March 22, 2022
Do you have an existing legacy system still connected to your active network? Perhaps an old financial system or database, something containing critical and sensitive information that either can’t be ported to a newer system or is too difficult to port.
If you do, you’re not alone. It’s estimated that around 30% of an organization’s technology assets are made up of legacy systems. While legacy systems have been a problem for a long time now, there’s a new dimension to the problems they are causing when it comes to cyber insurance.
If you’ve tried to renew your cyber insurance, or acquire it for the first time, it’s likely that your insurer has asked you what legacy infrastructure exists at your company and how you’re protecting it, often specifically whether it is protected with multi-factor authentication (MFA).
Insurance companies are now getting tough on companies that run legacy systems in their network. These systems are more exposed and more dangerous to the rest of the network because they don’t receive modern updates and lack modern security measures, so insurers are asking companies to lock them down hard.
While it can be a difficult task, it is possible to secure your legacy systems and keep your cyber insurance premiums low. We’ve laid out three main approaches to protect a company’s legacy systems: isolating the network segment the system lives on, controlling its web traffic through a web access manager, and protecting the system directly through the authentication protocols or APIs it already supports.
Let’s dive deeper into each one and learn how you can protect your legacy system.
The first approach is isolating the network segment that your legacy system uses. The idea is that no connection can be made to the system directly: the only way in is through a firewall or a jump box that controls access to that portion of the network, so you perform a second-factor authentication against the firewall or the jump box before you can ultimately reach the legacy system. What we like about network isolation is that it satisfies the standard auditing requirements for second-factor and privileged (elevated) access to these systems, because there is no other way to reach them except through the one door you open, whether that is the jump box or the firewall rules. Adding a second factor to a jump box or a firewall is typically a simple problem to solve, because these devices run more modern software.
A second approach is similar in spirit but different in mechanism: rather than isolating at the network level, you take control of the web traffic. Many legacy systems are used or administered over the web, for example users access them from a browser, or administrators reach an administrative interface on a special port. You can configure the network to funnel all of that traffic through a web access manager, a system that provides authentication, single sign-on (SSO) and traffic control in front of your down-level system. One common use case is exposing applications to users without a VPN: instead of connecting a laptop or desktop to the VPN (which puts the whole machine on the network) and then accessing individual applications, the user logs into the web access manager and gets direct access to all of their applications or remote desktops. The web access manager itself performs the authentication, and you can add a second factor to it. Because it also does session management, any web traffic reaching those systems must first have been authenticated by the web access manager. This works well for a wide variety of legacy scenarios, and we’ve seen it deployed quite a bit.
Another approach is protecting the legacy system directly through the protocols it already supports, for example RADIUS. RADIUS is a very old protocol, and most systems support authentication over it. You configure the legacy system to perform its authentication (over RADIUS, or over a direct connection) against something acting as a proxy, rather than directly against your existing user directory. From the legacy application’s perspective it is simply performing single-factor authentication, when in fact the proxy is managing both the first and the second factor. This is a way to leverage the configuration settings that already exist inside the system to enable modern two-factor authentication. Finally, if the system allows for it, and a lot of old systems do, or if it was open source to begin with, you can add a module that leverages an API. For example, LoginTC has an API that can do anything our connectors do; you can add a module directly on the legacy system to perform step-up authentication when a certain action is taken. Although legacy systems are not easy to manage, they do need protection, and they do need second-factor authentication; these approaches can help achieve that.
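The RADIUS proxy idea above, as an added worked example that is not LoginTC’s code: the legacy system sends an ordinary RFC 2865 Access-Request with a User-Name and a hidden User-Password, and the proxy checks a first factor (the password) and a second factor (an OTP) before answering Access-Accept or Access-Reject. The shared secret, the user directory, the OTP store, and the convention that users type their 6-digit OTP after their password are all assumptions constructed for the example.

```python
import hashlib, hmac, os, struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                           # RFC 2865 attribute types
SECRET = b"constructed-shared-secret"   # RADIUS shared secret between legacy system and proxy
# Constructed stand-in for the user directory (first factor) and the MFA service (second
# factor): user -> (password, currently valid OTP). A real proxy would query LDAP/AD and an MFA API.
USERS = {b"alice": (b"Winter2022!", b"492817")}

def _hide_password(data, authenticator, encrypt):
    # RFC 2865 User-Password hiding: XOR each 16-byte block with MD5(secret + previous
    # ciphertext block); the first block is keyed by the request authenticator instead.
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        result = bytes(a ^ b for a, b in zip(block, hashlib.md5(SECRET + prev).digest()))
        out, prev = out + result, (result if encrypt else block)
    return out

def build_access_request(user, typed_secret, ident=1):
    # What the legacy system sends: from its point of view this is single-factor authentication.
    authenticator = os.urandom(16)
    pwd = typed_secret + b"\x00" * (-len(typed_secret) % 16)   # pad to a 16-byte multiple
    hidden = _hide_password(pwd, authenticator, encrypt=True)
    attrs = bytes([USER_NAME, 2 + len(user)]) + user
    attrs += bytes([USER_PASSWORD, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def _parse_attributes(payload):
    attrs, i = {}, 0
    while i + 2 <= len(payload):                 # each attribute is type, length, value
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            return {}                            # malformed: caller will reject the request
        attrs[atype] = payload[i + 2:i + alen]
        i += alen
    return attrs

def handle_access_request(packet):
    # Proxy side: verify both factors and return the reply code the legacy system will see.
    if len(packet) < 20 or packet[0] != ACCESS_REQUEST or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return ACCESS_REJECT
    attrs = _parse_attributes(packet[20:])
    typed = _hide_password(attrs.get(USER_PASSWORD, b""), packet[4:20], encrypt=False).rstrip(b"\x00")
    expected = USERS.get(attrs.get(USER_NAME, b""))
    if expected is None or len(typed) <= 6:     # unknown user, or no room for password + OTP
        return ACCESS_REJECT
    # Assumption: users append their 6-digit OTP to the password in the legacy login form.
    password, otp = typed[:-6], typed[-6:]
    both_ok = hmac.compare_digest(expected[0], password) & hmac.compare_digest(expected[1], otp)
    return ACCESS_ACCEPT if both_ok else ACCESS_REJECT
```

A deployment would wrap `handle_access_request` in a UDP listener on port 1812 and sign the reply with the RFC 2865 Response Authenticator; the point here is that the legacy system’s configuration never changes beyond pointing its RADIUS server at the proxy.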
While legacy systems remain useful for some companies, there are ways to modernize their protection in order to obtain a good cyber insurance premium. Companies with legacy systems are deemed high risk and therefore can face higher premiums; however, if you can find a solution that’s compatible with your legacy system, the risk is reduced, and so are your premiums.
Contact us today if you have questions about how to protect your legacy systems with MFA!