6: The Citrix Session – Access Control for SaaS and web apps from on-prem StoreFront

Nov 26, 2019

This session highlights the following Citrix Blog:
https://www.citrix.com/blogs/2019/05/23/access-control-for-saas-and-web-apps-from-on-prem-storefront/

Host: Andy Whiteside
Co-Host: Bill Sutton
Guest/Author: Chris Fleck

Chris Fleck is the Citrix Vice President and Technical Fellow. A self-professed tech instigator, he’s a devotee of Mobility, IoT, VDI, Clouds, & Innovation.

Speaker 1:
0:00

Everyone, and welcome to, I think, episode six of The Citrix Session podcast. I'm your host, Andy Whiteside, and as usual I have with me the director of services at XenTegra, Bill Sutton. Bill, how's it going?

Speaker 2:
0:12

Going well today, Andy. How about yourself?

Speaker 1:
0:15

I'm doing great. I may stumble a little bit in this. I took a red-eye home from Salt Lake last night, so I've only slept two hours, and those two hours on the airplane. So if I stumble a little bit, please forgive me.

Speaker 3:
0:28

Well, if you fall asleep we'll yell at you.

Speaker 1:
0:30

I definitely won't fall asleep, because we're very lucky today to have Chris Fleck with us. Chris is the Vice President and Technical Fellow at Citrix, and on his author page here on the Citrix blogs it actually says a self-professed tech instigator, which I really like. And Chris, before you jump into that, since I screwed up about your title, I just want to talk real quick about how you impacted my Citrix career. You were the first person I ever saw talk about the Citrix Nirvana Phone, which is this idea that we can take a phone and make it our one and only device, and because of Citrix technologies we can access the world of Microsoft x86 Windows and x86 applications. And I started trying that myself with the old Windows Mobile phone I had at the time, my Citrix environments, and I think the REDFLY, which would extend the Windows Mobile phone. And one of the guys at Citrix, my previous manager David Hanna, he saw me doing that at a conference one time, and within three weeks I was hired as a Citrix sales engineer. And so that was very impactful to me. I don't know if you knew that. I did not know that.

Speaker 4:
1:43

And I'm smiling as you talk about that, because I'm happy to hear it. And yeah, it may have been a little ahead of its time back then, but certainly we're now seeing that capability with Apple and Samsung and a number of devices. And yeah, it's definitely rewarding to see some of these things that we anticipated a long time ago actually become a reality.

Speaker 1:
2:15

And you know, the Citrix side of that equation probably was pretty close to prime time then. It's the devices and the networks that have caught up, right?

Speaker 5:
2:22

Yeah, exactly, yeah.

Speaker 4:
2:24

That's been the obstacle in the past: the device limitations, and the video out, and mice working with the OS, and a whole bunch of things that over time, in some cases, we've solved the issues, or in other cases the hardware vendors themselves have done some things. So yeah. And as maybe we'll talk about today, you know, there's a lot more that we have in the queue, including not just future things but things that are shipping now that are dramatically improved and broadened in terms of what Citrix can do.

Speaker 6:
3:07

Yeah. Just a quick note on that. I mean, I hear people all the time talking about other players in this space and how they've caught up to Citrix, or they're catching up with Citrix. I'm like, I don't know, guys, 30 years. And I want to ask you about your 30-year reunion you guys had this week. 30 years of what I call scars on your knuckles, that's pretty hard to catch up to.

