What is Citrix Secure Internet Access?
In recent times we have seen a rapid change in the way people are working. Users are more mobile, working from home is now normal, branches still exist but in varying forms and there are still traditional head offices out there. Add in the constant evolution of cloud hosting and SaaS consumption for everything from line of business applications to collaboration we’re in a very different place to the service delivery model of 18 months ago.
The challenge facing many organisations is trying to provide a one size fits all security solution that covers all of these use cases. As a result, many organisations are trying to juggle VDI, VPNs, WANs and corporate internet breakout at the data centre with user productivity and while it’s kinda worked, there has to be a better way of tying up the loose ends.
Enter Citrix Secure Internet Access (SIA), a feature laden, cloud delivered security stack that connects users in all locations on all device types directly to the origin of the service they need to consume, without compromising performance and ultimately productivity. In a simple analogy, users connect to the closest Citrix Cloud based point of presence (currently over 100 worldwide), security policies and protections are applied, and they go about their business as usual.
Cloud based, scalability on demand
Being cloud based, Citrix SIA provides scalability on demand. For example, if compute load increases due to increased numbers of supported users or greater volumes of SSL/TLS traffic, then the solution will grow to process that load. In addition, the threat intelligence engines (there are 10+ of them including including Google Safe List, Webroot and Bitdefender) are updated automatically so a threat discovered by any user on any device in any location will be shared to all Citrix SIA PoPs to allow protection against the threat to be applied globally for everyone, without endpoint updates or user intervention. It massively simplifies the cat and mouse game of keeping user internet browsing safe against the wide range of dynamic threats discovered on a daily basis worldwide.
Citrix Secure Internet Access overview
It is important to understand that the Citrix SIA is not a single product but rather a group of products combining to provide users the secure access they need to SaaS and Internet when working from anywhere. SIA includes Secure Web Gateway, Firewall as a Service, Cloud Access Security Brokers (CASB), Data Loss Prevention (DLP) and Sandboxing features, all with their own bespoke configuration capabilities but all working together as a single solution, greater than the sum of it’s parts. A key point to note here is that user traffic does not go through each of these features one at a time as with other vendor offerings as this ‘service chain’ passing from one feature to the next typically increases latency.
Instead, Citrix SIA passes each user session through each protection tool simultaneously, using a single pass architecture, allowing each component to work in parallel which in turn reduces the latency added by the service. Super important with the ever growing list of latency sensitive services like Zoom and Teams consumed by users. There’s lots to read about with each feature but in summary.
Secure Web Gateway (SWG) provides Web Filtering, URL filtering allowing or blocking website access based on company defined rules. Anti-Malware, inspecting both encrypted and unencrypted web content to identify and block all threats. Finally, Application Control, provides visibility into applications being given access and allows granular control to ensure security and compliance.
Firewall as a Service offers bidirectional control to allow only trusted secure traffic to flow between the enterprise network to the internet.
Cloud Access Security Brokers (CASB) helps monitor, secure and manage access to SaaS applications (both allowed and blocked).
Data Loss Prevention (DLP) makes sure sensitive data such as credit card details, social security numbers etc. are not lost or accessed by unauthorised users.
Sandboxing provides an isolated environment in which suspected malicious code can be safely executed and accessed helping prevent Zero Day attacks.
Stronger privacy and compliance
Compliance for GDPR and other regulations can be a challenge for businesses, especially when they consider cloud and global deployments. The Citrix SIA architecture provides for distinct and admin defined cloud gateways and reporting zones, allowing for the segregation of data based on enterprise and location.
Although the Citrix SIA is cloud based, separate and individual Citrix SIA instances can coexist allowing for tight control over services and platform upgrades further extending company security, privacy and compliance.
Detailed forensic capabilities with AI reporting and customisable reporting allow organisations to keep a track of who is doing what from where and perhaps more importantly, maintain compliancy in an increasingly distributed workforce.
Integrates with Citrix SD-WAN
Using Citrix SD-WAN Orchestrator, administrators can automate the setup of tunnels between Citrix SD-WAN appliances and a Citrix SIA local Point of Presence (PoP) with just a few clicks, very similar to the simple automated integration with Office 365. Simply put, the Citrix SD-WAN appliance when configured, connects to a primary and backup Citrix SIA PoP. It continually monitors these PoP’s and if the primary PoP fails the Citrix SD-WAN will redirect traffic to the backup PoP. This ensures Citrix SD-WAN and Citrix SIA together offer automated connectivity between Citrix SD-WAN appliances at branch locations providing resiliency and consistent, optimised application performance.
Steering traffic to Citrix SIA and beyond
How is traffic steered when users are outside of the corporate environment when they are not on the physical premises or behind a Citrix SD-WAN appliance?
A light weight ‘Cloud Connector’ on each end point device securely directs traffic to Citrix SIA. It’s designed to be easy to install by the user, similar to Citrix Workspace Client or Receiver so it can be rolled out quickly with minimal effort from IT administrators. In addition to managing the connection to Citrix Cloud, the connector also authenticates the user as well as installing appropriate certificates for the SSL decryption. Currently Citrix support Apple (iOS and MacOS), Chrome, Android, Windows and Linux operating systems with Proxy PAC files available to provide clientless redirection to the service.
Out of the box support with other vendor products such as Microsoft Intune, Office365 and Splunk helps simplify the integration of Citrix SIA in to existing operational models.
Is Citrix SIA SASE?
Businesses looking at strategic goals to deploy a Secure Access Service Edge architecture will be investigating various vendor offerings to cover the end to end requirement, defined by Gartner as the convergence of networking and comprehensive cloud delivered security with unified management. Citrix SIA provides a key component of a SASE architecture, with Citrix SD-WAN and Citrix Security Analytics delivering a single vendor solution for every user in every location.
Mark our words, this is a game changer.