david_linthicum
Contributor

Legacy systems are the new attack vectors for hackers

analysis
Jun 21, 2022 | 3 mins
Cloud Computing, Cloud Security, IoT Security

The public cloud has better security than your data center, so you're likely to see more attacks on legacy systems to gain access to cloud data. Here’s how to fight back.


Have you ever heard the saying “Locking the door but leaving the window unlatched”? It means that your security is only as good as the weakest link. This applies to IT as well.

How does legacy system security compare to cloud security? Google away and you’ll find that survey after survey says cloud security is superior or far superior to security on more traditional systems in data centers.

Why? We keep our legacy systems in our data centers, right? Doesn’t that make them more secure?

Not really. During the past 10 years, R&D spending on public cloud–based security has far surpassed investment in more traditional platforms, both by third-party vendors and, of course, by the public cloud providers themselves (hyperscalers). Money normally spent on updating and improving legacy security has been funneled to cloud-based anything.

You can’t blame the security technology providers. They need to focus on emerging markets to keep revenue moving upward. However, there is an unintended consequence of this focus on cloud; namely, the lack of attention to legacy systems where as much as 80% of business data is stored today, depending on the company.

In case you missed it from the title of this blog, the weakest link in the enterprise IT security chain is no longer remote systems (using public clouds to gain access to valuable business data). It’s the legacy systems with security technology that has not felt any love in about 10 years and has many more vulnerabilities than the public clouds. Thus, they become the attack vector of choice.

The trouble is that while we focus on attacks coming into the enterprise from the outside, we miss attacks that leverage a connected system, or inter-system attacks. In this case, we miss easy access to the legacy platform, which is connected to the cloud-based platform but is unlikely to have the same defenses around inter-system security.

Thus, legacy systems become the preferred path for attackers, an indirect route to cloud-based systems and data. Breaking into the legacy system is an easier way to access systems and data within public clouds.

This is not new. Home computers have been attacked via smart TVs because they have more lax security. Internet of Things devices, such as robots on a factory floor, have been leveraged to gain access to other internal systems.

What should you do about this? The answer could be to upgrade security on legacy systems, but that may not be possible given the shift of R&D funding to cloud-based systems. However, make sure you’re working with the fewest number of vulnerabilities, and update your security software and security configurations, including testing and audits.

After that, it’s a matter of dealing with inter-system security. I recommend a “zero-trust” approach to all systems that connect to systems in the public cloud. I understand that this adds an expensive layer of complexity when carrying out inter-system communications, such as legacy-to-cloud and back again. But, considering what’s at stake, this is the only way to save our cloud data (the locked door) from the legacy systems (the unlatched window).


David S. Linthicum is an internationally recognized industry expert and thought leader. Dave has authored 13 books on computing, the latest of which is An Insider’s Guide to Cloud Computing. Dave’s industry experience includes tenures as CTO and CEO of several successful software companies, and upper-level management positions in Fortune 100 companies. He keynotes leading technology conferences on cloud computing, SOA, enterprise application integration, and enterprise architecture. Dave writes the Cloud Computing blog for InfoWorld. His views are his own.
