The Legacy of Legacy Applications
All things decay over time. So it is with the security of “legacy” software. Antiquated versions of an organization’s Windows and even (gasp!) DOS applications, some built a decade or two ago, eventually become outdated. Perhaps millions of these applications are still in use out there in the wild, holding sensitive information for which regulations now require protection. Why is that a problem, you ask? Even if these applications were top of the line when first implemented, they are, at this point in time, a liability.
Several factors account for this. Primarily, the evolving threat landscape has made these relic platforms vulnerable. At the time of deployment, our understanding of cybersecurity, the language and algorithms, as well as hackers’ capabilities, were much more primitive compared to today—as will likely be the case with our current knowledge in another ten years or so. Password protection, for example, was considered sufficient in times gone by, whereas now, reliance on that alone would be laughable. Hacker toolkits have likewise evolved, to the point where attacks that were once considered the most sophisticated can now be carried out by casual hackers, who may even have access to helpful online tutorials. As a result, legacy software lacks the security mechanisms necessary to combat these advanced cyber threats.
It’s not just the security design that’s an issue, however. The vendor of the old product might not be offering support anymore, having moved their focus to developing new software. Or they may even have gone out of business. The legacy products will thus go unpatched, leaving them open to any newly discovered vulnerabilities.
Sometimes, the software in question will become a risk simply by operating on an outdated, insecure platform. This was actually a pretty big story several years ago, regarding Internet Explorer 6. In 2011, Microsoft launched a website to discourage people from using IE6, which at that point was a decade old. Even the company itself knew the risks posed by its then-archaic browser, and wanted users to upgrade to one more secure.
Why, then, do organizations continue to use legacy applications, with the dangers so apparent? Well, that’s even simpler to explain. Whatever software a company is using cost them an investment of time and money; they’re hesitant to abandon this investment in favor of something new, which would be far more expensive because modern systems are more complex, not to mention inflation. The same applies to staff training. Employees familiar with the old paradigm would have to be retrained for this significant shift. And these are just a few of the reasons.
How to resolve this issue? Some have tried to use whole disk encryption, but this has many limitations, especially for multi-user applications. These legacy applications are in use in companies and government agencies around the globe and few are quite sure what to do about it.
Now, I rarely boost our company or products in this blog, but Encryptionizer can secure almost any legacy application or database on the Windows or DOS platforms. Click here for more information.