Cybersecurity threats grow more sophisticated every year. And while the federal government has pushed forward with efforts to modernize IT, some legacy systems pose unique challenges. Often, these systems remain static even as the landscape around them continues to change.
As the federal space makes the jump to the cloud and focuses on attracting young talent, there’s a real fear that these mission-critical systems will become unprotected while the people who understand them become scarce. However, there are plenty of ways agencies can minimize risk to these systems by keeping legacy IT security in mind as they continue to move their entire infrastructure forward.
Understanding system needs
No two agencies are the same, and the various requirements that inform their IT solutions will also differ dramatically. Since there is no one-size-fits-all solution for dealing with legacy systems, preparation and planning are key. In an ideal world, agencies would have the resources and time to rewrite their legacy systems with modern code, ensuring proper integration with the rest of their stack. But realistically, resources will be finite, which means a thorough risk assessment is in order.
What holes do these legacy systems create on your network? Vulnerabilities often slip through the cracks as IT teams focus on addressing more contemporary issues. Many agencies find plugging all of these holes to be an impossible task and opt to isolate the antiquated systems instead. Often, this ends up being the best way to deal with the opaque vulnerabilities a legacy system presents.
Integrate with updated resources
Agencies will need to find every way to ease the burden on these older systems. Luckily, modernization requirements already have IT teams reexamining their technology stacks. Chief security officers should consider their legacy systems’ role in this larger, holistic process.
If you can’t update the code, you can at least have it running on the most up-to-date security hardware and software at your disposal. In this way, we can protect against antiquated attacks like buffer overflows that should be all but eliminated by modern infrastructure. Beyond this, look for solutions that complement existing infrastructure, especially monolithic legacy systems.
Proper investment prioritization
Often, CSOs rush ahead with technology that flaunts bells and whistles that do little to protect the vulnerabilities that exist in their stack. Solutions should be comprehensive and include a suite of technology meant to work together to serve many purposes. One of these purposes must be keeping legacy systems isolated or protected.
Network visibility can go a long way toward providing some peace of mind concerning older systems, which tend to be elusive and opaque. The old approach to security was to create as thick a layer of security around the network as possible. But more and more we see attacks coming from internal sources like malware or compromised credentials, which allow threats to spread laterally. Legacy systems are especially vulnerable from this perspective, and it’s critical to have some mid-level protection to detect anomalies and stop these threats from running rampant on your network.
Baseline user access
With insider threats posing a disproportionately large problem to legacy systems, identity and access management become critical components of an effective security plan. Which users truly need access to these systems? Keeping these systems isolated and as far away from potential threats as possible is a crucial component of keeping them out of harm’s way.
After determining which users should retain access, take extra precautions with them. Many modern security tools allow CSOs to measure baseline network activity for users and flag anomalous behavior, such as excessive data transfer or accessing unexpected locations. These types of solutions can help safeguard legacy systems from malicious intent and mitigate harm done if a threat does slip through.
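The per-user baselining described above, sketched as an added example (not from the original article or any specific product). It assumes hypothetical flow records of (user, day, source location, bytes sent to the legacy host); the sample data, user names and threshold `k` are constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample records: (user, day, source_location, bytes_sent_to_legacy_host)
BASELINE = [
    ("alice", 1, "hq-lan", 40_000), ("alice", 2, "hq-lan", 52_000),
    ("alice", 3, "hq-lan", 47_000), ("alice", 4, "hq-vpn", 45_000),
    ("bob", 1, "hq-lan", 900_000), ("bob", 2, "hq-lan", 1_100_000),
    ("bob", 3, "hq-lan", 1_000_000), ("bob", 4, "hq-lan", 950_000),
]
TODAY = [
    ("alice", 5, "hq-lan", 49_000),       # within baseline
    ("alice", 5, "branch-wifi", 46_000),  # location never seen for this user
    ("bob", 5, "hq-lan", 9_000_000),      # far above bob's usual volume
    ("mallory", 5, "hq-lan", 10_000),     # user with no baseline at all
]

def build_baseline(records):
    """Per-user median and MAD of transfer size, plus the set of seen locations."""
    sizes, locations = defaultdict(list), defaultdict(set)
    for user, _day, loc, nbytes in records:
        sizes[user].append(nbytes)
        locations[user].add(loc)
    profile = {}
    for user, vals in sizes.items():
        med = median(vals)
        mad = median(abs(v - med) for v in vals)  # robust spread estimate
        profile[user] = (med, mad, locations[user])
    return profile

def flag(records, profile, k=6.0):
    """Return (user, reason) for each record that deviates from the baseline."""
    alerts = []
    for user, _day, loc, nbytes in records:
        if user not in profile:
            alerts.append((user, "no-baseline"))
            continue
        med, mad, locs = profile[user]
        # Floor the MAD at 5% of the median so a very steady user is not over-flagged
        limit = med + k * max(mad, 0.05 * med)
        if nbytes > limit:
            alerts.append((user, "excessive-transfer"))
        if loc not in locs:
            alerts.append((user, "new-location"))
    return alerts

if __name__ == "__main__":
    for alert in flag(TODAY, build_baseline(BASELINE)):
        print(alert)
```

Using the median and median absolute deviation rather than mean and standard deviation keeps one unusually large transfer in the baseline window from inflating the threshold.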
Deciding how to treat old systems can be incredibly frustrating. Many are mission critical and cannot be eliminated, and agencies often lack the resources to overhaul them at the needed scale. But there are plenty of ways to insulate them against attack by configuring the network in such a way that it provides passive protection. The main thing is to simply keep these systems in mind when reexamining processes and solutions. When modernizing, agencies should consider their legacy systems’ role and ensure their security doesn’t slip through the cracks.
Eric Stuhl is director of enterprise networking and security at Force 3.