XenTegra - The Citrix Session

The Citrix Session: Citrix Features Explained: Adaptive authentication and access in Citrix Secure Private Access

July 19, 2022 XenTegra / Andy Whiteside / Bill Sutton Season 1 Episode 110
The Citrix Session: Citrix Features Explained: Adaptive authentication and access in Citrix Secure Private Access
XenTegra - The Citrix Session
More Info
XenTegra - The Citrix Session
The Citrix Session: Citrix Features Explained: Adaptive authentication and access in Citrix Secure Private Access
Jul 19, 2022 Season 1 Episode 110
XenTegra / Andy Whiteside / Bill Sutton

Every employee in your hybrid workforce is unique. They have their own devices and home networks, their own remote work preferences, and their own workflows in how they get their best work done. However, all hybrid employees need reliable and secure access to essential business apps and data from wherever they work — and while every employee wants this access process to be simple, each employee also has different access needs, capabilities, and endpoints.

Because IT security policies are not “one size fits all,” Citrix Secure Private Access offers adaptive access and authentication for hybrid employees. Adaptive policies enable your organization to determine the appropriate levels of access for all employees, then automatically enforce these IT security policies without disrupting the hybrid work experience.

Host: Andy Whiteside
Co-host: Geremy Meyers

Show Notes Transcript

Every employee in your hybrid workforce is unique. They have their own devices and home networks, their own remote work preferences, and their own workflows in how they get their best work done. However, all hybrid employees need reliable and secure access to essential business apps and data from wherever they work — and while every employee wants this access process to be simple, each employee also has different access needs, capabilities, and endpoints.

Because IT security policies are not “one size fits all,” Citrix Secure Private Access offers adaptive access and authentication for hybrid employees. Adaptive policies enable your organization to determine the appropriate levels of access for all employees, then automatically enforce these IT security policies without disrupting the hybrid work experience.

Host: Andy Whiteside
Co-host: Geremy Meyers


00:00:02.639 --> 00:00:07.980
Andy Whiteside: hi everyone and welcome to episode 110 of the citrix session i'm your host Andy whiteside i've only got.

00:00:08.610 --> 00:00:18.000
Andy Whiteside: Only got one guests with me today but very important guests and honestly a good friend of integrals and the citrus Community JEREMY myers JEREMY what's your official title these days.

00:00:18.420 --> 00:00:28.410
Geremy Meyers: My official title is senior sales engineering manager for the commercial team and the southeast and East central so if there's an acronym it's a mouthful but yeah that's that's what I do these days.

00:00:29.550 --> 00:00:32.160
Andy Whiteside: You know what sometimes it's better just to say, and then to come up with.

00:00:33.690 --> 00:00:34.320
Geremy Meyers: That so.

00:00:35.340 --> 00:00:44.040
Andy Whiteside: You and I were just talking about things that citrix and how things are going, and I thought, what you said right it's all about building culture and community and maintaining and maintaining cultural community that's.

00:00:44.130 --> 00:00:54.930
Andy Whiteside: A lot of people are about good about building stuff and not maintaining stuff and I think it's one of the things that looks like your team has done a good job of working on and keeping together over there.

00:00:55.620 --> 00:01:03.060
Geremy Meyers: I would agree some I like to call same page that's right it's we're all on the same page we all like what we do and just maintaining that.

00:01:04.110 --> 00:01:04.440
Andy Whiteside: yeah.

00:01:04.920 --> 00:01:08.910
Andy Whiteside: yeah there's parts of there's parts of the IT world that I see that happening in parts, I don't.

00:01:10.470 --> 00:01:11.310
Andy Whiteside: You guys for that.

00:01:12.570 --> 00:01:18.270
Andy Whiteside: Alright, so the blog that we are covering today as a yet another one, though by Steve bills bells.

00:01:19.650 --> 00:01:30.720
Andy Whiteside: This one is yet another one in the line of features explain so citrix features explain from a knife adaptive off and access in the citrix secure private access.

00:01:31.350 --> 00:01:42.390
Andy Whiteside: And access in citrix secure private access, so you want to give us just a intro into what adaptive why this blog exists and why we need to explain adaptive off.

00:01:42.990 --> 00:01:54.180
Geremy Meyers: yeah i'm actually pretty excited about this one so adaptive off is a few things from the on Prem world that we've had for a while, things that have been a part of like the on Prem ATC for a while.

00:01:54.570 --> 00:02:00.600
Geremy Meyers: That have made it into you know the cloud service so listen, we got a lot of options around authentication.

