Weaving Security into your Legacy Systems

For decades, client/server systems were developed and deployed as the operational backbone for enterprises around the country. Most systems operated in a closed-loop environment, adding new equipment and technology as the business needs evolved.  The problem we face today is that these legacy systems were not designed with the today’s security needs in mind and are very inflexible to change.

Cloud computing has given us the speed and flexibility needed for modern architectures but legacy systems are still operating many of our critical infrastructures.  Some business leaders today challenge the idea of migrating their legacy applications to cloud-based technology because they fear the transition will interfere with routine operations and workflow, decreasing output while increasing overhead. Many legacy systems that have been adapted to integrate into the modern architecture and are now vulnerable to attack.

The process to update legacy applications is long and expensive, therefore the aggregate disappearance of legacy systems is not imminent.  But, because these legacy systems are vulnerable to attack, organizations do need to weave proper security controls into the legacy architecture.

Legacy System Security Issues

In two words: It’s complicated. It’s onerous to retrofit a legacy system with comprehensive security protocols. Issues such as the failure to consider equipment upgrades, expanded services, and the human element (i.e. incomplete or faulty employee training) create unique challenges for IT security strategists.

Every new technology added into the mix brings a new set of digital relationships; and, every new relationship expands the attack surface. The addition of web-enabled devices and mobile applications also brings new security concerns. Consolidating servers and failing to fully understand the implications of new virtualization platforms could result in increased vulnerability. For example, if routers or firewalls aren’t fully compatible, it can cause unintentional consequences due to misconfiguration.

Taking Action: Security Optimization Strategies

To provide a robust and secure environment, IT professionals must understand the mechanisms, processes and users they serve and the internal and external pain points. An optimized company-wide security architecture strengthens security at each layer of the business, closing gaps in the information and data protection chain. In addition, aligning actual business risks to specific security controls and security solutions through use of tools such as a Risk Register, helps organize and simplify the job of the security architect.

IT teams can enhance legacy systems security by:

• Diligently exploring external relationships; vetting third party vendors thoroughly and considering their relationships.
• Weaving security protocol for every new device, application or software upgrade into the overall protection plan as it enters the network.
• Consistently applying vendor patches to applications and the supporting solution stack.
• Establishing a revolving password protocol that restricts password sharing and includes “what if” guidelines for key employees who exit the company suddenly or take extended leave.
• Reviewing policies that allow passwords/keys in system files. Shared system files pose added risks when an enterprise transitions from a closed-network to an open-network.
• Hiring an experienced systems integrator, who is capable of assisting your in-house IT team to develop an IT Security Strategy built around your true business risk profile.

Working with experts

Many IT security strategies primarily focus on tactical operational challenges and checking compliance check boxes by purchasing point solutions.  DynTek security experts take a holistic approach to weaving security into your legacy system by helping you to get a handle on your overall business risk profile, and mitigating the most critical of those risks through best-in-class technologies.