Adaptive access and security controls for Enterprise Web, TCP, and SaaS applications

In today’s ever changing situations, application security is vital for any businesses. Making context-aware security decisions and then enabling access to the applications reduces the associated risks while enabling access to users.

The Citrix Secure Private Access service adaptive access feature offers a comprehensive zero-trust access approach that delivers secure access to the applications. Adaptive access enables admins to provide granular level access to the apps that users can access based on the context. The term “context” here refers to:

  • Users and groups (users and user groups)
  • Devices (desktop or mobile devices)
  • Location (geo-location or network location)
  • Device posture (device posture check)
  • Risk (user risk score)

The adaptive access feature applies adaptive policies to the applications that are being accessed. These policies determine the risks based on the context and make dynamic access decisions to grant or deny access to the Enterprise Web, TCP, or SaaS apps.

How it works

To grant or deny access to applications, admins create policies based on the users, user groups, the devices from which the users access the applications, the location (country or network location) from where the user is accessing the application, and the user risk score.

The adaptive access policies take precedence over the application-specific security policies that are configured while adding the SaaS or a Web app in the Secure Private Access service. The per-app level enhanced security controls are overwritten by the adaptive access policies.

The adaptive access policies are evaluated in three scenarios:

  • During a Web, TCP, or a SaaS app enumeration from the Secure Private Access service – If the application access is denied to this user, the user cannot see this application in the workspace.

  • While launching the application – After you have enumerated the app and if the adaptive policy is changed to deny access, users cannot launch the app even though the app was enumerated earlier.

  • When the app is opened in an embedded browser or a Secure Browser service – The embedded browser enforces some security controls. These controls are enforced by the client. When the embedded browser is launched, the server evaluates the adaptive policies for the user and returns those policies to the client. The client then enforces the policies locally in the embedded browser.

Create an adaptive access policy

  1. On the Secure Private Access service tile, click Manage.
  2. In the Secure Private Access home page, click Access Policies in the navigation page.
  3. Click Create Policy.

    Note:

    For the first-time users, the Access Policies landing page does not display any policies. Click Create Policy to create a policy. Once you create a policy, you can see it listed here.

Add a policy

  1. For these applications - This field lists all the applications that an admin has configured in the Secure Private Access service. Admins can select the applications to which this adaptive policy must be applied.

  2. If the following condition is met - Select the context for which this adaptive access policy must be evaluated.

    Policy

  3. Click Add Condition to add extra conditions, based on your requirement. An AND operation is performed on the conditions, and then the adaptive access policy is evaluated.

    Deny or allow access

  4. Then do the following - If the set condition matches, admins can select the action to be performed for the users accessing the application.
    • Deny access – When selected, access to the apps is denied. All other options are grayed out.
    • Allow app access with the following security controls – Select one of the preset security policy combinations. These security policy combinations are predefined in the system. Admins cannot modify or add other combinations.

      To apply a different preset security policy to the same set of applications that you have selected, the admins have to create a policy and then select the security policy combination.

    • App access from Citrix Workspace desktop clients only - Select this option to allow users to access apps from the Citrix Workspace desktop clients only.
    • Launch an application through the secure browser – Select this option to always launch an application in the Secure Browser service regardless of other enhanced security settings.

    Note:

    • The options Preset 4, Preset 5, and Preset 6 are enabled only for Enterprise web apps. If an admin has selected a SaaS app along with web apps in the list of apps, then the options Preset 4, Preset 5, and Preset 6 are disabled.

    • Admins can select a preset security policy and also select the option to launch an application through the secure browser in the same policy. Both the conditions are independent of each other.

  5. In Policy name, enter the name of the policy.
  6. Turn the toggle switch ON to enable the policy.
  7. Click Create Policy.

Adaptive access based on users or groups

To configure an adaptive access policy based on users or groups, use the Create an adaptive access policy procedure with the following changes.

  • In If the following condition is met, select Users or groups.

  • If you have configured multiple users or groups, then select one of the following as per your requirement.
    • Matches any of – The users or groups match any of the users or groups configured in the database.
    • Does not match any – The users or groups do not match with the users or groups configured in the database.
  • Complete the policy configuration.

Adaptive access policy based on user group

Adaptive access based on devices

To configure an adaptive access policy based on the platform (mobile device or a desktop computer) from which the user is accessing the application, use the Create an adaptive access policy procedure with the following changes.

  • In If the following condition is met, select Desktop or Mobile device.
  • Complete the policy configuration.

Adaptive access policy based on device

Adaptive access based on the location

An admin can configure the adaptive access policy based on the location from where the user is accessing the application. The location can be the country from where the user is accessing the application or the user’s network location. The network location is defined using an IP address range or subnet addresses.

To configure an adaptive access policy based on the location, use the Create an adaptive access policy procedure with the following changes.

  • In If the following condition is met, select Geo-location or Network location.
  • If you have configured multiple geo-locations or network locations, then select one of the following as per your requirement.
    • Matches any of – The geographic locations or network locations match any of the geographic locations or network locations configured in the database.
    • Does not match any – The geographic locations or network locations do not match with the geographic locations or network locations configured in the database.