Speaker 4:
3:24

Yeah, yeah. The reference here is the 30-year anniversary for Citrix, and we had a great event this week. We actually had Roger Roberts, Mark Templeton and David Henshall all together on a panel that I had the honor of moderating and asking the questions, and it was great hearing way back to when Roger Roberts met with Iacobucci and saw some of the opportunity and got things started. Obviously it went through some roller-coaster kind of startup learnings, and yet, because of the company and the culture that was built, and the ecosystem, there was actually quite a number of the original Citrix resellers, solution advisors, etc. that, you know, built careers and built businesses around Citrix that were there. And then there's actually a lot of Citrix alumni as well, like yourself, where they just feel really good about the company and the experience they had there, and I think that's because of the special culture that was built and continues on. David Henshall did a great job talking about maintaining that culture and growing it, as well as our next big thing, our next BHAG, our big hairy audacious goal, which is we want to go after a billion users. We want to expand beyond being the best in the virtual environment, which we are, and continue to evolve the enhancements with virtual desktops and virtual apps. But we want to capture everybody else that has a job, quite frankly, because the chances are, if you've got a job, you're probably using devices and applications to get that job done. And when you look at what those applications are, that includes mobile devices, mobile applications, and we've had offerings there for a while around our XenMobile product, which is now Citrix Endpoint Management, to enhance and secure mobile applications. But what's new, and it's really significant, is Citrix Workspace and what we're doing there.
And it's much more than just a name change from Receiver, and I know that a lot of longtime Citrix folks recognized Receiver, and they might think, well, Citrix is just changing the name again, which we've been accused of before, right? And no doubt we're guilty of that. But what we're doing now is much more than that, and that's both in terms of the functionality and the security aspect, as well as the productivity enhancements. And I think for the purposes of this podcast we wanted to go a little deeper on the security side and what we're doing there to expand what IT organizations can do to protect and manage web and SaaS applications. And that's something that in many cases organizations are deploying outside of Citrix.

Speaker 7:
6:55

They may be using a published browser on Citrix as an app in some cases, but in many cases they're just using a standard browser to connect to a web or SaaS app, and yet there's lots of potential issues there in doing so. And what we've done is we've come up with a new service called Citrix Access Control. So the Citrix Access Control service relies on a new component of Citrix Workspace app, again which is the new version of Receiver, and what is included there is an embedded browser, and that embedded browser is based on Chromium. And what that does is it allows IT to deploy web and SaaS apps to run natively. So it's actually not in a session; the browser component is actually running locally on the PC or Mac or whatever, and therefore it gives local performance, and it doesn't require any back-end CPU cycles or infrastructure. But it still gives IT the ability to control and secure those web and SaaS applications, and we can do things like copy/paste control, we can do print control, we can do download control, we can add a watermark. We can do a lot of the things that IT has been traditionally using XenApp for; we can now apply them to web and SaaS applications without adding a hop, without adding infrastructure, without adding logon times. We can do all of that in a fashion that we think really opens the door to the next billion users. So Chris, let's set you up for that, even though you just did a really good job jumping into it.

Speaker 8:
9:03

So you wrote a blog called Access Control for SaaS and web apps from on-prem StoreFront, and I definitely want you to go into that a little bit. But you know, Bill and I were talking prior to getting you on this podcast. You know, we're pretty hardcore Citrix guys, and we know Citrix access control mechanisms from the days of MSAM and Access Gateway Advanced, where when someone was coming through a gateway we could tag it, and we could turn off channels, and we could disable printing, we could disable the devices and peripherals. And we want to kind of talk to you about, you know, all the different things Citrix has done in that space to get to the point you're talking about now, where now you're providing a solution not only for the virtual app and desktop guy, but for the rest of the user population that might be kind of roguely or organically using browsers to go all kinds of places, right? So can you kind of walk us through, from MSAM, I think that was an acquisition, all the way up to now, where we've got embedded Chromium as well as a browser service, plus other things going on? Yeah, well.

