Why on-premise access management still matters in a cloud-focused world

It seems like only yesterday that the world’s CEOs were frantically joining the rush to the cloud, sometimes chastising those who ignored the trend as they did so. Now, talk is of ‘cloud repatriation’, i.e. a return to on-premise deployments, because not only is the cloud not a magic bullet, it can also be hard to reconcile with some workflows, company policies and legacy systems. Of course, some organisations have resolutely remained on premise throughout their existence: government bodies, banks and healthcare organisations running mission-critical applications, along with businesses in areas that lack reliable internet access, are better assured of 24/7 functionality, service provision and regulatory compliance if they stay on premise.

However, networks of all types require robust user authentication and access management: this is also referred to as identity and access management, or IAM. Fortunately, solutions from third-party providers like SecurEnvoy allow on-premise users to apply robust and customised access management with a choice of MFA options, and provide pinpoint control over all aspects of data access. In this blog we will explore the case for sticking with on-premise servers, the IAM requirements that are specific to on-premise users and discover how to optimise on-premise access management in a world that is increasingly data-driven.

A growing volume of data — and regulation

Over the last decade, the digitalisation of homes and workplaces has triggered massive and ongoing growth in the volumes of data that must be managed. Now, during each minute of every day, 241 million emails are sent, cybercriminals launch 30 DDoS attacks, ChatGPT users send 6,944 prompts and the average person produces 102 MB of data. [1] These numbers continue to increase: the total amount of data created, captured and consumed worldwide hit 64.2 zettabytes in 2020 and is predicted to exceed 180 zettabytes in 2025. [2]

Data is more than a business asset: for many organisations – from SMEs and PLCs to national governments and international bodies – it embodies the essence of their work and purpose. Thus, governmental bodies and organisations are highly concerned that foreign powers might access their citizens’ data. Such risks may arise not only from those with clearly malicious intent, such as cybercriminals, but also from the behaviour of the data holders’ staff, or those of their professional partners or allies. Consequently, the fundamental nature of data is increasingly reflected in legislation and regulation designed to protect and localise personal data. Breaching these rules can have catastrophic effects on any organisation involved.

Data protection primarily seeks to ensure two forms of data integrity. These are data sovereignty – the idea that any item of data is governed by the regulations applicable in the nation or region within which it was collected, i.e. the location in which the data was collected retains sovereignty over that information – and data residency – the physical/geographical location(s) in which data is stored.

Thus, the tendency of public SaaS platforms to move data around and store it in multiple and/or unspecified locations may be incompatible with an organisation’s need to ensure both data sovereignty and data residency. Furthermore, where an organisation operates internationally it may have to act to ensure and prove compliance with data protection regulations in multiple jurisdictions.

In this context, maintaining data on-premise with a custom-configured on-premise IAM solution can be an important safety measure, since an on-premises setup is much less visible to attackers than any well-known SaaS platform, and its security is more customisable. Indeed, public SaaS platforms may be particularly attractive to cybercriminals, who know that a single platform may serve many customers, and thus the exploitation of a single known vulnerability may expose a wealth of potentially lucrative data. Notably, in 2023 more than 80% of data breaches were of information stored in the cloud. [3] In contrast, for cybercriminals an on-premises solution offers a much lower reward for the more extensive efforts required to breach it and can be hidden behind customised security barriers. Those barriers should include a custom MFA solution that takes into account the need for data sovereignty and residency and can be adapted to meet the demands of multiple regulations.

Finally, of course, any cloud-based system is useless when the internet connection dies — which is a major issue for the many organisations operating in regions with poor connections, and those for whom any unscheduled downtime might spell disaster. For these organisations, entirely on-premise or hybrid architecture may be the only viable solution.

Compliance requirements and on-premises data storage

Organisations in highly regulated sectors, such as defence, government, healthcare and finance, often favour the tight security and access controls that on-premise setups provide. Indeed, many have little choice but to stay on-premise if they are to comply with the stringent regulatory and insurance-related requirements that apply in these industries.

For example, a regulated organisation may have to guarantee that all of its data remains within the country of origin or another strictly-defined geographic location. This can be hard for cloud providers to guarantee since many use geographically diverse servers and backup arrangements. Conversely, data that lives only on the local area network is verifiably in one place and one place only. Thus, an in-house solution with on-premise access management allows regulatory compliance and gold-standard ID and access control at all times.

