With all the talk about digital transformation and IT modernization, you’d think that everyone was all-in with the cloud at this point. But there are many legacy systems still in production, even at enterprise organizations.
There are plenty of reasons to maintain your legacy IT infrastructure and applications. They might not be compatible with virtualization or your chosen cloud platform, requiring significant investment to be rebuilt in cloud-native form. You might be planning to replace them with a different system at the end of the lifecyle. They might still meet acceptable goals for performance and productivity, leaving little reason to update them. Or you might just have fallen into the sunken cost fallacy and are in too deep to give up on them now.
Regardless of why you still have them, there are almost certainly legacy systems within your IT ecosystem, and keeping them secure is of paramount importance, especially if they’re past their support lifecycle and have become exposed to potential vulnerabilities.
If your legacy apps have passed their End of Life and are no longer supported by the vendor, they will remain unpatched from now until they’re breached or stop working (or are replaced). Your IT team may also put off patching a legacy system to avoid rocking the boat.
Over time, integrations and configurations may have become a “duct-taped” hodgepodge of disparate components and upgrades — a sensitive ecosystem that could be broken with a patch. For critical systems, patching often gets avoided for this reason. Eventually this can lead to technical debt, where it becomes more and more expensive to perform the patch or update.
It’s also possible that everyone who knew the system like the back of their hand has retired or moved on from your company.
Sometimes a system upgrade is more costly than the labor and licensing involved in updating. Bumping from Windows XP to Windows 7, or from 7 to 10, also comes with increased system requirements. Software updates could necessitate hardware upgrades alongside them, and your budget may not allow for all of it at once.
There may be some vulnerabilities that you don’t even know about. Network attached devices like printers, scanners, and even network devices like routers and switches can all hide vulnerabilities that allow access to your network and potentially even unrelated systems.
Time to upgrade...
Unpatched software that is past its support lifecycle runs a relatively simple risk: it is no longer protected against known exploits and zero day vulnerabilities. Various security holes have almost certainly been engineered or discovered. Older systems are much more likely to be infected with malware.
Depending on the age of your legacy infrastructure, it could have hardcoded passwords as well. These aren’t easily changed and their documentation may be publicly available. Other systems may have default passwords that are readily available as well. If possible admin passwords should be changed; if you can do so on a regular schedule, even better.
As the organization changes over time (and gets acquired, partners with external organizations, or integrates systems with new applications that connect via public internet), internal applications can become exposed to the outside world. A previously secure internal app could have its data leaked via a third party connection. You may wish to implement encryption if a legacy app moves from a private closed network to a public open one.
A legacy app may also be maintained for other reasons – rollback, testing, looking up outdated records, etc. While your IT department recognizes this, the end user may not. They might assume data on the legacy app is still backed up or components are still redundant and will failover if broken. Vital data can be lost if an end user is not aware their legacy application is no longer supported. It is vital to decommission or limit access to legacy apps that are no longer officially supported for daily use.
These compiled vulnerabilities can add up to serious costs. They’re more expensive to update the longer you put them off; they cause compliance headaches and potential fines if you’re found in violation or suffer a breach; they even could raise your insurance premiums.
If a legacy system must remain in place, be sure to be extra vigilant when it comes to IPS/IDS, antivirus/antimalware layers, firewalls, and network monitoring. You should isolate it on the network as much as possible. Start making your case today for its eventual upgrade.
By pointing out the potential risk and associated costs, you can make the capital expense of updating more palatable to executives. A legacy system may work fine today but be faced with a zero day vulnerability tomorrow. With no one watching out for it, you may not know that vulnerability exists until you’ve been breached.