With the rapid shift to work from home, many employees are relying on a VPN and a standard browser to do their job. There are known risks, however, that should be considered with this setup. Remote VPN users have elevated privileges and resource access beyond the apps required for their role. And if the PC/laptop gets infected with malware, a cyberattack can easily spread across the network to internal resources. This is especially a risk with BYO devices used from home.
Citrix Workspace with Citrix Secure Workspace Access provides a safer alternative to the standard VPN and regular browser. But before we look at how, let’s consider various browser types:
- Embedded Browser: This is a Chromium-based browser, embedded inside the Citrix Workspace app, that adds configurable security functions along with traditional Citrix Receiver components.
- Citrix Secure Browser Service: Hosted in a virtual machine in Citrix Cloud, this browser is launched and deleted with each use. This browser could be a standard browser or the Citrix embedded browser.
- Citrix Virtual Apps Secure Browser: This is similar to the Citrix Secure Browser service, but the browser is hosted (published) from an organization’s Citrix Virtual Apps and Desktops data center.
- Native (Standard) Browser: This is the local default browser on a Windows or Mac, like Chrome, IE, Edge, or Safari.
Organizations can provide access to internal web apps and resources with a VPN and a “regular” browser. The problem is that while there might be some authentication control with the initial login, IT has no control over of the browser session beyond that. Users can download any amount of data, copy and paste into non-sanctioned services or devices, and print any sensitive information. Sensitive data can also be cached in the browser.
If the SaaS app includes links to risky malware sites or policy violations, a standard browser offers no protection. Not only is there no control over SaaS and web traffic, there is no IT visibility into what is happening. Often only access to the company intranet or limited app access is required and a full VPN creates unwarranted risks.
If, however, an organization adopts Citrix Workspace, IT can securely deliver SaaS and internal web apps to users and still maintain full control over not only the SSO authentication, but the entire session, without a VPN!
On a per-app basis, IT can configure SaaS/web apps to launch from the Workspace app and inside the embedded browser with enhanced security features. This includes copy/paste control and watermarking, plus the ability to define the control bar features to include or exclude printing. IT can also add App Protection policies including keystroke logger and screen copy protection.
With Citrix Workspace and Citrix Secure Workspace Access enabled, if a user clicks on a link inside the SaaS app, the URL is directed through a web filter that blocks any known malware sites, as well as policy violations. If a URL is unknown, then it is seamlessly directed to the Citrix Secure Browser service to open safely outside the organization’s network. This is more effective than standard web filters that don’t find zero-day exploits or may block legitimate site access.
In addition, information is sent (with IT control) to the Citrix Analytics platform, which can then identify and score user behavior risks, notify IT/security, and even log off and block a user. When SaaS apps are configured with SAML for SSO, the SaaS service will automatically redirect to Citrix Secure Workspace Access and prevent users from gaining access through a back door. So, if a user downloads an excessive amount of sensitive data, for example, this could be flagged and even blocked. This capability can enhance or even replace CASB (cloud access security broker) solutions, which have their own overhead and limitations.
Note that the embedded browser opens locally on a PC/Mac and does not consume servers, storage, or added licenses, providing a significant level of control without the conventional overhead.
How Users Benefit from Citrix Secure Workspace Access
Users also benefit from Citrix Workspace and Citrix Secure Workspace Access. They get all their apps in one place and can favorite the ones they use the most. SaaS apps are displayed right alongside hosted Windows and web apps. They get instant access via SSO to any SaaS or web app after authenticating once to Citrix Workspace. Apps launch fast locally, and if they’re using Outlook Web Access through Citrix Workspace app, users can click on a URL to an internal app or resource and, without a VPN (or an error message), get instant access.
If a user does not have Citrix Workspace app, they can still gain access from any HTML5 browser, which will then route enhanced security apps to open in the Secure Browser service.
With Citrix Workspace and Citrix Secure Workspace Access, organizations now have more secure options than standard VPNs and browsers.