Additionally, many organisations use legacy or specialist systems that are not cloud-native or even cloud-compatible, but must nonetheless be secured to the greatest extent possible. Many, perhaps most, companies that were not founded in the cloud (i.e., are not cloud native) will have legacy infrastructure that makes a wholesale move to the cloud either impractical or very expensive. In these cases, retaining at least partial on-premise provision and ensuring highly robust on-premise access management makes perfect sense.

Potential vulnerabilities with external providers

When Microsoft ceased to offer its MFA Server on-premises solution, the company advised those affected to use its replacement (but cloud-based) services, or to install a third-party on-premises access management solution. [4] Using third-party MFA solutions can give users pinpoint control over their data, allowing administrators to ensure data sovereignty and security and verify that all data remains within any relevant geographic boundaries.

Clearly, all organisational data — whether on-premise or cloud-based — must be secured, and access to it controlled, to the greatest extent possible. But equally clearly, any organisations seeking to purchase on-premises access management solutions must consider their options carefully, because third-party providers can vary in terms of the protection and other advantages they offer.

What to look for when choosing on-premise access management

When choosing their third-party MFA and access control provider, organisations’ needs will vary according to their regulatory, legal and practical environments and their preference for entirely on-premise vs. hybrid vs. entirely cloud setups. However, all organisations would do well to consider the following before choosing their on-premise Access Management solution:

  • Flexibility. Ideally, an Access Management solution will offer an extensive range of authentication options, such as biometrics, hardware tokens, mobile authenticators and passwords. Such variety allows the user to select the options most suitable for their environment, and to vary these by user group as appropriate.
  • Integration. The chosen solution must integrate with legacy and modern technologies, to ensure complete coverage and seamless deployment. Ensuring compatibility with relevant operating systems, databases, applications and network infrastructures is a key component of the purchasing decision.
  • User experience. A straightforward user experience is crucial to effective implementation and use of the solution. This is particularly important for administrators, who must be able to log in, manage user access and reset passwords without disrupting normal business.
  • Scalability. Businesses inevitably grow and change: a third-party Access Management solution must be able to flex with this and make it easy for administrators to scale or modify the system in line with business and/or regulatory change. Furthermore, it should be possible to scale and adapt the system without compromising the quality of service, and without significant disruption, reconfiguration or capital investment (e.g. in upgraded hardware).
  • Reporting and analytics. A high-quality Access Management solution should feature user-friendly dashboards with ample information. This ensures real-time awareness and control of network access while providing the audit trails and evidence required to prove regulatory compliance. A solution that provides accessible, readable data and allows the user to generate custom reports also allows administrators to identify access patterns (and any potentially dangerous departures from those patterns), and to spot and mitigate security risks.
  • Cost. The ideal Access Management solution is based on a simple, cost-effective licensing model. There should be no hidden fees; customers should understand the lifetime cost of ownership and any additional investment required for setup, maintenance and potential scaling/upgrades, from the outset.

With a little research and planned implementation it is entirely possible to apply gold standard security and information access management controls to on-premise data, while retaining the option to flex with business and infrastructure changes going forward. Even in a world that seems obsessed with cloud provision, there is no reason whatsoever for organisations to compromise when it comes to on-premise access management and wider IAM provision.

Sources

1. DOMO, ‘Data Never Sleeps 11’, available at: https://www.domo.com/learn/infographic/data-never-sleeps-11
2. Statista, available at: https://www.statista.com/statistics/871513/worldwide-data-created/
3. Harvard Business Review, ‘Why Data Breaches Spiked in 2023’, available at: https://hbr.org/2024/02/why-data-breaches-spiked-in-2023#:~:text=But%20in%20spite%20of%20those,around%20this%20uptick%20are%20disturbing.
4. Microsoft, 23 October 2023, available at: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-server-settings

Published: 10 June 2024

Category: Industry News

Insider Threat Protection / MFA / Remote Working

Adam Bruce, CRO, SecurEnvoy

Adam’s career spans over twenty years, starting with a technical specialisation in Networking and Security. This start provided a sound technical understanding of Cyber Security and gave the foundation for twenty years in commercial sales. Adam’s experience includes over seven years operating within a high-profile Cyber Security VAR, working with household names across a wide range of sectors. Adam joined SecurEnvoy in 2005, as the first sales hire, with a hand in both End User Sales and Channel Development. The fifteen year SecurEnvoy journey has resulted in Adam successfully building out and leading the commercial operations and strategy. He has risen through many roles within the business at SecurEnvoy, culminating as Chief Revenue Officer.
