
How to Secure Legacy Systems

Challenge: An Expanding Attack Surface

Cloud environments and the introduction of automation and Internet of Things (IoT) devices have greatly expanded the attack surface. “There are a lot of points of entry now,” said Raghurama Pantula, Director of Information Security for Karsun Solutions, a modernization company that applies innovative approaches to help achieve agency missions. “So, there’s a high residual risk.”

One of the most important goals of zero trust is to prevent the kind of credential compromises that attackers have been exploiting in ransomware and other attacks, by requiring continuous authentication and authorization of every identity, human and non-human, on the network. “If I were to put it in a single phrase, it’s trust upon verification,” Pantula said.

But legacy hardware and software, which abound in government agencies, can create a barrier to implementing zero trust. “Legacy applications never were focused on anything like zero trust, because that was not a philosophy that existed at that point of time,” he said.

A Government Accountability Office report issued in June 2021 noted that most of the federal government’s $100 billion fiscal year spending on IT went to maintaining and operating existing technology, including old, unsupported systems with known vulnerabilities.

Among the key challenges:

  • Centralizing identity and access control with application-aware policies
  • Unifying access controls into a single dashboard
  • Strengthening security through comprehensive endpoint posture and automated penetration testing
  • Reducing website exposure with intelligent Forcepoint technology
  • Achieving high performance at scale

The Solution: A Service Mesh Approach

A service mesh approach can enable agencies to incorporate legacy applications and systems into a zero trust architecture (ZTA) with minimal retrofitting.

In a containerized environment, such as one built on Kubernetes, a service mesh has two distinct components: a data plane and a control plane. Every instance of a service is paired with a proxy, which provides a dedicated, domain-agnostic infrastructure layer (an abstraction) for capabilities like observability, traffic management and security without adding them to the application code. The data plane is the collection of these proxies. Each proxy is deployed alongside its service instance and handles all calls to and from that service as it communicates with the other services in the system, including authentication and authorization, encryption and other functions.

The control plane manages the configuration of the data plane proxies. It provides an interface through which a human operator configures the behavior of the proxies, and it delivers that configuration to the proxies through another application programming interface (API).

Until recently, bringing a non-containerized legacy application into a mesh required a lift-and-shift approach, migrating the application to a virtual machine. Newer tools such as HashiCorp Consul now allow even these non-containerized applications to follow the same sidecar-proxy principle that is applied to containers.
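As an added example (not from the article and not HashiCorp's own documentation), here is how an unmodified legacy application running on a VM could be registered with the local Consul agent so that a sidecar proxy fronts it. The service names, ports and health-check path are assumptions:

```hcl
# legacy-billing.hcl - Consul service definition loaded by the agent on the VM.
# Constructed example: "legacy-billing", "records-api", the ports and the
# /health path are assumptions, not names taken from the article.
service {
  name = "legacy-billing"
  id   = "legacy-billing-1"

  # The untouched legacy app keeps listening on 8080. Configure it to bind to
  # 127.0.0.1 rather than 0.0.0.0, or callers can bypass the proxy entirely.
  port = 8080

  # The control plane only routes traffic to instances that pass this check.
  check {
    id       = "legacy-billing-http"
    http     = "http://127.0.0.1:8080/health"
    interval = "10s"
    timeout  = "2s"
  }

  # Ask Consul to manage an Envoy sidecar for this instance. Inbound calls
  # arrive on the sidecar's mTLS listener and are forwarded to 127.0.0.1:8080
  # only after the caller's certificate and the intentions have been checked.
  connect {
    sidecar_service {
      proxy {
        # Outbound: the legacy code calls 127.0.0.1:9000 as if records-api were
        # local; the sidecar opens the mutually authenticated tunnel for it.
        upstreams = [
          {
            destination_name = "records-api"
            local_bind_port  = 9000
          }
        ]
      }
    }
  }
}
```

Register it with `consul services register legacy-billing.hcl` and start the proxy with `consul connect envoy -sidecar-for legacy-billing-1`. The application code is unchanged: it still serves on 8080 and still dials a loopback port for its dependency. The one operational check that matters is that nothing but the sidecar can reach 8080, which means binding the app to loopback and, on the host firewall, exposing only the sidecar's listener; a mesh that can be walked around is not a zero trust control.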

A service mesh approach, by performing these tasks outside the existing applications, allows agencies to implement the principles of zero trust across the enterprise. It enables enterprise-managed accounts while ensuring that activity on the network is consistently tracked and assessed through regular logging, monitoring and auditing.

It also can help ensure that:

  • Network traffic between and within isolated agency systems is reliably encrypted
  • Enterprise applications are tested internally and externally, and can be made available to staff securely via the Internet
  • Federal security and data teams can work together to develop data categories and security rules to automatically detect and ultimately block unauthorized access to sensitive information
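In Consul terms, the encryption item above is the mutual TLS the sidecars establish by default, and the "block unauthorized access" item is an intention: a control-plane rule stating which service identities may reach a destination. As an added example (not from the article), this config entry allows exactly one caller and refuses every other service in the mesh; the service names are assumptions:

```hcl
# records-api-intentions.hcl - Consul "service-intentions" config entry.
# Constructed example: the service names are assumptions. Intentions are keyed
# by destination; each source is matched on the identity in the certificate
# its sidecar presents, not on an IP address or network location.
Kind = "service-intentions"
Name = "records-api"

Sources = [
  {
    # The legacy billing app's sidecar may open connections to records-api.
    Name   = "legacy-billing"
    Action = "allow"
  },
  {
    # Everything else in the mesh is refused at the destination's own proxy,
    # before a byte reaches the application. Exact names take precedence
    # over the wildcard, so the allow above still applies.
    Name   = "*"
    Action = "deny"
  }
]
```

Apply it with `consul config write records-api-intentions.hcl`, then verify the policy rather than assume it: `consul intention check legacy-billing records-api` should print `Allowed`, and the same command with any other source name should print `Denied`. Two caveats a practitioner would want: when no intention matches, Consul falls back to the agent's ACL default policy, so set `acl { default_policy = "deny" }` so that destinations without an entry are closed by default; and per-path rules (the `Permissions` form of an intention) only work for destinations whose protocol has been declared as `http` in a `service-defaults` entry, since an opaque TCP stream cannot be filtered by URL.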

Implementing a ZTA with a service mesh infrastructure can be aligned closely with CISA’s five pillars of zero-trust maturity:

Identity: Ensuring only validated access to networks.

Devices: Implementing compliance monitoring, access controls and asset management for all devices.

Networks: Maintaining network segmentation while allowing authorized communication between components.

Applications and Workloads: Conducting testing and vulnerability assessments of applications.

Data: Allowing agencies to inventory, categorize and label all data.

This article appears in our report “Getting Legacy Systems Up to Speed With Modern Security.” To learn more about how agencies are protecting their existing systems and applications that may not be made for a distributed, cloud-based environment, download the report.
