Adaptive access and security controls for Enterprise Web, TCP, and SaaS applications

In today’s ever changing situations, application security is vital for any businesses. Making context-aware security decisions and then enabling access to the applications reduces the associated risks while enabling access to users.

The Citrix Secure Private Access service adaptive access feature offers a comprehensive zero-trust access approach that delivers secure access to the applications. Adaptive access enables admins to provide granular level access to the apps that users can access based on the context. The term “context” here refers to:

• Users and groups (users and user groups)
• Devices (desktop or mobile devices)
• Location (geo-location or network location)
• Device posture (device posture check)
• Risk (user risk score)

The adaptive access feature applies adaptive policies to the applications that are being accessed. These policies determine the risks based on the context and make dynamic access decisions to grant or deny access to the Enterprise Web, TCP, or SaaS apps.

How it works

To grant or deny access to applications, admins create policies based on the users, user groups, the devices from which the users access the applications, the location (country or network location) from where the user is accessing the application, and the user risk score.

The adaptive access policies take precedence over the application-specific security policies that are configured while adding the SaaS or a Web app in the Secure Private Access service. The per-app level security controls are overwritten by the adaptive access policies.

The adaptive access policies are evaluated in three scenarios:

• During a Web, TCP, or a SaaS app enumeration from the Secure Private Access service – If the application access is denied to this user, the user cannot see this application in the workspace.

• While launching the application – After you have enumerated the app and if the adaptive policy is changed to deny access, users cannot launch the app even though the app was enumerated earlier.

• When the app is opened in an Citrix Enterprise Browser or a Secure Browser service – The Citrix Enterprise Browser enforces some security controls. These controls are enforced by the client. When the Citrix Enterprise Browser is launched, the server evaluates the adaptive policies for the user and returns those policies to the client. The client then enforces the policies locally in the Citrix Enterprise Browser.

Create an adaptive access policy

1. On the Secure Private Access service tile, click Manage.
2. In the Secure Private Access home page, click Access Policies in the navigation page.

3. Click Create Policy.

   Note:

   For the first-time users, the Access Policies landing page does not display any policies. Click Create Policy to create a policy. Once you create a policy, you can see it listed here.

1. For these applications - This field lists all the applications that an admin has configured in the Secure Private Access service. Admins can select the applications to which this adaptive policy must be applied.

2. If the following condition is met - Select the context for which this adaptive access policy must be evaluated.

   Important:

   The Users or groups condition is a mandatory condition to be met to grant access to the applications for the users. In User/user groups, select the following conditions.

   • Does not match any - All users or groups except those listed in the field are allowed access.
   • Matches any of - Only the users or groups that match any of the names listed in the field are allowed access.

   

3. Click Add Condition to add extra conditions, based on your requirement. An AND operation is performed on the conditions, and then the adaptive access policy is evaluated.

   

4. Then do the following - If the set condition matches, admins can select the action to be performed for the users accessing the application.
   • Allow access - Allow access without any preset conditions. Note: This option is applicable for browser-based applications only.
   • Deny access – When selected, access to the apps is denied. All other options are grayed out.

   • Allow access with restrictions - Select one of the preset security policy combinations. These security policy combinations are predefined in the system. Admins cannot modify or add other combinations. When you choose Allow access with restrictions, you can select the security controls as per your requirement. The following security restrictions can be enabled for the application.

     • Restrict clipboard access: Disables cut/copy/paste operations between the app and system clipboard
     • Restrict printing: Disables ability to print from within the Citrix Enterprise Browser
     • Restrict navigation: Disables the next/back app browser buttons
     • Restrict downloads: Disables the user’s ability to download from within the app
     • Restrict uploads: Disables the user’s ability to upload within the app
     • Display watermark: Displays a watermark on the user’s screen displaying the user name and IP address of the user’s machine
     • Restrict key logging: Protects against key loggers. When a user tries to log on to the app using the user name and password, all the keys are encrypted on the key loggers. Also, all activities that the user performs on the app are protected against key logging. For example, if app protection policies are enabled for Office365 and the user edit an Office365 word document, all key strokes are encrypted on key loggers.
     • Restrict screen capture: Disables the ability to capture the screens using any of the screen capture programs or apps. If a user tries to capture the screen, a blank screen is captured.

   Note:

   For TCP applications, both Allow access and Deny access options are available.

   

5. In Policy name, enter the name of the policy.
6. Turn the toggle switch ON to enable the policy.
7. Click Create Policy.

Adaptive access based on users or groups

To configure an adaptive access policy based on users or groups, use the Create an adaptive access policy
procedure with the following changes.

• In If the following condition is met, select Users or groups.

• If you have configured multiple users or groups, then select one of the following as per your requirement.
  • Matches any of – The users or groups match any of the users or groups configured in the database.
  • Does not match any – The users or groups do not match with the users or groups configured in the database.
• Complete the policy configuration.

Adaptive access based on devices

To configure an adaptive access policy based on the platform (mobile device or a desktop computer) from which the user is accessing the application, use the Create an adaptive access policy
procedure with the following changes.

• In If the following condition is met, select Desktop or Mobile device.
• Complete the policy configuration.

Adaptive access based on the location

An admin can configure the adaptive access policy based on the location from where the user is accessing the application. The location can be the country from where the user is accessing the application or the user’s network location. The network location is defined using an IP address range or subnet addresses.

To configure an adaptive access policy based on the location, use the Create an adaptive access policy
procedure with the following changes.