Speaker 5:
10:17

So some of the earlier iterations around MSAM and Cloud Gateway, and some of the earlier incarnations of trying to expand beyond just virtual, was to add access controls to the authentication process, if you will. And it's obviously a value add to be able to do that, and to be able to enforce multi-factor authentication if you're outside the network, and maybe allow it inside the network without multi-factor, and to inspect the endpoint. And so there's a number of things that you've been able to do over time, but what's really been missing, we believe, is the full session control for a web versus app. And that's what's new here: the ability to say, all right, we're going to allow IT to make apps available to their employees, like Salesforce or Workday or ServiceNow, and add this layer of control that they didn't have before. One of the things that I'm sure yourselves and many of the Citrix longtime audience have been familiar with for a long time was the content publishing, where you could use your existing StoreFront and your Citrix infrastructure, and if you wanted to just publish a link to an internal resource, for example, you could do that, and instead of launching a XenApp session it would actually just go to a URL or URI that you pointed to. You remember that, right? And a lot of folks, you know, unfortunately we deprecated that for a little while, and then we had a lot of people push back to say, hey, that was an awesome feature and we depend on it. We've actually got customers that say they've got literally hundreds of apps slash websites slash resources that they deliver to employees with that mechanism. And so we brought it back, and we made it available now as something that you can provide with your existing StoreFront, using some PowerShell commands to be able to configure it.
So that is there, but what that does is really just the first step, which is organize. We talk about organize and secure and automate, and we're really trying to add value beyond just organize. And what we actually did with this new Access Control service is we've added, there's two methods to get it. In one case, if you buy the Citrix Cloud Access Control service with the control plane in the cloud and the StoreFront in the cloud, then it's just there. You basically just have to configure it from Citrix Cloud, and then in the utility you plug in, you know, Salesforce or Workday or whatever your URLs are. Ideally, what you want to do is make the Citrix Cloud identity service the central broker for those services, and that way you're kind of preventing the backdoor method to get to those services. And by virtue of the simple configuration, users basically have to go to Citrix Cloud, they authenticate, and then they get a single sign-on to all of these, whether it's their existing virtual apps and desktops or it's these new SaaS and web apps, and then they get the benefit of this added layer of security, again things like print, copy/paste, watermark, etc., and then also things like the content filtering. So if you've got a link inside your SaaS app, we also filter that, and if it's categorized unacceptable for, like, HR policy, we can block it. And if it's categorized like potential malware or real security risks, what we do is we redirect it to our Secure Browser service, where it can open there, and a user can still be productive and see what that link leads them to, but it won't open up locally.

Speaker 8:
15:43

I do want to try one thing real quick here, and I think both you guys will agree after I say this. Chris, I'm glad you jumped into the content redirection concept, which a lot of people didn't take nearly enough advantage of. But I do want to highlight something, and you actually have it in your blog: a lot of people I've interacted with through the years, they just published the browser in the published app, with a link as part of the actual published app executable, and for a lot of our listeners that's what they think of when they talk about using a browser and Citrix. And then you don't have the content redirection, and now we're talking about the evolution of all of that in the solution.

Speaker 2:
16:22

Yeah. I think what you're saying, Andy, and to walk it back just a little bit.

Speaker 3:
16:27

Chris was talking about the concept of, you know, back in the early days of StoreFront and even Web Interface, you could publish those web links. Like you mentioned, Chris, a lot of customers do that, or did that, and maybe still do. But that, plus the published app, or the browser as a published app that Andy was speaking of, that only got the customer so far. If that app required authentication, the user had to enter their credentials, right? By leveraging the access controls and leveraging Citrix Cloud as the SAML or identity provider, then we can essentially federate or enable single sign-on for the user to access apps that require authentication. And then the security around that is multifold. Obviously one of the things is IT or the business can manage access to those apps, since it's tied to their AD credential, not tied to an individual credential they set up for themselves. And then obviously the other significant security issues that you mentioned, Chris, are things like the embedded browser, watermark. So it's an evolution, but you know, the old way of doing it had significant limitations when it came to the world we live in today, and I think what I read in the blog article really kind of seems to indicate that we're taking that to the next step and allowing the federation of the authentication and then the other security controls.

Speaker 5:
17:46

Would that be a fair statement? Absolutely. It's really an evolution from one point of view, but it's a pretty dramatic step up, because it absolutely...

