How to Secure Your Company's Legacy Applications

You don’t need to be told that the tech landscape is changing rapidly and that businesses are constantly trying to keep up with innovative solutions. Consider how regularly Apple rolls out its newest version of the iPhone—older models that still work feel obsolete to the user looking at a new phone with flashy cameras and impressive facial recognition software. When it comes to the technologies businesses use, the stakes of using outdated systems are a bit higher than for the individual user. In fact, using outdated systems puts an organization’s cybersecurity at risk. We call software that was designed for an older platform (or is not internet enabled) a legacy application. These systems may still work as intended, but there are measures that need to be taken to ensure their continued security.  

Here’s What Your Business Can Do to Secure Your Legacy Applications:

What Are Legacy Applications, and Who Uses Them?

Most businesses have legacy applications in use for one reason or another. In certain industries, often healthcare, government, and manufacturing, technology is created to fulfill a certain function and doesn’t need to be updated. Think of an MRI machine— isolated, extremely expensive, and specialized technology (in both development and use) that does not require security patches or updates. This also tends to occur in local government offices—isolated databases and software are being used that haven’t received an update in years because, “If it ain’t broke, don’t fix it,” especially when “fixing it” requires expertise and money. Some industry-specific software may still work as intended, but if it was written on a platform that’s no longer receiving security patches, then the application’s security is at risk. 

In such cases, there wasn’t enough funding to update systems over time, or there wasn’t a security-first approach taken in the software’s development, and now it’s too expensive (or impossible if the organization does not own the source code for a third-party legacy application) to bring up to modern security standards. You may remember, for example, in 2018, the IRS experienced an issue with a legacy system that caused an outage for over 10 hours when people needed to use it the most-- on tax day. The deadline for filing taxes had to be extended as a result of the outage, and there was widespread criticism of the IRS's failure to update systems over the many decades of its existence.

The IRS is notorious for its use of antiquated technologies, but almost all businesses that are older than a few years old probably either interact with or utilize legacy applications themselves. This is often the case with applications needed for an organization’s day-to-day operations. “Always up” apps are difficult to update since they’re always in use. Updating or replacing these systems often involves extremely complicated (and therefore expensive) processes. And generally, the longer a system goes without updates, the harder and more expensive it will be to bring it to modern standards.  

What Makes Legacy Applications Vulnerable?  

When legacy applications run on outdated platforms, they’re running on platforms which no longer receive security patches. This means those applications are highly vulnerable to cyberattacks, which are proliferating in today’s technology landscape. Often, these systems do not comply with regulatory guidelines and security best-practices. Using unsecured legacy applications not only puts data at risk, but also risks unpleasant feedback on an audit from an insurance company or regulatory agency.

There's good news for companies still using legacy applications—they CAN be secured as effectively as any other modern application. It’s useful to think of all of this in physical terms, so consider an old car in a garage. Imagine an extremely valuable, rare vintage car. You want to keep and drive the car because it’s still quite useful, you enjoy it, and it isn’t being produced any more. Perhaps you’re concerned about the safety of the old car compared to your new car with advanced security technology (think electronic passwords to unlock the car, intelligent alarms and alerting systems, tracking, etc). To keep the old car safe, you might like to put it in a garage. While you can’t necessarily make the car itself more secure (though there may be options available to you here as well depending on your resources), you can make the garage secure with advanced technology. The same goes for legacy applications—while you may not be able to directly secure an app, you can build walls around it that makes it just as secure as any other application. 

Steps You Can Take to Secure Legacy Applications

There are many ways to build virtual walls around your legacy applications. Ultimately, the goal is to create a silo that allows the application to function, without increasing the vulnerability of your other digital assets. Here are our top recommendations:

1. Use multi-factor authentication and single-sign-on to authenticate user access to legacy apps. 
   
   
2. Limit network access to legacy applications. You can house them in a private network (VPN) or protect them via proxy settings. When you need to use the internet for the applications, use firewalls to restrict accessibility.   
   
   
3. Update legacy applications as much as feasibly possible. Even if the most advanced antivirus software available for the application is severely outdated, it will be better than an even more outdated version.
   
   
4. Once legacy applications are updated, decide how much of a workflow must be performed on the legacy application. Sometimes you can extract parts of a workflow (see microsegmentation below) and move them to a modern system more easily than you can migrate to a completely new application.
   
   
5. Microsegment components of the application if possible to limit access to other systems. Instead of using a centralized codebase, separate components of the applications that are deployed, updated, and run independently.  
   
   
6. Transition to the cloud. Most cloud providers utilize security best practices and offer software to move and protect data from on-premises servers to the cloud. Once legacy applications exist in the cloud, you can require modern security measures to access the applications. For example, Microsoft offers secure migration of on-premises apps and apps that use legacy authentication to Azure Active Directory (Azure AD). With Azure AD, you can modernize access to all apps, including those that support legacy authentication. Azure AD protects legacy apps with conditional access, identity protection, and multi-factor authentication. It also centralizes access to cloud and legacy apps with single sign-on. 
   
   
7. Consider an outsourced IT partner to assist with securing your legacy applications. Whether you need to install a VPN or migrate systems to a cloud service, a service provider like iCorps will offer the expertise needed to carry out your personalized security goals at a fraction of the cost of an in-house employee.  

If your business still uses legacy applications, you aren’t alone. We know securing access to legacy applications is a big challenge for many businesses, but it’s a challenge everyone will have to tackle sooner or later. We recommend sooner. Reach out to iCorps today for a free consultation!