The browser is the new endpoint. Our security model hasn’t caught up - Is anyone actually governing it?
Explore how to effectively govern browser activity within your organization and enhance security with Citrix solutions, addressing unseen risks in the digital workspace.
There's a question I've been asking in customer conversations lately that tends to produce an uncomfortable silence:
"How are you governing what actually happens inside the browser today?"
Not the network or the device: the browser. The thing your people spend most of their day inside. Generally, the silence is telling, because most organisations have spent the last several years investing heavily in Zero Trust — verifying identity, checking device posture, granting least-privilege access to specific applications. All of that is the right work, but it stops at the door. And the risk doesn’t live at the door anymore; it lives in the room.
The door and the room
Here's the problem with ZTNA as it's typically deployed. It's very good at controlling who gets through the entrance. It’s a point-in-time assessment of whether we trust the user and device, which is like the door staff ensuring you meet all the requirements to get in. Absolutely right and necessary.
What it doesn't see is what happens once the user is inside. A legitimate user, properly authenticated, sitting inside a SaaS CRM with a clean device posture score — what stops them copying a customer list into a personal Gmail draft? Downloading the pipeline report onto an unmanaged laptop? Pasting next quarter's forecast into ChatGPT to "tidy up the language"?
In most environments: nothing does. The ZTNA layer has done its job. What happens next is invisible to it. The better SSE platforms — Zscaler, Netskope and others — have a partial answer here with in-line CASB and DLP. And to be fair, that catches some things. But traffic inspection and browser-layer control are not the same thing. An in-line CASB sees the conversation between the browser and the SaaS domain. It doesn't see the user copying text between tabs, a malicious extension reading every page, or a screen capture being taken. Those things happen inside the browser, before traffic ever leaves the device.
This is where most Zero Trust conversations quietly stop — not because the question's been answered, but because it’s never really been asked.

Figure 1: The door and the room
SPA, CEP, and why the combination matters
The SPA and Chrome Enterprise Premium combination exists for exactly this problem. SPA is the access layer: cloud-delivered ZTNA, no VPN required, adaptive policy based on identity and device posture. CEP is the browser layer: DLP enforced at the surface where work actually happens, covering copy/paste, downloads, printing, screen capture, extension behaviour, and URL filtering at render time.
What makes the combination worth a serious look — rather than just another "better together" vendor story — is that these two products are engineered to work together by design, not stitched together after the fact. And if you're a Citrix customer, SPA is already in your licensing. The conversation isn't about buying something new. It's about using what you already have, properly.
There's also a Google dimension that's easy to undersell. Chrome Enterprise Premium's threat intelligence isn't drawn from a security vendor's feed — it's drawn from Google's unmatched view of global internet activity. Safe Browsing protects over five billion devices and assesses more than 10 billion URLs and files every day. When a new phishing campaign emerges on a Tuesday morning, Google has typically seen it, classified it, and pushed protection across that footprint before most security operations centres have finished their first coffee. That's not a feature. That's what it means to be Google.
One platform, five types of users
The other objection I hear — usually from partners who've been selling Citrix for a long time — is some version of: "doesn't this cannibalise DaaS?" It doesn't. It completes the picture.

Figure 2: Five user personas, one platform
Most organisations have a mix of the personas shown above: the VDI user who needs a full sealed desktop; the web apps user who lives entirely in a browser; the hybrid user, the largest group in most enterprises, who needs SaaS alongside the odd legacy Windows application that's never going to move to the cloud; and the client/server user with thick client applications that need governed back-end connectivity. (I’m deliberately ignoring the Developer use case in this blog, but wanted to include it in the diagram to highlight that it’s another use case that can benefit from the same review of access and security.)
Citrix Workspace presents all of the delivery modes through a single browser-based interface. SaaS, internal web apps, published Windows applications, and full virtual desktops; one pane, one identity, one consistent experience. No ZTNA-only vendor can offer the published application or the virtual desktop.
When a customer's roadmap eventually hits that Windows app that won't die — and it always does — those vendors have no answer. Citrix does.
The question worth asking
I'm not suggesting the answer is always Citrix. Customers have existing investments, existing relationships, existing architectural decisions that deserve respect. Rip-and-replace is rarely the right advice, and partners who lead with it rarely win.
But "how are you governing what happens inside the browser?" is a legitimate question that most customers have never been properly asked. Their ZTNA vendor hasn't really asked it; the answer doesn't benefit them. Their endpoint vendor hasn't asked it; they're focused on the device. Their CASB vendor might gesture toward it, but traffic inspection isn't the same thing, and the more technically honest ones will admit that.
Find two or three customers where the BYOD issue, the contractor access problem, or the shadow AI concern is already live and walk in with the right question.
The browser has been the most important surface in the enterprise for years. It's also been the least governed. At some point, those two facts were going to collide. That’s exactly where we are!
In the next blog of this series, we will look deeper at the questions that need to be asked when it comes to deploying a secure browser, and how the browser is the last mile in a truly end-to-end ZTNA solution.
To find out more, please reach out to our CXANZ team.
Sources:
*5 billion devices: https://safebrowsing.google.com/
**10 billion URLs: https://blog.google/products-and-platforms/products/chrome/google-chrome-safe-browsing-real-time/