Citrix Secure Private Access: A Better ZTNA Alternative Than Zscaler


White Paper

Citrix Secure Private Access: A better ZTNA alternative than Zscaler Private Access. A feature-by-feature comparison.

With the recent surge in remote work, IT has been tasked with enabling thousands of remote users with secure access to applications and data. Rather than a few users accessing the corporate networks via VPN, entire organizations now work outside the office. This has flipped the entire security posture of countless organizations.

While a few use cases may require traditional VPN solutions, these are disappearing as applications are rebuilt for the web and moved into the cloud. Additionally, in the race to provide remote access for employees and contractors, VPN clients are now running on unmanaged and untrusted devices. This has exposed organizations to many risks, as IT lacks insight into the health of these devices or the contextual circumstances of users accessing their networks. Further, VPN solutions are inherently more prone to lateral movement and zero-day attacks.

While many organizations still use traditional technologies like VPNs, ZTNA (Zero Trust Network Access) is the most modern choice for secure access to IT applications. VPNs may still be needed for IT administrators to manage behind-the-firewall assets such as servers and infrastructure systems. However, more than 90% of users do not need VPNs to access their applications and data—and ZTNA is the better choice. This means you need the flexibility to move workloads off of VPNs at the pace that works best for your business.

Now that we have established why VPNs should not be the norm for remote access to enterprise resources, let’s investigate why not every security provider can deliver the comprehensive protection you need.

If you’re looking for a Zero Trust Network Access (ZTNA) solution, there’s a good chance you’re comparing Citrix and Zscaler. You may have heard about exceptional features promised by products like Zscaler Private Access.
But do those offerings provide everything you need to protect against data loss? As you determine which option is the best fit for your business, it is vital to look at core capabilities. This paper discusses why Zscaler Private Access (ZPA) does not fulfill all of the requirements to provide secure and reliable access to all of your applications and how Citrix Secure Private Access has an edge for enabling a VPN-less zero trust architecture.

Choice of connectivity for IT-sanctioned applications

Citrix offers multiple options for securing access to applications, including VDI, DaaS, and VPN. And with Citrix Secure Private Access, you’ll have a modern way to provide access to IT applications using a cloud-delivered ZTNA solution. This hides application IP addresses and resources from the Internet, also known as an anonymous network.

Zscaler offers only one way to access IT-sanctioned applications with Zscaler Private Access, which does not cover the entire enterprise application spectrum.

Support for Application Types

Web Applications – Citrix Workspace and Zscaler Private Access enable access to on-premises web applications. These applications are accessible via a browser, but are not ready to be exposed to the public internet as they host company confidential data.

Citrix Workspace Browser – Citrix Secure Private Access enables IT to apply granular security controls to prevent data exfiltration. These security policies regulate user operations based on user access context and device posture check. They can enforce controls like restricting copy/paste, printing, downloads, or adding a watermark to the web application.

Secure Browser hosted in Citrix Cloud – IT can be confident that end users can securely navigate the web with this browser without introducing risk to the corporate environment.
Threats that may be introduced by visiting malicious websites are isolated off the corporate network and devices. In addition, the browser is discarded at the end of the session, ensuring that any malicious software encountered while browsing the web never reaches your infrastructure.

Native Browser – Native OS browsers can be used in clientless scenarios using DNS-managed direct connect capabilities within Citrix Secure Private Access, enabling trusted devices to access internal applications natively.

Client/Server Applications – Monolithic and client-server applications require clients locally installed on the devices. Such applications are tactical, but still tend to serve a critical purpose. Citrix Secure Private Access provides Zero Trust Network Access (ZTNA) to all private corporate applications, whether these applications are web, SaaS, TCP, UDP, or VDI and virtual applications, are deployed on-premises or on any public cloud, or accessed from within or from outside of the Citrix Workspace App. However, because these applications can also require substantial bandwidth and perform poorly when delivered through a ZTNA or VPN, Citrix DaaS may be a better option.

Citrix Secure Private Access

Citrix Secure Private Access provides Zero Trust Network Access (ZTNA) to all private corporate applications, whether these applications are web, SaaS, TCP, UDP, or DaaS (Desktop as a Service) and virtual applications, are deployed on-premises or on any public cloud, or accessed from within or from outside of Citrix Workspace.

Zscaler Private Access

Zscaler Private Access does not offer UDP or a DaaS solution for latency or bandwidth sensitive applications that may affect user experience.

Native adaptive authentication and access policies

The way people work is changing, and traditional security architectures can’t keep up. As your users become more distributed, and as more applications are delivered from the cloud, you need to protect against modern-day attacks looking to exploit applications and APIs. One of the best ways to strengthen your security posture is intelligent authentication with multi-factor authentication (MFA).
By continually monitoring sessions for anomalous behavior, you can ensure your applications and data stay secure—without compromising the user experience or hindering productivity.

