Chris Martin, Head of Solution Architecture at SecurEnvoy, explores the options for organisations that are unable to use cloud-based authentication
We are often approached by organisations that depend on on-premise applications and data storage, who are looking for a multi-factor authentication solution, but are unable to move to a cloud-based solution for authentication. Government organisations, for example, need strict control over their data. Mission-critical utility companies cannot tolerate even an hour of downtime. For businesses that are pursuing a gradual approach to cloud migration, on-premise is either the only option or part of a hybrid on-premise/cloud approach.
By “on-premise” we’re specifically looking at applications that are housed within the physical confines of an organisation in a data centre on a server or private cloud, rather than being remotely hosted on servers or in the public cloud.
On-premise still critical for organisations
While the cloud might be the obvious choice for many companies looking to reduce the cost of managing applications, there are a few reasons why others are opting out of the public cloud.
Data Security – Moving data to the cloud means that you are reliant on the security and access controls provided by the cloud supplier, and organisations that need to protect sensitive personal data, such as health information or other highly confidential information, may need to retain tighter control.
Data Sovereignty – With diverse data privacy legislation in different countries, some organisations may need to keep certain data on-premise to ensure that it does not exit the country of residence. If your Zero Trust policy does not allow data to be transferred abroad, you need to be wary of cloud applications that are conducting back-ups to data centres in other countries.
Resiliency – No cloud provides 100% availability, and for mission-critical organisations just an hour’s outage can be critical. With more and more security breaches of cloud-based solutions, is the cloud safe enough for your data?
For government organisations with sensitive data that cannot be compromised, insurance and healthcare organisations that handle large amounts of sensitive data, transport networks and national infrastructure that need to ensure services are kept running, or organisations that cannot risk security in any way, on-premise is the safest option across all aspects of your solution, including authentication.
Alternatively, you might find that you still have a mix of on-premise applications and are looking to move to the cloud as part of a hybrid architecture. The need for on-premise MFA is still there, alongside the need for it to provide the same functionality in the cloud.
When is an MFA solution really on-premise?
The challenge facing plenty of these businesses is that many of the MFA solutions available today are cloud-based software-as-a-service – with the security and data control risks this poses. When vendors do offer both on-premise and cloud solutions, the downside can be that there are two separate code-bases, which often limits the features that are available across both on-premise and cloud. Other vendors may have on-premise solutions, but are moving their code-base to the cloud.
From the point of view of authentication, some methods rely on an internet connection to send a request to a mobile phone, as with SMS or push OTP, so if you need a fully on-premise solution, it is best to consider using an OTP app on the phone or hardware tokens.
When enrolling new users in a tightly secured environment, it is also advisable to do this internally on the local area network rather than over the web, with its risk of security breaches.
What to look for with on-premise MFA
There are some key questions that should be considered when looking for an on-premise MFA solution, to get an understanding as to whether it will really fit the bill and provide the functionality and future-proofing needed:
- Does the MFA vendor offer truly on-premise MFA? Also, can it handle different authentication methods, including hardware tokens or an OTP app on the phone, to avoid connecting to the internet?
- If you are using on-premise now, will you be able to move to the cloud and have the same MFA features available in a hybrid architecture?
- Is the MFA solution able to let you adapt to the distinct needs for on-premise and cloud in different countries or meet changing data privacy regulations or security postures?
- If security is a critical concern, can you enrol employees and administration staff on-premise to reduce the risk of breaches through web-based enrolment?
An evolution of MFA
To really ensure that you are able to meet all your security requirements and satisfy the needs of different parts of your organisation and different users, you need more than just MFA. “Modern authentication” evaluates additional signals such as location, network, time of day and browser, for example, to determine whether a user should have access – regardless of whether the user has correctly verified themselves via one of the different authentication methods and devices available to them. Modern authentication gives you the ability to select the most appropriate technology to address different use cases and security levels in your organisation, and the added assurance that your on-premise (or cloud) data is safe and sound.
About SecurEnvoy
SecurEnvoy provides cyber security solutions which deliver verifiable trust and data protection to millions of users worldwide. The SecureIdentity & Protection Suite of solutions delivers a unique combination of trusted identity and access management with complete data loss prevention – giving you the power to identify, control and protect any user, any data, on any device, whatever the location. www.securenvoy.com/mfa