00:02:01.170 --> 00:02:06.480
Geremy Meyers: Inside of you know workspace today, so if any of you guys are very familiar with how that works, and you can go pick.

00:02:07.080 --> 00:02:15.330
Geremy Meyers: You know, a list of authentication options when you're configuring In fact we just added one last week around Google as an IDP which is pretty slick but.

00:02:15.660 --> 00:02:23.910
Geremy Meyers: You know I think what a lot of folks have used in the past are things around device posturing and you know secure our smart access and.

00:02:24.510 --> 00:02:33.960
Geremy Meyers: Being able to provide some level of contextual access based on based on some of those policies and we have made that an integrated that into the cloud now so that's a service that anyone with.

00:02:34.530 --> 00:02:44.100
Geremy Meyers: daz premium, which was seabed service premium in the past, so talking about some versions that you got access to so it's something that if you're a customer today, you can go turn on and start using.

00:02:45.210 --> 00:02:53.430
Geremy Meyers: But what's new about, that is, it also works with SBA so secure private access we can front end secure private access with that same.

00:02:53.970 --> 00:03:07.140
Geremy Meyers: adaptive authentication service, which again completely hosted by citrix and it's basically it opens up anything you can throw authentication wise at the solution adaptive authentication can handle and that's pretty exciting.

00:03:08.070 --> 00:03:19.170
Andy Whiteside: So I guess i'm, I guess, maybe i'm starting to understand it, so that the author is author can understand variables real time and make determinations based on those variables.

00:03:20.310 --> 00:03:25.860
Geremy Meyers: um it can so it's a combination of a couple of different things right, so it is.

00:03:26.490 --> 00:03:41.250
Geremy Meyers: it's definitely for sure that front end login point but being able to you know consume things like security analytics to make some of those real time decisions is a part of it i'm not going to say that that is all the way there yet, but I think you know, especially from an initial.

00:03:42.390 --> 00:03:47.580
Geremy Meyers: You know initial solution it's being able to turn on multi factor right out of the cloud be able to do the posture scanning.

00:03:47.940 --> 00:03:56.910
Geremy Meyers: You know what we used to call endpoint analysis, you know, out of the cloud doing some of that contextual policy driven off of the call so, for instance, being able to pass tags back into your.

00:03:57.240 --> 00:04:02.640
Geremy Meyers: Your dad's platform to say hey because you didn't pass your GPA you can't see certain Apps you know things like that.

00:04:04.440 --> 00:04:09.420
Geremy Meyers: And then obviously just having a custom login page, which is pretty slick to so you've got.

00:04:10.080 --> 00:04:21.600
Geremy Meyers: A lot of the functionality we've had an htc is the depth of all, I mean just being very transparent, you know it's Netscape color is front ending adaptive also a lot of what we can do on Prem does now in the cloud as a service.

00:04:22.800 --> 00:04:29.940
Andy Whiteside: And it's not just limited you virtual APP and desktop and APP publishing it's all a lot of the citrix services.

00:04:30.600 --> 00:04:34.410
Geremy Meyers: Correct right, so I mean so be specific, what do you, what do you thinking.

00:04:37.260 --> 00:04:48.780
Andy Whiteside: Well, that means private access the the all the zero trust related things that are typically more thought of it a network layer that citrix has gotten into and brought into the application world.

00:04:49.890 --> 00:04:58.860
Geremy Meyers: So I mean, I would say this is this is very much a big part of the zero trust solution so when we talk about adaptive authentication.

00:04:59.610 --> 00:05:10.110
Geremy Meyers: That is that contextual access, that is, the posturing that is feeding into the analytics engine, I mean that all makes up the zero trust approach, but it is front ending your virtual Apps it is front ending.

00:05:10.560 --> 00:05:14.880
Geremy Meyers: Those SAS Apps that are not being delivered through like as an ABS and desktop.

00:05:15.420 --> 00:05:30.240
Geremy Meyers: or DAS service, but everything else as well yeah so when you hit workspace So when I type in my workspace URL before i'm allowed to hit any of that application stuff I can take you through this authentication process which can be pretty pretty granular.

00:05:31.200 --> 00:05:36.750
Andy Whiteside: And then I can keep looking through you know security analytics and if something changes or seems.

00:05:38.640 --> 00:05:43.710
Andy Whiteside: You know, out of whack I can then inject some type of additional new policy on the fly.