Citrix Secure Private Access

Citrix Secure Private Access features a native framework for adaptive authentication. Access is monitored at the application level based on factors such as geolocation, device posture, risk profiles, and more.

Further, Citrix Secure Private Access adaptive authentication provides consistent policies that work across ZTNA applications and DaaS (Desktop-as-a-Service) already in use by Citrix customers.

Zscaler Private Access

Zscaler Private Access leans heavily on device posture and 3rd parties for risk profiles, not offering consistent policies across products and services. As a result, Zscaler Private Access administrators must create and maintain different policies across different products.

Session security

Both Citrix and Zscaler offer outbound connections and provide network and application isolation. Unlike what occurs with VPNs, both Citrix Secure Private Access and Zscaler Private Access do not allow the lateral movement of privilege from one application to the next. The connection is strictly outbound brokered. However, once an application session is established, Zscaler does not protect corporate data from being exfiltrated.

[Figure: Secure Private Access ZTNA authentication and access policies (role, risk, location, device) governing access from corporate and BYO devices to internal web apps, client server / IP-port groups, and datacenter and cloud deployed apps, with the Citrix Secure Browser Service and remote browser isolation for BYO and unmanaged devices.]

Keylogger and screen capture protection

With remote work on the rise, people are spending more time on public networks and personal devices—ones that can’t be closely monitored by IT. That makes the risk from devices infected with keylogger and screen capture malware a constant concern. To protect against data exfiltration, it’s imperative to have a security strategy in place that specifically addresses these threats.

Citrix Secure Private Access

Citrix Secure Private Access offers enforcing controls that prevent hijacking of user credentials or taking screenshots of applications accessed through Workspace app using keyloggers and screen capturing malware. These policies are mainly applicable for unmanaged and BYO devices that are exposed to any external threats.

Zscaler Private Access

Zscaler Private Access does not protect against malware looking to intercept and steal access to sensitive information. To protect against these threats, you’ll need to buy a completely separate service.

Enhanced security policies and integrated remote browser isolation

As the use of BYO devices increases, existing solutions like traditional VPNs fall short. These traditional remote access technologies don’t provide the protection you need. Because they require devices to be managed at all times, frustrated end users often go around IT when accessing corporate resources on personal devices.

Citrix Secure Private Access

With Citrix Secure Private Access, granular security policies let you control what users can do within applications based on which devices they’re using. For example, you can provide full functionality on corporate-owned devices while disabling downloads or the ability to copy and paste from unmanaged and BYO ones. And with integrated remote browser isolation technology, users can securely access corporate applications from unmanaged devices or without a ZTNA plugin. Local sessions are also automatically redirected to a cloud-hosted browser, ensuring any malicious code on infected BYO devices won’t reach your application workloads.

Zscaler Private Access

Zscaler Private Access does not include any in-session security controls apart from multi-factor authentication for BYO or unmanaged devices. It also requires a ZTNA plugin to be installed before a user can access even browser-based applications.
And for granular security policies, Zscaler will push you to buy a completely new service such as Zscaler Internet Access, which can be costly.

Enhanced Security

With Citrix Secure Private Access, granular security policies let you control what users can do within applications based on which devices they’re using.

Analytics

There is a common saying in the security world: “You can’t protect what you can’t see.”

Citrix Analytics easily integrates with Citrix Secure Private Access, providing comprehensive insights into user behavior, applications, devices, and networks. It uses machine learning algorithms to detect anomalous user behavior, troubleshoot user sessions, and view operational metrics for users in an organization that uses Citrix products. This helps reduce manual work for IT, provides timely enforcement, and reduces risk of breaches.

Citrix Secure Private Access provides basic insights into users’ actions such as application access (Web, SaaS, TCP, UDP and Virtual), domains visited, files accessed and/or downloaded, and more.

For more details on Citrix Analytics for Security, please visit here.

Ease of deployment

Citrix Secure Private Access offers both client-based and client-less ZTNA solutions. This enables access to applications on any device platform without having to download and install an agent, providing an excellent solution for both managed, unmanaged, and trusted devices.

Citrix Secure Private Access

Client-less – When accessing without the Secure Access agent using OS-native browsers, security policies defined by the administrator may automatically redirect the user to a secure hosted browser in Citrix cloud. This provides a web isolation solution, Secure Browser, that launches any web, SaaS, or virtual app while maintaining air gap between the device and the application.

Client-based with Secure Access Agent – When accessing with client-based Secure Access agent, all private corporate applications can be accessed whether these applications are web, SaaS, TCP, UDP, or VDI and virtual applications, are deployed on-premises or on any public cloud, or accessed from within or from outside of Citrix Workspace. Secure Access agent supports Windows and macOS.

Client-based with Citrix Workspace app – When accessing with the Citrix Workspace App, private corporate applications can be accessed whether these applications are web, SaaS, or VDI and virtual applications, or are deployed on-premises or on any public cloud. The Citrix Workspace app supports iOS, Android, Windows, macOS, Chrome OS, and Linux platforms, and provides the same experience as a browser-based HTML5 client.