Speaker 9:
17:58

Because I think in a lot of cases, like you guys brought up, traditionally web apps with Citrix meant a published XenApp browser. And that still makes sense, by the way, you know, for a number of use cases, but it comes with a cost, right? It comes with a cost from a back-end infrastructure perspective, a licensing perspective, then a Microsoft licensing perspective, and a user performance penalty, you know, if it has a logon cycle. So I think users and IT would like to be able to run those web and native SaaS apps locally, and often they're doing that today, but then they're doing it in a risky way. And so what we can do is effectively the best of both worlds, which is let them run it locally or natively, but do it inside this embedded browser that provides local performance, no overhead on the back end, and a really comprehensive set of security policies over the entire session, not just the authentication. And to go a little deeper on the blog, what I'm highlighting there is that we now have a mechanism that allows existing Citrix customers to leverage what I'm talking about here, this Access Control service, without moving everything to the control plane, and specifically without moving Citrix StoreFront to the control plane. Because we know that, even though ultimately, you know, that's a lot more efficient and, infrastructure-wise, makes sense to be able to do that, we know there's lots of customers that are not able to or not ready to do that.

Speaker 5:
19:54

That's a significant step. And what we've done here is created a hybrid deployment method that allows customers to keep their existing StoreFront on-prem, and therefore zero impact to their existing remote access through a Gateway, or zero impact to their internal users: they see their StoreFront, they click on a XenApp or XenDesktop app, it just launches directly, and there's no hopping out to the cloud or anything else. And so they can keep all that as is, but they can now add SaaS apps right alongside those XenApp or XenDesktop virtual apps that they've got published in their existing StoreFront. They can now see Salesforce and ServiceNow and Workday and all those apps, as well as internal apps. And that's actually a really big opportunity: all of the intranets and SharePoint sites and all of the internal resources that you'd like to be able to make available to your employees, and, you know, in a lot of cases do it both internally inside the network or, more specifically, outside the network, and do it without a VPN, for example. And we're able to do that now with this hybrid configuration. So we've created a utility that basically runs alongside your StoreFront server that synchronizes the SaaS and web app configuration that you've done in the cloud, and uses the old content publishing technique, and inserts those web and SaaS apps into your DDC and makes them visible to users in StoreFront. So as an admin you can assign groups, assign users, just like you do with virtual apps, but you're doing it with the SaaS apps now and the web apps, and you're now then deploying it with these added security controls, but again, no overhead, which we think is a big deal. Right?

Speaker 2:
22:25

So it leverages the Citrix Access Control feature in the cloud. Is that correct, or...

Speaker 5:
22:30

That's exactly right. Yeah. So in other words, you know, you may not be ready to put your whole control plane in the cloud, but you really like this idea of access control. Now you can have both, right? You can say, all right, I want access control, I want this dynamic ability to use the Secure Browser service, you know, where I don't want to take risks if somebody has got malicious links inside their SaaS or web app that's being leveraged as well. But I don't need to move my StoreFront, at least not now, or whenever, you know, your schedule fits. You can keep that as is.

Speaker 8:
23:14

So guys, walk me through this. So I'm a user, I'm on a Mac, I've got my Workspace app, and I want to leverage this functionality. Am I connecting that Workspace app to the cloud service that I get as part of the Workspace service? Am I connecting it to my StoreFront? What am I connected to, and what's the flow of the user experience? Yeah.

Speaker 5:
23:37

So what you're connecting to is your Gateway. And so you do need it; you need to do a one-time setup too, if you want to use your credentials for Workspace app to connect to the access control, effectively. This does depend on having the Workspace app installed, and so the Workspace app allows you to authenticate simply to your existing Gateway, your on-prem Gateway, and your on-prem StoreFront. And what will happen is, so if you click on, again, a virtual app, there's no change. It's exactly as is. There's no hopping to the cloud, etc. But right alongside that virtual app, the end user now sees a Salesforce icon, and they click on that Salesforce icon, and what happens there is they're basically routed out to the Citrix Cloud service, the identity service, that already is enabled with the single sign-on from your SAML configuration for Salesforce, right? And so from a user perspective it's like a no-brainer. They don't have to do anything.

