“Never trust, always verify” and “just enough” access.

These are the key philosophies behind zero trust approaches to cybersecurity. Although the name zero trust speaks for itself, cybersecurity architectures based on zero trust approaches ensure that your data, and infrastructure assets are protected by only giving the minimum amount of access needed, and only after verification that the user requesting access is trusted.

With zero trust network access (ZTNA), anyone trying to access a company network must be verified for identity and device context via mechanisms such as multi factor authentication (MFA) and endpoint analysis (EPA). This allows your workforce to embrace the benefits of remote access while operating under safer application access procedures, protected from data breaches.

While ZTNA is critical to your enterprise cybersecurity posture, it’s equally important to ensure that adoption of ZTNA does not impede end user experience. Keep in mind that having different secure access mechanisms for IT-managed apps, public SaaS, and websites could overwhelm your users with multiple SSOs, MFAs, and secure access tools. This is distracting and may encourage users to open helpdesk tickets or worse, look for creative ideas to circumvent the security tools you just installed.

Similarly, if your cybersecurity team needs to manage multiple vendors for different forms of secure access across the different app types, that increases operational overhead, introduces potentially new blind spots, and can add to holes in security policy.

Ideally you need one unified secure access approach, for all applications and all workers (employees and contractors), that simplifies user experience and cybersecurity administration. It’s no wonder that IT leadership teams have been actively working to consolidate tech vendors to achieve this.


Access can strengthen your security posture with location-based security and provide zero trust network access to critical business apps — all inside a simplified user experience.


This article will examine how you can implement a zero trust architecture for your organization while simplifying cyber operations and helping improve end user productivity.

Zero Trust Begins with Identifying Whom to Trust, And How Much

The reality of today’s hybrid-work model means more and more employees are able to work remotely, resulting in an increase in the number of personal unmanaged devices attempting to access your applications.

To ensure that only trusted users are accessing your applications, implementation of multi-factor authentication is important. It’s equally important to encourage password hygiene, and a relatively simple way to do this is by implementing SSO across all your applications. By requiring your employees to remember only one password, you can encourage stronger passwords. Further, you need to ensure that malware such as keyloggers and screen scrapers do not steal user passwords. All these mechanisms — SSO, identity awareness, MFA, anti-keylogging, anti-screen scraping — should be implemented as part of your zero trust approach. If you’re already using identity or MFA providers, then your zero trust provider of choice must integrate with your existing solutions.

A trusted user with an untrusted or insecure device should still be regarded as untrusted. Hence, ZTNA requires deep context awareness about the end user device. As this context changes, access granted to the device must adapt by restricting or removing access as needed. This is critical — in several cases “least privilege” and “just enough” access will still need to be granted to enable productivity. This is done by giving access only to the specific application for which the user is authenticated and by enforcing appropriate access restrictions to mitigate threats and the possibility of data loss. These access restrictions could include policies to block downloads, block screen captures, block cut-copy-paste operations, enable watermarks, or even enforce remote browser isolation.

The following example from the Citrix Big Book of ZTNA Security Use Cases highlights one such scenario.

Enable Secure BYOD and Prevent Malware Transfer with Remote Browser Isolation Scenario:

This scenario tackles the potential vulnerabilities associated with allowing unmanaged devices to access your network. Jane is preparing the company balance sheet for the annual shareholder review. While heading home she receives a call from the CEO, telling her she needs to access their corporate managed finance web app once again to make some final changes. She uses her personal laptop, an unmanaged device. Unknown to Jane, her device was recently infected with malware while she was shopping online.

What is at risk:

When accessing a sensitive web app through an unprotected native browser on a potentially insecure personal device, even via VPN or basic ZTNA solutions, malware can move from Jane’s device to the company’s network and financial application. This puts company data, customers, reputation, and revenue at risk. For instance, in this case, financial data can be leaked before the shareholder review, affecting the stock price of the company, damaging shareholder and customer trust, and creating legal compliance liabilities for the company.

How Citrix ZTNA Protects:

Citrix Secure Private Access includes remote browser isolation (RBI) functionality. This prevents malware from reaching the corporate network, as well as lateral movement of malware from a native browser or device to the rest of the network and applications. IT administrators can ensure that any unmanaged device accessing sensitive applications, such as financial applications, will need to use RBI. With RBI, Jane’s browsing experience is isolated from the actual application — her personal laptop does not directly transfer any browsing data to or from the financial application.

Instead, she only receives screen updates on her device. This creates a win/win situation. Jane can still use the application just as if it’s a native browser, and her company remains safe because the malware from her device cannot make it to the company’s sensitive apps. IT administrators can also enable functions like disabling screen captures, copy/paste, and downloading, in addition to URL filtering and session monitoring.

Jane inadvertently caused an insider threat to her company’s entire network and infrastructure simply by working on an assigned task remotely with an unmanaged asset.

If her situation sounds like one your employees might find themselves in, it’s time to enhance your remote access architectures.


A zero trust framework delivers secure access to all corporate apps, modernizes your IT security, and allows you to securely support your hybrid workforce.


What Can Zero Trust Security Do for Your Networks?

By the end of 2023, an estimated 90 percent of organizations will have a majority of their staff working remotely. Now is the time to ensure your organization is equipped to handle the security risks the “new normal” has created for today’s businesses.

A ZTNA architecture offers the following benefits:

Stronger Cybersecurity

Ensure that the right people receive precise access, only to the applications they need with additional threat-prevention and data-loss prevention mechanisms enabled as needed, enforced on managed and unmanaged devices.

Easier IT Operations

Eliminate the challenges of managing and scaling legacy VPN architectures with a cloud-delivered ZTNA solution that is agile to your changing needs, even as you onboard new workers as part of organic or inorganic (mergers and acquisitions) business growth.