Furthermore, the client-based agent provides ZTNA and VPN access (via Citrix ADC), which enables a limited VPN footprint for organizations migrating from VPN to ZTNA in a phased manner.

Zscaler Private Access

Zscaler Private Access provides Zero Trust Network Access (ZTNA) only to web private corporate applications and does not support Chrome OS or Linux platforms.

The Citrix user experience

Many point solutions try unsuccessfully to fit your application and users' requirements into what a point product is capable of delivering. Citrix has an extensive portfolio of features and services that best fit your organization's multiple needs and enable IT to move at the speed of your business.

Citrix Secure Private Access

Desktop as a Service – We have long known specific applications like client-server applications produce a poor user experience when accessed from a network that presents significant latency or loss. When users are not on the same network as these applications, their productivity will decrease, or in worst-case scenarios they will run into application issues. Users need a protocol built to deliver applications across poor network conditions, enabling the applications to run as they were designed. For such scenarios, Citrix Desktop as a Service with HDX offers the perfect remote secure access solution.

Citrix HDX displays a protocol to run across any network, no matter how much latency exists or how many packets are lost. It optimizes audio, video, graphics, and even real-time communications. This also provides a great user experience, even when the network isn’t very reliable.

Single sign-on (SSO) – Citrix Secure Private Access offers Single Sign-On (SSO) to access web applications, DaaS and virtual applications, and document repositories. This simplifies access for end-users, as they get a single pane of glass for all their applications and files. Citrix Secure Private Access acts as a broker and integrates with all major Identity Providers (Okta, Azure Active Directory, Active Directory, Google IdP, Cisco Duo, etc.), including providing support for SAML v2.0 that allows admins to plug any IdP of their choice and set up SSO from within the Citrix cloud. If your organization already has SSO and conditional access set up, Citrix Secure Private Access will help expand existing conditional access policies and

VPN with Contextual Access – While ZTNA is the most modern choice for secure access to IT-sanctioned applications, VPNs may still be needed for IT administrators to manage behind-the-firewall assets such as servers and infrastructure systems. This means you need the flexibility to move workloads at the pace that works best for your business. Citrix ADC is a full-featured VPN solution (additional licensing req.) that can be deployed in parallel to Citrix Secure Private Access. As a leader in virtualization, only Citrix helps you access VDI and non-VDI applications using the latest ZTNA technology.

Zscaler Private Access

Zscaler Private Access supports Single Sign-On (SSO) for accessing only web applications with Identity Providers, including SafeNet, Okta, OneLogin, Ping, Active Directory.

Summary

When it comes to securing your hybrid remote workforce, there’s a lot to consider. You need to protect unmanaged and BYO devices, control access to applications, and block malware that could exfiltrate data—all while providing an outstanding user experience. Though there are plenty of providers that specialize in individual categories, managing multiple vendors can be cumbersome and costly.

[Table: feature comparison, with columns Feature, Citrix Secure Private Access, and Zscaler Private Access.
Application Types: Client server apps; Web apps; SaaS apps; Desktop as a Service; VPN.
Session Security: Anonymous Network; Session login monitoring of geolocation, device posture, risk profiles, etc.; Outbound app to app tunnel; Browser navigation control; Integrated security analytics for continuous authentication and risk assessment; Data Protection: Watermarking, clipboard access etc.; Anti keylogger and screenshot protection.
Ease of Deployment: Access without a native client; Access with a native client; Client for iOS, Android, Windows and macOS.
User Experience: Network optimization for Desktop as a Service; Single sign-on.
Legend: Limited capabilities; Additional licensing required; 3rd Party Vendor solution required.]

Relying on a solution such as Zscaler Private Access can also set the stage for overages and new charges each time you need another product or package. This is not the case with Citrix.

As the industry’s most comprehensive offering, Citrix Secure Private Access provides ZTNA to all apps (virtual and non-virtual) with a single solution, offers different connectivity types (VPN, VPNless, micro VPN, and HDX) depending on the use case, and gives you integrated security analytics for continuous authentication and risk assessment. This empowers you to efficiently address the full range of zero trust capabilities while delivering an exceptional user experience—with no hidden costs or unexpected extras.

Enterprise Sales
North America 800-424-8749
Worldwide 1 408-790-8000

Locations
Corporate Headquarters: 851 Cypress Creek Road, Fort Lauderdale, FL 33309, United States
Silicon Valley: 4988 Great America Parkway, Santa Clara, CA 95054, United States

© 2020 Citrix Systems, Inc. All rights reserved. Citrix, the Citrix logo, and other marks appearing herein are property of Citrix Systems, Inc. and/or one or more of its subsidiaries, and may be registered with the U.S. Patent and Trademark Office and in other countries. All other marks are the property of their respective owner(s).
