Contextual access to Enterprise Web and SaaS applications – Tech Preview

In today's ever-changing situations, application security is vital for any business. Making context-aware security decisions before enabling access to applications reduces the associated risks while still giving users the access they need.

The Citrix Secure Workspace Access service contextual access feature offers a comprehensive zero-trust access approach that delivers secure access to the applications. Contextual access enables admins to provide granular level access to the apps that users can access based on the context. The term “context” here refers to users, user groups, and the platform (mobile device or a desktop computer) from which the user is accessing the application.

The contextual access feature applies contextual policies to the applications that are being accessed. These policies determine the risks based on the context and make dynamic access decisions to grant or deny access to the Enterprise Web or SaaS apps.

How it works

To grant or deny access to applications, admins create policies based on the users, user groups, and also based on the devices from which the users access the applications.

The contextual access policies take precedence over the application specific security policies that are configured while adding the SaaS or a Web app in the Secure Workspace Access service.

For example, consider that the Microsoft Word app is subscribed to users Emp1 and Emp2. The enhanced security options such as restrict printing, restrict downloads, and display watermark are enabled for the application while adding the app in the Secure Workspace Access service.

In this case, the admin creates a policy that applies the app-level policy. If no contextual policy matches the context, access automatically falls back to the app-level policy. The admin can then create another policy with no contextual security controls for Emp2.

In this scenario, the enhanced security options are applied when Emp1 accesses the app. For Emp2, however, the contextual access policy overrides the app-level policies, so the enhanced security options are not enforced for Emp2.

The contextual access policies are evaluated in three scenarios:

  • During Web or SaaS app enumeration from the Secure Workspace Access service – If the application access is denied to this user, the user cannot see this application in the workspace.

  • While launching the application – After the app has been enumerated, if the contextual policy is changed to deny access, users cannot launch the app even though it was enumerated earlier.

  • When the app is opened in an embedded browser or Secure Browser service – The embedded browser enforces some security controls. These controls are enforced by the client. When the embedded browser is launched, the server evaluates the contextual policies for the user and returns those policies to the client. The client then enforces the policies locally in the embedded browser.

Customers entitled to contextual access

Customers who are entitled to the Citrix Secure Workspace Access service get the contextual access feature at no additional cost. In addition, the contextual access feature must be enabled for that customer.

Create a contextual access policy

  1. On the Secure Workspace Access service tile, click Manage.
  2. Click the Manage tab and then click Contextual Access.
  3. Click Create Policy.

    Create contextual access policy

  4. FOR USERS OF THESE APPLICATIONS - This field lists all the applications that an admin has configured in the Secure Workspace Access service. Admins can select the applications to which this contextual policy must be applied.

  5. IF THE FOLLOWING CONDITION IS MET - Enter the users or the user groups for whom this contextual access policy must be evaluated.

    Conditions

  6. In addition to users or user groups, admins can add another condition to define the device from which the user is accessing the applications. The device can be a mobile device or a desktop computer.

  7. Click Add Condition and in Select Condition, select the device from which the user accesses the application.

    An AND operation is performed on the user or user group condition and the device condition, and then the contextual policy condition is evaluated.

    Deny or allow access

  8. THEN DO THE FOLLOWING - If the set condition matches, admins can select the action to be performed for the users accessing the application.
    • Deny access – When selected, access to the apps is denied. All other options are grayed out.
    • Allow app access with the following security controls – Select one of the preset security policy combinations. These security policy combinations are predefined in the system. Admins cannot modify or add other combinations.

    To apply a different preset security policy to the same set of applications that you have selected, admins have to create another policy and select that security policy combination.
    • Launch an application through the secure browser – Select this option to always launch an application in the Secure Browser service regardless of other enhanced security settings.

    Note:

    • The options Preset 4, Preset 5, and Preset 6 are enabled only for Enterprise web apps. If an admin has selected a SaaS app along with web apps in the list of apps, then the options Preset 4, Preset 5, and Preset 6 are disabled.

    • Admins can select a preset security policy and also select the option to launch an application through the secure browser in the same policy. Both conditions are independent of each other.

  9. In POLICY NAME, enter the name of the policy.
  10. Turn the toggle switch ON to enable the policy.
  11. Click Create Policy.

Contextual access based on user risk score

User risk score is a scoring system to determine the risks associated with the user activities in your enterprise. Risk indicators are assigned to user activities that look suspicious or can pose a security threat to your organization. The risk indicators are triggered when the user's behavior deviates from normal. Each risk indicator can have one or more risk factors associated with it. These risk factors help you to determine the type of anomalies in the user events. The risk indicators and their associated risk factors determine the risk score of a user. Note that the risk score is calculated periodically, so there is a delay between the action and the update in the risk score. For details, see Citrix user risk indicators.

To configure a contextual access policy with risk score, use the Create a contextual access policy procedure with the following changes.

  • In IF THE FOLLOWING CONDITION IS MET, select User risk score.

  • Configure the contextual access policy based on the following three types of user risk conditions.

    • Preset tags fetched from the CAS service
      • LOW
      • MEDIUM
      • HIGH
    • Threshold types
      • Greater than or equal to
      • Less than or equal to
    • A number range
      • Range
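As an added illustration, and not Citrix's code or a description of the service's internals, the following Python models the evaluation rules this page states in "How it works" and in the risk-score section: policies are checked in priority order (lower number first), the user/group condition (or the user risk score condition) is ANDed with the optional device condition, the first match decides, a deny hides the app at enumeration, and when nothing matches access falls back to the app-level enhanced security settings. The names (Context, Policy, Decision, evaluate, enumerate_apps), the encoding of the three risk-condition types, and the sample users, apps and policies are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Context:
    """Who is asking, from which platform, and the CAS risk data for them (assumed shape)."""
    user: str
    groups: FrozenSet[str] = frozenset()
    device: str = "desktop"             # "desktop" or "mobile"
    risk_score: Optional[int] = None    # score fetched from CAS; None if not yet computed
    risk_tag: Optional[str] = None      # preset tag fetched from CAS: "LOW", "MEDIUM" or "HIGH"


@dataclass(frozen=True)
class Policy:
    """One contextual access policy as entered in the UI (hypothetical model)."""
    name: str
    priority: int                            # lower number = evaluated first
    apps: FrozenSet[str]                     # FOR USERS OF THESE APPLICATIONS
    users: FrozenSet[str] = frozenset()      # IF THE FOLLOWING CONDITION IS MET (users)
    groups: FrozenSet[str] = frozenset()     # ... or user groups
    risk: Optional[Tuple] = None             # ("tag","HIGH") | (">=",70) | ("<=",30) | ("range",40,60)
    device: Optional[str] = None             # additional AND condition; None = any device
    action: str = "allow"                    # THEN DO THE FOLLOWING: "allow" or "deny"
    controls: FrozenSet[str] = frozenset()   # preset security controls applied when allowed
    enabled: bool = True                     # the policy's toggle switch


@dataclass(frozen=True)
class Decision:
    access: str                  # "allow" or "deny"
    controls: FrozenSet[str]     # controls the client must enforce in the embedded browser
    policy: Optional[str]        # name of the matching policy; None = app-level fallback


def _risk_matches(cond: Tuple, ctx: Context) -> bool:
    """The three user-risk condition types: preset tag, threshold, number range."""
    kind = cond[0]
    if kind == "tag":
        return ctx.risk_tag == cond[1]
    if ctx.risk_score is None:     # no score yet (scores update with a delay): no match
        return False
    if kind == ">=":
        return ctx.risk_score >= cond[1]
    if kind == "<=":
        return ctx.risk_score <= cond[1]
    if kind == "range":
        return cond[1] <= ctx.risk_score <= cond[2]
    raise ValueError(f"unknown risk condition type {kind!r}")


def policy_matches(p: Policy, app: str, ctx: Context) -> bool:
    if not p.enabled or app not in p.apps:
        return False
    if p.risk is not None:
        subject_ok = _risk_matches(p.risk, ctx)
    else:
        subject_ok = ctx.user in p.users or bool(ctx.groups & p.groups)
    device_ok = p.device is None or p.device == ctx.device
    return subject_ok and device_ok    # AND of the subject condition and the device condition


def evaluate(policies: List[Policy], app: str, ctx: Context,
             app_level_controls: FrozenSet[str]) -> Decision:
    """First matching policy in priority order wins; otherwise fall back to app-level settings."""
    for p in sorted(policies, key=lambda q: q.priority):
        if policy_matches(p, app, ctx):
            if p.action == "deny":
                return Decision("deny", frozenset(), p.name)
            return Decision("allow", p.controls, p.name)   # overrides the app-level controls
    return Decision("allow", app_level_controls, None)


def enumerate_apps(policies: List[Policy], app_controls: Dict[str, FrozenSet[str]],
                   ctx: Context) -> List[str]:
    """Workspace enumeration: an app denied by policy is not shown to the user at all."""
    return sorted(a for a, c in app_controls.items()
                  if evaluate(policies, a, ctx, c).access == "allow")


# Constructed sample data mirroring the page's Emp1/Emp2 example.
ENHANCED = frozenset({"restrict printing", "restrict downloads", "display watermark"})
APP_CONTROLS = {"Microsoft Word": ENHANCED, "Intranet Wiki": frozenset()}
POLICIES = [
    Policy("Block high-risk users", 1, frozenset(APP_CONTROLS), risk=("tag", "HIGH"), action="deny"),
    Policy("Emp2 without controls", 2, frozenset({"Microsoft Word"}), users=frozenset({"Emp2"})),
    Policy("Wiki on mobile via Secure Browser", 3, frozenset({"Intranet Wiki"}),
           groups=frozenset({"staff"}), device="mobile",
           controls=frozenset({"launch in Secure Browser"})),
]

if __name__ == "__main__":
    for who in (Context("Emp1"), Context("Emp2"), Context("Emp2", risk_tag="HIGH")):
        print(who.user, who.risk_tag, evaluate(POLICIES, "Microsoft Word", who, ENHANCED),
              enumerate_apps(POLICIES, APP_CONTROLS, who))
```

Emp1 has no matching policy, so the decision carries the app-level enhanced security controls; Emp2's policy matches and returns an empty control set, which is the override behaviour the example above describes; a HIGH risk tag hits the priority-1 deny first, so the apps disappear from enumeration entirely.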

Contextual access policy based on user risk score

Example policy based on user risk score

View the list of configured contextual access policies

  1. On the Secure Workspace Access service tile, click Manage.
  2. Click the Manage tab and then click Contextual Access.
  3. All policies that are configured for contextual access are displayed here.
    • Priority – The priority of the policy; the lower the number, the higher the priority. You can modify the priority based on your requirement: select the policy and drag and drop it using the arrow icon.
    • Name – Name of the contextual access policy.
    • Status – Status of the contextual access policy, which determines whether the policy is enabled or disabled. You can use the toggle switch to enable or disable the policy.
    • Modified – The date when the policy was last modified.

    View configured contextual access policy
