
How To Satisfy the Cyber Insurance Requirement for Multi-factor Authentication for Critical Self-Hosted Applications

No one likes paying for health insurance, but we know it takes only one health issue to wipe out a family’s financial resources. Welcome to the new business requirement for cyber insurance.

Cyberattacks continue to soar, and a report commissioned by insurance provider Hiscox and conducted by Forrester Consulting found that 20% of firms say a cyberattack threatened their solvency.

However, it can be difficult to obtain cyber insurance thanks to the requirement to implement multi-factor authentication (MFA) for all applications and APIs. Modern identity platforms (e.g., IDaaS solutions like Microsoft Azure AD and Okta) support MFA only for cloud-based applications that support modern security protocols (SAML and OIDC/OAuth). This means they don’t enable MFA for critical “self-hosted” applications like on-premises Oracle (JD Edwards, PeopleSoft, E-Business Suite, etc.) and SAP; the homegrown line-of-business (LOB) apps you use to run your business; and the open source tools most developers use.

So if you need cyber insurance, and you need it now, what is the fastest and most cost-effective path to connecting all your self-hosted apps to your identity platform and enabling MFA? To find the answer, ask these 6 questions of your IT team.

1. What’s the scope of our MFA challenge?

The greater the number of self-hosted apps your company relies on, the longer and more arduous the MFA journey will be if you take the wrong approach. Only a thorough audit of all the applications accessed by your employees can tell you which are self-hosted, which can be replaced with modern equivalents, how long such replacements would take, and what the impact would be on users and customers. Now that you know the number of self-hosted apps that must be connected to your identity platform to enable MFA, you can look at the options and assess the costs, time requirements and level of complexity.

2. Isn’t using our existing development team to code the connections the fastest and cheapest alternative?

Maybe, but probably not. Coding a connection between just one application and the identity platform can take months of effort, distracting the dev team from strategic projects. The team will need to acquire and learn to use an SDK, learn about modern SSO protocols (OIDC/SAML), and go through a typical dev-test-debug-production lifecycle. And the cycle starts again for each new app. Each connection also needs to be maintained forever as platforms and protocols are updated and the needs of the business evolve.

3. If we do this ourselves, do we have enough security expertise?

This can be a tricky question to get answered. Cloud security expertise is hard to come by, and even if your company has a strong cloud security team, their knowledge doesn’t typically flow to developers, who may have no experience at all with cloud-based security protocols and can therefore code vulnerabilities into the connections.

4. Why can’t we hire a third-party consultant or system integrator to implement MFA?

You can, but IT needs to keep the following in mind: this is the most expensive approach you can take. Turnaround time must be negotiated, and the faster the turnaround, the more expensive the project. And you won’t be paying just for the implementation; there are also ongoing maintenance costs, with no end in sight.

5. Is there a one-time hardware purchase that would do the job?

Yes. Legacy gateways are available to connect self-hosted apps to modern identity platforms. However, you’ll need input from your infrastructure team on the costs, for both the hardware, which can be significant, and the integration project. IT also needs to consider the impact of such an approach on overall network and application performance.

6. Isn’t this a common step in every cloud journey? Isn’t there a cloud-native service for this?

Yes. New cloud-native services are available that can connect applications to identity platforms and manage the connections over time. Look for a no-code, SDK-free approach that’s easy to deploy and use. A proof of concept should be fast and simple to implement, and configuring each new application should require only a few mouse clicks. Maintaining the connection between applications and the identity platform should also be automatic, to eliminate any concern about product updates or changing business requirements. Make sure the solution works across your environment, including with other cloud-native technologies such as containerization and Kubernetes. And ensure the service was built with a security-first approach.


When it comes to health insurance, no matter how much you spend on it, you still want to take responsibility for your own health. Prevention is always better than remediation. The same is true with cyber insurance. You’re implementing MFA to protect the financial health of your business and your reputation, but remember, MFA isn’t a panacea for all cyber vulnerabilities. It’s just one important step – a necessary one for cyber insurance – in your comprehensive approach to cybersecurity.