    Note:

    • If you select Geo-location, the source IP address of the user is evaluated with the IP address of the country database. If the IP address of the user maps to the country in the policy, the policy is applied. If the country does not match, this adaptive policy is skipped and the next adaptive policy is evaluated.

    • For Network location, you can select an existing network location or create a network location. To create a new network location, click Create network location.

    Adaptive access new network location

  • Complete the policy configuration.

Adaptive access policy based on location

Adaptive access based on the device posture

The Citrix Secure Private Access service provides adaptive access based on a device posture by using an on-premises Citrix Gateway or a Citrix hosted Citrix Gateway (adaptive authentication) as an IdP to Citrix Workspace. The Enterprise Web, TCP, or SaaS apps can either be enumerated or hidden from the end user based on the EPA check results and the configured smart access policy.

Note: Adaptive authentication is a Citrix Cloud service that enables advanced authentication for users logging in to Citrix Workspace. Adaptive authentication gives a gateway instance running in cloud and you can configure the authentication mechanism for this instance, as required.

Prerequisites

Understanding the flow of events

  • User enters the Workspace URL into a browser or connects to a Workspace Store using a native Citrix Workspace App.
  • User is redirected to the Citrix Gateway configured as an IdP.
  • User is prompted to allow an EPA check to be performed on the device.
  • Citrix Gateway performs an EPA check after the user consents to scan the device and writes the smart access tags to CAS against the device ID.
  • User logs in to Citrix Workspace using Citrix Gateway IdP and the configured authentication mechanism.
  • Citrix Gateway provides smart access policy information to Citrix Workspace and Secure Private Access.
  • User is redirected to the Citrix Workspace home page.
  • Citrix Workspace processes the smart access tags provided by the Citrix Gateway configured as an IdP, and then determines the apps that must be enumerated and displayed to the end user.

Configuration scenario – Enterprise Web, TCP, or SaaS app enumeration based on device posture scans

Step 1: Configure smart access policies using Citrix Gateway GUI

  1. Navigate to Security > AAA-Application Traffic > Policies > Authentication > Advanced Policies> Smart Access > Profiles.
  2. On the Profiles tab, click Add to create a profile.

Create a profile for device posture check

  1. In Tags, enter the smart access tag name. This is the tag that you must enter manually when creating the adaptive access policy.
  2. Navigate to Security > AAA-Application Traffic > Policies > Authentication > Advanced Policies> Smart Access > Policies.
  3. Click Add to create a policy.

Create a policy for device posture check

  1. In Action, select the previously created profile and click Add.
  2. In Expression, create the policy expression and click OK.

Step 2: Create an adaptive access policy

Perform the steps detailed in Create an adaptive access policy procedure with the following changes.

Adaptive access match conditions

  • In If the following condition is met, select Device posture check.
  • If you have configured multiple smart access tags, then select one of the following as per your requirement.
    • Matches all of – The device ID matches all of the smart access tags written against the device ID when you log in to Citrix Workspace.
    • Matches any of – The device ID matches any of the tags written against the device ID when you log in to Citrix Workspace.
    • Does not match any - The device ID does not match against the device ID when you log into Citrix Workspace.
  • In Enter custom tags, manually type the smart access tag. These tags must be similar to the tags configured in Citrix Gateway (Create Authentication Smart Access Profile > Tags).

Points to note

  • Posture evaluation occurs only when you log on to Citrix Workspace (only during the authentication).
  • In the current release, continuous device posture evaluation is not done. If the device context changes after the user logs on to Citrix Workspace, then the policy conditions do not have any impact on the device posture evaluation.
  • Device ID is a GUID generated for each end user device. Device ID might change if the browser used to access Citrix Workspace is changed, cookies are deleted or incognito/private mode is used. However, this change does not impact the policy evaluation.

Adaptive access based on user risk score

Important:

This feature is available to the customers only if they have the Security Analytics entitlement.

User risk score is a scoring system to determine the risks associated with the user activities in your enterprise. Risk indicators are assigned to user activities that look suspicious or can pose a security threat to your organization. The risk indicators are triggered when the user’s behavior deviates from the normal. Each risk indicator can have one or more risk factors associated with it. These risk factors help you to determine the type of anomalies in the user events. The risk indicators and their associated risk factors determine the risk score of a user. The risk score is calculated periodically and there is a delay between the action and the update in the risk score. For details, see Citrix user risk indicators.

To configure an adaptive access policy with risk score, use the Create an adaptive access policy procedure with the following changes.

  • In If the following condition is met, select User risk score.

  • Configure the adaptive access policy based on the following three types of user risk conditions.

    • Preset tags fetched from the CAS service

      • LOW 1–69
      • MEDIUM 70–89
      • HIGH 90–100

      Note:

      A risk score of 0 is not considered to have a risk level “Low.”

    • Threshold types
      • Greater than or equal to
      • Less than or equal to
    • A number range
      • Range

Risk score condition

Risk score

Adaptive access and security controls for Enterprise Web, TCP, and SaaS applications