive Data with Citrix Secure Workspace Access

Enterprises want to ensure that even internal corporate apps being securely accessed via a VPN-less solution aren’t leaving behind any sensitive information (PCI, PHI, PII, etc.) on the users’ device even after the app is long closed.

That’s where our new “Open SaaS/web apps in remote browser isolation” policy comes in.

With this new policy, organizations can ensure that sensitive corporate apps and SaaS apps always open with the Citrix Secure Browser service, completely isolating malware and browser-based threats and ensuring that corporate application data are never left behind on the device. The browser is stateless and discarded at the end of each session.

How to Enable the New Policy

All current Citrix Secure Workspace Access, Citrix Workspace Premium, and Citrix Workspace Premium Plus customers are entitled to enable this new security option. Admins can enable it by simply choosing the “Remote browser” option in the application configuration’s Enhanced Security section.

The image below shows the one-click checkbox in the configuration section that enables web apps to automatically open with Citrix Secure Browser.

Learn more about Citrix Secure Workspace Access and Citrix Secure Internet Access.