What is Citrix Secure Private Access?

Back in June 2021, Gartner forecasted that 51% of global knowledge workers would be remote by the end of the year, with 72% of those surveyed indicating they would like to work remotely at least 2 days a week. This probably comes as no surprise if you’re one of the thousands of organisations that found a way to make home working happen for Covid-19 which, in turn, set the precedent for a long-term hybrid work model – we could return to our offices full time, but do we really want to?

When lockdown kicked in, many of us contributed to an industry-wide increase in SaaS adoption as we looked for ways to keep productive with new apps and services (like Zoom). According to the same Gartner report, ‘as-a-Service’ billing revenues were predicted to be up over 33% in the period 2020 to 2022.

So here’s the challenge. Not only are the users on the move, but the services they are consuming are also on the move, which in turn creates a massive headache for IT. How do you control who can access apps and data now that the internet has become your new LAN? How do you keep that data secure now that it’s distributed across the clouds in places like Salesforce, OneDrive, that project management app and the HR ‘aaS’ solution? How do you stop users having to endlessly type usernames and passwords as they navigate around their virtual workspace, and how do you do all of the above without completely trashing user experience and ultimately productivity? Here’s a hint: it sure as hell isn’t a VPN.

Citrix Secure Private Access = Zero Trust Network Access

First, the definition of Citrix SPA from the Citrix website:

Citrix Secure Private Access provides the Zero Trust Network Access (ZTNA) to private web apps within your data centre and private cloud. With adaptive authentication, adaptive access, and single sign-on to IT sanctioned applications, organisations can meet modern security standards without compromising employee productivity.

We’re going to break the above statement down into its key components. But first, if you think you’ve seen a Zero Trust Network Access (ZTNA) message from Citrix before, you’d be right: Citrix Secure Workspace Access, a foundation feature of any Citrix Workspace subscription, has offered a Zero Trust solution to access Web and SaaS applications via a browser in a VPN-less manner for a couple of years now.

Note the term VPN-less: one of the fundamental things we’re trying to do here is stop giving users access at a network level when all they actually need is access to applications and data.

Citrix Workspace

Citrix Secure Private Access (SPA) is a cloud-based Zero Trust Network Access (ZTNA) service based on Citrix Workspace (above), with new capabilities to enable TCP and UDP-based application delivery. It combines adaptive authentication and adaptive access control to balance risk and security with user experience and productivity. The result, shown below, is a set of security controls that gives users secure and controlled access to their corporate resources no matter their location or choice of device, be it managed or BYO.

Citrix SPA security features


Zero Trust Network Access

Citrix SPA is designed to replace existing VPN solutions. It provides a cloud-native offering for users to remotely connect to any on-premises application without the need for a VPN plugin on the end-user device, with or without the Citrix Workspace App. This is a more secure way to access IT sanctioned applications because it does not require Layer 3 access to the entire network.

Adaptive Authentication

End-user context, such as user identity, geolocation, and device assessment, can be evaluated to define how users authenticate and access their applications. For example, a trusted user with a trusted device may be given greater access privileges than the same user with a BYOD endpoint trying to access the same corporate services. Administrators can continually monitor user actions throughout the user session and automate security policy changes based on any anomalies detected.

Adaptive access and security controls

Only Citrix SPA provides users with secure remote access to the Citrix Virtual Apps and Desktops service without deploying Citrix Gateway or reconfiguring firewalls. In addition to providing secure access to Citrix environments, these policies protect access to any application, whether it is deployed on-premises, in the cloud, or delivered as SaaS.

Many on-prem Web and cloud-delivered SaaS applications lack the security policies and governance needed by IT to meet their security standards. Citrix SPA enables IT to apply granular security controls to prevent data exfiltration. These security policies regulate user operations based on user access context and device posture checks, and can enforce controls like restricting copy/paste, printing and downloads, or adding a watermark to the web application.

Single Sign-On (SSO)

Citrix SPA integrates with existing ID services to offer Single Sign-On (SSO) to access all web apps, virtual apps and desktops, and document repositories. This simplifies access for end-users, as they get a single pane of glass for all their applications and files.

Browser Isolation

The internet poses many threats to network security, so the browser isolation feature protects users from malicious web-based threats by allowing the user to open an ephemeral web browser in the cloud and view it remotely on their own device using SPA. This in turn means that any malicious content in the website is completely isolated from the company network, with any executed attack remaining in the cloud, not the user’s local browser.

It’s a very clever way to stop malicious traffic reaching the corporate network and also a great way to extend secure access to IT sanctioned apps and services for BYOD scenarios.

Visibility and monitoring

Citrix SPA offers complete end-to-end monitoring and visibility of all user traffic to all apps. Customers who have multiple access solutions can struggle with having multiple dashboards for monitoring all their user traffic. Citrix SPA provides a single dashboard that simplifies monitoring and helps unify siloed environments. Machine learning and AI recognise what usual behaviour looks like, automatically detecting, alerting and potentially adapting security policy to respond to increased risk.


Citrix Secure Private Access is a VPN-less solution that delivers Zero Trust access with adaptive authentication and SSO to web, SaaS, client-based and virtual applications. It provides security controls for managed, unmanaged and BYO endpoints thus giving end users the option to choose their own device while improving the overall user experience.

Citrix Secure Private Access is a cloud-based solution, making it easy to deploy, manageable and scalable. Also, as Citrix SPA is cloud-based, it can be considered as an “evergreen” solution, continuously being updated with the latest firmware and protections, enforcing security controls in real time.


If you would like to discuss the benefits of Citrix Secure Private Access and how it can enable zero-trust access to private web apps within your data centre and private cloud, call 0330 010 3443 or email hello@clouddnagroup.com.