Connections on the internet are not secure by default, and bad actors frequently take advantage of users accessing organizations’ applications and resources from remote locations to burrow into corporate networks.
Experts recommend picking a remote access management solution and adjusting the settings to the organization’s individual access control policy to establish remote connections securely.
Doing this right can enforce access controls consistently across the board, and there are scores of off-the-shelf solutions that provide decent security coverage to that end. But iron-clad protection based on hardcore zero trust principles, which is considered a requirement, is still missing from generic solutions.
A VPN, for example, gives users unchecked access to the entire network estate by means of secure tunnels. Privileged access like this opens the network up to lateral movement attacks.
“On a rainy day, [a user] can easily hop on to some of the back-end resources getting access to a lot more than you would usually want,” warned Shivam Saggar, product manager at Citrix.
Citrix is trying to remediate the situation by layering in security across the users’ access journey. The goal is to make it harder for malicious users to gain access to back-end applications hosted in private and public data centers.
Citrix Secure Private Access (SPA), which became generally available in July last year, includes a host of safety features that give employees, contractors, third-party vendors and partners access to company resources from managed or BYO devices without compromising network safety.
“We are not only doing access management based on just the usual credentials of end-users. We go a lot more granular,” said Saggar, while detailing the product capabilities at the recent Security Field Day, a Tech Field Day event, in California.
SPA protects corporate data and the back-end applications by enforcing a zero-trust model, giving enterprises the trifecta of control, governance and visibility all in one solution, Saggar said.
“Because there’s so much differentiation in the number of use cases, the users and the types of applications they are accessing, [organizations] over the years end up in a situation of amalgamation and proliferation of solutions which is not only difficult to manage, but also raises the costs greatly.”
Citrix SPA can potentially replace this ballooning stack with a single solution. “To each of the concerns, the Citrix Platform brings the Citrix Secure Private Access solution,” he said.
As one would expect, the foundation of this solution is the “never trust, always verify” policy which is a core element of zero trust network access (ZTNA). It works by checking and rechecking the trustworthiness and privileges/permissions of users and devices.
“At no point are you actually trusting the user because all points and variables that would deem an end-user trustworthy are being tested.”
Users are provisioned least-privilege access by default, ensuring that everything beyond their level of access remains off limits. For example, Saggar said, “To a user coming in from the finance department, you will only give access to the applications which they really need, the finance application, in this case.”
If a user tries to overreach, and “anything changes or breaks, the access changes or breaks too.”
“This is not only being done once. You keep checking them continuously through the entire access journey of the end user,” Saggar stressed.
Citrix shrinks the attack surface with per-application connections that prevent rogue users and compromised endpoints from gaining access to the entire network. All users are verified against a common set of metrics, some examples being identity, role within the organization, the devices they are using, and the resources they have access to.
At a more granular level, Saggar said, SPA performs device posture checks to determine the authenticity of the device. Things like compliance and configuration are scanned to judge the legitimacy of the device before granting access into the network.
SPA further allows administrators to ask questions and dig deeper. “Some of the questions they can ask are – does the device have the right operating system installed? does it have the right OS version? the right anti-malware and antivirus, the right certificates to know if it’s a managed or a BYO device? or the right registry key settings that the admin would want on a certain device accessing corporate applications.”
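To make the least-privilege, posture-check and continuous-verification ideas above concrete, here is a small added illustration in Python. It is not Citrix code and does not model SPA’s actual policy schema; the device fields, application names and thresholds are assumptions made up for the example.

```python
from dataclasses import dataclass, replace

# Constructed device posture record; field names are hypothetical, not SPA's schema.
@dataclass(frozen=True)
class Posture:
    user: str
    department: str
    os: str                    # "windows" or "macos"
    os_version: tuple          # e.g. (11, 0)
    antimalware_running: bool  # anti-malware / antivirus present and running
    managed_cert: bool         # device presents the org's device certificate (managed vs BYO)
    registry_ok: bool          # required registry keys present (only checked on Windows)

# Per-application policy: which department may reach the app and the minimum
# posture it demands. Illustrative values only.
APP_POLICIES = {
    "finance-app":   {"departments": {"finance"},
                      "min_os": {"windows": (10, 0), "macos": (13, 0)},
                      "need_managed": True, "need_registry": True},
    "intranet-wiki": {"departments": {"finance", "engineering"},
                      "min_os": {"windows": (10, 0), "macos": (12, 0)},
                      "need_managed": False, "need_registry": False},
}

def posture_failures(p, policy):
    """Return the names of the checks the device fails for one app (empty list == allowed)."""
    fails = []
    if p.department not in policy["departments"]:
        fails.append("role")
    min_v = policy["min_os"].get(p.os)
    if min_v is None:
        fails.append("os")
    elif p.os_version < min_v:
        fails.append("os_version")
    if not p.antimalware_running:
        fails.append("antimalware")
    if policy["need_managed"] and not p.managed_cert:
        fails.append("managed_cert")
    if policy["need_registry"] and p.os == "windows" and not p.registry_ok:
        fails.append("registry")
    return fails

def reachable_apps(p):
    """Least privilege: only apps whose every check passes are offered, per app, never the whole network."""
    return sorted(app for app, pol in APP_POLICIES.items() if not posture_failures(p, pol))

def reevaluate(session_apps, p):
    """Continuous verification: re-run the checks mid-session and revoke whatever no longer passes."""
    still_ok = set(reachable_apps(p))
    return {"keep": sorted(session_apps & still_ok), "revoke": sorted(session_apps - still_ok)}
```

Calling `reevaluate` with the same session after the device drops its management certificate shows the "anything changes or breaks, the access changes or breaks too" behaviour: the finance app is revoked while the wiki stays reachable.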
Saggar highlighted that SPA is contextually aware. The solution has the ability to sense geolocations and network locations of users which makes it hyper-vigilant.
SPA’s one-console management system offers a unified and cohesive experience to administrators by allowing them to “access, manage, create or delete everything in one place.”
Through Citrix Monitor, a monitoring tool, the console offers oversight of the applications and accesses happening across the network in real time. The complete environment, including “all back-end applications, virtual apps, desktop, web, SaaS, and TCP UDP applications”, is made visible for management and control.
Today Citrix SPA offers three access models. The first is the Secure Access Agent, which Saggar described as “a use case for customers looking for a VPN replacement”, with per-app connections as an added layer of protection.
The second agent-based option is the Enterprise Browser, a browser that packs data loss prevention (DLP) controls, masking, and restrictions on screen sharing, screen printing and downloads.
“[It] can help create air gaps between the users’ desktops and the back-end applications and help containerize the movement of data,” said Saggar.
The third touchpoint is an agentless mode designed for customers who have access requests coming in from a lot of BYODs that they do not have the capacity to install agents on. For them, the agentless access method offers the ability to securely access applications through native browsers like Chrome, Firefox, and Edge, using ZTNA.
Citrix has a point of presence (PoP) infrastructure that spans the globe allowing users to access back-end applications “in the most performant way”, no matter where in the world they are, assured Saggar.
“We provide a lot more flexibility whether you want to route your access through our infrastructure, over through the SPA service node or your own corporate network, or the Internet,” he added.
Watch Citrix’s demo of Secure Private Access from Security Field Day to get a deep dive.