00:05:44.520 --> 00:05:47.220
Geremy Meyers: I will security analytics will do that for you, so a lot of that.

00:05:48.330 --> 00:05:51.270
Geremy Meyers: You know in process or I guess in session.

00:05:52.440 --> 00:05:55.740
Geremy Meyers: You know that happens from security and alexa, for instance, you know once you're in your session.

00:05:57.120 --> 00:06:03.030
Geremy Meyers: You know, we can do things like you, you doing something that requires that you're doing from you know, for instance.

00:06:04.500 --> 00:06:05.250
Geremy Meyers: I just had a good one.

00:06:06.540 --> 00:06:13.920
Geremy Meyers: You know something that he maybe you're downloading files too often you get a security analytics engine, I mean just figuring out like my kickoff like a session.

00:06:14.730 --> 00:06:22.590
Geremy Meyers: You know session recording session right so that's not necessarily depth of off at that point you're inside of security analytics which is taking some of those proactive actions but.

00:06:23.130 --> 00:06:33.330
Geremy Meyers: adaptive off is really sort of the front door into the solution, and then, once you're in security analytics takes over a lot of the posturing in session and can take some proactive actions as well.

00:06:34.830 --> 00:06:39.630
Andy Whiteside: So is that would that be considered part of adaptive authors all about that entry into the system.

00:06:40.770 --> 00:06:44.400
Geremy Meyers: it's really more about often into the entry into the system, you know, out of the game.

00:06:45.720 --> 00:06:54.180
Andy Whiteside: So in steve's blog here, he talks about how adaptive all works to improve access security means that, basically, what we've been discussing.

00:06:54.690 --> 00:06:58.770
Geremy Meyers: As what we've been discussing right so i'm looking through this right now.

00:06:59.940 --> 00:07:08.760
Geremy Meyers: I mean just imagine in a hybrid scenario, you could be connecting from a corporate device you could be connecting from some sort of personal device to device.

00:07:09.300 --> 00:07:14.910
Geremy Meyers: And so you know, in the past with workspace, in particular, there really was no good way of.

00:07:15.480 --> 00:07:22.230
Geremy Meyers: You know deciphering between the two unless you use the certain you know you put an ABC in your data Center or in the cloud.

00:07:22.620 --> 00:07:32.040
Geremy Meyers: He said hey i'm going to use that for authentication now we're sort of precluding that and say hey you know what we get the service that will do that, instead, so we can take different good posture that device differently and do everything out the cloud.

00:07:33.090 --> 00:07:36.930
Geremy Meyers: As opposed to having to stand up you're on a PC with a lot of folks, to be perfectly honest, I don't want to manage.

00:07:37.920 --> 00:07:40.140
Andy Whiteside: So JEREMY to put that in perspective.

00:07:40.170 --> 00:07:50.430
Andy Whiteside: If I looked around where i'm at right now i've got my windows machine which is windows enterprise 10 which is going to my azure ad.

00:07:51.090 --> 00:07:53.280
Andy Whiteside: got a Lenovo.

00:07:54.060 --> 00:07:57.720
Andy Whiteside: laptop running I gel os.

00:07:58.800 --> 00:08:06.900
Andy Whiteside: Computer in front of me is an all in one running idle os it all in one the one beside me, as a.

00:08:08.160 --> 00:08:14.970
Andy Whiteside: 10 plus year old laptop running chrome os for the nonprofit that I have and then one behind me, is a.

00:08:16.080 --> 00:08:16.650
Andy Whiteside: Is a.

00:08:17.880 --> 00:08:28.350
Andy Whiteside: Microsoft surface go running windows I literally have used all three of those to access my citrix environment today yeah crazy.

00:08:28.920 --> 00:08:29.580
Geremy Meyers: It is crazy.

00:08:31.680 --> 00:08:39.840
Geremy Meyers: If we're comparing devices so i've got a surface laptop studio I think that's what they call this anyways it's the next iteration of the surface book.

00:08:40.890 --> 00:08:51.630
Geremy Meyers: That I primarily work from I also have a surface pro that i'll travel with, and occasionally just so I can relate to folks i'll pull up my macbook and connect using that but.

00:08:52.080 --> 00:09:01.770
Geremy Meyers: You know, being able to say you know posture each of those devices and provide different tiers of access, depending on what you're connecting from and maybe the you know, maybe what from an EPA scan returns.

