Citrix Security Summit Recap

“Innovations for today’s security needs.”

Cloud Summit Workspace Summit Security Summit


The last installment of the Citrix Summit Series concluded on October 29th and represented a bittersweet moment.  On one hand, we’re excited about the series of announcements that Citrix has made, the role they will play in driving positive employee experiences, simplifying life for IT, and supporting the fluid business.  On the other hand, we’re reflective.  In past conferences, the end of the conference always culminated in some form of celebration – the closing party – a time to be with friends and colleagues; a time to share excitement and gossip about the features and functions we all just heard of; and a general time to unwind and have fun.  Without a defined end, it was a stark reminder of the global pandemic, the unimaginable impacts to lives around the world, and the continental divides that have kept us apart.

Conferences bring communities together.  We miss that.  We hope, for all humanity and for those who have sacrificed and lost so much, for the chance to see you all again – in crowded hallways, on passing escalators, in lengthy lineups for wristbands or headshots, in packed, overbooked restaurants, and around the coffee stations in between breakouts.

Following Cloud and Workspace, this Summit Series is focused on Security.

“Excuse me?  Security?  Isn’t this a Citrix conference?” 

Unless you have been living under a rock – which is quite possible considering #2020 – Citrix has long been a proponent and critical backbone of IT security.  Think about it… centralizing applications and desktops and delivering them, securely, from the data center with the ability to eliminate bridging of client devices and the secure network?  This simple yet inherently secure method of delivering resources to end users is, essentially, the basic concept that created Citrix Multiuser.

“With Citrix Multiuser, users can connect and simultaneously run character cell-based applications from remote serial terminals. To prevent users from interfering with each other, it adds security permissions to devices and files.”

And look at acquisitions – including Net6 (to bolster remote access security through proxy and SSL VPN), NetScaler (the application delivery controller we all know and love), Teros (what became part of app firewall), Orbital (what evolved through CloudBridge to SD-WAN and, now, the intelligent edge), Apere (for SSO security), to name a few – all while Citrix continued innovation across their product line with a strong focus on bolstering security controls.

Though Citrix does not explicitly call themselves a security company, security is a fundamental design element critical to their product strategy.  As a result, Citrix has gained permission to speak to how their products and solutions provide a more secure method of delivering services, and the Security Summit was a testament to their capabilities.

In the “collective IT miracle of 2020”, Henshall notes that businesses took more risks than they would typically take – implementing shortcuts for remote work such as VPN and BYOD (or BYOPC).  These “knee jerk” reactions, albeit warranted considering the circumstances, provided for inefficient and unreliable performance, and exasperated existing security risks.  The rush to remote work provided bad actors with a new opportunity to introduce malware and socially engineer a massive, distributed workforce, leaving many organizations either compromised or in a challenging spot, needing quick risk mitigation.

The global pandemic also accelerated transitions to cloud where more workloads are now being delivered by cloud and more applications are consumed via software-as-a-service.  Data is spreading beyond our four walls at exponential rates with security risk around data management and integrity growing in lock step.

While Citrix can secure and provide consistent delivery of applications, desktops and data, it does not necessarily represent a broad, all-encompassing, or holistic approach to safeguard every possible attack vector.  Rather, a multi-faceted strategy is required to protect the entire environment.

Enter Zero Trust.

Citrix Ready Workspace Security Program was introduced back in 2018, “designed to help customers by building a partner ecosystem of trusted security solutions.”  The program focuses on partner solutions that increase security around access, applications and networks, analytics and visibility, data, and devices.  Citrix recognizes that collaboration with partners is integral to deliver a broader security stance, especially to align with Zero Trust philosophy.

Citrix now sees the expansion of the existing program to include Zero Trust to provide granular, contextual, and continuous security across Secure Workspace access, Citrix Endpoint Management and Citrix Analytics for Security.  The addition of Zero Trust allows Citrix to share and receive insight from immediate partners Google Cloud, Microsoft, Okta, and Cisco to deliver a more comprehensive and secure solution.

Succinctly, Zero Trust is where we assume no knowledge or trust about a user or application.  As users provide more valid information, we increase the trust of that user and provide more access.  This is conversely different to the “castle and moat” approach found in VPN where once the key has been used, users are granted access to the castle.

Having cross-organization collaboration is imperative for customer success, especially when deploying Citrix solutions that heavily rely on other technology stacks.  With validation from Citrix and partners alike, customers can feel confident that their design, deployment, and integration strategies will be supported and, importantly, secure.

Securing your Workforce

Citrix’s holistic approach to securing the workforce involves securing local and remote employees; secure infrastructure (such as the network edge and devices); securing virtual, web, and SaaS applications; and providing a continuous assessment of access and usage behaviour.

“Instead of protecting everything around the user, protect the user by protecting the Workspace.”

Think of hockey.  Boards, goal posts and the puck are not wrapped in protective gear.  Instead, each individual player is protected by equipment – pads, helmet, gloves.  We are equipped to take the brunt of play and continue without significant risk.  However, fail to equip one component, such as a helmet for your head, and the risk of harm is exponentially greater.  Citrix Workspace is the hockey player, a secure container designed to skate through the risks surrounding it with a low, or negligible, chance of harm.

Now, imagine having the equipment manager on ice with you, inspecting your gear for deficiencies, assessing risk of harm from the play around you, and course correcting your playing style to avoid collision.  This, too, is Citrix Workspace.

