Citrix Blogs

A practical approach for risk transference

Risk transference is when an organization chooses to pay someone else to accept risk. This framework is often applied to protect against low-probability, high-impact events.

Insurance for Virtual Apps and Desktops Delivery

There’s always an element of risk transference associated with cloud computing. But the amount of risk you can truly transfer depends on the cloud deployment model you choose for your cloud migration.

This is important to remember when thinking about Citrix Cloud, which offers a PaaS-type deployment model. Management of the OS for the infrastructure components (Delivery Controllers, Director, Databases, Licensing Server and, optionally, Workspace, which replaces StoreFront, and Gateway, which replaces Citrix Gateway) is offloaded to Citrix Cloud, while the OS of the workloads stays within the control of the cloud customer. This is the ideal zone for customers who are wary of transferring too much risk and control to a cloud provider.

Because the infrastructure components stay within the control of Citrix Cloud operations, cloud customers can transfer the risk of keeping key components of the Citrix Virtual Apps and Desktops delivery patched, updated, and highly available to avoid security flaws. This form of risk transference is also ideal for business continuity and disaster recovery because of the flexible architecture.

Control Identity and Access Management Without Owning All the Risk

It’s common for customers to also adopt cloud access security brokers (CASB) for offloading risks associated with identity and access management (IAM). Citrix Cloud not only offers cloud customers the flexibility to adopt the Citrix Cloud as their CASB for delivering a secure workspace experience, it also offers integrations with all major CASB providers to further broker IAM.

One of the cons of a higher degree of cloud adoption is the risk of vendor lock-in. Most of our customers manage this risk by hosting workloads across multiple clouds while keeping some workloads on-premises. The Citrix Cloud PaaS solution gives customers this flexibility without adding complexity to their architecture. This is also true for choosing a CASB. After all, the Citrix Cloud Identity platform enables integration with multiple CASB providers.

Transfer Risk, Maintain Standardization

The increase in adoption of SaaS applications, where the organization relinquishes even more control over company data in favor of risk transference, has also contributed to the difficulty in transferring the risk to a cloud provider. Security policies applicable to virtual apps and desktops and web-based intranet applications may not be enforceable on SaaS apps, leaving customers at the mercy of cloud providers to apply enhanced security controls.

The Citrix Cloud-hosted Citrix Access Control service closes this gap by providing a common policy framework for SaaS applications, as well as Citrix Virtual Apps and Desktops and web-based intranet applications when delivered from Citrix Workspace.

Balance Risk and Control to Avoid Lock-in

DNS protection is often ignored. But when DNS is attacked, it may have the largest impact on the availability of your critical systems. On-prem DNS infrastructure has been a standard so far. But the impact of DNS unavailability during an attack, and its negative effect on resilience, have led to the trend of relinquishing control of the DNS to cloud-based DNS providers, resulting in increased adoption of CDN-hosted DNS services.

This puts a customer at risk, though, of vendor lock-in with the content delivery network, which already doesn’t have a pulse on the health of the origin/source of the applications. Citrix Intelligent Traffic Management (ITM) offers GSLB-as-a-Service and acts as an authoritative DNS that combines visibility inside the data center with ITM’s unique view of the internet (ISPs, CDNs, cloud providers) to reliably resolve hostnames of your critical systems without risking vendor lock-in.

Isolate Risk Before Transferring It

Sometimes customers try to provide a secure browser experience by publishing browsers as virtual apps. However, this doesn’t help isolate threats from entering the application server that publishes the browser.

Customers have seen a lot of value in leveraging the Citrix Secure Browser service on Citrix Cloud, transferring all the risk to containerized browser experiences delivered via a managed browser from Citrix. Users can’t bring attack vectors down from the internet, whether from insecure websites or infected legitimate websites, onto their own devices or into the organization’s network via a browser accessed from their VDI or virtual application. The only way to browse out to the internet is via the Citrix managed Secure Browser service.