Speaker 3:
25:11

Yeah, I got it. They get into the app; there's no other authentication required.

Speaker 10:
25:15

Correct. Correct. Yeah. This sounds to me like some Gateway optimal routing magic that we've been using for other XenDesktop, Citrix Virtual Apps and Desktops solutions. We're now able to basically just redirect that session, not session, that's a bad word, that connection, right through the service and take advantage of what the service can do for us. But the...

Speaker 3:
25:39

But all of the icons, I think the point here, Chris, is all of the icons are in the on-premises StoreFront, even though they might go different directions. One might go inside to your Virtual Apps and Desktops environment that's on-premises. Some of them may go out to Access Control and be federated via the service, and then launched in the SaaS application. So the connection goes different directions, but it's all aggregated within the StoreFront on-premises.

Speaker 5:
26:09

Hundred percent correct. Yep. And you know where this is also very relevant is for anybody that has customized their StoreFront. All right, well, we know that in a lot of cases organizations are not willing or ready to move their StoreFront to the cloud, because they've done some customizations, either for security purposes or for graphics and identity and, you know, visuals and so forth, and therefore they want to, you know, leverage that or keep that on-prem. This works with custom StoreFronts as well. So it's just the same exact StoreFront you have now. It's just with some new icons that show up.

Speaker 2:
26:56

So Chris, you may have alluded to it, I think, but explain just briefly what the goal or the objective is of the sync utility.

Speaker 3:
27:04

I think I understand it, but for our listeners, try to explain exactly what that's doing. I assume that's running in the background, or is it kicked off automatically or manually? Or just talk a little bit about that.

Speaker 5:
27:15

Yeah. OK. So it's kicked off when you configure it, and you actually need to run it one time, but we can then look for updates. But basically what it does is it leverages, through an API, the cloud admin configuration, where you're actually setting the SAML and the security policy for those web apps and SaaS apps. So you're doing that, like the Salesforce or the internal web apps or the Workdays, you have to do that from Citrix Cloud, from your admin account there, which is really simple, as you guys know, but probably others don't know how simple it is. It's just a really easy web UI where you plug in your URLs and you just click on the security features that you want or not.

Speaker 6:
28:16

Chris, real quick on that. So this is actually pulling that information from Citrix Cloud into your StoreFront.

Speaker 5:
28:22

Yeah, exactly. So it pulls it from the Citrix Cloud service into your StoreFront. And then when the user clicks on, in their StoreFront, you know, the Salesforce app icon, what it is doing there is it's also then pulling those security policies through the Workspace app, so when Salesforce launches it has those security policies enforced, like the download controls or print or whatever. And then on top of that, what we're doing is not only the Access Control security policies that I talked about, but it's also an opportunity for the Analytics service to basically trigger on, like, user behavior problems. We can trigger things like excessive downloads. So if you've got users that normally, going through their everyday work, download a certain amount of data from Salesforce, and then, lo and behold, you know, one day you've got somebody that downloaded, you know, a terabyte of data from Salesforce, well, you know, that's going to set a trigger off for the admin or security or all of the above. And again, that highlights the importance of having continuous monitoring after login, you know, of everything going through Workspace app, through this embedded browser. We have insight, too, and we can have that insight in the Analytics service.

Speaker 8:
30:09

I'd like to bring up Analytics every time we start talking about that. You know, just the watermark, or the ability to see some guy pulling a ton of data down that doesn't normally do it. That's an easy one to talk about, what the service could do for you.

Speaker 5:
30:22

Right. And it's something that, you know, quite frankly, most organizations are taking big risks on today when they deliver apps just through a standard browser. They might think that they're protecting them, and they are, maybe, with the upfront authentication, but, you know, that doesn't help for, you know, internal bad apples, and it doesn't help for a lot of scenarios that we can add value to. Hey Bill, you had something you wanted to say.

