We may be living in the age of the cloud, but many organizations still rely on legacy or custom applications for some of their most critical operations. Whether it's a case of "if it's not broke, don't fix it" or understandable concern about the risk and cost of replacing them, these apps aren't going away anytime soon.
There's just one problem: security. Sure, these apps are behind the firewall, but they're typically protected only by a username/password combination. At a time when 81 percent of hacking-related data breaches leverage stolen or weak passwords, that can spell trouble. All it takes is one hacker to get through the firewall with stolen credentials for a potentially disastrous breach to occur.
Adding multi-factor authentication may seem like an obvious solution, but that's easier said than done in some cases, because legacy and custom apps aren't likely to support standard authentication protocols like SAML or RADIUS. Therefore, multi-factor authentication has to be custom-coded. And the more apps there are, the more costly and time-consuming it becomes to add multi-factor authentication—to the point of being difficult to justify. Organizations can end up in the unenviable position of trying to decide which apps merit the effort and which they're willing to risk leaving less protected.
The alternatives haven't been great: bite the bullet and undertake a significant development effort to manually add multi-factor authentication to some or all of the legacy and custom apps—or keep security limited to a credentials-based approach, and hope for the best. Go with the first, and you'd better be prepared to devote the time and money for development and tolerate trade-offs with other business priorities that also need your development resources. Or go with the second, and accept that you're going to be alarmingly unprepared for the fallout when a hacker attacks.
A Better Way: Next-Generation Firewall and MFA Integration
What if instead of having to add multi-factor authentication at the application level, where development time and costs can be prohibitive, you could do it at the network level—through a next-generation firewall integration? The thinking behind this is to equip the firewall to enforce multi-factor authentication, so the user's identity and access privileges can be confirmed at the network level before access is granted. That way, the firewall provides an authentication gateway for applications, eliminating the need for the apps themselves to be updated with multi-factor authentication capabilities.
This approach not only improves the security of legacy and custom apps, but also helps support compliance with regulatory mandates for controls to protect sensitive information—particularly personal data, which is subject to a growing number of regulations.
Next time you find yourself feeling like there are no good choices for increasing the security of your legacy and custom apps, consider a next-generation firewall with integrated multi-factor authentication capabilities. It will save you a tremendous amount of development time and expense and, ultimately, a lot of worry.
This is the last in a series of posts about transforming secure access in five key areas to address today's changing access landscape. Visit the RSA website to learn more about multi-factor authentication to secure access from cloud to ground, and check out the RSA webinar series Access Transformation in Action.
Author: Tim Norris