Secure SaaS on Zero Trusted vs. (Earned) Trusted Devices with Citrix Access Control Service

By Lyndon-Jon Martin posted 03-27-2020 05:03 PM

  

A macro scale of organisations are now in a situation of enabling remote (flexible) working styles at pace with the outbreak of COVID-19 throughout Europe. As a Londoner, I have noticed a huge difference in the volume of people’s movement, starting last week Monday. Employees are shifting to a new workplace operating model at home and, are likely to be at home until the start of the Spring time frame (maybe longer–though I hope NOT). Even organisations who must abide by regulatory compliance frameworks are having to enable huge volumes of employees to work from home for health and safety reasons. Many have already (or are due to) implement strategies to avoid as much business disruption as possible, whilst meeting strict internal organisation and/or external regulatory compliance frameworks where security compliance cannot be compromised and is a consistent top of mind topic.

It’s this topic around security compliance for not-regulated industries (I’m no expert in e.g., FCA) that spurred on my decision to write this post, aimed at helping organisations securely access and consume SaaS web apps, Citrix Virtual Apps & Desktops, through a Citrix Workspace lens where security must be the highest priority before experience. To be 100% clear, you still would need to work with your own internal security, compliance, risk and cyber security stakeholders to understand your remote (flexible) working security risks in terms of how to remain compliant.

Again, I am not a compliance specialist in any particular industry. My assumption here is that you need to enforce a strict security policy posture to avoid Pii vs. IP exfiltration attempts, while employees work from home at this time. Before we begin, some options may require further investment whilst some may already be included in your current contractual agreement. Be sure to reach out to your Citrix representative or partner for help or, you can self-check online at https://www.citrix.com/products/citrix-cloud/, which should clear up what is included vs. add-ons beyond this post.

What is the Citrix Access Control Service?

“The Access Control service enables the administrators to provide a cohesive experience integrating single sign-on remote access and content inspection into a single solution for end-to-end access control. IT administrators can govern access to approved SaaS apps with a simplified single sign-on experience.”– https://docs.citrix.com/en-us/citrix-access-control.

The below diagram depicts the following three device scenarios–Zero TrustEarned Trust and Trusted-that Access Control can help support through deploying a Secure SaaS solution from the Citrix Cloud. I’ve put together a high-level overview of my personal definitions for each level of trust so that you are clear on all three from my own perspective:

1. Zero Trust: This is a device whereby you connect, authenticate and access your Citrix Workspace using a supported HTML5 compliant internet browser (e.g., Google Chrome or FireFox) from a non-managed work device.

2.  Earned Trust: This device has the Citrix Workspace app installed on a supported platform. This also includes smart mobile devices (e.g., personal iPhone or Samsung Tablet) that are enrolled into Citrix Endpoint Management (CEM) leveraging–but only leveraging–the Citrix Mobile Application Management (MAM) enrollment method. Meaning, work apps are sandboxed from personal apps on a personal device.

3. Trusted: This, naturally, is a device (including smart mobile device) that is Mobile Device Management (MDM) enrolled, secured and, of course, fully managed by Citrix Endpoint Management (CEM). This means the device is company-managed and you can perform a remote (full) wipe of the device by the platform's supported capability and the CEM enrollment + configuration mode is either MDM only or MDM + MAM.


Citrix Access Control Service SecureSaaS Options


When setting up and deploying Secure SaaS through a Citrix Workspace lens, you can support access to SaaS web apps across all three device trust types on any platform Windows, Mac, iOS, Android, Chromebooks, Linux and thin clients (check your suppliers’ documentation or ask them). If that isn’t clear as mud, I have recorded the below video demonstrating access G-Suite on an Earned Trusted device and then simulating accessing it again from a Zero Trust device which could easily be a Chromebook or home device such as Smart TV running an HTML5-ready internet browser powered by an Amazon Fire TV Stick, for example.


System Requirements, Pre-requites & Getting Started


1. You require a Citrix Cloud account follow the steps described at https://docs.citrix.com/en-us/citrix-cloud/overview/signing-up-for-citrix-cloud/signing-up-for-citrix-cloud.html if you don’t have one. I am reminded for new folks that you should carefully consider where to home your control plane for Citrix Cloud Services, so be sure to read the following article – https://docs.citrix.com/en-us/citrix-cloud/overview/signing-up-for-citrix-cloud/geographical-considerations.html.

2. As this will most likely be new for many IT Professionals, you’ll likely sign-up for a trial of the “Access Control” service initially following the guidance at https://docs.citrix.com/en-us/citrix-cloud/overview/citrix-cloud-service-trials.html#request-a-service-trial or contact your Citrix rep or partner, to set up an internal Proof of Concept (PoC) prior to deploying the solution to your workforce. If you have a Citrix Workspace bundle check your entitlements*.

3. Review the internet connectivity system requirements at https://docs.citrix.com/en-us/citrix-cloud/overview/requirements/internet-connectivity-requirements.html and pass this over to the right and relevant network and security teams. You don’t want to be slowed down unnecessarily if you want to shift to a production model longer term.