00:09:02.970 --> 00:09:13.920
Geremy Meyers: I mean listen it's it's pretty powerful, but you know, honestly, one of the simplest ones is just internal external access right, so the idea that maybe for some multifactor for external not internal.

00:09:14.490 --> 00:09:24.450
Geremy Meyers: is one of the simple use cases we get asked about all the time from a workplace workplace prospect workspace perspective know what to do with today was to stand up your own adc to do something like that yeah now they.

00:09:24.840 --> 00:09:27.150
Andy Whiteside: Say simple and doing that, with the look i've.

00:09:27.180 --> 00:09:33.090
Andy Whiteside: got lots of customers when that sailors at sees that they own that i've never made it to the.

00:09:34.500 --> 00:09:37.380
Andy Whiteside: The secure off world.

00:09:38.940 --> 00:09:43.260
Andy Whiteside: Now they can because it's a much simpler service that they never have to learn how to set up on their own.

00:09:44.670 --> 00:09:49.260
Geremy Meyers: yep that's that's correct now what you what you get and i'm not sure if this.

00:09:50.100 --> 00:09:56.940
Geremy Meyers: i'm not sure if this article gets into it so let's scroll down here a little bit, I think this is probably what I just hit on, so why adaptive access is important for security.

00:09:57.480 --> 00:10:07.710
Geremy Meyers: So part of the adaptive access story is is definitely what you see here right so we're looking at policy that seemed to be probably more security analytics but.

00:10:09.810 --> 00:10:10.170
Geremy Meyers: yeah.

00:10:18.210 --> 00:10:34.110
Geremy Meyers: But anyways in this case, you know we're logging in with adaptive access is the front end and once we're in you know, being able to feed some of that data into security analytics and then being able to leverage security analytics for some of the in session posturing is is pretty powerful.

00:10:36.240 --> 00:10:47.490
Andy Whiteside: And as far as configuring that for the administrator you truly are going into your citrix portal turning that on and then saying what applications what workflows you're going to protect.

00:10:48.960 --> 00:10:52.110
Geremy Meyers: or for what the adaptive access or we're we're looking at.

00:10:54.180 --> 00:11:02.790
Geremy Meyers: we're talking specifically adaptive access so when you go turn on the service, first of all there's a new option inside of a workspace authentication.

00:11:03.630 --> 00:11:11.340
Geremy Meyers: where you can enable adaptive authentication and what it does, the first time that it will walk you through a workflow just deploying the service itself and so.

00:11:11.700 --> 00:11:17.760
Geremy Meyers: I mean under the hood it's nets gaylor and so that's what that's what's being enabled and turned on once it's deployed.

00:11:18.390 --> 00:11:29.910
Geremy Meyers: version one of this is very much a net scale or ui right, so you know once you're once you're in you're given an IDP or a an IP address to practice your basic login to Netscape your first time out.

00:11:30.390 --> 00:11:38.760
Geremy Meyers: And you do have access to the to the interface, but in this case you've got a pair citrus because doing a lot of the uplift and keeping it patched.

00:11:39.870 --> 00:11:45.150
Geremy Meyers: version one of this is definitely an adc ui whatever time, I think that will change to be a little bit more streamline.

00:11:47.340 --> 00:11:52.290
Andy Whiteside: So, I guess, maybe i'm so okay so let's walk through the sections real quick make sure i'm.

00:11:52.290 --> 00:11:53.010
Andy Whiteside: Understanding so.

00:11:53.250 --> 00:12:01.980
Andy Whiteside: How adaptive off works to improve access security, this is the user experience side is what Steve showing here right.

00:12:02.340 --> 00:12:07.110
Geremy Meyers: that's what he's showing you yep so the user has typed in the workspace URL.

00:12:07.740 --> 00:12:18.360
Geremy Meyers: And in this case we've got workspace configured to leverage adaptive all so just again going back into those configuration options and so it'll send you to the service and.

00:12:18.900 --> 00:12:28.110
Geremy Meyers: walk through an authentication flow based on whatever you've got teed up, so it could be as simple as just add in two factor that's it and that's Okay, too.

00:12:28.620 --> 00:12:35.280
Geremy Meyers: But you can get pretty granular using if you're familiar with some of the impact or flows, I mean you can make this as granular as you need it to be.

00:12:36.210 --> 00:12:44.100
Andy Whiteside: Now, if I don't have the deploy agent on my end point, am I going to automatically fall into some less less trusted bucket.

00:12:45.810 --> 00:12:46.620
Geremy Meyers: or they can be.

