Citrix bolstered its security service edge (SSE) offering today with the launch of its zero-trust network access (ZTNA) platform.

The cloud-delivered service, dubbed Citrix’s Secure Private Access, is designed to protect access to applications and services regardless of whether the end user is working in the branch, remotely, or from a managed or unmanaged device.

The service is available as a standalone ZTNA platform or as part of a full-featured SSE, complete with secure web gateway (SWG), cloud access security broker (CASB), and data loss prevention (DLP).

“What we’re excited about now is bringing zero-trust network access to the internal apps,” Pankaj Gupta, senior director of production management at Citrix, told SDxCentral in an exclusive interview. “That's a huge transformation from the old-school VPN model.”

While ZTNA is broadly applicable to applications running on or off premises, these are typically applications with web front-ends accessible via a browser, he explained. Citrix’s approach to ZTNA opens the door to any on-premises application, including those operating on ports other than Transmission Control Protocol (TCP) 80 or 443, or over User Datagram Protocol (UDP).

According to Gupta, Secure Private Access offers many of the advantages of VPN-based access, including support for client-server applications, but without the security compromises.

“Most ZTNA solutions in the market are focused on web and Software-as-a-Service,” he said, adding that while most companies are migrating to these kinds of apps, many are still saddled with supporting a litany of homegrown legacy client-server applications.

Contextual Access

The ZTNA service offers granular access to applications and employs a combination of multi-factor authentication — including popular identity providers like Okta and Microsoft Active Directory — and device posture insights using Citrix’s endpoint agent.

“We bring the adaptive and contextual access so we can look at the identity of the user, we can look at the location of the user, and the device posture,” Gupta said.

This kind of contextual access is critical in a world where cybercriminals can easily buy passwords and usernames on the grey market. Under this approach, who can access an application is predicated on more than credentials: the decision also takes into consideration location, device posture, and identity, reducing the likelihood of unauthorized access.

And for customers deploying Citrix’s endpoint agent, the service can also integrate with leading endpoint protection services to determine whether the user’s system has already been compromised, Gupta added.

Damage Control

The platform also features what Vishal Ganeriwala, VP of product marketing at Citrix, previously described as a “ZTNA dimmer switch.”

“Either you as a user have access to an application or you don’t,” he said. “We looked at this problem slightly differently. … What if we change that from this on and off switch to more of a dimmer switch?”

The approach allows customers to define policy to limit access to specific features — copy and paste or screen sharing for example — based on user context, and employs anti-keylogging capabilities in the event a system is compromised.

Much of this is predicated on an endpoint agent running on user devices, but Citrix also supports clientless deployments.

Citrix Touts Insurance, Health Care Wins

These capabilities have helped Citrix win over heavily regulated markets, including those in the insurance and health care industries. Gupta touted HDI Global’s Brazil branch, which has already deployed the company’s ZTNA platform to support more than 2,000 remote workers.

“No other city or country would be a better example of remote working than São Paulo. São Paulo is the largest city in Brazil with 20 million people,” he said. “What is legendary there is many hours of traffic jams. Typically it takes three hours for them every day, due to traffic jam, for commute.”

With the switch to remote work, HDI also pivoted to a bring-your-own-device model and, in many cases, deployed remote browser isolation functionality to secure workers using non-compliant networking gear.

Meanwhile, Wisconsin-based health care provider Aspirus tapped Citrix to ease the transition for new employees following a string of mergers and acquisitions throughout the Midwest.

“With Citrix Secure Access, we can provide M&A targets with access to core systems and applications, such as EHR and ERP, months in advance of traditional activities such as network, domain, user, and workstation migrations to keep business moving,” Chris Fallin, VP of systems technology at Aspirus, said in a statement.