
The MFA Blind Spot of Legacy Applications

Despite the surge over the past few years to move all resources to the cloud, the use of legacy, on-prem applications isn’t disappearing. In a typical enterprise, these applications support the day-to-day operational processes in almost all verticals from finance and manufacturing to healthcare and hospitality.

While legacy applications are vital for organizations to function, they do introduce security risks. One of the most prominent is in the identity attack surface, as legacy applications typically don’t support MFA protection. This makes legacy applications a gaping blind spot in an organization’s security architecture, exposing its sensitive data to any threat actor who obtains compromised user credentials.

This post examines the identity security implications of legacy applications and how to fix the MFA blind spot with these applications.

What are Legacy Applications?

The typical organization uses many different types of applications to run its day-to-day operations. A considerable number of these applications are known as ‘legacy’: while based on older technologies, they are still part of the organization’s operations. In many cases, the operational overhead and cost of migrating these applications to the cloud is too high, making them a permanent on-prem resource. They also introduce various security issues, as they were not designed for today’s security controls and best practices.

From the identity protection aspect, legacy applications do not support MFA protection, leaving them exposed to threat actors who employ compromised credentials in their attacks. This MFA gap creates a blind spot in organizations’ security architecture, preventing them from efficiently protecting the sensitive data in these apps, and the operational continuity that relies on them, against incoming attacks. This risk is now increasingly drawing security stakeholders’ attention to the need for comprehensive MFA protection for legacy applications.

Why Can’t Legacy Applications be Protected with MFA?

Legacy applications were developed long before MFA technology was widely available, so they don’t natively support it in their default authentication process. To integrate MFA into a legacy application, organizations would need to make changes to the application’s code, which could disrupt the operational continuity of these applications and is therefore not considered an option by most organizations.

Moreover, legacy applications typically authenticate to Active Directory over the NTLM and Kerberos protocols which, unlike the modern authentication protocols that SaaS and web applications use, don’t support MFA either. This leaves legacy applications without a practical MFA protection option.

Lack of MFA on Legacy Apps Exposes Organizations to Data Loss and Disruption of Operations

MFA is the most effective security measure for blocking threat actors from using compromised credentials for malicious access. According to Microsoft, MFA can block over 99.9 percent of account compromise attacks. The steep increase in this type of attack – present in 82% of data breaches and ransomware attacks – makes the lack of MFA protection for legacy apps a critically exposed attack surface.

How does this exposure translate to an actual scenario? Once a threat actor has infiltrated a targeted environment and compromised a set of valid credentials, they gain uninterrupted access to the legacy apps and everything they contain. This access is then followed by either exfiltration of sensitive IP or extortion under threat of shutting down operations.

Furthermore, not placing MFA protection on legacy applications can create compliance issues for organizations that seek to meet their industry’s regulatory frameworks and cyber insurance requirements.

Current Identity Protection Alternatives are Not Enough

Some organizations attempt to compensate for the deficit in MFA coverage by closely monitoring users’ access and activity on their legacy apps to capture any anomalies that might indicate a compromise. However, this approach has two main flaws. First, it is reactive by nature, always responding to detected threats rather than preventing them. Second, it is extremely resource-intensive, requiring manual integration of the legacy app with a SIEM or some other centralized log collector, as well as a fully staffed security team to perform the actual monitoring. This makes it an impractical choice for most organizations.

As we’ve explained before, rewriting the apps’ code or migrating them to the cloud is not an option either. So it seems like an impasse – on the one hand MFA is required, but on the other it seems impossible. How can that be solved?

The Solution: Silverfort’s Unified Identity Protection MFA

Silverfort has pioneered the world’s first Unified Identity Protection platform that extends MFA and modern identity security to any user and resource, including the legacy applications that could never have been protected before.

Once the Silverfort platform is installed in the environment, Active Directory forwards every incoming access request to it for risk analysis prior to allowing or denying access. Silverfort’s risk engine inspects the access attempt and determines whether it can be trusted as is or whether MFA verification is required. If so, Silverfort connects to the MFA service – either its own or any 3rd-party one – and challenges the user to prove their identity. Based on the response, Silverfort tells AD whether the access request can be trusted or not.

This architecture sidesteps the question of whether the application natively supports MFA, because the only thing that matters is whether it authenticates to AD. If it does – which is the case for most if not all legacy applications – then Silverfort can analyze the request, trigger MFA if needed, and pass the verdict to AD as explained above.
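The decision flow described above, modelled as an added, hypothetical example (not Silverfort’s code or API): an access request that AD would forward is scored, low-risk requests are trusted as is, everything else is sent to a pluggable MFA provider, and the resulting verdict is what goes back to AD. The risk factors, weights and threshold are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple

@dataclass
class AccessRequest:
    """One authentication attempt as AD would forward it (constructed shape)."""
    user: str
    source_host: str
    target: str      # legacy application server being accessed
    protocol: str    # "NTLM" or "Kerberos"

@dataclass
class UserBaseline:
    """Hosts and servers this user has been seen using before (hypothetical)."""
    known_hosts: Set[str]
    known_targets: Set[str]

# Verdicts returned to AD; "MFA" marks that a challenge was issued.
ALLOW, DENY = "ALLOW", "DENY"
MFA_THRESHOLD = 30  # constructed policy: at or above this, step up to MFA

def score_risk(req: AccessRequest, base: UserBaseline) -> Tuple[int, List[str]]:
    """Illustrative risk factors; a real engine would use many more signals."""
    score, reasons = 0, []
    if req.source_host not in base.known_hosts:
        score += 40; reasons.append("unfamiliar source host")
    if req.target not in base.known_targets:
        score += 30; reasons.append("first access to target")
    if req.protocol == "NTLM":
        score += 20; reasons.append("NTLM instead of Kerberos")
    return score, reasons

def decide(req: AccessRequest, base: UserBaseline,
           mfa_provider: Callable[[str], bool]) -> Tuple[str, bool, List[str]]:
    """Return (verdict for AD, whether MFA was required, reasons)."""
    score, reasons = score_risk(req, base)
    if score < MFA_THRESHOLD:
        return ALLOW, False, reasons          # trusted as is, no user friction
    # Step up: the MFA service (own or 3rd-party) challenges the user.
    passed = mfa_provider(req.user)
    return (ALLOW if passed else DENY), True, reasons

# Constructed sample data for a user who normally reaches the ERP from one workstation.
BASELINE = UserBaseline(known_hosts={"WS-ALICE"}, known_targets={"ERP-SRV01"})
NORMAL = AccessRequest("alice", "WS-ALICE", "ERP-SRV01", "Kerberos")
SUSPECT = AccessRequest("alice", "UNKNOWN-PC", "ERP-SRV01", "NTLM")

if __name__ == "__main__":
    print(decide(NORMAL, BASELINE, lambda u: True))    # ('ALLOW', False, [])
    print(decide(SUSPECT, BASELINE, lambda u: False))  # ('DENY', True, [...])
```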

By that, Silverfort overcomes all the challenges we’ve described in the previous sections:

  • It doesn’t require any code change to the app itself.
  • It doesn’t require installing any agents on the app’s servers.
  • It covers all access attempts without exception, since every access attempt passes through AD.
  • It provides proactive, real-time prevention of any attempt to use compromised credentials to access the legacy app.

Learn more about MFA blind spots and how to close them in Silverfort’s eBook: Re-evaluate your MFA Protection.


*** This is a Security Bloggers Network syndicated blog from Blog - Silverfort authored by Zev Brodsky. Read the original post at: https://www.silverfort.com/blog/the-mfa-blind-spot-of-legacy-applications/