Many large enterprises still run critical applications on legacy Linux and Unix platforms. Much like the fabled Energizer Bunny, these old computing OSes keep going and going and going. Some of these are not even in production any more.
Upgrading these systems is no simple matter, partly because the organizations using them cannot simply turn off servers containing customer or financial data. Still, ever-increasing regulatory agency edicts to safeguard customer data often require some level of retrofitting to remain compliant.
The down economy adds one more layer of challenge to working with legacy computing systems. Companies have to weigh their needs to update these Linux/Unix environments with the harsh realities of budgetary cutbacks.
Pity the poor IT manager with a computer farm of OS/2, SCO Unix, Novell NetWare, Windows NT 3.5, and Xenix. Many of these legacy platforms are still used in production environments. More likely than not, they are unpatched and ripe for intrusion.
“We still have a lot of customers fully dedicated to keeping Unix and Linux fully around for as long as they can foresee. It becomes an incredible mess to manage,” Jeff Nielsen, director of development at Symark, told LinuxInsider.
Symark is one of numerous software developers that specialize in products addressing the legacy system issue. The company makes identity and access management solutions for heterogeneous environments, specializing in managing privileged access. Businesses running a wide array of early platforms rely on such vendors to keep them going.
“We often get requests from potential customers for product demos to work with very old systems like NCR machines. These requests come from banking and insurance firms, health care and credit unions,” Ellen Libenson, vice president of product management at Symark, told LinuxInsider.
Helping legacy customers meet compliance mandated by regulatory agencies involves hanging a lot of stuff on the older platforms. Often, convenience trumps compliance for all things beyond the PCI (Payment Card Industry) regulations, according to Libenson.
For instance, if you are a hotel using NCR, you probably are not going to get off that system. So you have to have some kind of access control for that operating system, she explained.
Maintaining legacy platforms is a growing problem. Typically, old systems do not get unplugged when they retire. In many corporate cultures, the concept of rip and replace does not exist.
“First, organizations almost never sunset their systems. They just make them available as Internet-facing services. Over time, an organization goes from a single legacy platform to many disparate interoperating legacy platforms. Second, security expertise and tooling focuses on newer languages, not older ones,” John Steven, senior director, Advanced Technology Consulting for Cigital, told LinuxInsider.
Aging systems make the problem worse. So Cigital pioneered a process it calls “static analysis” to build a consistent process for reviewing and uncovering vulnerabilities in legacy software. As static analysis and penetration testing tools evolve, they look forward from Java and .NET to Ajax, Flash, and similar, not back to COBOL, SCADA, or MUMPS, explained Steven.
The problem is growing, not shrinking. As a result, organizations have to address it manually, without much help in terms of tools and automation, he said.
A common mindset among customers is that as long as the legacy setup is running reliably, they see no need to modernize it, noted Nielsen. A poster child of that standpoint is the air traffic control system.
That industry is still running the equipment they set up in the 1960s and 1970s. While they have made several efforts to move forward, it’s a very difficult thing to do, he explained, noting many of Symark’s customers are in the same situation.
Some companies still using legacy hardware and software run financial systems worldwide around the clock. Upgrading the hardware would be a very costly and time-consuming effort, and it would mean a huge disruption factor.
“The cost of the hardware upgrade is inconsequential. The big cost is the business interruption. We have some customers using their existing systems reliably,” he said.
Tackling the upgrade process is often more of a business hassle than managers deem necessary. For instance, IT first has to undergo a test effort and then achieve company-wide acceptance. To complete the deployment, the company has to schedule a business outage to put the new hardware in place.
Accumulating a collection of legacy platforms is often the result of growing the business itself. For instance, large organizations with numerous acquisitions and mergers are faced with a Unix farm that has all different types of operating systems rather than a homogeneous situation.
The older the Unix system is, the less secure it is. Unix itself was not designed for the level of security needed today, Libenson said, noting that Unix and Linux are not going away soon.
“The Linux kernel is starting to get stronger now, so you might start to see people migrate to it around 2011. In a lot of cases, Unix still has a slight edge over Linux for processing power. But that gap has really closed tremendously. And Linux machines are less costly,” she said.
Legacy vs. Efficiency
One IT manager’s troublesome legacy system may be another IT manager’s proven workhorse. Often multiple systems live alongside each other and barely get along.
For instance, HP may make its operating system stronger. But that won’t help a company that also has a Sun system. So what is needed is a product that runs on all of those different types of platforms, Libenson explained.
Each type of operating system is good at a different kind of task, noted Nielsen. For example, Windows is predominant on the desktop. Some Linux is used there, but rarely do you find Unix in that role.
“What Linux and Unix are used for is heavy-lifting tasks like running databases and application and Web servers, all that kind of plotting you find running at data centers. Unix and Linux still rule there,” he said.
Out-of-date but still-functioning systems become embedded into an organization’s hardware culture. Rather than seeing security regulations force out legacy setups, a cottage industry of sorts is sprouting up around them.
“Regulation-wise, HIPAA and SOX have driven organizations to inventory sensitive data stored in or processed by legacy systems. SOX has led organizations to buy and integrate or roll their own fine-grained entitlement systems to support better authorization and auditing,” Steven said.
Most organizations still rely on their legacy systems to do the lion’s share of their transaction work, he explained, because it is simply too expensive and slow to move that functionality to modern platforms. The lifeblood of most businesses still goes through legacy systems.
“In the end, Web services and three-tier systems often just inter-connect or act as window-dressing on these core transactional systems,” he concluded.
Banks are particularly prone to suffering from the crippling effects of legacy systems. It is not uncommon to see hardware platforms ranging from seven to nine years old. Software systems are simply not able to scale to accommodate escalating data volumes from today’s tumultuous markets.
With diminished IT budgets, “rip and replace” is no longer an option. New technologies that can scale and easily integrate with existing legacy systems are the answer. One company providing another option is Axis Technology, an enterprise security firm that specializes in a process called “data masking.”
“Through data masking, many of our clients are saving a lot of money and at the same time are securing very sensitive data in legacy platforms while adhering to strict compliance standards,” Mike Logan, president of Axis Technology, told LinuxInsider.
In short, Axis secures development and quality assurance environments by removing confidential data and replacing it with usable, fictitious data. This applies to both production and non-production environments, he explained.
This results in all data being absolutely protected with a method that is more effective than encryption, according to the company. This method also targets companies with legacy systems that are trying to deploy cloud computing or virtualized environments, two areas that leave data most vulnerable, he said.
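The masking approach described above, as an added example that is not Axis Technology’s code: a masking job that replaces confidential columns with fictitious but usable values before a copy goes to development or QA. The key, the sample rows, the column rules and the fictitious name lists are all constructed for this illustration; masking is deterministic so the SSN still joins the two tables, and card numbers keep a valid Luhn check digit so application validators accept them.

```python
import hashlib
import hmac

# Constructed secret for the masking job; it must never ship with the masked copy.
MASK_KEY = b"constructed-masking-key-do-not-reuse"

# Constructed production-like rows: two tables linked by the SSN column.
CUSTOMERS = [{"id": 1, "name": "Jane Doe", "ssn": "123-45-6789", "card": "4111111111111111"}]
PAYMENTS = [{"txn": 501, "ssn": "123-45-6789", "amount": 42.50}]

def _digits(value: str, n: int, label: str) -> str:
    """n pseudo-random digits from a keyed hash; the same input always gives the same output."""
    mac = hmac.new(MASK_KEY, f"{label}:{value}".encode(), hashlib.sha256).digest()
    return "".join(str(b % 10) for b in mac)[:n]

def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit pass the Luhn test used by card validators."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)

def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and luhn_check_digit(pan[:-1]) == pan[-1]

def mask_card(pan: str) -> str:
    """Keep the 6-digit issuer prefix, replace the account digits, recompute the check digit."""
    body = pan[:6] + _digits(pan, len(pan) - 7, "pan")
    return body + luhn_check_digit(body)

def mask_ssn(ssn: str) -> str:
    d = _digits(ssn, 9, "ssn")
    return f"{d[:3]}-{d[3:5]}-{d[5:]}"

def mask_name(name: str) -> str:
    """Pick a fictitious name from a constructed list, chosen deterministically per real name."""
    first = ("Alex", "Sam", "Jordan", "Casey"); last = ("Rivera", "Okafor", "Lindqvist", "Tanaka")
    h = hmac.new(MASK_KEY, name.encode(), hashlib.sha256).digest()
    return f"{first[h[0] % 4]} {last[h[1] % 4]}"

RULES = {"ssn": mask_ssn, "card": mask_card, "name": mask_name}  # other columns pass through

def mask_table(rows, rules=RULES):
    """Apply the per-column rules to every row; columns without a rule are copied unchanged."""
    return [{col: rules.get(col, lambda v: v)(val) for col, val in row.items()} for row in rows]

if __name__ == "__main__":
    for row in mask_table(CUSTOMERS) + mask_table(PAYMENTS):
        print(row)
```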
Symark takes a different approach to securing legacy computing platforms: controlling who can access what, and when. It is a cure for the root-access woes often endemic to Unix and Linux.
Symark’s PowerBroker solves two problems, according to Nielsen. First, it can restrict what somebody is doing while logged in as root. For example, clearing all the printer queues of all the user print jobs in Unix requires root. But that gives whoever is doing this task access to everything. Second, if a problem develops after something is done, PowerBroker lets the IT manager play back everything.
PowerBroker allows administrative tasks such as managing system programs, performing backups and adding new users to be delegated to individuals or groups at a granular level. Its Entitlement Reporting feature enables reporting on the commands that users are authorized to perform on specific systems. Another feature, Access Control Lists, lets system administrators specify the most commonly used access control mechanisms for users.
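The delegation model described in the two paragraphs above, as an added example that is not Symark’s PowerBroker code: a small policy engine that grants a user one root-privileged command on named hosts (the print-queue case from the text), refuses anything else, records every decision for later review, and produces the kind of per-user entitlement report the text mentions. The policy rules, host names, users and timestamps are constructed for the illustration.

```python
import fnmatch
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Rule:
    principals: frozenset   # user names, or "%group" for a Unix group
    hosts: tuple            # host-name globs the rule applies to
    command: str            # the one program that may run with root privilege
    arg_globs: tuple = ()   # every supplied argument must match one of these
    hours: tuple = (0, 24)  # permitted local hours, [start, end)

# Constructed policy. Rule 1 is the article's case: clearing print queues needs
# root, but the operator gets lprm with constrained arguments, not a root shell.
POLICY = (
    Rule(frozenset({"%printops"}), ("print-*", "legacy-unix-01"),
         "/usr/sbin/lprm", ("-P", "lp*", "-")),
    Rule(frozenset({"%backup"}), ("*",),
         "/usr/local/sbin/run-backup", ("--full", "--incremental"), (22, 24)),
)

AUDIT_LOG = []  # in-memory stand-in for the recorded session an IT manager can play back

def _matches(rule, principals, host, argv, when):
    # fnmatchcase keeps matching case-sensitive regardless of platform.
    return (bool(principals & rule.principals)
            and any(fnmatch.fnmatchcase(host, h) for h in rule.hosts)
            and argv[0] == rule.command
            and all(any(fnmatch.fnmatchcase(a, g) for g in rule.arg_globs) for a in argv[1:])
            and rule.hours[0] <= when.hour < rule.hours[1])

def authorize(user, groups, host, argv, when):
    """Decide whether argv may run as root for this user, and record the decision."""
    principals = {user} | {f"%{g}" for g in groups}
    allowed = any(_matches(r, principals, host, argv, when) for r in POLICY)
    AUDIT_LOG.append({"time": when.isoformat(), "user": user, "host": host,
                      "argv": list(argv), "allowed": allowed})
    return allowed

def entitlement_report(user, groups):
    """(command, host pattern) pairs this user is authorized for: the reporting feature in the text."""
    principals = {user} | {f"%{g}" for g in groups}
    return sorted((r.command, h) for r in POLICY if principals & r.principals for h in r.hosts)

def demo():
    """Constructed requests; returns the decisions so they can be checked."""
    day, night = datetime(2009, 3, 2, 14, 0), datetime(2009, 3, 2, 23, 0)
    return (
        authorize("pat", ["printops"], "print-02", ["/usr/sbin/lprm", "-P", "lp1", "-"], day),
        authorize("pat", ["printops"], "print-02", ["/bin/sh"], day),           # no root shell
        authorize("pat", ["printops"], "db-01", ["/usr/sbin/lprm", "-"], day),  # wrong host
        authorize("kim", ["backup"], "legacy-unix-01", ["/usr/local/sbin/run-backup", "--full"], night),
        authorize("kim", ["backup"], "legacy-unix-01", ["/usr/local/sbin/run-backup", "--full"], day),
    )
```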
Cigital offers holistic solutions for securing legacy application and system architectures. For instance, it does not matter whether a vulnerability exists in a brand-new Adobe Flash app, on the mainframe, or in how the systems were pieced together if your organization cannot conduct its business because of an exploit, according to Steven.
“We look for risk across those apps and systems. We help organizations understand what software and systems run their business and classify the software-induced business risk of that portfolio,” he explained.
Also, Cigital helps legacy platform users model the threat their applications pose, uncovering critical flaws in their architecture. This might include circumstances in which an organization opens a legacy system never intended to see the light of day on their Enterprise Service Bus, making its transactions available to business partners, he said.
The solution blends expertise-driven manual processes and custom tools Cigital built in-house to uncover vulnerabilities in the implementation of legacy systems, just as it would be done in securing more modern equivalents.