Last year, Citrix announced Secure Browser, and there was largely a “so what?” response from the market. After all, why would you want to access a browser in a Citrix environment (and pay for it!) when you could very easily use the browser on your workstation? As a follow-up to Gabe Knuth’s write-up about Citrix Secure Browser, this article will explain why you may wish to reconsider the applicability of Citrix Secure Browser for your corporate web-based applications.
Certainly, many corporate IT departments are moving towards SaaS and web-based applications. Tools such as HR software (e.g., Workday) and CRM (e.g., Salesforce) are common applications that users access from a browser. Access the web site, log in, do your work, and log out. Any user can access them from any device that has a browser, so it’s easy and secure, right? Not always.
In a nutshell, there are two reasons why Citrix Secure Browser may be required: browser compatibility, which is a mediocre reason, and endpoint security, which is a key reason.
Users typically have a preferred browser and may not even have other browsers installed on their endpoints. Currently, Google Chrome has the highest market share, but that doesn’t necessarily mean that all web-based applications are compatible with Chrome, much less every version of it.
Although these plug-ins are largely being phased out, some applications require specific versions of Java, Flash, and/or Silverlight, and they can be a cause of frustration because users typically don’t understand the related error messages or non-performance.
Rather than having the user call the Help Desk to advise that a web-based application isn’t launching or working properly, Citrix Secure Browser can take responsibility for automatically displaying the application as a tab within the user’s preferred browser. Behind the scenes, a supported browser and version is embedded so that the user can access the application. (Shhhh… It would be okay to let the users think of it as magic. :)
Of course, SSL ensures that data between the endpoint and the web site is secured, but that doesn’t mean that users always log out gracefully or that web sites don’t deposit bits of data on the local device. How often do users see these types of notices when exiting personal banking web sites?
"We recommend that you close your browser when you have finished your online session.
"The account information screens that you just viewed will remain in your browser’s memory until the browser is closed."
And even Microsoft Office Online presents this message:
"You signed out of your account.
"It’s a good idea to close all browser windows."
Although not used as much these days, Java, Flash, and Silverlight have each been subject to security vulnerabilities, and users may not update these plug-ins methodically.
Web-based applications store artifacts on the local computer. In addition to cookies, history and temporary internet files can be written to the local drive during internet browsing without the user knowing. Further, some SaaS and web-based applications intentionally store temporary data on the computer, such as print jobs. While much of this data does not present a security risk, there are scripts and data hiding on the user device that may be concerning.
Browsers typically cache data, cookies, history, scripts, and much more in the C:\Users\[username]\AppData\Local folder, in subfolders specific to each browser. For example, Internet Explorer stores browser-related data in the C:\Users\[username]\AppData\Local\Microsoft\Windows\INetCache folder. While these folders are hidden, they can nonetheless be accessed by anyone who knows the specific path. It’s not rocket science.
By default, local browsers don’t take advantage of private browsing, wherein history, temporary internet files, and cookies would otherwise be deleted automatically. Although each browser provides configuration options that control tracking protection, installation of add-ons, and logins, most users never modify the default configuration of their favorite browser, and as a result data may be stored on the local device without their knowledge.
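To see how much of this data is actually sitting on a shared or managed Windows machine, the following added example (not from the original article or from Citrix) totals the files under each profile's browser folders without opening any of them. The INetCache path is the one named above; the Chrome, Edge and Firefox paths and the function names are assumptions added for illustration.

```python
import os
from pathlib import Path

# Folders relative to C:\Users\<username>\AppData\Local.
# INetCache is the path named in the article; the other three are added
# here from the browsers' standard Windows layouts (assumption).
BROWSER_DIRS = {
    "Internet Explorer": ("Microsoft", "Windows", "INetCache"),
    "Chrome": ("Google", "Chrome", "User Data"),
    "Edge": ("Microsoft", "Edge", "User Data"),
    "Firefox": ("Mozilla", "Firefox", "Profiles"),
}

def measure(folder):
    """Return (file_count, total_bytes, newest_mtime); file contents are never read."""
    count, size, newest = 0, 0, 0.0
    for root, _dirs, files in os.walk(folder, onerror=lambda err: None):
        for name in files:
            try:
                st = os.stat(os.path.join(root, name))
            except OSError:
                continue  # locked or removed while the browser is running
            count += 1
            size += st.st_size
            newest = max(newest, st.st_mtime)
    return count, size, newest

def audit_profiles(users_root):
    """List residual browser data for every user profile under users_root."""
    findings = []
    for profile in sorted(Path(users_root).iterdir()):
        local = profile / "AppData" / "Local"
        if not local.is_dir():
            continue
        for browser, parts in BROWSER_DIRS.items():
            folder = local.joinpath(*parts)
            if folder.is_dir():
                count, size, newest = measure(folder)
                if count:  # report only folders that actually hold files
                    findings.append({"user": profile.name, "browser": browser,
                                     "files": count, "bytes": size, "newest": newest})
    return findings

if __name__ == "__main__":
    import sys, time
    for f in audit_profiles(sys.argv[1] if len(sys.argv) > 1 else r"C:\Users"):
        stamp = time.strftime("%Y-%m-%d", time.localtime(f["newest"]))
        print(f'{f["user"]:<16}{f["browser"]:<20}{f["files"]:>8} files '
              f'{f["bytes"]:>14} bytes  last write {stamp}')
```

Run it from an administrative account so that every profile is readable; the last-write date shows whether data remained after the user's most recent session.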
Wrap-up: Do you need Citrix Secure Browser?
Admittedly, when I first heard about Citrix Secure Browser, I struggled with the use case for this functionality and wondered why anyone would need it. But for IT organizations that subscribe to web apps exclusively, the low cost for Citrix Secure Browser may indeed be warranted as there is no guarantee that all SaaS or web-based applications will function correctly with all browsers, and there is no guarantee that they don’t inherently leave remnants of non-public data on the local machine.