One thing is constant in the IT universe: change. When advances take place in society, in organizations, or as the result of technology, the IT infrastructure is likely to change completely in the course of a few years. IT executives are tasked with keeping on top of every trend and hiring savvy staff that can implement the next big thing.
Legacy Applications and Their Burden on IT Staff
Behind all the glitz and glam lie the no-longer-adored-but-still-necessary workhorses of the organization: the legacy applications and hardware that make essential systems tick. Perhaps it's an airline ticketing system, core banking or financial system, or even a trading platform. However, it could be something more esoteric, such as a SCADA network that is popular with utility companies. Maybe it's an ATM or POS system or another system that the company keeps limping along until a replacement can be written.
While these enterprise-level or support systems are essential in the interim, you'll soon find yourself with an itchy trigger finger on their expiration date. Keeping the lights on with existing systems that are going to be around for a while, on top of developing new solutions, quickly becomes a CIO's least favorite job. Unfortunately, these systems are essential for running day-to-day processes, so your time and your staff's time quickly become bogged down in details until almost zero development is happening.
Worst of all, these legacy systems carry inherent risks. Have you ever heard the term, "you break it, you bought it"? For enterprising developers and techs who decide to get their hands dirty on old tech, it's a well-known axiom. That's precisely why no one wants to work on old systems after the old-timers who understood the system have moved on to greener pastures.
Besides being a PITA, legacy systems may expose your entire network to security threats. Needless to say, the protection on these systems isn't going to win any awards for innovation any time soon. If they're secured at all, it's probably through antiquated networking systems that don't gel with modern security protocols.
As a result, although essential to life as your company knows it, these legacy assets are at immediate risk of attack - all the time. It doesn't take long for an adversary to figure out where the weak point is in your infrastructure. Maybe it's a core banking platform that gives away an institution's keys to the networking kingdom, maybe it's something more innocuous. Either way, if bad actors access your system, they can wreak havoc on your systems.
CISO recommends that enterprises follow these steps to secure legacy assets:
Stop doing what you’ve always done. To secure antiquated systems, throw out the old rules and don't accept the “it's always been this way” explanation. It's important to figure out exactly what the legacy systems do that's so important and why they can't be moved into an easier-to-maintain solution. Here are a few questions to get you started:
- What vulnerabilities are inherent in each old system? How can they be better remediated?
- What security and compliance controls do older systems fail regularly? Can they be addressed?
- Who still uses them and why?
These seemingly simple questions often don't have easy answers. The business users are bound to give you day-to-day, in-the-trenches answers related to the time and effort required to make a change.
- “Everyone needs access,”
- “The alternatives cost too much.”
These are just a couple of answers you can't act upon from an IT perspective. At some point, you'll have to corner a stakeholder to do a cost/benefit analysis so that the decision can be quantified.
Think outside the box. Solving the issue requires creative thinking. Many legacy assets end up having no redeeming quality other than dependence based on convoluted business processes. Can you keep the asset in operation and use a secure "container" architecture that prevents it from compromising other systems? One idea is to use an intermediary like Cloud Security Alliance's SDP (software-defined perimeter). Find out if your cloud solution partners know a trick or two to secure a specific application. It's worth the money to bring in consultants to brainstorm the issue for a solution to protect the rest of your network and data.
Compensating controls to the rescue. You will definitely come across systems that are so old that modern tools can't connect to them to solve the problem. However, a consultant may still be able to help. Ask your auditing team to find out if there are other ways to secure the legacy assets. There may be a way to introduce compensating controls to meet regulatory requirements.
Modern security tools are often used to extend the lifespan of assets in decline. However, if it turns out that these applications or equipment can't be revamped or it costs too much to do so, it may be time to dust off your trigger finger. Even the argument that day-to-day business is dependent on a system may not be enough to risk bringing down the entire network due to holding onto a legacy tool that's ready to take its last breath.
Ensure Your Systems Are Secure
How do you start to secure your systems? Well, you'll need the people with the right skills to make that happen. Click below to contact ICS and get started hiring the top talent to help your organization stay safe and secure. The other alternative of doing nothing isn't as appealing in the long run.