Cloud services have been a great leap forward in computing over the last decade or so. The features and functionality they provide are dazzling and, best of all, organisations need little or no infrastructure of their own to use them. Vendor marketing would have us believe that cloud is the only way forward and that on-premise MFA is on the way out: cloud first, and cloud only, with security reduced to protecting the cloud because anyone can reach it.
Our experience at SecurEnvoy shows that this is not quite true. We are often approached by organisations that depend on on-premise applications and data storage and are looking for an MFA solution, but cannot move authentication to a cloud-based service.
Government organisations, for example, need strict control over their data. Security-conscious, mission-critical utility companies cannot tolerate even an hour of downtime. For businesses pursuing a gradual cloud migration, on-premise is either the only option or one half of a hybrid on-premise/cloud approach.
On-premise MFA still critical for organisations
While the cloud might be the obvious choice for many companies looking to reduce the cost of managing applications, there are a few reasons why others are opting out of public cloud.
Data Security – Moving data to the cloud means relying on the security and access controls provided by the cloud supplier. Organisations that must protect sensitive personal data, such as health records or other highly confidential information, may need tighter control than that.
Data Sovereignty – With data privacy legislation differing from country to country, some organisations need to keep certain data on-premise to ensure it never leaves the country of residence. If your data protection policy does not allow data to be transferred abroad, be wary of cloud applications that replicate or back up data to data centres in other countries.
Resiliency – No cloud provider offers 100% availability, and for mission-critical organisations even an hour's outage can be critical. Breaches of cloud-hosted services continue to be reported, so ask whether a given provider's track record is acceptable for your data.
For government organisations with sensitive data that cannot be compromised, insurance and healthcare organisations handling large amounts of personal data, transport networks and national infrastructure that must keep services running, and any organisation that cannot accept that risk, on-premise is the safest option across every part of the solution, including authentication.
Alternatively, you may have a mix of on-premise applications and be moving to the cloud as part of a hybrid architecture. The need for on-premise MFA remains, alongside the need for the same functionality in the cloud.
When is an MFA solution really on-premise?
The challenge facing many of these businesses is that most MFA solutions available today are cloud-based software-as-a-service, with the security and data-control risks that entails. Where vendors offer both on-premise and cloud, the downside is often two separate code-bases, which limits the features available in both. Other vendors have on-premise solutions but are moving their code-base to the cloud.
From the authentication point of view, some methods depend on a network path to the user's phone: SMS needs a route to a carrier gateway and push OTP needs an internet connection to the vendor's push service. If you need a fully on-premise solution, prefer an OTP app on the phone or a hardware token, since both derive each code from a shared secret plus a counter or clock and need no connectivity at verification time.
Even then, consider whether every user can use a mobile phone at all. Some users cannot carry one for safety reasons, and some environments are so sensitive that a phone could interfere with equipment or compromise the cleanliness of the environment.
A further complication is that organisations should respect the wishes of their employees, who often do not want corporate material or corporate functions on their personal devices. Whether that is reasonable is beyond this article, but solving it by supplying corporate devices can be expensive. The best approach is not to rely solely on mobile-phone-based authentication.
In a tightly secured environment, enrolment of new users should be kept on-premise. Enrolling over the web introduces risk: internal directory passwords are often entered into a cloud service and validated against the directory through some form of agent. What happens to that password in transit, is it stored securely, and is the agent itself trustworthy? Most are probably fine, but it is still a potential weakness, and there are no guarantees.
It is therefore advisable to perform enrolment on the local area network rather than over the web.
What to look for with on-premise MFA
There are some key questions to consider when looking for an on-premise MFA solution, to understand whether it will really fit the bill and provide the functionality and future-proofing needed:
- Does the vendor offer truly on-premise MFA, and can it handle different authentication types, including hardware tokens?
- Mobile phone authentication may not suit every user: you may have no connectivity to a push service, or users may be unable or unwilling to use a mobile device. The solution needs to offer a wide range of tokens to cover them all.
- If you are on-premise now, will you be able to move to the cloud and have the same MFA features in a hybrid architecture?
- Can the solution adapt to the distinct on-premise and cloud needs of different countries, and to changing data privacy regulations or security postures?
- If security is critical, can you enrol employees and administrators on-premise to reduce the risk of breaches through web-based enrolment?
Next Generation MFA – Modern Authentication
Modern MFA is more than adding a second factor. "Modern authentication" also evaluates contextual signals such as location, network, time of day and browser to decide whether a user should be granted access. A correct second factor is necessary but not sufficient: even a user who has verified correctly with one of the available methods and devices can still be denied when the context does not match policy.
Modern authentication therefore gives you fine-grained control by applying strict policies before access is granted. For example, the payroll application may only be opened from a given location, within a set window in the month and from a specific IP address range. These additional rules, combined with traditional MFA, give a more secure and resilient solution.
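The payroll example above, as an added worked example that is not SecurEnvoy's policy engine or code from this article: a deny-by-default evaluator that takes the outcome of the second-factor check together with the login-time signals (source network, country, browser, day of month and hour) and returns a decision with a reason. The `AccessContext` and `ContextRule` types, the sample rules and the five constructed login attempts are all this example's own assumptions.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Tuple


@dataclass(frozen=True)
class AccessContext:
    """Signals collected at login time. Field names are this example's own."""
    user: str
    application: str
    mfa_verified: bool      # outcome of the second-factor check (OTP app, token, ...)
    source_ip: str
    country: str            # e.g. from IP geolocation or an internal site table
    browser: str
    when: datetime          # taken from the server clock, never from the client


@dataclass(frozen=True)
class ContextRule:
    """Policy for one application. A constraint left empty is not enforced."""
    application: str
    allowed_networks: Tuple[str, ...] = ()               # CIDR blocks
    allowed_countries: Tuple[str, ...] = ()
    allowed_browsers: Tuple[str, ...] = ()
    days_of_month: Optional[Tuple[int, int]] = None      # inclusive (first, last)
    hours: Optional[Tuple[int, int]] = None              # [start, end) on a 24h clock


def evaluate(ctx: AccessContext, rules) -> Tuple[bool, str]:
    """Return (allowed, reason). Anything not explicitly permitted is denied."""
    if not ctx.mfa_verified:
        return False, "second factor not verified"
    rule = next((r for r in rules if r.application == ctx.application), None)
    if rule is None:
        return False, f"no policy for application {ctx.application!r}"
    if rule.allowed_networks:
        ip = ipaddress.ip_address(ctx.source_ip)
        if not any(ip in ipaddress.ip_network(n) for n in rule.allowed_networks):
            return False, f"source IP {ctx.source_ip} outside allowed networks"
    if rule.allowed_countries and ctx.country not in rule.allowed_countries:
        return False, f"country {ctx.country} not allowed"
    if rule.allowed_browsers and ctx.browser not in rule.allowed_browsers:
        return False, f"browser {ctx.browser} not allowed"
    if rule.days_of_month:
        first, last = rule.days_of_month
        if not first <= ctx.when.day <= last:
            return False, f"day {ctx.when.day} outside allowed window"
    if rule.hours:
        start, end = rule.hours
        if not start <= ctx.when.hour < end:
            return False, f"hour {ctx.when.hour:02d} outside allowed window"
    return True, "all context checks passed"


# Constructed sample policy: payroll only from the finance VLAN, from the UK, from a
# managed browser, in the last week of the month and during office hours.
SAMPLE_RULES = (
    ContextRule("payroll",
                allowed_networks=("10.20.0.0/16",),
                allowed_countries=("GB",),
                allowed_browsers=("Edge", "Chrome"),
                days_of_month=(25, 31),
                hours=(8, 18)),
    ContextRule("intranet", allowed_countries=("GB",)),
)


def demo():
    """Five constructed attempts: one compliant, then one deviation each."""
    base = dict(user="alice", application="payroll", mfa_verified=True,
                source_ip="10.20.5.7", country="GB", browser="Chrome",
                when=datetime(2024, 5, 28, 10, 30))
    attempts = [
        AccessContext(**base),                                         # allowed
        AccessContext(**{**base, "mfa_verified": False}),              # OTP failed
        AccessContext(**{**base, "source_ip": "203.0.113.9"}),         # off-network
        AccessContext(**{**base, "when": datetime(2024, 5, 3, 10, 30)}),  # wrong week
        AccessContext(**{**base, "application": "crm"}),               # no policy
    ]
    return [evaluate(a, SAMPLE_RULES) for a in attempts]


if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

Two design points carry over to any real policy engine: the second-factor result is checked first and never overridden by favourable context, and an application with no rule is denied rather than allowed, so forgetting to write a policy fails closed.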
Overall, modern authentication lets you select the most appropriate technology for each use case and security level in your organisation, with the added assurance that your on-premise data stays where you put it.