We’re in a time when identity management is becoming central to end user computing and security.
For a few years now, EUC vendors like Microsoft and VMware, and identity-focused vendors like Okta, Ping, and Centrify, have been spreading the identity management message. It’s not just about the value of federation and SSO for SaaS apps, but also about the value of making access decisions based on ever-richer contextual data. Instead of static network or device-based policies, today’s identity and access management platforms take a holistic view of many variables, including device and app compliance, fine-grained location, user travel, DLP and IRM classifications, and user behavior; they then mix in some machine learning, allow multiple authentication options, and ultimately provide a dynamic, user-centric security model.
This whole conversation is underscored by the massive growth of SaaS applications like Office 365, as well as data points such as the Verizon Data Breach Investigations Report, which has found that compromised identities are involved in the clear majority of data breaches. In other words, it’s hard to overstate the importance of identity management these days.
While this identity conversation has been surging, Citrix has been somewhat quiet in it. Yes, they have some federation capabilities built into NetScaler, they’ve done SmartAccess for years, and they’ve done a lot of work to make identity and SSO flow throughout their products. However, their participation wasn’t at the same level as the other EUC and identity vendors I mentioned earlier, especially when it came to SaaS apps and rich contextual access policies.
However, all this changed with the security push at Citrix Synergy 2017 and the announcement of Citrix Workspace Service and Citrix Analytics Service.
Citrix Workspace Service (a.k.a. “Storefront++,” as mentioned in the keynote, or “Project Front Door,” which I learned was the internal code name) provides the typical SaaS app SSO portal that you expect from an IDaaS. In this case, it also includes documents from ShareFile, workflows, and access to virtual desktops and apps. Citrix demoed it on a desktop (as part of Receiver) and on an iPad (as a web app in Safari). They’re going to need native mobile app versions of Workspace Service, too, and they’ll have to figure out exactly how they’ll blend it with Secure Hub (formerly Worx Home) and the mobile versions of Receiver, but remember that this is all just in technical preview right now.
Citrix Analytics Service provides the rich, context-aware access controls that, as I mentioned previously, have lately become the hallmark of top identity and access management products. Citrix Analytics Service has insight into user activity in XenApp/XenDesktop, XenMobile, ShareFile, and NetScaler, whether these are on-premises or in the cloud. The analytics service itself runs in the cloud, and it uses machine learning to figure out what typical user behavior looks like, then watches for anomalies. When something suspicious happens, not only can it step up authentication or block users, but it can also take actions within the various Citrix products. For example, it can change data download limits in ShareFile, or do session recording in XenApp/XenDesktop.
I think both announcements are great news, and that Citrix deserves recognition for heading in this direction.
Questions remain, of course, and the first is how Citrix Workspace Service and Analytics Service will be packaged. The SKUs and pricing are yet to be determined, but the idea is that they should be ready for any Citrix Cloud customer to turn on as soon as they become available.
Another question is whether Citrix has ambitions to become an IDaaS player in its own right, and if so, to what degree. As I understand it, Citrix Workspace Service will include some basic federation capabilities, so that customers can set up SSO access to web and SaaS apps. This is powered by NetScaler bits that are now part of Citrix Cloud. Since these are all cloud services, there’s no need to “get NetScaler”; instead, it’s just another feature that gets turned on in your tenant.
At several points, Citrix stated that they’re not going to be competing with Okta, Azure AD, or any of the other major IDaaS providers, and that customers could “bring their own identities.” Certainly, the prevalence of identity standards means that Citrix Workspace Service should work with any of these other products without too much effort, and that customers could use these other products to set up federation to SaaS apps.
At the same time, at least one Citrix executive I met with talked about the possibility of selling a standalone IDaaS product based on Citrix’s various capabilities. This is interesting, because it’s easy to see a situation where using Citrix Workspace Service and Citrix Analytics Service in conjunction with another IDaaS could be less than optimal. Both Citrix and your other IDaaS of choice will be pushing the AI-enabled, context-aware, conditional access future that I described in the beginning of the article. Which do you use?
On the other hand, creating a full-fledged IDaaS and putting together a catalogue of supported apps is a lot of work. Besides just supporting SAML and OAuth, one of the keys is doing user account provisioning in SaaS apps, and this can involve other protocols like SCIM, or at times, working with custom APIs.
You can see that Citrix has more to figure out with their identity story. Between the various sessions I watched, and the conversations with product managers, marketers, and executives I had, I sometimes got conflicting answers about what exactly their plans and ambitions are.
I guess this is to be expected to a degree, though. One good thing is that since we’re talking cloud services, we don’t have to wait 6 or 12 months while everything gets crystallized into a monolithic release; rather, the features will come out gradually and a picture will coalesce over time.
Overall, the even better news is, again, that this is a significant up-leveling in how Citrix is thinking about identity and security, and that the concepts behind Citrix Workspace Service and especially Citrix Analytics Service are indeed transformative.