Authentication in hybrid environments – what makes some protocols “modern” and others “legacy”?

“Legacy” systems

Most organizations, even those making broad use of cloud systems, have a range of on-premises systems running their core business, so-called “legacy” systems. The term “legacy” is sometimes used negatively – as though just being an on-premises system is enough to render a system old-fashioned and due for replacement. I disagree – there are world-class systems running on-premises, particularly systems that have been custom-built for an organization’s particular needs. However, if we focus on the technology being used by some of these systems, we do find some truly legacy technology under the covers – particularly in the area of authentication.

Authentication and security

Authentication is, of course, central to any system’s security – compromise the authentication process, and you can potentially steal passwords or impersonate users. A wide variety of protocols that play a role in authentication are in general use – some are well-known authentication protocols, like NTLM, Kerberos, or OpenID Connect, and others are not known primarily as authentication protocols at all, like POP3 or SMTP, even though they carry credentials.

We at Oxford Computer Group often find, in conversation with our clients, that there are detailed knowledge gaps in this area. What makes some protocols “modern” and others “legacy”? Without this information, it can be hard to justify a technology upgrade, or a policy initiative, aimed at improving security and flexibility by banning legacy protocols and mandating modern ones.

Understanding authentication protocols

With this in mind, we are currently developing a training course to lift the veil on some of these technologies, not so much from a technical, bits and bytes perspective, but with a focus on understanding the capabilities of the various protocols, their security and operational strengths and weaknesses, where they are in common use, and how to approach their replacement.

To discuss this some more, I hosted a 50-minute webinar in March 2019 about modern and legacy authentication and authorization protocols in hybrid environments. I presented an overview of the issues so that decision-makers have a clearer understanding of what information would be useful to them in developing policy or specifying approaches to authentication in specific systems.

If you’re a technical architect, a decision-maker (architectural or development), or you have responsibility for security analysis and policymaking, you will be interested in what I have to say.