Suggested Leading Practices for the Secure Browsing Service

By Lyndon-Jon Martin posted 9 days ago

  




This wasn’t supposed to be a series, but it's now a 3-part series. The first post is available at “Secure Internet Browsing or Surfing for Every & Anyone.” In part 3, I’ll take a closer look at the integrations into Citrix Workspace and the Citrix Endpoint Management Service, but for this post, I am going to explore some of my suggested leading practices for setting up and consuming the Citrix Secure Browsing Service from https://citrix.cloud.com.

What are regions and which do I select?

The Secure Browsing Service (SBS) supports up to 5 regions. These are West US, East US, Southeast Asia, Australia East, West Europe and “Auto.” (I’ll come back to that later.) Regions are where the SBS operates “Secure Browser VMs,” which are used to deliver those one-time-use secure browsing sessions. Sessions are launched either under the control of Access Control Service policies for Citrix Workspace or through magic links (e.g., https://launch.cloud.com/TENNANT/RESOURCENAME) which you can distribute to employees. Personally, I think you are better off using the Access Control Service for this, as it allows for SSO and local sandboxing of your SaaS LOB apps controlled by Citrix Workspace app.

Now that you know what a region is, which one do you configure? Well, it depends to a degree on, drum roll... common sense. Let's take a look at two examples: an in-country vs. a worldwide SaaS app that will be consumed.

In-Country

Gett is a taxi app that allows you to catch a Black Cab in London. In this example, let's say you federate with them for business use (I don’t know if they support this; it's just a fictitious example, take note folks). That lets you enable SSO and enforce secure SaaS policies (e.g., local sandbox, web filtering, etc.) in Citrix Workspace, set up and managed by the Citrix Access Control Service, so that employees can book Black Cabs seamlessly on any device. In this example, the Gett SaaS LOB app is targeted at the UK market, so it makes no sense to set the region preference to “Auto.” Instead, set it to “Western Europe,” or in other words, pin it to a region.

Worldwide

Now for that other taxi app that doesn’t use (I think) Black Cabs in London, and is in every major city around the world. In this scenario, in the same context as above, you are better off setting the region preference to “Auto,” so that wherever your employees are worldwide, they will receive the best experience and app interactivity when booking a taxi via the website. The “Auto” preference setting means the SBS will automatically connect you to the closest region based on your geolocation.

In the end, it's your choice. Personally, I set mine to “Auto” because the SaaS LOB apps that I consume are available worldwide. It's still worth noting this capability: if you are offering custom SaaS services within a specific geo vs. economic area, you may want to pin to a region, e.g., Western Europe, for additional **security compliance and governance.

Policies* 

I would question why you feel the need to enable the Clipboard and Printing policies vs. disabling the Non-kiosk mode. The whole point of the SBS is to deliver a consistent, safe, secure, one-time-use internet browser that isolates the employee's device, LOB apps and data, and the connected (trusted) network from the web traffic that the employee is consuming in the SBS session. The only traffic that reaches the device is the HTTPS traffic to the SBS region hosting the “Secure Browser VM” running your session.

Naming Conventions

This topic seems slightly ridiculous, but having a good naming convention for your “Published Secure Browsers” makes a lot of sense, as that list will grow very quickly. Being able to identify published resources at a glance is key. Some suggestions:

SAAS-REGION-SSO-SECURITYPOSTURE example gett-westeu-cwp-0 where cwp is Citrix Workspace app and 0 translates to the strongest security policy set*

SAAS-REGION-DEPT example gett-auto-salesservices

SAAS-DESCRIPTION example gett | The UK's black cab app
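
The first two conventions above are regular enough to lint automatically. The following is an added example, not code from the original post or from Citrix: it checks names against those two patterns and flags an in-country app that is not pinned to its region. Only the westeu, auto and cwp tokens come from the post; the other region abbreviations, the function names and the pinned-app map are assumptions.

```python
import re

# "westeu" and "auto" come from the post's examples; the other four region
# abbreviations are assumptions made for this example.
REGION_TOKENS = {"westus", "eastus", "seasia", "aueast", "westeu", "auto"}
SSO_TOKENS = {"cwp"}  # cwp = Citrix Workspace app, per the post
TOKEN = re.compile(r"[a-z0-9]+")


def parse_name(name):
    """Return (fields, problems) for SAAS-REGION-SSO-SECURITYPOSTURE or SAAS-REGION-DEPT."""
    parts = name.split("-")
    if len(parts) not in (3, 4):
        return {}, [f"expected 3 or 4 dash-separated tokens, got {len(parts)}"]
    problems = []
    if not all(TOKEN.fullmatch(p) for p in parts):
        problems.append("tokens must be lowercase alphanumerics")
    fields = {"saas": parts[0], "region": parts[1]}
    if parts[1] not in REGION_TOKENS:
        problems.append(f"unknown region token {parts[1]!r}")
    if len(parts) == 4:
        fields["sso"], fields["posture"] = parts[2], parts[3]
        if parts[2] not in SSO_TOKENS:
            problems.append(f"unknown SSO token {parts[2]!r}")
        if not parts[3].isdigit():
            problems.append("security posture must be a number (0 = strongest)")
    else:
        fields["dept"] = parts[2]
    return fields, problems


def audit(names, pinned_apps):
    """Lint names; pinned_apps maps a SaaS token to its required region token."""
    findings = {}
    for name in names:
        fields, problems = parse_name(name)
        want = pinned_apps.get(fields.get("saas"))
        if want and fields.get("region") != want:
            problems.append(f"{fields['saas']} must be pinned to {want}")
        if problems:
            findings[name] = problems
    return findings


# Constructed sample: the first two names are the post's own examples.
SAMPLE = ["gett-westeu-cwp-0", "gett-auto-salesservices", "Gett_WestEU"]
if __name__ == "__main__":
    print(audit(SAMPLE, {"gett": "westeu"}))
```

With gett pinned to westeu, the audit passes gett-westeu-cwp-0, flags gett-auto-salesservices for using “Auto,” and rejects the malformed third name.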

Security

The SBS is operated and managed by Citrix, and secure browsing traffic between the consuming devices and the SBS in Citrix Cloud only supports TLS 1.2. In addition, it's worth stating: **“The owner of the web application is responsible for its security, including patching the web server and application against vulnerabilities,” quoted and referenced from https://docs.citrix.com/en-us/citrix-cloud/secure-browser-service.html#technical-security-overview.

Easter Egg for Developers

SBS offered Preview APIs, which are available at https://developer.cloud.com/_secure_browser/secure_browser.html and referenced at https://docs.citrix.com/en-us/citrix-cloud/secure-browser-service.html#additional-resources.

The views expressed here are my own and do not necessarily reflect the views of Citrix.