What to consider from an on-premise MFA solution
On-premise MFA still critical for organisations
While the cloud might be the obvious choice for many companies looking to reduce the cost of managing applications, there are a few reasons why others are opting out of public cloud.

Data Security – Moving data to the cloud means that you are reliant on the security and access controls provided by the cloud supplier. Organisations that need to protect sensitive personal data, such as health information or other highly confidential information, may need tighter control.

Data Sovereignty – With diverse data privacy legislation in different countries, some organisations may need to keep certain data on-premise to ensure that it does not leave the country of residence. If your Zero Trust policy does not allow data to be transferred abroad, you need to be wary of cloud applications that back up to data centres in other countries.

Resiliency – No cloud provides 100% availability, and for mission-critical organisations even an hour's outage can be critical. With more and more security breaches of cloud-based solutions, is the cloud safe enough for your data?

For government organisations with sensitive data that cannot be compromised, insurance and healthcare organisations that handle large amounts of sensitive data, transport networks and national infrastructure that need to keep services running, or organisations that cannot risk security in any way, on-premise is the safest option across all aspects of your solution, including authentication.

Alternatively, you might find that you still have a mix of on-premise applications and are looking to move to the cloud as part of a hybrid architecture. The need for on-premise MFA is still there, alongside the need for it to provide the same functionality in the cloud.

When is an MFA solution really on-premise?

The challenge facing plenty of these businesses is that many of the MFA solutions available today are cloud-based software-as-a-service, with the security and data control risks this poses. When vendors do offer both on-premise and cloud solutions, the downside can be that there are two separate code-bases, which often limits the features available across both. Other vendors may have on-premise solutions but are moving their code-base to the cloud.

From the point of view of authentication, some methods rely on an internet connection to send a request to a mobile phone, as with SMS or push OTP. If you need a fully on-premise solution, it is best to consider an OTP app on the phone or hardware tokens, because the one-time code is generated and verified without a network round trip.

Even with the mobile phone, you may need to consider whether users can use one at all. Some users cannot use a mobile phone for safety reasons, and some environments are so sensitive that a mobile phone may affect equipment or the cleanliness of the environment.

The added complication is that organisations should be very sensitive to the wishes of their employees. Employees often express a wish not to have corporate material on their personal devices or to use them for corporate functions. It is beyond this article to discuss the validity of this, but overcoming the problem by supplying corporate devices can be an expensive solution. The best approach is not to rely solely on mobile phone-based authentication.

Enrolment of new users in a tightly secured environment should be kept on-premise. Enrolling on the web can expose security risks. For example, internal directory passwords are often entered into a cloud service and validated against it using some form of agent. What happens to that password? Is it stored securely? Is the agent 100% safe? To be honest, most are likely to be safe, but it is still a potential vulnerability, as there are no guarantees. It is therefore advisable to consider doing enrolment internally on the local area network rather than on the web.

What to look for with on-premise MFA

There are some key questions that should be considered when looking for an on-premise MFA solution, to understand whether it will really fit the bill and provide the functionality and future-proofing needed:

- Does the MFA vendor offer truly on-premise MFA? Can it handle different authentication types, including hardware tokens?
- Mobile phone authentication may not be suitable for all users. You may not have connectivity to a push service, or users simply cannot or will not use a mobile device. The solution needs to provide a wide range of tokens to cover all users.
- If you are using on-premise now, will you be able to move to the cloud and have the same MFA features available in a hybrid architecture?
- Is the MFA solution able to let you adapt to the distinct needs for on-premise and cloud in different countries or meet changing data privacy regulations or security postures?
- If security is a critical concern, can you enrol employees and administration staff on-premise to reduce the risk of breaches through web-based enrolment?
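To show why an OTP app or hardware token fits a fully on-premise deployment where SMS or push OTP does not, here is an added example (not SecurEnvoy's code and not taken from this article) of the server-side check such a token relies on: an RFC 6238 time-based one-time password verified locally against a shared seed, with the replay check a practitioner would want. The seed is the RFC 4226/6238 test-vector key, constructed for the demo; the LocalTotpVerifier class, its one-step drift window and the per-user last-step record are this example's own design choices, not a description of any vendor's product.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional

STEP_SECONDS = 30   # TOTP time step shared by the server and the token/app
DIGITS = 6          # code length most OTP apps and hardware tokens display
WINDOW = 1          # accept one step of clock drift either side of "now"

# Constructed demo seed: the 20-byte ASCII key "12345678901234567890" from the
# RFC 4226 / RFC 6238 test vectors, base32-encoded the way an OTP-app QR code or
# a hardware-token seed file carries it. It is NOT a key for any real account;
# a deployment generates a random seed per user and keeps it in the on-premise
# directory or database, never in a third-party service.
DEMO_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    dynamic truncation, then reduce to the requested number of digits."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step.
    Only the seed and a clock are needed; there is no network round trip."""
    return hotp(seed, at_time // step)


class LocalTotpVerifier:
    """Checks codes from OTP apps or hardware tokens entirely on-premise.

    Holds the per-user seeds (constructed here; in practice loaded from the
    local user store) and remembers the last time step accepted for each user,
    so a code observed once cannot be redeemed again inside the drift window.
    """

    def __init__(self, seeds_b32: Dict[str, str], window: int = WINDOW):
        self._seeds = {user: base64.b32decode(s, casefold=True)
                       for user, s in seeds_b32.items()}
        self._window = window
        self._last_step: Dict[str, int] = {}

    def verify(self, user: str, code: str, now: Optional[int] = None) -> bool:
        seed = self._seeds.get(user)
        if seed is None or len(code) != DIGITS or not code.isdigit():
            return False  # unknown user or malformed code; same answer for both
        now = int(time.time()) if now is None else now
        current = now // STEP_SECONDS
        for delta in range(-self._window, self._window + 1):
            step = current + delta
            if step <= self._last_step.get(user, -1):
                continue  # this step, or an older one, was already redeemed
            if hmac.compare_digest(hotp(seed, step), code):
                self._last_step[user] = step
                return True
        return False


if __name__ == "__main__":
    verifier = LocalTotpVerifier({"alice": DEMO_SEED_B32})
    t = 59  # RFC 6238 test time: step 1, 6-digit code 287082
    code = totp(base64.b32decode(DEMO_SEED_B32), t)
    print("first use:", verifier.verify("alice", code, t))   # True
    print("replay   :", verifier.verify("alice", code, t))   # False
```

The same check serves a hardware token seeded with the same secret, since the token and the server compute the identical code from the seed and the time step. The only external dependency is clock agreement, which NTP on the local network provides, so nothing about the login has to leave the premises.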
Published: 21 September 2022
Category: Industry News, Industry Research
2FA / MFA / On-premise