Citrix Secure Private Access

Why Citrix Secure Private Access?

82% of organizations still use legacy VPN despite its limitations. VPN gives full network access - one compromised user means entire network. Lack of granular controls increases attack surface. Remote work requires a better approach.

Citrix Secure Private Access is Zero Trust Network Access as a VPN replacement. Adaptive authentication and contextual policies control access at application level, not network. Browser isolation protects against web-based threats.

How does it work?

Zero Trust Architecture

Verify, then trust:

• Per-session verification
• Application-level access
• No network-level exposure
• Continuous assessment
• Least privilege principle

Adaptive Authentication

Context-aware security:

• Device posture check
• Location awareness
• Risk score integration
• Step-up authentication
• MFA enforcement

Browser Isolation

Secure web access:

• Remote browser rendering
• Malware protection
• Phishing prevention
• Data loss prevention
• Clipboard control

Key Features

Private App Access

• Web applications
• Client-server apps
• TCP/UDP support
• Agentless access option
• Split tunneling elimination

SaaS Security

• CASB-like controls
• DLP for SaaS
• SSO integration
• Shadow IT discovery
• Usage analytics

Watermarking

• Screen watermarks
• Print watermarks
• User identification
• Deterrent for data theft
• Forensic capability

Device Posture

• Endpoint compliance check
• Certificate validation
• Antivirus status
• OS patch level
• Block non-compliant devices

Secure Private Access vs VPN

	SPA (ZTNA)	Traditional VPN
Access scope	Application	Network
Trust model	Zero Trust	Implicit trust
Attack surface	Minimal	Broad
User experience	Seamless	Client required
Scalability	Cloud-native	Hardware limits

Deployment Architecture

Cloud-Delivered:

• SPA service in Citrix Cloud
• Connector appliances on-prem
• No inbound firewall rules
• Outbound-only connections
• Global PoPs

Access Flow:

1. User authenticates to Workspace
2. Device posture verified
3. Risk score calculated
4. Contextual policy applied
5. App-specific access granted

Who is it for?

• Organizations implementing Zero Trust
• Enterprises wanting to eliminate VPN
• Companies with BYOD and contractor access
• IT needing granular access control

Benefits

For security: Zero Trust, reduced attack surface, continuous verification

For users: Seamless access, no VPN client hassle, better performance

For IT: Simplified infrastructure, cloud-delivered, unified management

Specifications

Model	Cloud-delivered ZTNA
Authentication	Adaptive, MFA, contextual
Apps	Web, SaaS, client-server
Isolation	Browser isolation included

FAQ

How is SPA different from VPN? VPN gives network access - user sees entire network. SPA gives application access - user sees only approved apps.

Do I need Citrix Workspace? SPA is part of Citrix Workspace. Users log into Workspace and get access to approved apps.

How does it work without VPN client? Agentless mode uses browser. Agent (Citrix Secure Access) optionally for client-server apps.

What is browser isolation? Remote browser in cloud renders pages. Malware and exploits don’t reach endpoint.

Does SPA protect SaaS applications? Yes. SSO, DLP, watermarking, usage analytics for M365, Salesforce, other SaaS.

How does adaptive authentication work? Different auth requirements based on risk - low risk = MFA, high = step-up + device check.

Can I migrate gradually from VPN? Yes. SPA and VPN can run in parallel during per-app migration.

How does device posture work? Agent checks: AV status, patch level, certificates, firewall. Non-compliant = blocked or limited access.

Does SPA support on-premises apps? Yes. Connector appliances on-prem route traffic to internal applications.

What about support? Citrix support for SPA service. nFlo offers Zero Trust assessment and deployment services.