Citrix Secure Workspace Access provides a continuous risk-based analysis of the user and device, and provides the right access to the right application at the right time.  And, if during use of the application deviations in expected behaviour are detected, automation can “course correct” to mitigate risk to the user, to data, and to the business.  This is done through access and app control to protect users from keyloggers and phishing attempts and preventing sensitive information residing on the endpoint; through web isolation that separates risky website visits from the device and reducing the attack surface; through built-in device management, providing choice of mobile device management (MDM) or mobile application management (MAM) providers including Microsoft Intune; and through support for integrated multi-factor authentication and single sign-on (SSO) including Microsoft, Ping, Okta, Yubico, and more.

Granted, not all services can be delivered within Workspace and customers want choice, knowing that regardless of what application matters to the business, Citrix can deliver the service securely.  As a result, Citrix realizes that certain applications may always exist outside of Workspace – think of Microsoft Outlook – where we would lose control, visibility, and degrade the approach of Zero Trust.

Enter Citrix Secure Internet Access (SIA) – protection for the workforce when they are off the ice – a comprehensive cloud delivered security service that includes secure web gateway, cloud access security broker (CASB), next-generation firewall, malware protection, network sandbox, and simplified management.  SIA is designed to provide the best application experience and complete security in one integrated service to ensure consistent security for all users, all locations, all applications and all devices.

SIA pulls threat intelligence from more than ten feeds, facilitates global coverage via 100+ points of presence to simplify governance and orchestration of security threats, and is delivered as a unified security stack for rapid deployment, automated updates, and deep forensics.

When SIA is coupled with Citrix SDWAN, customers can deliver a Secure Access Edge Service (SASE), and Citrix is the only solution that delivers all of Gartner’s core and recommended SASE functionality today.

Aside:  As Gartner’s content on SASE is rather paywalled, an article from August 2020, “Gartner Says Bring Your Own PC Security Will Transform Business Within the Next Five Years” provides a great read and brief explanation of the importance of BYOPC (wasn’t this BYOD before?) and SASE.

The power of Citrix SASE on it’s own is quite impressive; however, devices can still remain quite a challenge as Citrix SASE fails to address endpoint reliability and that’s no strike on Citrix but, rather, the expected failures of endpoint devices.  Here’s where cross collaboration shines.

Endpoints are critical to a holistic Workspace strategy, just as design around security is.  Neglecting to understand endpoint strategy and account for something as simple as endpoint failures can be the downfall of a well thought out Citrix Workspace platform.  Our deep partnership with IGEL is where we can truly articulate an end-to-end strategy that encompasses both Zero Trust principles and, importantly, account for failures across the entire platform, even on endpoints.  IGEL’s Cloud OS, especially when delivered in UD Pocket form, expands on Zero Trust through absolute distrust for endpoint hardware, even hardware that has failed.  This is an extremely important consideration for a highly distributed workforce where it may take days, or weeks, to replace endpoint hardware.  Anyhow, we digress.

Securing your Devices

In today’s new world of hybrid work, getting work done across a variety of devices is important.  We are not using just Microsoft Windows devices anymore, but spreading productivity across Apple iOS, Android and other device types, such as IGEL (second plug).  This is fundamentally about business and user choice.  However, devices that need to be protected and governed are not just user endpoints – we are now challenged to protect IoT, cameras, point-of-sale systems, and other “non-Workspace” applications.  Traditional hub and spoke models succumb to the increased demands on the network.  Further, SaaS providers advocate a branch exit model from wherever employees are using services, such as the branch office, yet businesses have neglected this approach in most cases as it introduces additional complexity and greater security risk.

Citrix’s Integrated Workspace Security and Delivery Fabric is designed to overcome these challenges and concerns, providing secure workspace access to applications and data and coupled with SDWAN Cloud Services to ensure security and a consistent experience regardless of user location.  Tying it all together and providing visibility and granular control is Citrix Analytics, which harnesses telemetry across all enforcement points and drives intelligent actions through machine learning to understand, detect and respond to risk without added resources.

Securing your Apps

Modern application architectures may speed up innovation for businesses; however, fragmentation across multiple clouds, services, and deployment models have made them more difficult to secure.  As a matter of fact, 92% of reported vulnerabilities are in the application, not the network, according to the National Vulnerability Database maintained by NIST.

Citrix’s Web App and API Protection Service can broaden business’ ability to protect any application including monolithic applications, on-premises applications, cloud applications, and microservice-based applications.  Provided as a cloud delivered security solution that is simple to setup and scales to meet application requirements, Web App and API Protection Service provides holistic layered protection through web application firewall, DDoS mitigation and, to be released soon, bot management.

  • Web App Firewall protects applications for all attack types highlighted by OWASP; protects against SQL injection and cross-site scripting attacks; leverages extensive signatures for known attacks; and employs machine learning to defend against zero-day attacks.
  • DDoS Mitigation protects against volumetric and intelligent layer seven attacks and provides continuous protection to maintain online presence of applications.
  • Bot Management, slated for release soon, filters known bots and uses signatures, device fingerprinting and behaviour analytics to block, challenge, or rate limit bot activity.

Web App and API Protection provides quick time to value through simple install, minimized operational overhead, and through constant protections and updates and is delivered via a simple and predictable consumption model based on throughput required.

Until Next Year

Thanks for joining us and the Citrix Summit Series over the past several weeks.  As we tended to focus on the broad announcements, we invite you to view all the remaining content available on-demand until the end of the year, including customer and partner spotlights, as well as the immense volume of materials provided.

We’re certainly excited about the innovation coming out of Citrix as of late; however, though you may feel the Summit announcements were a little vague, remember that Citrix is constantly releasing product updates and feature enhancements in Cloud Services.  Though the Summit Series may not have provided a ton of immediately useful features and functions (i.e. PVS on Azure – what happened?), it did remind us of and stamp the commitment Citrix is making in ensuring and delivering on positive employee experiences, both for IT and our employees.

And that we are both trying to “Better the World through Technology.”

Take me to Summit

Contact Us

All Posts