The MFA Blind Spot of Legacy Applications


Despite the push over the past few years to move all resources to the cloud, the use of legacy, on-prem applications isn’t disappearing. In a typical enterprise, these applications support day-to-day operational processes in almost every vertical, from finance and manufacturing to healthcare and hospitality.

While legacy applications are vital for organizations to function, they do introduce security risks. One of the most prominent is in the identity attack surface, as legacy applications typically don’t support MFA protection. This makes legacy applications a gaping blind spot in an organization’s security architecture, exposing its sensitive data to any threat actor that obtains compromised user credentials.

This post examines the identity security implications of legacy applications and how to close the MFA blind spot they create.

What are Legacy Applications?

The typical organization uses many different types of applications to run its day-to-day operations. A considerable number of these applications are known as ‘legacy’: while based on older technologies, they are still part of the organization’s operations. In many cases, the operational overhead and cost of migrating these applications to the cloud is too high, making them a permanent on-prem resource. They also introduce various security issues, as they were not designed for today’s security controls and best practices.

From the identity protection aspect, legacy applications do not support MFA protection, leaving them exposed to threat actors that employ compromised credentials in their attacks. This MFA gap creates a blind spot in organizations’ security architecture, preventing them from efficiently protecting the sensitive data in these apps, and the operational continuity that relies on them, against incoming attacks. This risk is increasingly drawing security stakeholders’ attention to the need for comprehensive MFA protection for legacy applications.

Why Can’t Legacy Applications be Protected with MFA?

Legacy applications were developed long before MFA technology was widely available, so they don’t natively support it in their default authentication process. To integrate MFA into a legacy application, organizations would need to make changes to the application’s code, which could disrupt their operational continuity. Most organizations therefore don’t consider this a viable option.

Moreover, legacy applications typically authenticate to Active Directory over NTLM and Kerberos protocols, which – unlike modern authentication protocols that SaaS and web applications use – also don’t support MFA. This leaves legacy applications without a practical MFA protection option.

Lack of MFA on Legacy Apps Exposes Organizations to Data Loss and Disruption of Operations

MFA is the most effective security measure in blocking threat actors from using compromised credentials for malicious access. According to Microsoft, MFA can block over 99.9 percent of account compromise attacks. The steep increase in this type of attack – which is seen in 82 percent of data breaches and ransomware attacks – makes the lack of MFA protection for legacy apps a critically exposed attack surface.

How does this exposure translate to an actual scenario? Once a threat actor has infiltrated a targeted environment and compromised a set of valid credentials, they’ll gain uninterrupted access to the legacy apps and all they contain. This access would be followed by either exfiltration of sensitive IP or extortion under threat of shutting down operations.

Furthermore, not placing MFA protection on legacy applications can create compliance issues for organizations that seek to meet their industry’s regulatory frameworks and cyber insurance requirements.

Current Identity Protection Alternatives are Not Enough

Some organizations attempt to compensate for the deficit in MFA coverage by closely monitoring users’ access and activity on their legacy apps to capture any anomalies that might indicate a compromise. However, this approach has two main flaws. First, it is reactive by nature, always responding to detected threats rather than preventing them. Second, it is extremely resource heavy, requiring manual integration of the legacy app with a SIEM or some other centralized log collector, as well as a fully staffed security team to perform the actual monitoring. This makes it an impractical choice for most organizations.
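To make the "reactive by nature" point concrete, here is a small detector of the kind such a monitoring setup would run over a legacy app server's logon records once they have been shipped to a central collector. It is an added illustration, not code from Silverfort or from any product: the log lines are constructed, flattened to key=value form for readability, and the learning window, business hours and field names are assumptions for the demo. Note that every alert it produces refers to a logon the application has already accepted.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of logon records in a flattened key=value form (not real data).
# EventID 4624 is a successful logon and LogonType 3 a network logon, which is what an
# application server records when a user authenticates to it over NTLM or Kerberos.
SAMPLE_LOG = """\
2024-05-06T08:55:12Z EventID=4624 LogonType=3 TargetUserName=jdoe WorkstationName=WS-FIN-01 AuthenticationPackageName=NTLM
2024-05-06T09:02:41Z EventID=4624 LogonType=3 TargetUserName=asmith WorkstationName=WS-OPS-07 AuthenticationPackageName=Kerberos
2024-05-07T09:10:05Z EventID=4624 LogonType=3 TargetUserName=jdoe WorkstationName=WS-FIN-01 AuthenticationPackageName=NTLM
2024-05-08T03:17:30Z EventID=4624 LogonType=3 TargetUserName=jdoe WorkstationName=VM-UNKNOWN-9 AuthenticationPackageName=NTLM
2024-05-08T09:00:22Z EventID=4624 LogonType=3 TargetUserName=asmith WorkstationName=WS-OPS-07 AuthenticationPackageName=Kerberos
2024-05-08T23:45:09Z EventID=4624 LogonType=3 TargetUserName=asmith WorkstationName=WS-OPS-07 AuthenticationPackageName=NTLM
"""

# Assumed policy values for the demo: a two-day learning window and 07:00-19:59 UTC business hours.
LEARN_UNTIL = datetime(2024, 5, 8)
BUSINESS_HOURS = range(7, 20)

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.*)$")


def parse_line(line):
    """Turn one flattened record into a dict; returns None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(pair.split("=", 1) for pair in m.group("kv").split())
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return fields


def build_baseline(events, learn_until):
    """Which workstations each user logged on from during the learning window."""
    baseline = defaultdict(set)
    for e in events:
        if e["ts"] < learn_until:
            baseline[e["TargetUserName"]].add(e["WorkstationName"])
    return baseline


def detect_anomalies(log_text, learn_until=LEARN_UNTIL):
    """Return (timestamp, user, reason) tuples for logons that deviate from the baseline.

    Every alert refers to a logon that has already succeeded: the app granted access
    before this code ran, which is the reactive nature of the monitoring approach.
    """
    events = [
        e for e in map(parse_line, log_text.splitlines())
        if e and e.get("EventID") == "4624" and e.get("LogonType") == "3"
    ]
    baseline = build_baseline(events, learn_until)
    alerts = []
    for e in events:
        if e["ts"] < learn_until:
            continue  # learning window, nothing to alert on
        user, host = e["TargetUserName"], e["WorkstationName"]
        if host not in baseline[user]:
            alerts.append((e["ts"].isoformat(), user, f"first logon from {host}"))
        if e["AuthenticationPackageName"] == "NTLM" and e["ts"].hour not in BUSINESS_HOURS:
            alerts.append((e["ts"].isoformat(), user, "NTLM logon outside business hours"))
    return alerts


def run_sample():
    """Run the detector over the constructed sample."""
    return detect_anomalies(SAMPLE_LOG)


if __name__ == "__main__":
    for ts, user, reason in run_sample():
        print(f"{ts} {user}: {reason}")
```

Against the sample, the 03:17 logon by jdoe from an unknown host raises two alerts and the late-evening NTLM logon by asmith raises one; in each case the session was already open by the time an analyst would see the alert, and someone still has to triage it, which is the staffing cost the paragraph describes.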

As we’ve explained before, rewriting the apps’ code or migrating them to the cloud is also not an option. So, it seems we’ve reached an impasse: on one hand MFA is required, but on the other it seems impossible. How can that be solved?

The Solution: Silverfort’s Unified Identity Protection MFA

Silverfort has pioneered the world’s first Unified Identity Protection platform that extends MFA and modern identity security to any user and resource, including the legacy applications that couldn’t be protected before.

Once the Silverfort platform is installed in the environment, Active Directory forwards every incoming access request to Silverfort for risk analysis before allowing or denying access. Silverfort’s risk engine inspects the access attempt and determines whether it can be trusted or whether MFA verification is required. If further verification is needed, Silverfort connects to the MFA service, either its own or any third-party one, and challenges the user to prove their identity. Based on the response, Silverfort tells AD whether the access request can be trusted.

This architecture sidesteps the question of whether the application natively supports MFA, because the only thing that matters is whether it authenticates to AD. If it does, which is the case for most, if not all, legacy applications, then Silverfort can analyze the access request, trigger MFA if needed, and pass the verdict to AD as just described.
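The following is a simplified model of the decision flow just described, added here as an illustration; it is not Silverfort’s code and does not claim to reproduce its risk engine. It shows the three parties in the exchange: the access request the directory forwards, a risk engine that returns allow, require-MFA or deny, and an MFA step whose outcome becomes the verdict handed back to the directory. The risk signals, thresholds, host names and the way the simulated user answers a prompt are all assumptions for the demo.

```python
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    REQUIRE_MFA = "require_mfa"
    DENY = "deny"


@dataclass(frozen=True)
class AccessRequest:
    """What the directory forwards for analysis before answering the client (constructed model)."""
    user: str
    source_host: str
    target: str      # host of the legacy application being accessed
    protocol: str    # "Kerberos" or "NTLM", the protocols the post names


class RiskEngine:
    """Scores a request from a few signals. Signals and thresholds are assumed demo values."""
    MFA_THRESHOLD = 40
    DENY_THRESHOLD = 100

    def __init__(self, known_hosts, sensitive_targets, disabled_users=()):
        self.known_hosts = known_hosts                  # user -> set of usual source hosts
        self.sensitive_targets = set(sensitive_targets)
        self.disabled_users = set(disabled_users)

    def score(self, req):
        score = 0
        if req.user in self.disabled_users:
            score += self.DENY_THRESHOLD              # account must never authenticate
        if req.source_host not in self.known_hosts.get(req.user, set()):
            score += 40                               # never seen this user on this host
        if req.protocol == "NTLM":
            score += 20                               # weaker protocol than Kerberos
        if req.target in self.sensitive_targets:
            score += 20                               # app holds sensitive data
        return score

    def evaluate(self, req):
        s = self.score(req)
        if s >= self.DENY_THRESHOLD:
            return Verdict.DENY
        if s >= self.MFA_THRESHOLD:
            return Verdict.REQUIRE_MFA
        return Verdict.ALLOW


class MfaService:
    """Stand-in for an MFA provider. The simulated user approves a prompt only for a session
    that started on the device they are actually working from, and declines one they did not start."""

    def __init__(self, user_locations):
        self.user_locations = user_locations          # user -> host they are working from
        self.challenged = []                          # record of who was prompted

    def challenge(self, req):
        self.challenged.append(req.user)
        return self.user_locations.get(req.user) == req.source_host


def decide(req, engine, mfa):
    """The verdict returned to the directory: True grants the access request, False refuses it.
    The application itself is never touched; the decision happens on the authentication path."""
    verdict = engine.evaluate(req)
    if verdict is Verdict.ALLOW:
        return True
    if verdict is Verdict.DENY:
        return False
    return mfa.challenge(req)


def run_demo():
    """Four constructed access requests against one engine; returns (decisions, who was prompted)."""
    engine = RiskEngine(
        known_hosts={"jdoe": {"WS-FIN-01"}},
        sensitive_targets={"ERP-APP-01"},
        disabled_users={"svc_retired"},
    )
    mfa = MfaService(user_locations={"jdoe": "WS-FIN-01"})
    decisions = {
        # usual host, Kerberos, non-sensitive target: trusted, no prompt
        "routine": decide(AccessRequest("jdoe", "WS-FIN-01", "FILE-SRV-02", "Kerberos"), engine, mfa),
        # usual host but NTLM to the sensitive app: prompt, user approves
        "sensitive_ntlm": decide(AccessRequest("jdoe", "WS-FIN-01", "ERP-APP-01", "NTLM"), engine, mfa),
        # valid credentials presented from an unknown host: prompt, user declines what they did not start
        "compromised_creds": decide(AccessRequest("jdoe", "VM-UNKNOWN-9", "ERP-APP-01", "NTLM"), engine, mfa),
        # disabled account: refused outright, no prompt
        "disabled_account": decide(AccessRequest("svc_retired", "WS-FIN-01", "ERP-APP-01", "NTLM"), engine, mfa),
    }
    return decisions, list(mfa.challenged)


if __name__ == "__main__":
    decisions, prompted = run_demo()
    for name, granted in decisions.items():
        print(f"{name}: {'granted' if granted else 'refused'}")
    print("MFA prompts sent to:", prompted)
```

The point the model makes is structural: the legacy app on ERP-APP-01 never sees an MFA prompt and needs no code change, because the challenge is inserted between the directory and its answer. The "compromised_creds" case is where the blind spot closes: the credentials are valid, so the app alone would accept them, but the extra factor is declined and the directory refuses the request before any data is reached.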

In this way, Silverfort overcomes all the challenges we’ve described in the previous sections:

  • It doesn’t require any code changes to the app itself.
  • It doesn’t require installing any agents on the app’s servers.
  • It covers all access attempts that utilize Active Directory.
  • It provides proactive, real-time prevention of any attempt to use compromised credentials to access the legacy app.

Learn more about MFA blind spots and how to protect them in Silverfort’s eBook: Re-evaluate your MFA Protection.
