As Citrix customers seek the transformative power of cloud services, they continue to look to us for guidance in how to successfully navigate that change. To illustrate how Citrix has worked through our own migration to a hybrid cloud approach to IT, I’ve been interviewing Citrix leaders across the company to share how different teams have worked through this transition in my blog series The Way We Work.
In the move to cloud services, security has been a top concern for years. Are cloud services safe? How can you maintain control of your information when you process and store it outside of your own data center? To answer these questions and more, I recently connected with Mike Orosz, Senior Director, Threat Services and Technology Governance for Citrix.
Since joining Citrix in August of 2014, Mike has been focused on strengthening Citrix physical and IT security. Mike brings more than 20 years of experience in security threat analysis, threat detection and IT governance, including 12 years serving the U.S. Army and six years working for the U.S. Department of Defense. That experience helps Mike oversee multiple layers and levels of security at Citrix.
Joe: Mike, before we begin, please describe your responsibilities here at Citrix.
Mike: I manage cyber threat management, physical security, incident response and business continuity and disaster recovery, all functions of security. Other responsibilities include assessing security risks on a global basis, managing cyber (logical) and physical incident response, cyber security research, business continuity, disaster recovery, patching and scanning our software for vulnerabilities.
Joe: That’s a pretty broad scope of responsibilities. How do you manage physical security, cyber security and threat management?
Mike: In a number of ways the processes are similar. For example, incident response is similar for events and cyber threat incidents, where you need to investigate the incident, and then validate your response, and then implement it.
In many ways, we are working to leverage automation to improve our incident response operations, and use technology advances to continuously improve our processes.
Joe: As we’ve been transitioning more processes and applications to the cloud, how has that changed the way you manage security?
Mike: In many cases, the cloud comes with a number of advantages over on-premises infrastructure, which include the fact that it’s always on. For example, last summer when Hurricane Irma approached Fort Lauderdale, I worked through much of it in the front seat of my car, using XenDesktop on a cellular connection.
In many cases, public cloud infrastructure makes it easier to maintain availability, confidentiality and data integrity, because large public cloud providers have greater resources, and are set up to provide those advantages. It can be expensive for individual businesses to implement the same levels of redundancy and security that the large provider manages at scale.
Joe: Given those compelling arguments for public cloud infrastructure, are there times where it might not make sense to move applications or functions to the cloud?
Mike: It really depends on the organization, the scale they can afford to deploy in their own data centers, and sometimes the regulatory environment they face. In some cases, it makes more sense to keep an application in-house.
For some larger organizations, there are instances where it may not make sense to shift everything to the cloud. For example, if you have an infrastructure that already complies with strict regulations, it may be more costly to move that to the cloud, where you might have to re-certify everything.
If you have applications running in your private data center that work well, it makes sense to keep that deployment in place rather than move it to the cloud. You really need to evaluate what makes the most sense for you and your organization, and that’s what we continue to do for Citrix.
Joe: While you’ve made the case that a public cloud can be as secure as — if not more secure than — a private data center, do you follow any practices to ensure our deployments are protected?
Mike: First, it’s important not to assume anything. While your cloud provider can be extremely secure, you still need to perform due diligence to confirm everything meets your standards. We take a “trust, but verify” approach to make sure all the security measures, policies and practices meet our strict standards, and we embrace whichever policies — whether our in-house practices and policies, or the cloud provider’s — are the most secure.
We also make sure we use the strongest security measures available for each deployment. Some of the largest security breaches have occurred because basic security measures were not used, even though they were available. For example, one high-profile breach in a cloud infrastructure happened because the company failed to implement any access security, not even a password.
We continually analyze everything we manage to make sure the strongest security measures are enabled and protecting our data.
Joe: What about the security of native SaaS applications we’re using at Citrix? How do you monitor application usage when it is happening outside of the Citrix network?
Mike: That’s a good point to consider. We rely on application log data for security monitoring and IP protection. How an app landed in the cloud or which cloud it resides in (ours, or someone else’s) is really secondary to what log data we can access. In some cases where a SaaS provider charges a premium on log data, it can lead to added charges, but it’s important to have that data available.
Joe: Do you have any advice for Citrix customers who are navigating their own transition to the cloud?
Mike: Make sure you review the security policies and measures you have in place, and do your due diligence when evaluating cloud or SaaS providers. In many cases, they may have stronger protections in place than you can deploy on your own.
Then make sure you use the strongest protection available, whether it’s yours, or the service providers’.
The bottom line is this: we evaluate where public cloud infrastructure makes the most operational sense, and then we put the strongest security measures available in place.