Better User Experience

Legacy VPN architectures are known to cause performance challenges, lowering employee productivity, hindering collaboration, and hurting morale. ZTNA architectures deliver better user experience. User experience can further be enhanced by offering SSO and MFA that’s common across all your applications — virtualized IT-managed apps, non-virtualized IT-managed apps, and public SaaS.

Business Growth

Enable the business to safely hire contractors and partners to accelerate growth without compromising on cybersecurity. Similarly, help increase employee productivity and lower endpoint infrastructure costs by allowing employees to use BYO devices for work. All of this is possible through agentless ZTNA methods (no software install on the endpoint device).

However, not all ZTNA solutions are created equal. A detailed understanding of your existing application ecosystem, identity and cybersecurity solutions, endpoint infrastructure, and IT roadmap is the essential first step on your ZTNA journey.

How Do You Get Started with Zero Trust Implementation?

Before you begin to explore options for ZTNA solutions, here are some questions you should be asking yourself to identify the primary requirements needed in your ZTNA solution:

Device Types

Do I need to protect managed and unmanaged devices? In other words, do I have personal or BYO devices accessing applications?

Device Risk

How are managed endpoints being secured? Do they have anti-virus or endpoint detection and response (EDR) solutions protecting them? Is there data encryption on the endpoints? Are the latest versions of operating systems installed? How are you enforcing that each endpoint is secure and has an operational endpoint security solution?

Application Types

Which kind of applications are being accessed — are there internal and public SaaS applications to which access needs to be protected? Are some of the applications virtualized? Are all applications browser-based or are there a few client-server applications, too?

Users

Who would be accessing these applications — employees, contractors, or both? How would you validate identity? Have IdP solutions already been implemented? Has MFA already been implemented? If so, has it been implemented for all applications?

Locations

Where would the applications be accessed from? Are there situations where the applications would be accessed from home locations, airports, hotels, etc.?

Data

What kind of data is available in the applications? What are the scenarios through which this data can be stolen? Are there security policies that can be implemented to prevent data loss (including by insiders)?

Existing Solutions

What other forms of cybersecurity solutions have been implemented? For example, do you have security analytics, a secure web gateway, or perhaps remote browser isolation already implemented? If so, have they been implemented for all users, all apps, and all users?

As you ask yourself the above and other similar questions, it helps to create a list of possible scenarios where you might be vulnerable. This will also help you identify functionality you’ll need for your ZTNA architecture.

It’s also important to optimize user and administrator experiences. In other words, users should be able to get work done without feeling impeded by remote access technologies. You may prefer that users access all applications through an enterprise browser. Or perhaps you’d like your users to be able to pick a native browser of their choice and still have secure, VPN-less access.

From an operational perspective, administrators should not feel overwhelmed, especially as new vendors are adopted (vendor sprawl). Perhaps extending your existing solutions to provide ZTNA to all applications would reduce the learning curve for your administrators (assuming a unified management plane is used), enabling administrators to focus on more strategic projects.

Choosing a ZTNA Vendor

Once you have identified your primary requirements and use cases, you should begin to explore the approaches available. Most ZTNA vendors will base their approach on the following:

Identity Validation Prior to App Access

This is often executed through integration with an identity provider (IdP). In some cases, this may be offered natively as well.

What to watch for: Poor user experience from multiple identity validation mechanisms across the different app types — public SaaS, IT-managed, DaaS.

Context Awareness

Most ZTNA vendors will consume context, such as device information, location, user risk profile etc., from endpoint vendors to make decisions on access.

What to watch for: Only limited context is consumed, which is often insufficient to really make decisions about risk levels.

Adaptive Access Controls

Once identity and context has been verified, full, restricted or no access must be granted. Levels of access should change based on changes in context.

What to watch for: In most ZTNA solutions, full access is granted to the application once identity and context are validated. This means that a malicious insider or external threat can fully breach an application if they’re able to overcome identity and (often basic) context tests.

Segmented Access

ZTNA solutions grant access from the specific user to the specific application. This is different from VPNs where access is granted to the full network.

What to watch for: Several ZTNA solutions cannot control access from BYO or personal devices. This leaves an open attack surface for your organization.

Brokered, Outbound Connections

Connections are made from the app to the (often cloud-delivered) ZTNA broker. This way, the app does not need to broadcast its IP address, keeping it safer from DDoS attacks.

What to watch for: Multi-layered defense for your apps is still required. You would still need application and API security for the apps to which ZTNA access is being established. Your ZTNA and AppSec solutions should work well together and ideally be from one vendor to simplify operations.

Most ZTNA solutions will satisfy each of the above requirements, but many will not meet the above requirements in thorough detail. It’s important to identify the depth of capabilities of the vendors you’re engaging with. To further simplify, request a demo from your chosen vendors and ask them to show their expertise in:

  • Broad and deep intelligence about the user identity and device context so you can establish just how much trust should be granted.
  • Granular controls that allow you to enforce policy over the typical segmented ZTNA access, so you can enforce true “just enough” access.
  • Protection for all users, including users on unmanaged devices, without overwhelming the user experience or administrative operations.

How Can Citrix Help?

Citrix extends secure access to all workers, for all apps, on managed and unmanaged devices. We can offer zero trust access to all IT-managed applications — virtualized and non-virtualized — as well as secure access to public SaaS and websites. This can be done through agent-based and agentless methods. The depth of context and granularity of security policies offered by our solutions is unique, and we offer an enterprise-browser that can be pushed onto your devices in hours so you can get started on your deployment quickly.

Most importantly, Citrix can help extend to additional security capabilities such as app and API security through a support team that you can trust.

Request a demo today and find out how Citrix can simplify remote access and provide a zero trust security strategy that suits the needs of your business.