Legacy systems of all kinds pose significant cybersecurity risks. Here's how to mitigate them.

Dirk Schrader, Resident CISO (EMEA) & VP of Security Research, Netwrix

September 6, 2023

5 Min Read
The word "legacy" on round wooden tiles
Source: Dzmitry Dzemidovich via Alamy Stock Photo

Legacy systems are the bane of IT pros everywhere. "Legacy" generally is defined as outdated computer hardware and software that remains stubbornly in place because someone somewhere might still use it. IT pros dislike these legacy systems because it's a constant struggle to keep them running and to integrate them with newer technologies.

But productivity issues aren't the only trouble with legacy systems — they also pose a serious risk to cybersecurity. Moreover, in that space, we need to broaden our thinking beyond the definition of "legacy" suggested above. Indeed, there are three more areas to consider:

  • Legacy identities

  • Legacy data

  • Legacy processes

Let's explore each of these areas, revealing the specific issues of and offering strategies for mitigating the associated security risks.

Legacy Identities

Legacy identities are accounts that exist in an organization's identity store (such as Active Directory or Azure AD) despite no longer being needed. Common examples include user accounts for contractors or third-party suppliers who are no longer associated with the organization.

Security Risks

Legacy identities are a significant risk for the organization. Indeed, they are a preferred way for attackers to gain unauthorized access to sensitive systems and data. Adversaries seek to compromise legacy accounts because using those identities is less likely to raise alerts than creating new accounts. What's more, former employees whose accounts were not promptly removed can steal content to benefit their new employer or sabotage data or systems out of ill will or malice.

Legacy accounts for highly privileged users, including IT pros and executives, are particularly targeted because they provide access to valuable data and critical IT systems. The math is simple: The more privileged accounts you have, the larger your attack surface area.

Mitigation Strategies

The key step in mitigating the risks from legacy identities is to conduct regular reviews of the identity store and identify and remove inactive accounts that are no longer needed. Do not limit your attention to identities associated with individuals (i.e., user accounts) — legacy service accounts and computer accounts pose similar security risks.

Ideally, this effort should be part of a comprehensive identity and access management (IAM) strategy. One key IAM process is enabling data owners to regularly review and update access rights to their content, This is necessary to enforce the least-privilege principle as users change roles within the organization, projects are created and completed, the IT ecosystem evolves, and business needs shift. Other important elements in an IAM strategy that can reduce the risk from legacy identities include multifactor authentication (MFA) and privileged access management (PAM), especially a zero-standing privilege (ZSP) approach.

Legacy Data

Legacy data is any data an organization stores that is outdated or obsolete — that is, it has outlived its usefulness. However, keep in mind that it can be a complicated task to decide whether a certain data set should be regarded as legacy, especially in highly regulated sectors such as healthcare and finance. Even if a piece of data is no longer relevant or useful, regulations might require you to retain it for a certain period of time.

Security Risks

Legacy data can be a cybersecurity risk. For example, using a 6-month-old threat intelligence feed leaves the organization vulnerable to more recent threats, and old address data might result in confidential information being sent to the wrong recipient.

Additionally, legacy data may not be encrypted or protected by other access controls, making it more vulnerable to data breaches and theft. And if the legacy data is actually protected, the work involved might be diverting the organization's limited resources away from securing other sensitive data.

Mitigation Strategies

Organizations need a thorough understanding of what data they store, including the type of data, when and why it was collected or created, how often it is accessed, and when the last update happened. This information can help determine whether the information is accurate and still of value to the organization.

Of course, data is constantly being collected and created, and the relevance of a particular dataset depends on the organization's evolving needs. Accordingly, organizations should conduct regular reviews of their data to identify areas that need improvement and prioritize the updating of high-value datasets.

Legacy Processes

Processes and procedures that are not kept up to date through regular review and practice should be deemed as legacy. Legacy processes are often a result of a lack of resources, time, diligence, or expertise.

Security Risks

Legacy processes are a security risk because they may fail to address threats and other issues that have arisen since the process was implemented. For example, running a vulnerability scan once a quarter might have been appropriate years ago when that process was created, but it is sorely inadequate in today's rapidly evolving threat landscape. Similarly, legacy processes can hamper an organization's ability to respond quickly to cybersecurity incidents — even a well-crafted incident response plan is not of much value if it has simply been stored away in a file instead of being regularly rehearsed and revised as your IT environment, business priorities, organizational structure, and other realities change over time.

Mitigation Strategies

To mitigate these security risks, organizations should regularly conduct a comprehensive review of their processes to identify legacy processes, analyze their weaknesses, and involve all stakeholders in determining how best to modernize or replace them. (Yes, that is a process in itself to maintain!)

In addition, modernizing legacy processes can deliver significant cost savings. Legacy processes can be both time-consuming and labor-intensive, and updating them can streamline operations and improve productivity. 

Conclusion

Legacy systems of all kinds pose significant cybersecurity risks. To mitigate those risks, start by identifying the legacy identities, data, and processes in your IT ecosystem, and repeat this inventory process on a regular schedule. Update, remove, or replace legacy systems whenever possible, and take steps to minimize the risk posed by any legacy systems you need to retain.

About the Author(s)

Dirk Schrader

Resident CISO (EMEA) & VP of Security Research, Netwrix

Dirk Schrader is Resident CISO (EMEA) and VP of Security Research at Netwrix. A 25-year veteran in IT security with certifications as CISSP (ISC2) and CISM (ISACA), he works to advance cyber resilience as a modern approach to tackling cyber threats. As the VP of Security Research, Dirk is working on focused research for specific industries like healthcare, energy, and finance. As the Field CISO EMEA he "speaks the language" of Netwrix's customers and prospects to facilitate a fit for purpose solution delivery.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights