
Top 5 Problematic Applications for Securing Digital Transformation


It can be hard to let go of tried and tested enterprise applications. In particular, legacy applications are often intrinsically integrated into business processes, making them difficult to replace or upgrade.

In fact, Gartner expects that by 2025, 90% of current applications will still be in use but will not have received enough modernization investment to take them forward.

At the same time, digital transformation is changing the face of the enterprise as networks expand to encompass remote employees, supply chains, cloud applications, and edge devices. Application ecosystems are changing along with the digitally-transformed business, but legacy systems cannot always fall into line. Security gaps can sneak in when legacy applications lack support for modern security protocols and standards. This is especially true in industrial environments, which frequently depend on legacy systems to keep operations running.

NCC Group found that 45% of organizations inherited legacy security issues during a transformation project, resulting in a downgraded security posture. This insidious problem increases cyber risk and can leave organizations out of compliance with current regulations.

Legacy App #1: Oracle

Oracle has promised continued support for its legacy applications, including E-Business Suite (EBS), PeopleSoft, and WebLogic. This is good news for companies that want to move away from these applications during a digital transformation project but need to proceed slowly. However, it is unlikely that Oracle will keep updating and innovating around these products, so improvements in access control and zero-trust enablement are unlikely to be a priority for Oracle.

Security Problems

EBS does not have native support for single sign-on (SSO). PeopleSoft does not natively support modern federation protocols such as Security Assertion Markup Language (SAML) or OpenID Connect (OIDC), which limits its use in modern scenarios, including identity federation. Organizations must therefore modernize access to Oracle legacy applications using third-party platforms that sit in front of the application and handle these protocols on its behalf.

Legacy App #2: Microsoft SharePoint

On-premises SharePoint supports certain types of businesses, for example, heavily regulated industries, where cloud collaboration is seen as less secure. For organizations such as these, security is crucial, and control of data access is an essential part of regulatory compliance and data protection. However, as Microsoft has a strategic focus on cloud applications with Office 365 at its core, legacy on-premises instances of SharePoint may not maintain modern access control options.

Security Problems

On-premises SharePoint deployments will lag behind the cloud service in receiving updates. While the latest version, SharePoint Server Subscription Edition, adds some modernization features to help with authentication, including support for OIDC, turning these features on requires specialist knowledge and can be complex to achieve. Additional controls may be required to fully support a zero-trust approach to accessing SharePoint-held resources. Microsoft itself recommends a zero-trust approach to ensure robust SharePoint access control.

Legacy App #3: SAP

SAP systems are widely deployed and support many business-critical applications. Many of these deployments rely on generic username and password combinations that multiple people share. This is not done maliciously; users are just trying to get their work done, and this insecure setup happens to be the easiest way to do it. Still, without visibility into who is actually logging in at a particular time and what they are doing, it becomes impossible to attribute a session to a specific person. This creates serious challenges when conducting forensics after a security incident, and it is a nightmare for compliance.
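
The attribution problem described above can at least be made visible before an incident. The following is an added example, not code from the original article or from Cyolo or SAP: it runs over a handful of constructed login records (user, timestamp, source IP, terminal; the format is assumed, not a real SAP audit log layout) and flags any account that was used from two or more distinct endpoints within a short window, which is the signature of a shared credential.

```python
"""Flag shared-account usage in constructed login records.

Added example: the record format below is assumed for illustration and is not
a real SAP audit log format. A shared credential shows up as one account being
used from several endpoints within a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (user, ISO timestamp, source IP, terminal name).
SAMPLE_LOGINS = [
    ("SAP_OPS", "2024-03-01T08:02:10", "10.1.4.21", "WS-ACCTG-01"),
    ("SAP_OPS", "2024-03-01T08:05:42", "10.1.7.88", "WS-PLANT-07"),
    ("SAP_OPS", "2024-03-01T08:09:03", "10.1.4.21", "WS-ACCTG-01"),
    ("JSMITH",  "2024-03-01T08:11:30", "10.1.4.35", "WS-ACCTG-02"),
    ("SAP_OPS", "2024-03-01T14:40:15", "10.1.9.12", "WS-PLANT-03"),
    ("JSMITH",  "2024-03-01T15:02:00", "10.1.4.35", "WS-ACCTG-02"),
]


def find_shared_accounts(logins, window_minutes=30, min_sources=2):
    """Return {user: sorted list of (ip, terminal)} for every account that was
    used from at least `min_sources` distinct endpoints inside any window of
    `window_minutes`. Accounts with a single consistent endpoint are not
    reported, even if they log in many times."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for user, ts, ip, terminal in logins:
        by_user[user].append((datetime.fromisoformat(ts), ip, terminal))

    flagged = {}
    for user, events in by_user.items():
        events.sort()  # chronological; tuples compare by timestamp first
        for i, (t0, _, _) in enumerate(events):
            # Distinct endpoints seen from this event until the window closes.
            sources = {(ip, term) for t, ip, term in events[i:] if t - t0 <= window}
            if len(sources) >= min_sources:
                flagged[user] = sorted(sources)
                break
    return flagged


if __name__ == "__main__":
    for user, sources in find_shared_accounts(SAMPLE_LOGINS).items():
        print(f"{user}: used from {len(sources)} endpoints within 30 min -> {sources}")
```

In the constructed data, SAP_OPS is used from two different workstations seven minutes apart, so it is reported; JSMITH always comes from the same endpoint and is not. The window and threshold are knobs for the analyst; the point is that the account, not the person, is all the legacy log can tell you, which is exactly the gap an identity-aware access layer closes by binding each session to a named, authenticated user.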

Security Problems

Legacy SAP deployments can leave access to critical business resources inconsistently controlled. Integration with a zero-trust access platform can prevent unauthorized access, enforce least-privilege access rights, and block the lateral movement that lets an attacker take control of SAP systems.

Legacy App #4: Mainframes

You would be surprised how many are still out there! Research has found that 44 of the top 50 banks, healthcare organizations, and government agencies rely on IBM Z mainframes for business-critical applications. Mainframes can cause security problems during digital transformation because business-critical data must be made available to cloud-connected users.

Security Problems

Mainframes are often based on decades-old technology. These systems are not agile enough to easily support modern identity authentication or security protocols and best practices. Still, mainframes remain critical to a business and therefore need an identity and access control strategy to ensure their security.

Legacy App #5: Homegrown Applications

Homegrown applications may have been kicking around an enterprise for years, but the original coders are likely long gone. A lack of expertise in secure application coding can lead to inherent vulnerabilities in custom-built apps. In addition, these apps are unlikely to have included support for modern identity and access management needs, such as secure remote access, continuous identity validation, multi-factor authentication (MFA), and SSO. Support for modern identity protocols is also a specialist area of knowledge, making homegrown apps unlikely to support modern access control requirements.

Security Problems

Homegrown legacy applications need an agile solution that can bridge the gap between an older code base, human users, and modern zero-trust architectures. The best solution is a zero-trust access platform, such as Cyolo, that can overlay MFA and SSO capabilities without compromising the user access experience or disrupting operations.

5 Recommendations to Ensure Legacy Apps are Secure

1. Know Your Legacy

Start with a thorough accounting of all systems and applications to identify which ones will cause security issues in your proposed infrastructure. Extend this audit to your suppliers' legacy applications so they cannot disrupt your digital transformation program. The audit feeds directly into the next major security exercise.

2. Create a Security Improvement Plan (SIP)

According to a Ponemon report, 82% of organizations have experienced at least one data breach during digital transformation. A security improvement plan (SIP) is a set of guidelines and procedures for reducing risk and maintaining regulatory compliance, and it should contain specific actions for the challenging applications identified in the audit. Digitizing operational processes within a hybrid (cloud and on-prem) environment makes a smooth transition a genuine security challenge. By working from the SIP, an organization can minimize the risk of digital transformation projects that include legacy applications.

3. Move to a Zero-Trust Model

A zero-trust model that incorporates your legacy applications is the best practice for modern identity authentication. Your digital transformation initiative will likely involve a hybrid environment. To keep data and resources secure, prioritize access control by implementing MFA and a consistent password policy across your organization, including external consultants, freelancers, and other third-party users.

4. Maintain Compliance

The need to comply with regulatory or insurance requirements is a common driver of the shift to a zero-trust framework. As you transform the security model, make sure your regulatory obligations continue to be met and compliance is maintained. While many systems will fit the model easily, some will not. Carry out risk assessments and privacy impact assessments that include legacy application access. Zero-trust access solutions that overlay modern authentication and authorization protocols help keep security and privacy compliance intact.

5. Implement an Identity-Centric Zero-Trust Platform

A zero-trust access platform will secure and administer access to your 'problematic' applications. For example, there may be a long lead time for a legacy application to move from on-prem to cloud, and even longer for the deployment of a modern replacement. During this time, the security gaps must be controlled. Using a zero-trust access platform, you can overlay access control and security measures, including MFA, SSO, least privilege, auditing, and just-in-time (JIT) access for third-party vendors and other high-risk users.
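
To make the overlay concrete, here is an added example of the decision logic such a layer applies in front of a legacy application that has no idea these controls exist. It is not Cyolo's code or any vendor's API; the grant and request structures, the user types "EMPLOYEE" and "VENDOR", the four-hour JIT ceiling, and the sample grants are all assumptions constructed for the example. Every decision, allowed or denied, is written to an audit list so that sessions are attributable to a named user.

```python
"""Access decision for a legacy app behind an identity-aware overlay.

Added example with assumed data structures. The overlay checks, in order:
MFA completed, a grant exists, the grant has not expired, third parties hold
only short-lived (JIT) grants, and the requested role is actually granted.
Every decision is appended to an audit trail.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy knobs: employees may hold standing grants, third parties may not.
STANDING_ACCESS_USER_TYPES = {"EMPLOYEE"}
MAX_JIT = timedelta(hours=4)  # hypothetical ceiling for a vendor grant lifetime


@dataclass(frozen=True)
class Grant:
    user: str
    app: str
    roles: frozenset
    issued_at: datetime
    expires_at: datetime
    user_type: str  # "EMPLOYEE" or "VENDOR" (constructed categories)


@dataclass(frozen=True)
class Request:
    user: str
    app: str
    role: str
    mfa_verified: bool
    at: datetime


def decide(req, grants, audit):
    """Return (allowed, reason) and append one audit record per decision."""
    def record(allowed, reason):
        audit.append({"user": req.user, "app": req.app, "role": req.role,
                      "at": req.at.isoformat(), "allowed": allowed, "reason": reason})
        return allowed, reason

    if not req.mfa_verified:
        return record(False, "mfa_required")
    matching = [g for g in grants if g.user == req.user and g.app == req.app]
    if not matching:
        return record(False, "no_grant")
    grant = max(matching, key=lambda g: g.issued_at)  # most recent grant wins
    if req.at >= grant.expires_at:
        return record(False, "grant_expired")
    if (grant.user_type not in STANDING_ACCESS_USER_TYPES
            and grant.expires_at - grant.issued_at > MAX_JIT):
        return record(False, "third_party_requires_jit")
    if req.role not in grant.roles:
        return record(False, "role_not_granted")
    return record(True, "ok")


# Constructed sample grants for a hypothetical "EBS" application.
T0 = datetime(2024, 3, 1, 9, 0)
SAMPLE_GRANTS = [
    Grant("jsmith", "EBS", frozenset({"AP_CLERK"}),
          T0 - timedelta(days=30), T0 + timedelta(days=335), "EMPLOYEE"),
    Grant("vendor-ann", "EBS", frozenset({"AP_READONLY"}),
          T0, T0 + timedelta(hours=2), "VENDOR"),          # proper JIT grant
    Grant("vendor-bob", "EBS", frozenset({"AP_CLERK"}),
          T0, T0 + timedelta(days=90), "VENDOR"),          # standing vendor access
]


def check(user, app, role, mfa_verified, hours_after_t0, audit=None):
    """Convenience wrapper: evaluate a request made `hours_after_t0` after T0."""
    req = Request(user, app, role, mfa_verified, T0 + timedelta(hours=hours_after_t0))
    return decide(req, SAMPLE_GRANTS, audit if audit is not None else [])


if __name__ == "__main__":
    trail = []
    for args in [("jsmith", "EBS", "AP_CLERK", True, 1),
                 ("vendor-ann", "EBS", "AP_READONLY", True, 3),
                 ("vendor-bob", "EBS", "AP_CLERK", True, 1)]:
        print(args[0], check(*args, audit=trail))
    print(len(trail), "audit records written")
```

Note the ordering: MFA is checked before anything else so that an attacker with a stolen password never reaches the grant lookup, and vendor-bob is refused even with a valid role because a 90-day grant for a third party violates the JIT rule. The legacy application itself is unchanged; it only ever sees sessions the overlay has already authenticated, authorized, and logged.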

The Cyolo Approach to Securing Legacy Applications

Cyolo understands the challenges of securing legacy and homegrown applications.

We designed our zero-trust access platform for all systems and applications, including those that do not natively support modern secure access control options. With Cyolo, the applications you've long depended on can continue to empower your business without adding risk or increasing the attack surface for bad actors.

The Cyolo Identity Access Controller (IDAC) is placed on-site, integrates with your existing identity infrastructure, and connects to your network resources and applications. In this model, users keep their existing workflows but are first authenticated by the Cyolo IDAC, which uses the existing identity infrastructure to validate identity. Because the IDAC does not send traffic outside the company network and does not store access credentials, the exposure of users, applications, and services is kept to a minimum.


While digital transformation has greatly improved organizational security in many ways, significant gaps remain and must be addressed. With a firm understanding of what problematic applications or services exist in your environment, the work of applying modern security methods to them can begin. The desired balance between user experience and security controls is ultimately achievable, even for business-critical systems that historically do not support modern identity authentication.

Cyolo exists to help organizations thrive by securely connecting people to their work and bringing modern, zero-trust access to all applications and systems, even the ones other tools struggle to secure. Founded by a CISO and two ethical hackers, Cyolo empowers you to connect anyone from anywhere with the confidence that the entire digital system is protected.