3 reasons enterprises are modernizing the security and identity strategy for legacy apps

By Dan Seyer, CMO, Edgile

Enterprises have a major investment in legacy apps—client-server apps, mainframe apps, web apps, and web apps connected to mainframe apps via queuing technology or modern APIs. They are often created in-house so there are no ongoing license fees. Legacy apps tend to be precisely crafted for one particular area of a specific company and fine-tuned for that enterprise’s needs. For decades, legions of employees and contractors have been trained on these apps and it all works wonderfully.

But as beloved as legacy apps are, they bring along a large number of serious security and compliance issues. Many were written a long time ago when the security assaults of today were not a concern. That’s one reason why the apps don’t have appropriate self-defenses, instead relying on the firewall and DMZ. They are often using an older OS or platform, which makes proper security patching problematic. And most critically, the coders who crafted these apps are often no longer with the company or in the same roles. New developers can certainly make changes but documentation is often missing so this requires a more robust development and QA process with adequate test plans and path-to-production environments.

Don’t fear legacy apps. Instead, embrace them by layering on modern security. You can indeed enjoy the best of both worlds. Many of our clients are investing in Microsoft security and access capabilities across their enterprise once they understand the security suite in E5. The challenge is integrating those modern capabilities in a way that seems effortless to users and administrators. - Raul Andaverde, Edgile Director/Architect

Here are the three big reasons leading enterprises are modernizing the security and identity strategy for their legacy apps.


Security and compliance are much more important today due to an increasing number of aggressive and sophisticated attacks against a dramatically larger attack surface. The expansion of the remote workforce is growing this attack surface exponentially. Work from home (WFH) policies are likely to continue even as the COVID-19 threat dissipates over time. Consider that companies including Facebook, Twitter and Square have already pledged to sharply boost WFH for the foreseeable future, if not permanently.

The most practical way to deal with these security challenges is to place modern intelligent security control protections in front of the legacy applications. Cloud security controls such as AADP are another critical defense element.

But placing 2020 security defenses in front of 1990s apps can bring new security and compliance headaches. Enterprises that are still requiring VPN access today are seeing how this stresses the planned infrastructure. Fortunately, there are proper ways to add modern front ends to these apps.

All legacy apps should be behind robust continuous authentication, which leverages AI/ML, behavioral analytics and, in some cases, biometrics. Behavioral analytics specifically looks at everything the user has done and looks for pattern deviation in factors such as the databases typically accessed, time of day of access, location of typical access, and more. When the network is being accessed via a mobile device, behavioral analytics can be even more effective, examining typing speed, number of errors per 100 words, the angle at which the device is being held, gait speed, and more. Mobile also provides an easy way to incorporate biometrics—typically facial recognition or fingerprints—for an even more effective authentication system.

No authentication system would be complete without MFA. But many default MFAs—such as plain text numeric strings sent directly as a text—are insufficient, especially against man-in-the-middle attacks. Using an encrypted app, such as Microsoft Authenticator, is a better approach. Instead of using a single MFA protocol, adaptive MFA allows the enterprise to choose different levels of authentication for different situations. An example would be high security for a wire transfer and low security to see terms of service or other non-sensitive documents.


The same type of adaptable approach can be used for real-time, risk-based access. For example, organizations with Azure AD Premium P2 licenses can create Conditional Access policies incorporating Azure AD Identity Protection risk detections.

In an increasingly mobile world, device compliance is a critical issue. Very few legacy apps have a way to deal with this. The security team decides what mobile device requirements it is comfortable with, such as a minimum OS version or the use of disk encryption. Then rules and settings are created to determine what actions will happen when requirements are not met. It might be an alert or an outright block. More likely, it will specify different actions for non-compliant devices depending on the authenticated user’s privilege level as well as the sensitivity of the database that the device is trying to access.
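As an added illustration of the risk-based access and device-compliance rules described above (example code written for this page, not Edgile's or Microsoft's own), the two Conditional Access policies below protect a single legacy app: one requires MFA plus a compliant device when Identity Protection rates the sign-in risk medium or high, the other blocks users whose user-risk score is high. It assumes the Microsoft.Graph PowerShell module, an Azure AD Premium P2 licence for the risk conditions, and placeholder IDs for the app registration and the emergency-access group.

```powershell
# Added example (not Edgile's code): Conditional Access policies for a legacy app,
# created through the Microsoft Graph PowerShell SDK.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholders: substitute the IDs from your own tenant.
$legacyAppId       = "<application id of the legacy app's Azure AD registration>"
$breakGlassGroupId = "<object id of the emergency-access (break-glass) group>"

# Policy 1: adaptive MFA driven by Identity Protection. Only a medium/high sign-in
# risk triggers the extra factor, and the device must also be marked compliant
# (e.g. by an Intune compliance policy that enforces minimum OS and disk encryption).
$riskPolicy = @{
    displayName   = "Legacy app: MFA + compliant device on risky sign-in"
    state         = "enabledForReportingButNotEnforced"   # report-only first; set to "enabled" after reviewing sign-in logs
    conditions    = @{
        signInRiskLevels = @("medium", "high")
        clientAppTypes   = @("all")
        applications     = @{ includeApplications = @($legacyAppId) }
        users            = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
    }
    grantControls = @{
        operator        = "AND"                       # both controls must be satisfied
        builtInControls = @("mfa", "compliantDevice")
    }
}

# Policy 2: the "outright block" option. A high user-risk score (for example
# leaked credentials) denies access to the app regardless of MFA.
$blockPolicy = @{
    displayName   = "Legacy app: block high user risk"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        userRiskLevels = @("high")
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @($legacyAppId) }
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

foreach ($p in @($riskPolicy, $blockPolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    Write-Host "Created policy '$($created.DisplayName)' (id $($created.Id)) in state $($created.State)"
}
```

Both policies start in report-only mode so the sign-in logs can confirm which users and devices would be affected before enforcement is switched on; excluding the break-glass group prevents administrators from locking themselves out.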


It’s critical that an enterprise’s modernization efforts improve security and compliance while seamlessly adding new capabilities for users, IT and Security teams. Building an API layer for the enterprise is the first step when embarking on a robust modernization journey.

A key consideration is location-based access—often done with IP addresses. This is an ideal area where multiple defenses deliver the best security, as most good attackers can fake any one of these metrics but few can mimic all of them. For instance, many VPNs include the ability to select the geography IP address where you will appear to be coming from, even if you are in a forbidden area.

VPNs are not always the best route. Enterprises must improve remote access to legacy apps to specifically allow secure non-VPN access by authenticating at the app level versus the perimeter. And yes, despite much progress on the perimeter-less enterprise, some forms of perimeter defenses are still widely used.

Another massive change since the days when these legacy apps were written is the number of non-employees that require access, including contractors and partners. Even customers need varying levels of access for things like self-service, inventory/ordering systems, supply chain status and tracking. For many enterprises, the non-employee authorizations can outstrip those of salaried employees. This forces enterprises to continuously innovate and build new capabilities using on-prem resources.

To learn more about how you can modernize applications, join us at our upcoming app modernization webinar.

Visit edgile.com/webinars for more information.