As organisations embrace the zero trust security model, legacy tech has created some roadblocks. In fact, replacing or rebuilding existing legacy infrastructures is the biggest challenge to implementing zero trust, according to a recent study.
General Dynamics’ 2022 Zero Trust Research Report surveyed 300 IT and program managers across federal, civilian, and defence agencies, which are mandated to adopt a zero trust model under a 2021 presidential executive order in the US.
Of note to the rest of the world, the survey found that 58 per cent of them listed the legacy tech challenge ahead of determining what set of technologies are needed (50 per cent), lack of IT staff expertise (48 per cent), and cost (46 per cent).
It’s not just government IT facing such challenges. Cyber security leaders surveyed for the report Zero Trust Strategies for 2022 from cyber security software and services company Optiv likewise cited legacy tech as a challenge to their zero trust roadmaps.
Some 44 per cent of the 150 respondents, who spanned various industries, cited too many legacy technologies that do not support zero trust as a major obstacle. It was the No. 2 factor impeding the zero trust evolutions within their organisations. First was “too many internal silos/stakeholders for different components of zero trust,” cited by 47 per cent.
Imran Umar understands the challenges that legacy tech presents when adopting a modern security framework.
“Legacy technologies in general tend to be very static in nature and not designed to handle the dynamic rule sets necessary to enforce policy decisions,” says Umar, who is a senior cyber solution architect with the professional services firm Booz Allen Hamilton and is spearheading zero trust initiatives across the firm in support of the US Defense Department, federal civilian agencies, and the intelligence community.
As such, legacy tech is complicating many organisations’ plans for implementing and maturing zero trust practices even as interest in the security approach soars.
Some 97 per cent of the organisations surveyed for The State of Zero Trust Security 2022 report from identity and access management software maker Okta said they either have a zero trust initiative in place or would have one in place in the coming 12 to 18 months. That’s up from just 16 per cent four years ago.
The zero trust approach to enterprise cybersecurity eliminates the notion of implicit trust. In theory, that means the organisation shouldn’t trust any user, device, or connection until it verifies itself as trustworthy.
Zero trust holds that all users, devices and software systems must establish trust through various mechanisms before connecting to the enterprise IT environment. It also calls for all users, devices and software systems to re-establish that trust as they seek to access other networks and systems, as well as enterprise data, after gaining initial entry into the enterprise IT environment.
That’s in theory; all those principles are hard to implement in day-to-day practice. That brings us back to legacy tech, which can be a barrier to implementing a zero trust practice within an enterprise because the technology itself doesn’t readily support or work well with the practices and technologies needed to verify authorised access and restrict unauthorised access.
“Zero trust is the way organisations need to move, but it’s not a simple prospect,” says Tony Velleca, CISO of UST, a digital transformation solutions company.
Legacy constraints on zero trust stem from perimeter defence
Zero trust is replacing an older security model that relied on perimeter defences. That defence strategy, as veteran CISOs know, basically builds a wall around the enterprise IT environment to shut out the exterior world while enabling extensive and in some cases nearly unlimited access to anyone within the wall.
However, the enterprise tech perimeter has been deteriorating in recent decades, due to a confluence of factors from cloud computing to work-from-anywhere requirements. That deterioration has rendered perimeter defence obsolete.
So instead of trying to lock down the castle, the zero trust approach seeks to ensure only authorised access at the right time to only the needed systems and data.
“So, as you move more of your systems from inside your own network to outside, the ability to validate becomes one of the most important components of your security,” Velleca says, adding that “the whole idea of zero trust is that you’re trying to take a much more granular approach to users, devices, and connections.”
Zero trust does this by addressing security across multiple “pillars” (identity, device, network, application workload, and data) and using policies and technologies to enable or restrict access. Key tools to support and enable zero trust include identity and access management (IAM) software, user and entity behaviour analytics (UEBA), and micro-segmentation.
Proponents of zero trust — who are many — say this approach supports authorised access but at the same time has the best chance of stopping hackers from getting in or, if they do get in, from moving around the enterprise IT environment.
“There’s a massive desire from all organisations at this point to move to zero trust architecture, the reason being is it resists lateral movement,” says Christine C. Owen, a director in the cybersecurity practice at management consultancy Guidehouse.
But here’s the issue with bringing zero trust to a legacy environment: That tech, much of which was developed and implemented in the era of perimeter defence, doesn’t always have the constructs to work easily — or even at all — with this modern security approach.
Umar points, as an example, to legacy networking equipment that’s heavily reliant on static Layer 4 access control rules to allow or deny access to a resource.
That structure, though, contrasts with a modern zero trust architecture where access decisions are based on dynamic rule sets such as user access location, device compliance, and user identity. He also notes that legacy technologies have limited support for conditional access, a key enabler of zero trust.
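The contrast described above, as an added example that is not code from the article or from any vendor: a static Layer 4 rule and a conditional access check evaluate the same constructed requests, and an enforcement point placed in front of the legacy service requires both to allow. All addresses, user names and policy values are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    # Constructed fields; identity, posture and location are assumed inputs.
    src_ip: str
    dst_port: int
    protocol: str
    user: str = ""
    device_compliant: bool = False
    country: str = ""

# Legacy style: static Layer 4 rules (source network, protocol, port, action).
L4_RULES = [("10.20.0.0/16", "tcp", 1433, "allow")]

def l4_decision(req):
    """First matching rule wins, default deny. Only packet headers are seen."""
    addr = ipaddress.ip_address(req.src_ip)
    for net, proto, port, action in L4_RULES:
        if addr in ipaddress.ip_network(net) and proto == req.protocol and port == req.dst_port:
            return action
    return "deny"

# Zero trust style: per-request decision on identity, device and location.
POLICY = {"allowed_users": {"dba-alice"}, "allowed_countries": {"US"}}

def conditional_access_decision(req):
    """Return (decision, reasons); every signal must pass on every request."""
    reasons = []
    if req.user not in POLICY["allowed_users"]:
        reasons.append("user not authorised for this resource")
    if not req.device_compliant:
        reasons.append("device not compliant")
    if req.country not in POLICY["allowed_countries"]:
        reasons.append("access location not permitted")
    return ("deny" if reasons else "allow", reasons)

def enforce(req):
    """Enforcement point in front of a legacy service: both layers must allow."""
    if l4_decision(req) != "allow":
        return ("deny", ["blocked by Layer 4 rule"])
    return conditional_access_decision(req)

# Constructed requests: same source address and port, different device posture.
MANAGED = Request("10.20.5.9", 1433, "tcp", "dba-alice", True, "US")
UNMANAGED = Request("10.20.5.9", 1433, "tcp", "dba-alice", False, "US")
```

The Layer 4 rule allows both constructed requests because their headers are identical; only the conditional check separates the compliant device from the non-compliant one.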
Meanwhile, many organisations struggle to identify and classify the data held within their legacy systems so they can add appropriate access controls around the various classification levels, experts say.
“Those systems can be a black box,” observes Ashish Rajan, an enterprise security leader, host of the Cloud Security Podcast, and a trainer with the certification and training organisation SANS. That in turn makes key zero trust components such as micro-segmentation and contextualised access to those systems tricky.
Further complicating the scenario are the performance or user experience issues that arise when organisations try to add zero trust to their legacy tech, Owen says.
“I have found that zero trust can cause friction, and at that point the organisation has to decide if it’s OK to add that friction,” she says. “And once you stand up a new zero trust architecture, you’re going to find that things break.”
All these issues also make it challenging for organisations to know where and how to start, says Torsten Staab, chief innovation officer for Raytheon Intelligence & Space’s Cyber, Intelligence and Services business unit.
Still, he cautions enterprise security leaders against letting such challenges delay their zero trust journeys. “There are constraints, but there are also opportunities to deploy zero trust even in those legacy environments.”
Take a phased zero trust approach to manage legacy tech hurdles
Other experts echo Staab’s comments, saying legacy technology does not and should not prevent organisations from implementing or advancing their zero trust security model. In fact, they stress that a big selling point of zero trust is its multi-pillared, multilayered foundation.
In other words, it’s not an all-or-nothing approach. “There are things that can be done. Adopting what pieces you can of zero trust to legacy systems makes sense. It will help reduce your risk,” he says.
The key, experts say, is identifying which zero trust components can be added and, more specifically, which ones can be most easily added and then starting with those.
“The general approach with zero trust, whether you’re dealing with legacy or not, is a phased approach,” Staab notes. “With zero trust security, it’s all about multiple levels; it’s not just looking at one. So start with one and then roll out more capabilities.”
He notes, for example, that security teams can often add multi-factor authentication (MFA) to legacy systems without complications. “For many organisations, that’s not a hard lift,” he says.
Experts say organisations can reengineer legacy systems, breaking them up to isolate pieces from each other and create a micro-segmented architecture; add more discovery capabilities to create visibility into assets and activity and then layer in analytics and UEBA; and drop access controls in front of older applications.
“As an organisation moves toward zero trust, they must begin by conducting a zero trust maturity assessment of their current environment, baselining their current capabilities, and then developing a target state architecture and a roadmap to achieve it,” adds Umar. “This journey to zero trust also requires a plan to integrate legacy technologies into the zero trust architecture.
“For example, legacy technologies have limited support for conditional access, a key enabler of zero trust. Hence, organisations need to augment them with newer technology to account for these limitations.”
There are, of course, costs to doing all this work. Securing funding is one more obstacle CISOs face when moving to zero trust.
Security experts say that CISOs along with their executive colleagues have to decide where in their legacy environments they face the greatest risks, how much the move to zero trust will cost and then determine whether the returns from reduced risk will exceed the investments.
In this regard, they say, zero trust decisions aren’t really different from those made by CISOs on other security strategy points. Sometimes analysis will show that the benefits of implementing zero trust will exceed the cost; other times it won’t.
“That’s why you have to be very intentional,” Staab says. “You don’t have to do it all at once; no one expects you to be fully compliant in all areas. But the traditional approach — perimeter-based security — is not working, and that should lead you to zero trust security.
“And there are things that can be done, things you can do with your existing infrastructure to move toward zero trust. It’s doable, but you have to have a willingness.”