The successful attack on Twilio reminds us that cyberattacks, especially in the form of ransomware, continue to soar, leading to significant costs and brand damage. For many CEOs, their worst nightmare is seeing the company logo emblazoned on a Wall Street Journal article about a large ransomware payout or a successful hack and leak of sensitive customer information. Most companies have responded to this challenge by upping their cybersecurity game and investing in modern Identity as a Service (IDaaS) solutions, such as Microsoft 365 (Azure AD) and Okta, which support stronger security strategies like multifactor authentication (MFA). Corporate boards and CEOs also often insist on obtaining cyber insurance to offset the costs of a successful attack. However, shocked CISOs regularly find that despite their investment in a new IDaaS solution, meeting cyber insurance requirements is still challenging.
Why? Because after the White House Executive Order on cybersecurity mandated MFA for all federal agencies, most insurers also began requiring it. But modern IDaaS solutions support MFA only for modern SaaS applications, while most companies continue to rely on dozens of “non-standard” (by today’s standards) but still critical applications, such as on-premises Oracle/SAP apps, homegrown apps, open source tools and more, that do not support the modern security protocols (SAML and OIDC/OAuth) that enable MFA. Retrofitting these applications to support MFA can place a tremendous cost, time and resource burden on a company, significantly delaying the ability to obtain cyber insurance.
If your company faces this hurdle, here’s a look at your options and how Datawiza can make it fast and painless to deploy MFA for these non-standard but critical applications.
Executive mandates to implement modern cybersecurity strategies often seem to imply an immediate and complete move to modern applications that support MFA and other related security strategies like Single Sign-On (SSO). Of course, this is wishful thinking. There’s a good reason Cisco’s 2022 Global Hybrid Cloud Trends Report concludes that 82% of organizations have adopted a hybrid cloud strategy, with workloads running on-premises and across multiple public cloud providers. Most companies won’t abandon their non-standard solutions anytime soon because they continue to deliver significant value to the organization, and replacing them would involve significant time and costs, as well as disruption for both IT and users. Yes, companies will eventually replace these solutions, but they should do it when the time is right, not in some mad scramble to meet the MFA requirement for cyber insurance.
So if replacing non-standard applications isn’t feasible, what options exist for bringing MFA to them?
Many companies automatically take a DIY approach, thinking it will be quick and painless to rewrite their apps by using SDKs to enable MFA/SSO. However, this approach always takes longer than developers imagine, often months for each application. This distracts developers from their more strategic projects, and if they don’t have the required security expertise and familiarity with modern security protocols, they may allow vulnerabilities to creep into their code.
Some deep-pocketed companies turn to system integrators to modernize all their applications to enable MFA/SSO, but this is far too expensive for most organizations. Others deploy legacy hardware gateways to bridge their legacy applications to their IDaaS solutions. These approaches can work, but they are expensive to deploy, require security expertise to implement, and demand constant maintenance.
A CISO of a financial services company said her team of developers spent two years adapting their 50 pre-SaaS solutions to support modern security protocols and MFA by using the SDKs provided by the IDaaS. This is critical for businesses to understand. SDKs are very difficult to use, and it’s almost impossible to get support for them from large vendors (e.g. Microsoft, Okta). Teams can query the developer community, but this is time consuming and can lead to bad advice. Finally, updating the SDK (e.g. moving from Java 8 to Java 11) requires another coding project. So there’s both a short-term development challenge and a long-term maintenance problem, especially if the developers who originally worked on the SDK have left the team. Long-term maintenance is also especially hard on companies that hire system integrators because of the high ongoing costs.
The cloud-delivered Datawiza platform relies on lightweight, cloud-native, container-based proxies deployed in front of non-standard applications – legacy, homegrown, open source – to create a bridge between the application and the IDaaS solution of choice. In just a few minutes, companies can deploy and configure Datawiza and begin requiring MFA to log into every non-standard application.
Even companies with a long-term plan to replace all these applications find that Datawiza offers an ideal stopgap for immediately implementing MFA to obtain cyber insurance.
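To make the proxy-bridge pattern concrete, here is an added illustration in Go; it is not Datawiza's code and does not reflect how their product is built. A small reverse proxy sits in front of a stand-in legacy application: it refuses requests that carry no valid session, verifies the session token, and only then forwards the request upstream with the verified user name in an identity header. The token format (user, expiry, HMAC) is a constructed stand-in for whatever the IdP would issue after MFA; the signing key, the cookie name `session`, the header name `X-Authenticated-User` and the loopback ports are all assumptions made for the example. Two details matter for any bridge of this kind: the proxy must delete any caller-supplied identity header before setting its own, and the legacy application must only be reachable through the proxy, otherwise the header can be forged.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
	"time"
)

// Constructed demo key standing in for the IdP's signing key; never hard-code a real one.
var sessionKey = []byte("constructed-demo-key-not-for-production")

// Header the proxy uses to tell the legacy app who the authenticated user is (assumed name).
const identityHeader = "X-Authenticated-User"

// MintToken builds "user|expiry|hmac", a stand-in for a token the IdP issues after MFA.
// The user name must not contain "|".
func MintToken(user string, exp time.Time) string {
	payload := fmt.Sprintf("%s|%d", user, exp.Unix())
	mac := hmac.New(sha256.New, sessionKey)
	mac.Write([]byte(payload))
	return payload + "|" + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// VerifyToken checks the HMAC in constant time and rejects expired tokens.
// It returns the user name and true only when both checks pass.
func VerifyToken(token string, now time.Time) (string, bool) {
	parts := strings.Split(token, "|")
	if len(parts) != 3 {
		return "", false
	}
	mac := hmac.New(sha256.New, sessionKey)
	mac.Write([]byte(parts[0] + "|" + parts[1]))
	got, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(got, mac.Sum(nil)) {
		return "", false
	}
	var exp int64
	if _, err := fmt.Sscanf(parts[1], "%d", &exp); err != nil || now.Unix() >= exp {
		return "", false
	}
	return parts[0], true
}

// NewAuthBridge returns the proxy handler: no valid session, no access to the upstream app.
// The now func is injectable so expiry handling can be exercised deterministically.
func NewAuthBridge(upstream *url.URL, now func() time.Time) http.Handler {
	proxy := httputil.NewSingleHostReverseProxy(upstream)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Strip any identity header the client sent; the app must only see the proxy's value.
		r.Header.Del(identityHeader)
		c, err := r.Cookie("session")
		if err != nil {
			http.Error(w, "authentication required", http.StatusUnauthorized)
			return
		}
		user, ok := VerifyToken(c.Value, now())
		if !ok {
			http.Error(w, "invalid or expired session", http.StatusUnauthorized)
			return
		}
		r.Header.Set(identityHeader, user)
		proxy.ServeHTTP(w, r)
	})
}

// LegacyApp stands in for an on-premises application that knows nothing about SAML or OIDC
// and simply trusts the identity header set by the proxy in front of it.
func LegacyApp() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "hello %s", r.Header.Get(identityHeader))
	})
}

func main() {
	// Legacy app bound to loopback only (assumed port), so it is reachable solely via the proxy.
	go http.ListenAndServe("127.0.0.1:9000", LegacyApp())
	upstream, _ := url.Parse("http://127.0.0.1:9000")
	log.Println("auth bridge on :8080; send cookie session=<token from MintToken>")
	log.Fatal(http.ListenAndServe(":8080", NewAuthBridge(upstream, time.Now)))
}
```

In a real deployment the proxy would obtain the session by completing an OIDC or SAML flow with the IdP instead of verifying a locally minted HMAC token, but the enforcement point, the header stripping and the network isolation of the upstream application stay the same.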
The benefits of Datawiza include:
- “Instant application protection” – Meet cyber insurance requirements now. Do a proof of concept in a couple of days, then integrate each application in minutes.
- Extend the life of mission-critical investments in existing applications – Obtain all the required security without ripping and replacing.
- NO-SDK/No-code – Configure each new application with MFA in minutes.
- Created by security experts – No need for new security expertise, no risk of introducing vulnerabilities.
- Easy integration – Works with cutting-edge cloud-native technologies, such as containerization and Kubernetes.
- Increased security – Protects individual applications even during a network breach.
To determine the best approach to MFA for your organization, start by answering the following questions:
- What is the status of your attempt to obtain cyber insurance? Is it on hold because of MFA?
- Which applications currently support MFA, and which do not?
- If you have deployed a modern IDaaS solution, what is the timeline for requiring MFA for all applications? Does this timeline introduce an unacceptable risk because of the delay in obtaining cyber insurance?
- If you want to rely on internal resources to rewrite your non-standard apps, how long will it take and what will the impact be on your strategic projects? What is the team’s level of security expertise?
- If you hire development or security consultants to modernize your legacy apps, what will the cost be and how long will it take?