4. Download and install a pair of Citrix Cloud Connectors. Follow the guidance at https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-resource-locations/citrix-cloud-connector/installation.html. This allows you to assign Secure SaaS resources to the right and relevant security groups from within Citrix Cloud “Subscribers” –https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-management/identity-access-management.html#subscribers. You can change the “Citrix identity provider” to be AD – https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-management/identity-access-management/connect-ad.html; AAD – https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-management/identity-access-management/connect-azure-ad.html; you can even use an on-premises Citrix Gateway as an identity provider to authenticate subscribers signing in to their workspaces – https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-management/identity-access-management/connect-ad-gateway.html. If you deploy more than one RL you’ll need to define a primary RL – https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-management/identity-access-management/primary-resource-locations.html and finally longer term Citrix has a Technical Preview for OKTA as an identity provider to Citrix Cloud – https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-management/identity-access-management/okta-identity.html.

5. Review the supported list of Secure SaaS web apps at https://docs.citrix.com/en-us/citrix-access-control/saas-apps-supported-by-acs.html, inclusive of configuration guidance per app.

6. You can then begin configuring the service with your preferred Secure SaaS web apps – https://docs.citrix.com/en-us/citrix-access-control/configure-access-control-service.html, you can always revisit and reconfigure for example the enhanced security features (https://docs.citrix.com/en-us/citrix-access-control/manage-settings.html) at a later date or if a security threat index for low graded SaaS web app suddenly changes, inclusive of updating white vs. black listing of website categories (https://docs.citrix.com/en-us/citrix-access-control/available-categories-list-for-access-control-service.html) to block for example Adult Content, Parked Domains, Gambling etc. You can also enforce that selective blocked categories are redirected (https://docs.citrix.com/en-us/citrix-access-control/use-case-configure-access-policy-to-allow-selective-access-to-apps.html) to a one-time use internet browser powered by the Secure Browsing Service (https://docs.citrix.com/en-us/citrix-cloud/secure-browser-service.html). This means the employee can still access that site but it’s isolated from the employee’s current device, apps, data and the network they are connected to.

7. Finally, you can configure the Citrix Gateway Service (https://docs.citrix.com/en-us/citrix-gateway-service/support-saas-apps.html) inclusive of the enhanced security capabilities (e.g., Restrict clipboard access/printing/navigation/downloads/watermark and Enforce policy on mobile device, which can be configured by reviewing “Ways to configure SaaS apps” –https://docs.citrix.com/en-us/citrix-gateway-service/support-saas-apps.html#ways-to-configure-saas-apps). 

The below is a Tech Insight video on the Access Control Service. It’s about 10 minutes in length and contains some useful insights, overviews and how-to, I’d strongly recommend watching it.



I am aware that many organisations are still on their own individual Citrix Cloud and cloud-first or hybrid (it’s king for me) journeys and that they may not want to switch to Citrix Workspace at the present moment as IT teams are managing a tsunami of consistent challenges and changes. Citrix provides a method to integrate your Access Control Service resources into on-premises StoreFront environment however, I would like to be very clear here, as of March 2020 it’s a StoreFront-Preview only. If you are interested you can learn more at – https://docs.citrix.com/en-us/citrix-cloud/advanced-concepts/access-control-saas-web-apps.html.

An alternative option is to utilise Site Aggregation (https://docs.citrix.com/en-us/citrix-workspace/add-on-premises-site.html) within Citrix Cloud to aggregate your on-premises CVAD resources into a Citrix Workspace lens. The below tech insight video will provide an overview of this capability however, this does introduce change for your employees to learn. With all the changes happening, it may be too much or, if you simplify the how and why, this may be your best option. But remember, you decide. Effectively, you are telling employees to go to https://<you>.cloud.com/ to get access to SaaS web apps that contain the right vs. relevant security layers and it includes SSO to all of them provided they support modern authentication standards.



Finally, you can actively monitor your employees’ security landscape when using the Access Control Service in conjunction with an add-on called the Citrix Analytics Service (CAS) for Security (https://www.citrix.com/products/citrix-analytics/), which provides the following capabilities: https://docs.citrix.com/en-us/citrix-access-control/monitor-user-activity-and-manage-settings-with-analytics.html#analytics-tab. This provides a unique view into your security landscape of when and how employees are consuming the Citrix Access Control Service. This “App Security” dashboard is one of four, which helps you better visualise top risky access domains vs. corresponding downloads or summarised risks by the risk categories. Why I believe this service is important is that we will most likely see a spike in hacking attempts centered on the topic of COVID-19 or more stealthy targeted attacks on individual companies or even by whole industries.

Citrix Analytics Service - Security**Image credit: Citrix.com



So why Access Control Service and why now?

It’s largely effortless to set up and configure once you have published your first initial Secure SaaS web app with all your desired security features, and thereafter, your next Secure SaaS app is easier and so on.

It doesn’t require your employee devices to be fully enrolled into an MDM or portal backhaul lock-in in order to work, as the security is layered in from Zero Trust, Earned Trust to fully Trusted devices. This is important as employees may not have a company-managed device with them, because it’s in the office locker or it’s on their desk in the office, plugged into dual monitors (Londoner Office Workers) while they are trying to work from home. Keeping your employees productive today, tomorrow is paramount to the continuation of business operations while keeping your desired, or near to desired, security risk profile/posture. Don’t compromise on your organization’s security posture by giving employees access to SaaS web apps to keep productive whilst the lingering macro rising risk of potential hacking attempts coming from bad actors will most likely rise, I’m sure.

The Citrix Access Control Service gives your IT and Security Teams better control of your SaaS web apps inclusive of SSO by providing the right vs. relevant security wrapper(s) for individual vs. all SaaS web apps whist keeping it frictionless for those many employees, who are humans, working from home now.

The views expressed here are my own and do not necessarily reflect the views of Citrix.