The list of companies that have experienced data breaches in 2022 continues to grow, including Meta, Samsung, Twilio, Twitter, Uber and more. If these companies – with their large, dedicated cybersecurity teams – are vulnerable, so is every other company. No wonder the cyber insurance market is expected to grow at a compound annual rate of almost 25 percent through 2026, reaching nearly 28 billion U.S. dollars.
However, the rising cost of claims related to breaches is forcing cyber insurance companies to raise premiums and impose new security process requirements on companies to obtain a policy, including multifactor authentication (MFA).
In my last post, I explained the challenges businesses face in trying to add MFA to self-hosted applications that don’t support modern single sign-on (SSO) protocols (SAML, OIDC/OAuth). I also offered some insights into the pros and cons of the different strategies companies are using to bring MFA to these applications. This post offers a set of questions you can put directly to your security and development teams. The answers will help you determine the fastest and most cost-effective path for your organization to take.
If your company has standardized on a modern Identity as a Service (IDaaS) solution like Microsoft 365 (Azure AD), Google Workspace or Okta, then you can easily turn on MFA for your modern SaaS-based applications, like Salesforce, Zendesk, Workday, Slack, DocuSign, etc. However, you most likely also rely on several highly valuable self-hosted applications that don’t easily connect to your IDaaS. These may include critical enterprise applications you use to run your business (e.g., Oracle EBS, JDE, Peoplesoft), the homegrown apps your teams have built to offer or manage your differentiated products and services, and the open source tools your development teams use for coding and testing.
By cataloging the number and type of self-hosted applications in use at your organization, you can assess which ones are critical and which ones can be replaced – at what cost, over what timeframe and with what level of distraction and frustration for your users and customers. You can then determine the number and type of applications you must keep – and for which you must find a way to add MFA.
Make sure you and your IT team fully understand the options for adding MFA to self-hosted applications. By understanding the pros and cons of each, you can challenge your IT team to settle on the best option for your organization.
- DIY approach – Developers can use SDKs provided by the IDaaS solution provider to integrate each self-hosted app with the IDaaS.
- System integrator – You can pay a system integrator like Accenture to connect all self-hosted apps to your IDaaS.
- Hardware gateways – You can purchase new equipment to modernize your legacy applications.
- Cloud-native service – You can use no-code proxies that require neither a development project nor new hardware.
Many IT teams, especially those with strong developer groups, default to internal coding projects as the fastest, cheapest and safest way to solve a problem. That’s why it’s imperative to challenge this tendency. These projects almost always take longer than expected – often months for each application – so it’s vital that IT be realistic about its capabilities, resource levels, timeframe for implementing MFA, and the impact on strategic projects.
How many developers will be dedicated to the SSO/MFA integration project and for how long? What will the impact be on each strategic project? Is the team prepared for ongoing maintenance of the SDKs, such as when moving from Java 8 to Java 11? Are the developers already familiar with the SDKs provided by the IDaaS provider, or will there be a steep learning curve? How much security expertise does the team have and how familiar are they with modern security protocols? Have they coded related projects in the past?
A lack of expertise in these areas increases the risk of vulnerabilities appearing in the code. If the team has challenges or needs support, how easy is it to obtain help from the IDaaS provider? Have they sought this type of help from the IDaaS provider before? Where else can they go for assistance, and what will it cost for reliable advice?
Companies with deep pockets should at least consider the system integrator approach. However, there are several factors to keep in mind. What will the cost be – not just for the initial integration of each application, but also for the ongoing maintenance? What will the turnaround time be, and how will that affect the timeline for obtaining cyber insurance?
While hardware gateways can work, this approach requires input from other IT teams to assess the impact on the infrastructure, including application performance. It can also be a very expensive way to deliver MFA for your self-hosted applications, because it requires security expertise to implement and the devices demand constant maintenance. So ask: are there other benefits the IT team expects to receive from the new hardware?
I know I’m biased about the benefits of Datawiza, so don’t take my word for it. Challenge your IT team to explore the pros and cons of our approach. We are security experts, and we’ve adopted a proxy-based no-code strategy for safely, securely and rapidly adding SSO and MFA to all your applications. We’ve also just announced a new integration with Microsoft 365 that makes it especially easy for businesses to deploy MFA for mission-critical Oracle business applications.
Datawiza works with any IDaaS platform – you simply deploy super-lightweight, cloud-native and container-based proxies at the front end of each self-hosted application to automatically create a bridge between the application and your IDaaS solution. With Datawiza, your team can download, configure, test and implement the solution in just a few days, providing universal and near-instant SSO and MFA for all your self-hosted applications – all with no coding, and no changes to your infrastructure.
Your path to cyber insurance runs through MFA
No matter what your long-term plan is to modify or replace all your self-hosted applications, you need MFA now to obtain cyber insurance. By having your IT team answer the six questions above, you can ensure your organization will take the smartest path forward. If you or your team would like more information on how Datawiza can help your company, we have technical blogs and videos that are definitely worth checking out.