Speaker 2:
30:50

Yeah, I agree with everything you've said, Chris, and I think the original concern, when it came to these SaaS apps...

Speaker 3:
30:57

I think back when they really started to take off, was the old access or the authentication piece, which has largely been solved. But you know, a lot of customers still have it, creating local usernames and passwords in Salesforce, or local usernames and passwords, and I say local to the app itself as opposed to federating them. You know, I think the original thinking about federation was let's create a scenario where we don't have all these usernames and passwords that are written on Post-it notes underneath the keyboard or something, for the Bank of America app or the Salesforce app or the investments app that the finance people might use. Let's federate them and just let them use their account. But this adds so much more that wasn't thought out back then, like the watermark, like the secure browser, like the content filtering, and I think that's a piece of it that really adds a lot of value and a lot of compelling reasons to move this direction.

Speaker 5:
31:53

You know, I think we're running low on time, maybe, but we should probably do a session also on App Protection, which applies here as well. But just briefly for the listeners: another layer of security that we can add to HDX, traditional Citrix Virtual Apps and Desktops, plus web apps and SaaS apps, including in this hybrid configuration, is this feature called App Protection, and what that does is we can protect against screen capture or keystroke loggers.

Speaker 9:
32:30

So even if the employee is logging in from an unmanaged, untrusted device, what we can do is, again, by virtue of this added value we've built in the Workspace app, we can prevent screen captures from anything launched from Workspace app, as well as we can protect from keystroke loggers that might even be installed on the machine. Anything you type inside an app that was delivered and running through Workspace app is invisible to a keystroke logger.

Speaker 5:
33:11

So that's a big deal. Yes, absolutely.

Speaker 10:
33:15

That came up at a meeting yesterday as well. The ability to scrape the screen or capture the keys as they're being typed, you know, that's the final frontier, right? We've all thought about that one for four years, and preventing them from taking a picture with their phone, I guess that's the last one to solve. But the screen scrape and the key logger is certainly important.

Speaker 5:
33:35

Yep. And in fact, the watermark is there for the take-a-picture scenario. So it really does cover the bases.

Speaker 10:
33:45

So Chris, you're right, we're running out of time, but I definitely want to have you back as often as you want to jump on with us. I would love, at Citrix Synergy or the Summit conference, to walk around to the different Citrix displays and talk with you through some of this, and maybe record it. That would be awesome; it's something I've always wanted to do. But you know, looking on your author page here for the Citrix blogs, you know, there's several in there, a bunch on there, that I would love to talk to you about. You know, to be honest, the concept of this podcast came about because myself and Bill and others, we just wanted to learn more, and then we thought we'd record it for other people to enjoy as well. But you know, looking at your list here, something as simple as the X1 Mouse. I know that's trivial for a lot of people, but there's a whole lot of people that have no idea how valuable that can be. You know, you've got something on here around Local App Access. I love Local App Access as my fallback to making anything work inside a virtual desktop if I need it to, or pretend or seem to work inside of virtual desktops. I would love to do this again once a week if you've got time, but it's whatever fits your calendar.

Speaker 5:
34:50

Sure. I enjoyed it, and I do appreciate your efforts getting the word out, because it's not your old Citrix anymore. No, it's not. No, we're not. Just to clarify, we're not walking away from virtual; we're still the best and we're going to continue to invest there. But in order to reach a billion users we've got to go web, SaaS, local and mobile, and we're doing all of the above.

Speaker 10:
35:14

Yeah, I've been a big proponent of making sure everybody knows that the old Citrix, which a lot of people didn't take full advantage of, there's a ton of features in that that people don't know and haven't used. We try to highlight some of those in these podcasts. But yeah, we've got to keep going. You know, can't stand still, but we're going to be the best at both. All right.

Speaker 5:
35:34

Great to chat.

Speaker 10:
35:35

All right, gentlemen, thanks for joining. Appreciate it. And then we'll do it again down the road. Thank you.

Speaker 5:
35:39

Sounds good. Thanks again.