There is an old story told about boat ownership. The best two days in a boat owner’s life are the day they buy their new boat… and the day they sell it.
There is a good argument to be made of a direct corollary with IT systems.
Organizations invest significant resources when planning and deploying new systems. They ensure these meet operational objectives, are secure, conform to all relevant compliance requirements meet cost guidelines, and much more. What happens after is typically relegated to “operations” and that wraps up the formal cycle of deployment?
Should it really end there?
One of the biggest functions operations perform is maintaining and updating a system during its operational life or for as long as updates remain available. But what happens when a system is still in use after updates are no longer available or a system is no longer supported? Most organizations assume that as systems become older or unsupported, new systems are automatically deployed to replace them. But that isn’t real life.
IT systems build connections to capabilities and data provided by other IT systems. Reusing assets is the natural state of IT, but it causes issues as well. Over time a complex web of interdependencies arises, and simply turning off a system because it is not current is a difficult proposition and often not even a possibility without a lot of heavy lifting.
As a result, many systems are left operating because of various reasonable business and IT process justifications, and over time silently drift further and further away from being current. This creates a growing risk of exposure to cyber attacks.
Few organizations actively manage these “undead systems” – systems that for all reasonable intents and purposes should not be active, but find a way to remain so.
Then there is the simple fact that these systems are typically not routinely top of mind within IT or Security. Limited bandwidth and resources are primarily focused on the ongoing and urgent needs of the most visible, active and in demand systems. Once a system drops off this list, it is often relegated to a “best effort” support approach, which makes it the perfect target for attackers.
Instead, “undead systems” should be closely monitored as part of a special category of systems that require additional attention, not less, than systems that continue to be supported as part of regular operations functions.
Could We Migrate Now?
The top priority for this category of systems should be to perform a regular review to assess the possibility of migrating the capabilities and data to a current platform.
Perhaps when the system initially went out of date there were no reasonable or viable alternatives, or another project had higher priority, or the costs were too great. However, as technologies and capabilities evolve, so do options to transition to supported platforms. An approach that was too costly five years ago may not be today.
One factor many organizations neglect to consider is the ongoing costs and impacts to the organization for providing the additional layer of security that protects these systems from current threats. Often the cost to create this additional security infrastructure and the added complexities to manage and operate it over years can offset the migration costs.
Additional security infrastructures also limit the types of interactions these systems can have with other assets. Broadening this interaction could provide new business value if supported and could be the justification to perform the migration.
Organizations should also factor the impact of a fully depreciated asset with ongoing support costs to the organization – this is where working with the finance team can potentially yield accounting methods that could be a pathway to help green-light a migration.
What are the Current Cyber Drift Risks?
If a system simply cannot be migrated at this time, regular security assessments need to be performed to understand the current threat landscape against the system. Findings from the assessment are used to create a framework of comprehensive compensating controls that will adequately protect these systems from risks.
Often, assessments are performed once when the system is first transitioned and never repeated. What was true of the security threat landscape to a system three years ago is certainly not applicable now. Organizations need to formalize and prioritize these assessments on an ongoing basis.
One way to do this is to follow a traditional approach doing periodic threat assessments. While these are good, they only offer a snapshot point-in-time view, are valid only on the day they were performed, and only include what was determined to be applicable for the assessment. This can bring a false sense of security and can lead to unforeseen exposures as threats evolve between assessments.
A more valuable and sustainable approach is to use an intelligence-led approach to dynamically assess systems as threats evolve. This disciplined approach leverages threat intelligence findings against system configurations to identify matches that can then be prioritized and addressed. This approach also provides the added benefit of creating a universally applicable framework that brings into view all systems – active and retired-but-active – within the environment and can also include the security tools and compensating controls that were put in place to protect the total environment. This approach ensures no stone is left unturned for a bad actor to hide under.
There are many legitimate-at-the-time reasons for continuing to use unsupported systems; however, organizations should not assume these reasons remain valid in perpetuity.