We currently have a VPN deployed for remote users accessing applications on our network. We would like to eliminate the VPN and deploy Citrix Secure Gateway instead because of the large potential cost savings, no client installation & management, etc. What are the security risks, if any, of moving this direction versus a VPN? Are the clients still vulnerable to attacks?
As with any infrastructure change it is good that you are thinking about the risk of changing a platform. Clients will still be vulnerable to attacks, though these may be of different types than you current VPN setup. Without detailed knowledge of the proposed configuration it is a bit difficult to list the risks, but there are several areas to consider. Citrix provides many advantages, but care must be taken since it enables many users to map and share files through a common system. Authentication and authorization must be sufficient to isolate the users from each other, and restrict them from accessing items they shouldn't. This is largely an administrative function. Anti-virus is crucial, as one infected user has the potential to infect many clients indirectly and directly.
I would recommend that you list the controls, and risks of the current system, and then review how the proposed system meets the same requirements, and assess where deficiencies may be.
Dig Deeper on Network Access Control
Risk & Repeat: Will Rule 41 changes become cybersecurity law?
How can incorrectly configuring VPN clients lead to a security breach?
How secure is a VPN? Exploring the most secure remote access methods
Citrix's announces "XenVault" a secure corporate storage location on insecure non-corporate laptops