• In If the following condition is met, select Geo-location or Network location.
• If you have configured multiple geo-locations or network locations, then select one of the following as per your requirement.
  • Matches any of – The geographic locations or network locations match any of the geographic locations or network locations configured in the database.
  • Does not match any – The geographic locations or network locations do not match with the geographic locations or network locations configured in the database.

  Note:

  • If you select Geo-location, the source IP address of the user is evaluated with the IP address of the country database. If the IP address of the user maps to the country in the policy, the policy is applied. If the country does not match, this adaptive policy is skipped and the next adaptive policy is evaluated.

  • For Network location, you can select an existing network location or create a network location. To create a new network location, click Create network location.

  

  • You can also create a network location from the Citrix Cloud console. For details, see Citrix Cloud network location configuration
    .
• Complete the policy configuration.

Adaptive access based on the device posture

The Citrix Secure Private Access service provides adaptive access based on a device posture by using an on-premises Citrix Gateway or a Citrix hosted Citrix Gateway (adaptive authentication) as an IdP to Citrix Workspace. The Enterprise Web, TCP, or SaaS apps can either be enumerated or hidden from the end user based on the EPA check results and the configured smart access policy.

Note: Adaptive authentication is a Citrix Cloud service that enables advanced authentication for users logging in to Citrix Workspace. Adaptive authentication gives a gateway instance running in cloud and you can configure the authentication mechanism for this instance, as required.

Prerequisites

• Citrix Gateway as an IdP must be configured for Citrix Workspace. For details, see Use an on-premises Citrix Gateway as the identity provider for Citrix Cloud
  .
• Citrix ADC release version 13.0 Build 82.109 or later.
• Smart access tags are configured on the Citrix Gateway appliance.

Understanding the flow of events

• User enters the Workspace URL into a browser or connects to a Workspace Store using a native Citrix Workspace App.
• User is redirected to the Citrix Gateway configured as an IdP.
• User is prompted to allow an EPA check to be performed on the device.
• Citrix Gateway performs an EPA check after the user consents to scan the device and writes the smart access tags to CAS against the device ID.
• User logs in to Citrix Workspace using Citrix Gateway IdP and the configured authentication mechanism.
• Citrix Gateway provides smart access policy information to Citrix Workspace and Secure Private Access.
• User is redirected to the Citrix Workspace home page.
• Citrix Workspace processes the smart access tags provided by the Citrix Gateway configured as an IdP, and then determines the apps that must be enumerated and displayed to the end user.

Configuration scenario – Enterprise Web, TCP, or SaaS app enumeration based on device posture scans

Step 1: Configure smart access policies using Citrix Gateway GUI

1. Navigate to Security > AAA-Application Traffic > Policies > Authentication > Advanced Policies> Smart Access > Profiles.
2. On the Profiles tab, click Add to create a profile.

1. In Tags, enter the smart access tag name. This is the tag that you must enter manually when creating the adaptive access policy.
2. Navigate to Security > AAA-Application Traffic > Policies > Authentication > Advanced Policies> Smart Access > Policies.
3. Click Add to create a policy.

1. In Action, select the previously created profile and click Add.
2. In Expression, create the policy expression and click OK.

Step 2: Create an adaptive access policy

Perform the steps detailed in Create an adaptive access policy
procedure with the following changes.

• In If the following condition is met, select Device posture check.
• If you have configured multiple smart access tags, then select one of the following as per your requirement.
  • Matches all of – The device ID matches all of the smart access tags written against the device ID when you log in to Citrix Workspace.
  • Matches any of – The device ID matches any of the tags written against the device ID when you log in to Citrix Workspace.
  • Does not match any - The device ID does not match against the device ID when you log into Citrix Workspace.
• In Enter custom tags, manually type the smart access tag. These tags must be similar to the tags configured in Citrix Gateway (Create Authentication Smart Access Profile > Tags).

Points to note

• Posture evaluation occurs only when you log on to Citrix Workspace (only during the authentication).
• In the current release, continuous device posture evaluation is not done. If the device context changes after the user logs on to Citrix Workspace, then the policy conditions do not have any impact on the device posture evaluation.
• Device ID is a GUID generated for each end user device. Device ID might change if the browser used to access Citrix Workspace is changed, cookies are deleted or incognito/private mode is used. However, this change does not impact the policy evaluation.

Adaptive access based on user risk score

Important:

This feature is available to the customers only if they have the Security Analytics entitlement.

User risk score is a scoring system to determine the risks associated with the user activities in your enterprise. Risk indicators are assigned to user activities that look suspicious or can pose a security threat to your organization. The risk indicators are triggered when the user’s behavior deviates from the normal. Each risk indicator can have one or more risk factors associated with it. These risk factors help you to determine the type of anomalies in the user events. The risk indicators and their associated risk factors determine the risk score of a user. The risk score is calculated periodically and there is a delay between the action and the update in the risk score. For details, see Citrix user risk indicators
.

To configure an adaptive access policy with risk score, use the Create an adaptive access policy
procedure with the following changes.

• In If the following condition is met, select User risk score.

• Configure the adaptive access policy based on the following three types of user risk conditions.

  • Preset tags fetched from the CAS service

    • LOW 1–69
    • MEDIUM 70–89
    • HIGH 90–100

    Note:

    A risk score of 0 is not considered to have a risk level “Low.”

  • Threshold types
    • Greater than or equal to
    • Less than or equal to
  • A number range
    • Range