Squeezing Citrix
Application portability is critical amidst the backdrop of ransomware attacks, and a wide swath of startups is enabling greater portability & performance than ever before.
Happy New Year! I’ve recently been spending a lot of time in application streaming, both from a security isolation and a network architecture perspective. Thinking about similar things? Feel free to ping me at rgarg@baincapital.com, or @rak_garg on Twitter!
In 2009, I was in middle school using Wine and VirtualBox to run Photoshop on a Xubuntu machine with a Pentium 4 and laughable graphics. It wasn’t fast, or very flexible, but I never had to configure Windows or upgrade my computer. That’s huge, both for a kid using a relic, and for the hundreds for millions of people working in governments, healthcare, universities, corporate labs, and more. If you were an IT person in 2009, and a pandemic forced your employees to work from home, you’d probably turn to Citrix (NASDAQ:CTXS, $12B mkt cap) to make all of your critical apps and resources available to your newly distributed workforce without compromising on security.
Citrix was an incredible growth story, enabling secure, distributed work, without upgrading user devices, especially in environments with device sharing. But, advances in data streaming, web app architecture, and edge proliferation, coupled with declining hardware costs and broader zero-trust security adoption, are squeezing Citrix from every direction. Expectations of native experience have intensified. Value creation is shifting downwards, towards best of breed infrastructure, creating opportunities for upstarts.
The promise of portability
Source: Citrix blog.
Two decades before I’d realize the promise—and problems—of application portability, Ed Iacobucci & a team of OS/2 architects at IBM would jump ship in 1989 to execute on one question: what if you could run anything, anywhere? Ed raised $3m in seed funding ($6.7m in 2022 dollars), and built Citrix, a play on Citrus and UNIX, to help companies run apps in a data center and stream them to employees everywhere. Ed & team’s critical discovery was 30 years ahead of its time: users don’t care where the app is running. They care if it feels native.
Citrix caters to companies averse to public clouds, with some workforce distribution, shared devices, and a Windows stack. The need for secure, high performance access to collaborative apps is universally felt, encompassing the Citrix target market and more. As web infrastructure improves, application security and performance will follow suit. This post focuses on that core infrastructure, and how it will enable a faster, more collaborative universe of enterprise software than what’s possible today.
An on-prem endocarp
Citrix users maintain a secure web gateway, SD-WAN, an app store service, an auth layer, load balancers, shared data stores, and hypervisors to run apps and their host operating systems. Setting all of that up is a policy management nightmare and a long engagement with a solutions engineer.
You could subscribe to Citrix Cloud, but then you’d need to configure all of your internal and external apps to work on Citrix Workspace. That’s a tall order, and early data suggest customers agree. Citrix ARR grew only 13% YoY in Q3 2021, and <15% of the install base has migrated to cloud.
Citrix saw the writing on the wall and acquired project management platform Wrike for $2.5B in March 2021, shifting corporate strategy towards becoming a digital workspace over an application delivery network. The problem is that the browser is the modern workspace, not the desktop.
The browser is the modern workspace
Apps aren’t installed, they’re visited. Security policies don’t live on appliances, they’re set via cloud-hosted control planes. Collaboration is real-time, and bad performance is intolerable no matter your distance from a data center. Each of the components Citrix operates is sublimating into the cloud and competing with specialized solutions.
Browser security
The browser is evolving. Mighty streams a browser running on a high-performance cluster in the cloud, solving local memory and performance challenges. Talon and Island secure the browser layer directly, restricting data exfiltration, securing user activity, etc. If the browser is the modern workspace, then browser security and performance are non-negotiable. Chrome’s rapid rise against Internet Explorer, Safari, Firefox, and Opera, proves the value of performance, speed, and security in supplanting even pre-installed options.
Network security
Citrix invests in a gateway+VPN offering to ensure secure network access. Two new regimes, ZTNA (Zero Trust Network Access) and SASE (Secure Access Service Edge), provide secure, software-defined networks without any need for costly, tough-to-maintain appliances. In addition, both avoid the latency problems of centralized hub-and-spoke VPNs and provide identity-awareness.
ZTNA
Companies like Loophole Labs, Tailscale, Twingate, and their peers have built cloud-orchestrated, identity-aware mesh networks with intuitive control planes. Adopting one of these solutions obviates the need for Citrix Gateway, and can handle secure access for every web service, not just Citrix services.
SASE
Zscaler, Cato Networks, and Netskope have invested in delivering a suite of security products (CASB, DLP, VPN, SD-WAN, Firewall, ZTNA) as a cloud service. SASE companies can become the holistic fabric of an enterprise network. Routing all traffic through a SASE offering dissolves the need for a traditional de-militarized zone and strategic placement of resources behind the firewall.
Web app architecture
WebAssembly lets developers write performant C++/Rust code and run it at native speed on the web, allowing demanding desktop software to finally be ported to the web with very little detriment to performance. Large volume data streaming and compute-intensive apps in video and photo editing can run in a browser and offer a first-class experience like Figma. Companies like WasmCloud expand the universe of cloud-native app deployments by making it easier for developers to harness the power of WebAssembly.
Real-time collab
Enabling real-time collaboration is technically challenging because of issues with data consistency and conflict resolution. CRDTs (conflict-free replicated data types) guarantee strong eventual consistency without data loss, but engineers have to build them into each app. Citrix uses CRDTs to enable realtime collaboration for file editing, but we’ll find collaboration as a first-class feature in more apps going forward, thanks to developer-focused companies like Replicache, Logux, and Tiny. Some believe CRDTs might displace traditional client/server communications, providing real-time functionality up and down the stack.
App streaming
Lighter-weight, modern application streaming companies offer high performance access to demanding software with minimal lag. Playing games on Rainway, which powers Xbox Cloud Gaming, is indistinguishable from playing on a local Xbox, with the distinction of playing in Chrome and from anywhere in the world. Rainway and similar companies like Parsec (acq by Unity for $320m), Shadow, and NeverInstall, offer faster performance and more flexibility, with less security/admin overhead, compared to running software locally. For companies with serviceable endpoints but stringent data security requirements, Hysolate bifurcates storage and compute, leveraging the cloud for the former and local resources for the latter.
Edge proliferation
Finally, companies enabling edge deployments and geo-distribution like Macrometa, Fly.io, and Cloudflare, offer high performance to users regardless of where in the world they are. Centralized networks like Citrix rely on edge nodes supplied by hyperscalers like Azure, GCP, and AWS, which increase vendor lock-in and offer subpar developer experience. The proliferation of the edge will further intensify demand for performance, and relegate higher-latency models to history.
Winning what matters
Citrix is a juggernaut with 100m+ users, only 12.2m of which are Cloud subscribers today. There is a long runway for the company to migrate, monetize, upsell, and cross-sell that user-base. However, as the world migrates to the cloud, aided by each of the previously mentioned tailwinds, net new users may find they have no need for a virtual app platform.
Citrix proved the value of streaming apps securely across an enterprise network. New companies are perfecting the mission piecemeal, with a focus on end-user productivity, developer joy, and admin ease-of-use. Collaborative, edge-delivered web apps, accessed from secure, fast browsers sitting atop secure, software-defined networks, have never been easier to create.
If you’re building in this space or have thoughts, I’d love to hear from you! Reach out at rgarg@baincapital.com or @rak_garg on Twitter.
We moved from citrix VDI to SURF security enterprise browser