Legacy tech could undermine 'zero trust' push

State and local governments may be determined to implement so-called zero trust cybersecurity strategies, but legacy technology and infrastructure could present a major obstacle.

Zero trust is a security framework based on the principle of never trust, always verify. It is designed to protect users, applications, infrastructure and data, whether systems reside in an agency data center, in the cloud or in a hybrid environment. 

Many government agencies still use legacy systems to manage complex, critical business functions like benefits programs, and mission-critical business functions and processes. But because these systems were developed before cybersecurity was a major concern, they lack features that can make them more secure. 

It all adds up to a big headache for state and local governments that must balance their need to defend themselves against evolving threats with managing legacy assets that cannot easily be upgraded or migrated to the cloud.

One way agencies try to protect their legacy systems against modern threats is by adding features to address specific vulnerabilities, but that approach has drawbacks. 

“Government is always good at fighting the last war,” said Matt Keller, vice president of federal services at cybersecurity company GuidePoint Security. “We always go in and look at what has happened in the past, and then build requirements to fight that last war.”

The biggest challenges state governments face when it comes to securing legacy technology is a lack of documentation about how any of the infrastructure works or how the applications can be tweaked. Chris Montgomery, a government and cybersecurity industry strategist at cloud computing company VMware, said it can be a “daunting task” to figure out how code has been embedded.

“You pull the wrong thread,” and everything could crumble, he said. “The coding is not nimble, there's embedded code, and often we've seen passwords put into code.” 

Upgrading from legacy technology to a zero-trust future is also affected by procurement policies. Keller said that staying on a legacy system can become “a contractual issue more than anything.” Those contracts are often long, and vendors are unable to “morph or change their product as quickly to migrate to those zero trust initiatives.”

Separate from legacy technology but also part of the challenge of modernization is the need to ensure IT employees have the right skills to implement a zero trust strategy. Additionally, government often loses skilled staff to the private sector, which can lead to stagnation, Keller said. Montgomery said that agency employees’ “fear of change” may prevent new, innovative solutions from being implemented. 

“Some of these [government] places have gotten so mundane and so cumbersome, compared to some of the technology firms,” Keller said. Agencies saddled with legacy systems are “missing out on a lot of the pushing on the culture and migrating to the next best thing and next capability.”

Political considerations may also weigh on agencies looking to modernize legacy technology. Some state IT leaders are political appointees, and Montgomery said that modifying critical systems, even for upgrades, can seem like a “high-risk decision.”

“You can get beat up for not modernizing, but you can certainly lose your job over unexpected downtime or extended downtime,” he said.

The best place to start when aligning a legacy technology upgrade with zero trust goals is with a risk assessment, Montgomery said. That way, governments can establish what applications and infrastructure they have and how to isolate systems to ensure they can be safely upgraded while not affecting other business processes.

But, he warned, that evaluation must lead to actions and deliverables, otherwise assessment may never end.

“Sometimes folks get overly caught up in the analysis and don't actually break ground,” Montgomery said. “You have to carve out your proof of concept or your sequence in terms of your implementation plan into manageable bite-sized pieces.”

Sean Frazier, federal chief security officer at Okta, said any such risk assessment must consider how quickly technology has evolved, and will continue to.

“It doesn't matter whether you're a government agency, or whether your company has been around for 14 years, or whether you're a brand spanking new company,” he said. “You’ve got legacy on day two.”

And if they want to ensure their employees are on board, governments must have a positive vision for how they will upgrade legacy systems and implement zero trust, Montgomery said.

“Organizations really can make or break themselves on attacking this with the right mindset,” he said. Agency leaders must position changes “as a path forward, not necessarily punitive. [For] any of the folks who were around with the original system, it's got to be seen as a collaborative, positive effort,” Montgomery added.

Governments looking to make the transition away from legacy technology and implement zero trust need not pursue a “big bang approach,” Montgomery said, urging leaders to be systematic in their approach, rather than try to do everything all at once. Frazier echoed that view. “It's the old adage of, how do you eat an elephant? One bite at a time,” he said.