We all know how hard dealing with the standard estate is; let alone when apps cannot support new OS, hardware will not support the next version, or we can’t stop the production line. And now we have a potential long-term WFH challenge that is accelerating legacy. Here is the conundrum; you cannot just do nothing. So, the question is – how can we reduce this risk? How do we keep business-critical legacy secure? In this blog, we explore how to track and reassess legacy environments to determine the process needed to make them secure.

Why is Legacy a Problem?

While the issue with legacy technology is old news, it has become more prevalent as the pandemic changes how companies do business. Essentially, legacy is a state into which assets fall when they introduce risk, such as those that you never envisaged operating in a networked environment, and those where there is no replacement or upgrade, but the asset remains business-critical.

Technical Services Director at Secrutiny, Deepak Shukla, said: “ Patching is our first level of defence. We’ve got to ensure that patches have been applied; if we do that, we’re doing pretty well without having to spend money.”

Heather Askins, Head of Information Security and Privacy at Google stated in an interview at TechCrunch Disrupt SF, that rather than spending tons of money on technology, we should invest more on talent and have them do nothing but patching. It’s about looking at the legacy devices in our environment that we can’t deal with, and protecting everything else that is around them, so that we can control and mitigate risk.

Unfortunately, the problem with patching is that it’s not always possible. Many organisations are in a situation where their legacy systems have been developed by people who no longer work for the organisation, but the system still works. In other instances, these legacy systems are running 24×7, making it difficult to take care of maintenance tasks.

A study commissioned by endpoint protection specialists, Tanium, revealed that 81% of CIOs and CISOs defer critical updates or patches because it’s ‘too risky’ to stop the machine and stop the business. While true, it doesn’t mean it’s right; housekeeping is crucial; a better plan is needed than just parking these things on risk registers.

What is the Solution to Legacy?

The solution is about continually improving your understanding of legacy devices, starting with why they’re legacy in the first place, what risks they pose and what you can do to detect anomalies. Once you understand what normal operation looks like, you can begin to proactively identify irregularities in your environment. It’s about being as best prepared as you can be. For instance, do you know your legacy issues? Your asset’s criticality, sensitivity, location and lifecycle? And are you blindly keeping something going because it was inherited from a predecessor, when in reality it’s seldom used.

Of course, there is always a technical solution; such as network monitoring, zero-trust, isolation and air gaps, database encryption, network and application segmentation, and application hardening to remove any services not required.

Dee also suggests “segmenting which devices can see a particular server, enabling granular traffic analysis for specific hosts, or simply finding an anti-virus that is not your first choice and has an agent for an old operating system”.

While we cannot achieve, afford or guarantee 100 per cent risk reduction when it comes to legacy environments, one thing we can accomplish is understanding 100 per cent those risks that are in front of us.