Information Security 6 min read

Zero Trust for legacy systems: protection architecture via IAP and microsegmentation

How to protect legacy infrastructure from unauthorized access and lateral movement without major code refactoring using Identity-Aware Proxy and microsegmentation.

IT architects and information security leaders face a complex dilemma. On one hand, regulatory requirements and threat dynamics demand an immediate transition to a Zero Trust architecture. On the other, legacy components—outdated billing systems, monolithic databases, and applications developed long before modern security standards—often remain at the heart of corporate infrastructure. Rewriting them from scratch would halt critical business processes for years. Leaving them as-is exposes the organization to unacceptable risks.

Traditional "castle-and-moat" network security no longer works. If an attacker compromises even one node within the perimeter, they gain unrestricted access to legacy systems that cannot independently verify request context or user identity at the application layer. The solution is infrastructure retrofitting using Identity-Aware Proxy (IAP) and network microsegmentation, which allows for the protection of legacy environments without changing their source code.

Anatomy of vulnerability: lateral movement and weak protocols

Legacy systems were developed in an era when trust in the internal network was absolute. Basic Auth, lack of support for MFA, SAML, or OIDC make such corporate software an ideal target for lateral movement after an initial perimeter breach.

The scale of the problem is confirmed by the Cisco Cybersecurity Readiness Index 2025, based on a double-blind survey of 8,000 cybersecurity leaders across 30 markets. According to the study, only 27.7% of organizations have a mature level of network resilience, while 53.7% point to significant difficulties in developing Identity Intelligence when integrating systems into a unified security perimeter.

The situation is particularly critical in the telecommunications sector and critical infrastructure facilities. According to the ENISA Threat Landscape 2025 report, the exploitation of legacy signaling protocols, such as SS7 and Diameter, remains a significant risk for mobile networks. These protocols cannot independently verify the sender, allowing attackers to intercept traffic. When an attack reaches an internal segment, the lack of microsegmentation allows for the unhindered exploitation of known vulnerabilities in older systems.

Identity-Aware Proxy (IAP): modern IAM for legacy applications

Identity-Aware Proxy (IAP) acts as an intelligent gateway. Instead of direct network access to a server, all traffic is routed to a proxy node. IAP intercepts the request, verifies the user via a centralized identity provider, evaluates the access context (device status, IP address), and only then allows the traffic through.

For the legacy application itself, this process remains transparent. After successful authorization, IAP forwards the request, injecting the headers required for the legacy system to function. The application receives the request as if it had passed its own basic authentication, but the actual strict control occurred at the external level.

Conceptually, a similar approach to authentication retrofitting can be seen in telecommunications. The FCC First Caller ID Authentication Report and Order describes the STIR/SHAKEN framework. Although STIR/SHAKEN is a specific solution exclusively for voice networks and is not universal for IT, it illustrates an important principle: adding an Identity header within SIP INVITE messages and verifying it using a public key allows for subscriber validation without a major overhaul of legacy end-user switches.

Microsegmentation: isolation at the network flow level

If IAP protects the application layer (L7), then microsegmentation limits interaction at the transport and network layers. In traditional architecture, servers are often grouped into broad segments. Microsegmentation creates individual micro-perimeters around each workload based on the principle of least privilege: a server is allowed to interact with others only via clearly defined ports, and any unauthorized attempts are blocked.

For legacy systems running on operating systems that no longer receive security patches, microsegmentation becomes a critical barrier against the exploitation of known RCE vulnerabilities from neighboring network nodes.

Retrofitting algorithm: from analysis to Zero Trust

Implementing Zero Trust for legacy systems is an iterative process that requires adherence to a clear architectural sequence:

  1. Gap analysis: Assessing system non-compliance with security requirements. For example, the NIST Cybersecurity Framework (CSF) 2.0 introduces the "Govern" function, which requires treating cyber risks as a component of corporate governance. Analysis identifies exactly where legacy systems violate access control or audit requirements.
  2. Flow mapping: Before enabling microsegmentation, traffic is analyzed to identify and document all legitimate connections.
  3. IAP deployment: Configuring the proxy node for external and internal access to interfaces with MFA enforcement.
  4. Microsegmentation implementation: Gradually transitioning transport layer rules to enforcement mode, starting with the least critical segments.

Platform foundation for modernization and protection

Implementing the combination of IAP and microsegmentation satisfies the basic requirements of modern standards, such as NIS2 and ISO/IEC 27001, regarding business continuity and access control.

To implement a Zero Trust architecture and modernize legacy systems, the Intecracy Group alliance offers the expertise of the Softengi team in designing integration layers and custom development. The technological foundation for building secure gateways and new business applications is the full-stack JavaScript low-code platform UnityBase (a joint development of Intecracy Group companies, where InBase is a key, but not the only, developer).

Using the mechanisms of the UnityBase platform allows for the integration of legacy infrastructure with modern security and audit requirements. For high-load systems or projects with heightened security requirements, commercial editions (Enterprise or Defence) are deployed, providing flexible Row-Level Security (RLS), Access Control Lists (ACL), detailed audit trails, and the ability to operate in fully isolated on-premises environments.

Comparison of architectural approaches to legacy system protection
CriterionTraditional VPNIdentity-Aware Proxy (IAP)Microsegmentation (L4/L7)
Access granularity levelNetwork segment (broad access)Specific application/URL (contextual access)Specific ports and service connections
Impact on legacy system codeNoneNone (authentication at proxy node)None (control at hypervisor/agent level)
Protection against lateral movementWeak (network is open after authorization)Medium (protects web interfaces only)High (blocks unauthorized server-to-server connections)
Context verification (device, geo)Only at connectionContinuous at every requestUsually absent (traffic-oriented)

Combining microsegmentation and contextual authorization via IAP creates a reliable, layered defense, allowing companies to safely operate legacy components without disrupting critical processes or violating regulatory requirements.

FAQ

How to configure Identity-Aware Proxy for legacy applications with Basic Auth?

IAP acts as an external barrier. The user undergoes modern verification (e.g., OIDC with MFA) at the proxy node. Afterward, IAP generates and injects Basic Auth headers or special tokens when accessing the legacy application, masking the actual credentials.

Is it possible to implement microsegmentation without the risk of network downtime?

Yes, implementation is carried out via a learning mode. Traffic is not blocked but analyzed. After verifying and mapping all legitimate service flows, rules are carefully transitioned to active enforcement mode.

Which security standards requirements do IAP and microsegmentation help satisfy?

This architecture meets technical risk management requirements (the "Govern" function in NIST CSF 2.0), limits the blast radius during incidents, and ensures strict access control to critical infrastructure, aligning with NIS2 and ISO/IEC 27001 criteria.

Data sources

Sources & materials

Materials and sources used in this article.

  1. FCC First Caller ID Authentication Report and Order — docs.fcc.gov
  2. Cisco Cybersecurity Readiness Index 2025 — newsroom.cisco.com
  3. ENISA Threat Landscape 2025 — enisa.europa.eu
  4. NIST Cybersecurity Framework (CSF) 2.0 — nist.gov