IT architects and information security leaders face a complex dilemma. On one hand, regulatory requirements and threat dynamics demand an immediate transition to a Zero Trust architecture. On the other, legacy components—outdated billing systems, monolithic databases, and applications developed long before modern security standards—often remain at the heart of corporate infrastructure. Rewriting them from scratch would halt critical business processes for years. Leaving them as-is exposes the organization to unacceptable risks.
Traditional "castle-and-moat" network security no longer works. If an attacker compromises even one node within the perimeter, they gain unrestricted access to legacy systems that cannot independently verify request context or user identity at the application layer. The solution is infrastructure retrofitting using Identity-Aware Proxy (IAP) and network microsegmentation, which allows for the protection of legacy environments without changing their source code.
Anatomy of vulnerability: lateral movement and weak protocols
Legacy systems were developed in an era when trust in the internal network was absolute. Basic Auth, lack of support for MFA, SAML, or OIDC make such corporate software an ideal target for lateral movement after an initial perimeter breach.
The scale of the problem is confirmed by the Cisco Cybersecurity Readiness Index 2025, based on a double-blind survey of 8,000 cybersecurity leaders across 30 markets. According to the study, only 27.7% of organizations have a mature level of network resilience, while 53.7% point to significant difficulties in developing Identity Intelligence when integrating systems into a unified security perimeter.
The situation is particularly critical in the telecommunications sector and critical infrastructure facilities. According to the ENISA Threat Landscape 2025 report, the exploitation of legacy signaling protocols, such as SS7 and Diameter, remains a significant risk for mobile networks. These protocols cannot independently verify the sender, allowing attackers to intercept traffic. When an attack reaches an internal segment, the lack of microsegmentation allows for the unhindered exploitation of known vulnerabilities in older systems.
Identity-Aware Proxy (IAP): modern IAM for legacy applications
Identity-Aware Proxy (IAP) acts as an intelligent gateway. Instead of direct network access to a server, all traffic is routed to a proxy node. IAP intercepts the request, verifies the user via a centralized identity provider, evaluates the access context (device status, IP address), and only then allows the traffic through.
For the legacy application itself, this process remains transparent. After successful authorization, IAP forwards the request, injecting the headers required for the legacy system to function. The application receives the request as if it had passed its own basic authentication, but the actual strict control occurred at the external level.
Conceptually, a similar approach to authentication retrofitting can be seen in telecommunications. The FCC First Caller ID Authentication Report and Order describes the STIR/SHAKEN framework. Although STIR/SHAKEN is a specific solution exclusively for voice networks and is not universal for IT, it illustrates an important principle: adding an Identity header within SIP INVITE messages and verifying it using a public key allows for subscriber validation without a major overhaul of legacy end-user switches.
Microsegmentation: isolation at the network flow level
If IAP protects the application layer (L7), then microsegmentation limits interaction at the transport and network layers. In traditional architecture, servers are often grouped into broad segments. Microsegmentation creates individual micro-perimeters around each workload based on the principle of least privilege: a server is allowed to interact with others only via clearly defined ports, and any unauthorized attempts are blocked.
For legacy systems running on operating systems that no longer receive security patches, microsegmentation becomes a critical barrier against the exploitation of known RCE vulnerabilities from neighboring network nodes.
Retrofitting algorithm: from analysis to Zero Trust
Implementing Zero Trust for legacy systems is an iterative process that requires adherence to a clear architectural sequence:
- Gap analysis: Assessing system non-compliance with security requirements. For example, the NIST Cybersecurity Framework (CSF) 2.0 introduces the "Govern" function, which requires treating cyber risks as a component of corporate governance. Analysis identifies exactly where legacy systems violate access control or audit requirements.
- Flow mapping: Before enabling microsegmentation, traffic is analyzed to identify and document all legitimate connections.
- IAP deployment: Configuring the proxy node for external and internal access to interfaces with MFA enforcement.
- Microsegmentation implementation: Gradually transitioning transport layer rules to enforcement mode, starting with the least critical segments.
Platform foundation for modernization and protection
Implementing the combination of IAP and microsegmentation satisfies the basic requirements of modern standards, such as NIS2 and ISO/IEC 27001, regarding business continuity and access control.
To implement a Zero Trust architecture and modernize legacy systems, the Intecracy Group alliance offers the expertise of the Softengi team in designing integration layers and custom development. The technological foundation for building secure gateways and new business applications is the full-stack JavaScript low-code platform UnityBase (a joint development of Intecracy Group companies, where InBase is a key, but not the only, developer).
Using the mechanisms of the UnityBase platform allows for the integration of legacy infrastructure with modern security and audit requirements. For high-load systems or projects with heightened security requirements, commercial editions (Enterprise or Defence) are deployed, providing flexible Row-Level Security (RLS), Access Control Lists (ACL), detailed audit trails, and the ability to operate in fully isolated on-premises environments.
| Criterion | Traditional VPN | Identity-Aware Proxy (IAP) | Microsegmentation (L4/L7) |
|---|---|---|---|
| Access granularity level | Network segment (broad access) | Specific application/URL (contextual access) | Specific ports and service connections |
| Impact on legacy system code | None | None (authentication at proxy node) | None (control at hypervisor/agent level) |
| Protection against lateral movement | Weak (network is open after authorization) | Medium (protects web interfaces only) | High (blocks unauthorized server-to-server connections) |
| Context verification (device, geo) | Only at connection | Continuous at every request | Usually absent (traffic-oriented) |
Combining microsegmentation and contextual authorization via IAP creates a reliable, layered defense, allowing companies to safely operate legacy components without disrupting critical processes or violating regulatory requirements.
FAQ
How to configure Identity-Aware Proxy for legacy applications with Basic Auth?
IAP acts as an external barrier. The user undergoes modern verification (e.g., OIDC with MFA) at the proxy node. Afterward, IAP generates and injects Basic Auth headers or special tokens when accessing the legacy application, masking the actual credentials.
Is it possible to implement microsegmentation without the risk of network downtime?
Yes, implementation is carried out via a learning mode. Traffic is not blocked but analyzed. After verifying and mapping all legitimate service flows, rules are carefully transitioned to active enforcement mode.
Which security standards requirements do IAP and microsegmentation help satisfy?
This architecture meets technical risk management requirements (the "Govern" function in NIST CSF 2.0), limits the blast radius during incidents, and ensures strict access control to critical infrastructure, aligning with NIS2 and ISO/IEC 27001 criteria.