Lifting and shifting legacy applications is a cyber-security essential

By Mat Clothier, CEO at Cloudhouse.

  • 4 years ago Posted in

The WannaCry attack of 2017 exposed just how vulnerable large organisations are when they run applications on unsupported operating systems that remain unpatched. The WannaCry ransomware crypto-worm exploited unpatched Windows operating systems to infect 230,000 computers around the globe, causing major disruption to the National Health Service (NHS) in the UK. The impact on day-to-day healthcare operations in the UK was enormous.


This type of attack can hit any organisation running legacy operating systems such as Windows XP. Last year, Microsoft released fixes for a vulnerability in Remote Desktop Services, which could have allowed “wormable” malware to spread between machines without user intervention just like WannaCry. The severity of the challenge compelled Microsoft to implement special fixes for Windows XP and Server 2003.

The recommended move for enterprises and large organisations is to transfer their applications from these old operating systems onto either Windows 10 or into the cloud, as part of a digital transformation strategy. In practice, however, it’s not that easy. Most enterprises have critical applications built to perform specific business functions such as tax or accounting. They function perfectly well but their dependence on unsupported operating systems means they remain a major cause of security vulnerability for even the most digitally ambitious organisation.

The vulnerabilities caused by legacy applications

Very often developed more than a decade ago, these applications were built to run on operating systems or through unsupported browsers such as Windows Server 2003, Windows XP or Internet Explorer 7. The result inevitably, is that organisations are open to ransomware, malware, DDE attacks and many other threats. The problem is about has become even more severe. While security patching for Windows XP and Windows 2003 stopped some years ago, Windows 7 and Windows Server 2008 R2 moved out of support on January 14. Bear in mind that about three-quarters of computers in the US are still running Windows 7, while in the UK, IDC reports that Windows 7 still has a percentage market share in mid-30s. Understand that, and the scale of the issue becomes evident. Other estimates place Windows Server at approximately 70 per cent of server OS installations with about 40 per cent of those on Server 2008/2008 R2.

Many large enterprises still prefer Windows 7 because they have concerns that complex legacy applications will be disrupted by migrating to Windows 10 or the cloud, regardless of the provider.

And their fears are largely justified. Incompatibility between locally installed browser releases, application libraries and operating systems remains a severe problem. Applications built for legacy systems frequently fail to function on Windows 10 or in the cloud on Windows Server 16 or 19. Legacy applications moved on to Windows 10 are often impaired by its regular security updates.

Approaches that are no real solution

Hitherto the problem has seemed intractable. Despite paying increasingly high fees to Microsoft for extended support, the service does not include patching and security updates. Microsoft has, for example, been ready to sell paid Windows 7 Extended Security Updates (ESUs) on a per-device basis to enterprise users with volume-licensing agreements. Yet this is costly, with the price increasing each year to January 2023 – a tough sell-in for any IT department to take to their CFO.

The alternative has historically been to shoulder the great cost of recoding and refactoring. But this can be time-consuming, often requires access to considerable expertise and is very expensive.

For cloud migration, virtualisation and layering solutions have also proved to be inadequate, producing applications that at best only fulfil a narrow range of their original functions. While virtualisation simplifies deployment and addresses some application-to-application conflicts, it fails to resolve compatibility problems between the application and the cloud-provider’s platform.

Application compatibility packaging keeps applications secure and evergreen

The solution to these difficulties lies in application compatibility packaging. This fast-advancing technology lifts and shifts the application and its underlying environment to the new system, allowing the application to fully function without recoding or refactoring. Applications do not conflict with other applications on the desktop or server.

Deploying applications on to new operating systems almost always requires repackaging and retesting the application, which can take teams hours or days. However, compatibility packaging technology means applications only need to be packaged once, with the redirection and isolation engine ensuring applications can be deployed to the latest, supported Windows platforms, no matter whether they are running on-premises or in the cloud. The technology abstracts the application from the underlying operating system, also preparing it for Windows-as-a-Service.

By enabling applications to run on modern, secure and supported platforms that receive regular security patches, administrators improve the security within their organisation while migrating applications dependent on less secure platforms.  

Application compatibility packaging offers a solution that future-proofs applications and workloads, excluding viruses from containers from the outset, while retaining the organisation’s anti-virus and firewall protection. It also requires the least possible local administrator privileges, thereby reducing risk and adhering to security best practice. In simple terms it means the underlying environment can be kept up-to-date without impacting the application - delivering true evergreen IT. 

As organisations seek to complete their digital transformation strategies, legacy applications become a real problem. They threaten to act as a drag on progress, leaving enterprises vulnerable to the proliferating threats that exploit well-known vulnerabilities in unsupported operating systems. Application compatibility packaging technology will resolve all these difficulties, leaving organisations secure into the future.

 

-End-

 

By Barry O'Donnelll, Chief Operating Officer at TSG.
By Dr. Sven Krasser, Senior Vice President and Chief Scientist, CrowdStrike.
By Gareth Beanland, Infinidat.
By Nick Heudecker, Senior Director at Cribl.
By Stuart Green, Cloud Security Architect at Check Point Software Technologies.
The cloud is the backbone of digital cybersecurity. By Walter Heck, CTO HeleCloud
By Damien Brophy, Vice President EMEA at ThoughtSpot.