00:12:46.770 --> 00:12:55.080
Geremy Meyers: If you've got a bucket for specifically that right, so if you are tearing your access and you've got a bucket for just that default you're absolutely correct.

00:12:56.400 --> 00:12:56.730

00:12:57.750 --> 00:13:02.130
Andy Whiteside: Okay, and then the next section is titled why adaptive access.

00:13:03.510 --> 00:13:09.000
Andy Whiteside: Well i'm interested in listening to adaptive access and depth that off is that just interchangeable words, there is a difference.

00:13:09.390 --> 00:13:18.360
Geremy Meyers: Now so adaptive authors that front door authentication piece and adaptive access is you know once you've connected that's the piece that's constantly sort of posturing you in session.

00:13:20.190 --> 00:13:22.980
Geremy Meyers: and potentially updating your your risk or as well.

00:13:23.580 --> 00:13:27.120
Andy Whiteside: Okay, so that's where the security analytics would kick in and.

00:13:28.890 --> 00:13:31.620
Andy Whiteside: If things are where they should be all along the way.

00:13:32.670 --> 00:13:33.300
Geremy Meyers: Correct yep.

00:13:34.020 --> 00:13:34.350

00:13:35.880 --> 00:13:45.360
Andy Whiteside: And then the last section here, it says enable flexible access security with citrix secure private access is that just helping us understand how to go turn it on.

00:13:46.320 --> 00:14:00.120
Geremy Meyers: it's really just more of a it's really just more of a statement that says, you know, regardless of what your security posture is you know what what your requirements are this really does open it up, so we can support, whatever scenario that you're talking about right so.

00:14:01.500 --> 00:14:08.190
Geremy Meyers: You know, for instance, if you've got a mix of X is based on user group you've got access based on you know device posture.

00:14:08.970 --> 00:14:13.410
Geremy Meyers: You know I think we were a little bit limited in the past in terms of what we can enable cloud native.

00:14:13.920 --> 00:14:28.830
Geremy Meyers: And this turns all that flexibility on right so like I said we don't need necessarily need an adc on Prem to support this, you can do this in the cloud, and when if you're a dash premium customer they already have this you just have to go turn it on and start leveraging.

00:14:29.940 --> 00:14:37.410
Andy Whiteside: This where we should give a SIS admins out there, the warning of you doing the test environment doing a sandbox first, or should we just go turn it on.

00:14:37.950 --> 00:14:39.060
Geremy Meyers: um so.

00:14:40.230 --> 00:14:52.290
Geremy Meyers: The nice thing about this, I would not disagree with you and we talked about this a lot I think every customer should have a test Dev environment, in fact, you can do that with your your environment, today, you could carve out some licenses to be test out.

00:14:55.080 --> 00:15:02.730
Geremy Meyers: But having said all that you can enable the service, you can actually go through the process of getting familiar with it without turning it on.

00:15:03.360 --> 00:15:14.760
Geremy Meyers: Is an authentication authentication mechanism so, for instance, you got a lot of options when you log into your workspace config and say hey what I want to use at at with token okta as radio.to dot the Google Google these days.

00:15:15.150 --> 00:15:25.080
Geremy Meyers: One of those is a adaptive authentication so you can turn that on and configure it, but until you actually go say hey I want to use this is not going to do anything right so you're not gonna you're not going to monkey with anything.

00:15:26.640 --> 00:15:34.020
Andy Whiteside: Okay, I think that's covered it, I appreciate you jumping on you're talking about your team was doing some laughing of this stuff up how'd that go.

00:15:35.040 --> 00:15:39.240
Geremy Meyers: we're pretty good in fact this past week, we went through this with a customer and they have a.

00:15:40.470 --> 00:15:55.560
Geremy Meyers: Use case where they need to use duo radius on Prem and so we've gotten that configured with adaptive authentication so we got think a lot of folks would say radius is a little load and yet you know we get a lot of customers using it and it's completely supported so we've got networking.

00:15:56.310 --> 00:15:58.800
Geremy Meyers: yeah it's a it's not bad pretty easy.

00:16:00.450 --> 00:16:08.550
Andy Whiteside: All right, Sir, I appreciate you jumping on and covering this with me and you spend a little bit of your Monday, sharing the sharing the knowledge.

00:16:09.240 --> 00:16:11.490
Geremy Meyers: Training anytime see you next Monday.

00:16:12.240 --> 00:16:12.720
Andy Whiteside: Thank you.

00:16:12.990 --> 00:16:13.320