One of the standout capabilities announced at Citrix Synergy 2018 was Citrix Cloud Access Control. The more I think about it, the more of a great feature I think this is.
Citrix Workspace App was also announced and released recently, providing access to Citrix Apps (XenApp), Citrix Desktops (XenDesktop), Citrix Secure Collaboration (ShareFile) and SaaS applications from a single pane of glass. Why is this a great thing? Well, let me share my view…
The idea of a single pane of glass presenting apps, desktops and SaaS applications has been around for a while, and Citrix even did it for a while in the form of App Controller. This was very much in the early days of broad SaaS adoption, so gained little traction in the customer base.
The landscape has changed now and most organisations will be consuming some form of SaaS solution – be it Office 365, Concur or Workday to name a few.
You can read more about Citrix Workspace App in my recent blog.
Why Citrix Access Control is going to be awesome
The concept of the Secure Digital Perimeter is that all the resources that a user accesses to comprise their workspace should be governed by a single centrally configured set of policies allowing for consistent application of security with the user being the new security perimeter. But how does this apply to SaaS applications?
Previously, the only solution Citrix had to handle SaaS was Citrix Secure Web Gateway to provide auditing and access control (in an allow/block configuration). What is it that Citrix Access Control gives us?
Using a set of predefined templates for common SaaS applications, administrators can configure SSO to these SaaS applications from within their workspace. This enables users to access these SaaS applications using their Workspace App without having to ever know the credentials for these applications.
This is great for a few reasons:
- Time to value: the predefined templates enable administrators to onboard these SaaS applications with minimal configuration - certainly better than having to follow lengthy “how-to” documents.
- Simplified user identity management: By using SAML authentication with a central identity store (either on-premises AD or Azure AD), you can be sure that users provisioned using SSO will not be able to access the SaaS resources once they leave the organisation.
- Ease of access – by presenting these SaaS applications in the user’s Workspace App it ensures that key SaaS applications are easily accessible alongside traditional applications.
The SSO component is delivered by a combination of the Workspace App service and the NetScaler Gateway service in Citrix Cloud. The NetScaler Gateway service provides the IDP (Identity Provider) capabilities for transitioning the user’s native authentication to SAML/OpenID for consumption by the third party applications.
Note: The SSO templates will also be released as part of the NetScaler (Citrix ADC) Unified Gateway feature in Q2, so for organisations wanting to gain some of these capabilities while remaining “on-prem” there are still options available for you!
This is where things get interesting – actually applying security policies to SaaS applications.
What policy controls can you use?
You can enable:
- Restricted clipboard access (copy/paste)
- Watermarking (displaying username and IP on top of the SaaS application) to catch people using screen-grabs
- Restricting downloads
- Restricting printing
- Restricting navigation (forwards/back)
How does it do this?
When you install Workspace App, a Citrix-customised integrated browser based on Chromium is included. Using this customised browser engine, Workspace app can present the SaaS application to you while enforcing the policy you have defined.
If you are accessing using just a browser and don’t have Workspace App installed, the link will be redirected to the Secure Browser service, where the same policy will be applied, ensuring consistent application of policies in a client-based or client-less deployment.
How is it better than what we can do today?
Some of you may be aware of the product Microsoft Cloud App Security – this has a similar function regarding controlling user activities within SaaS applications. The main limitation with this is that the controls are based on API integration with the SaaS application, meaning that if Microsoft doesn’t have your SaaS app on their list then you’re stuck. And the level of control available will be dependent on the level of API integration that is made available by the vendor and Microsoft, which will vary on an app by app basis.
Cloud App Security also utilises SAML authentication to the SaaS application, but there’s no real control over where you can access things from and how they integrate with the device that you access it from.
How does it actually work?
Say you want to secure your CRM database that is provided by CompanyX.com, you would do the following;
- Configure the application to use only SAML authentication
- In the NetScaler Gateway service, configure the SaaS application template for CompanyX.com (or create a new custom application)
- Configure your security policy
If a user launches the SaaS application from Workspace App, the SaaS application will be loaded in the customised chromium-based browser and the security policies will be applied.
If the user launches the SaaS application from the browser-based Workspace App, the SaaS application will be launched in the Secure Browser service and the security policies will be applied.
If the user tries to log in by going directly to CompanyX.com they won’t be able to log in as firstly they won’t know their credentials, and secondly, only SAML authentication via the NetScaler Gateway service is allowed.
This means that users cannot access the service without having your security policies applied.
Hopefully, this has given you a taste of what Citrix Access Control can do for your SaaS applications in your environment. Please reach out to us if you'd like to find out more or discuss how you can use Citrix Access Control as part of your Citrix Workspace.
- By Andrew McCullough (Solutions Architect)