For many organizations, particularly legacy or older established enterprises, the COVID-19 pandemic may be pushing them further into the realm of cloud services. With the global population asked to quarantine or shelter in place during the pandemic spread of 2020, many businesses that were able to function with a remote workforce had no choice but to do so. Having information systems available with true remote access capabilities was a must. Organizations that had already moved to a cloud-based model found themselves in a far better situation than firms that still had traditional server-based or “legacy” applications in use. In a poll from ScienceLogic and Forrester, 86% of more than 200 IT professionals across a variety of business and government entities reported still using at least one legacy tool for infrastructure and application monitoring. This leaves a tremendous opportunity for cloud providers, and it may indicate that for many enterprises the move to true remote operation of critical applications during the COVID-19 pandemic was a bumpy one and continues to be difficult. It is even possible that enterprises are still struggling with legacy applications used in critical functions. A legacy application can be defined as one architected in a traditional model requiring on-premises hardware and software implementations. In comparison, a modern, cloud-based platform would follow one of the service models: Software as a Service (SaaS), Platform as a Service (PaaS) or Infrastructure as a Service (IaaS).
By Stanley Mierzwa, M.S., CISSP, Director and Lecturer, Center for Cybersecurity, Kean University
This article will discuss how widespread the use of legacy applications still is, in which main sectors, and possible reasons why cloud adoption may not be pursued. In addition, the article will cover resources that organizations can use to evaluate and analyze a cloud service or vendor, to ensure that the provider is implementing appropriate security safeguards to protect those moving to its services.
Background on Legacy Application Use
Many organizations that have been mature in both operation and business for many years, with continued evolution and growth, can contain systems and applications written for older hardware and software operating platforms. There may be a number of reasons for continuing to operate such legacy systems, including the significant prior investment in these custom-developed systems, which may make them impractical candidates for movement to the cloud. In conference proceedings and a technical report, researchers have estimated that between 180-200 billion lines of legacy code are in current use. With such a vast amount of intellectual property, there is a strong possibility that some of these applications will simply remain in a legacy model. In these cases, a hybrid cloud deployment model might be valuable. In a hybrid approach, on-premises solutions and equipment can be integrated with a cloud-based private or public platform. In such a design, the legacy custom solution, with its large investment and intellectual property capital, could still be leveraged.
A survey conducted by O’Reilly of 590 practitioners, managers, and CxOs from around the world resulted in several key findings related to companies moving to the native cloud. These included:
- 27% of survey respondents whose organizations have not moved to native cloud have no plans to do so.
- 32% of survey respondents had not moved to cloud native infrastructure; when asked why, the main reasons given were: 1) lack of skills, 2) company culture, and 3) difficulty migrating from a monolithic architecture.
Industries that have moved into cloud native environments, whether as new, early, or sophisticated users, were led by the software industry, finance and banking, and consulting and professional services. The industries with the lowest percentage of cloud native experience were government, telecom, retail/e-commerce and health care.
In a July-August 2019 cloud migrations trends survey provided by CISO MAG, when participants were asked how far their organizations have gone with migrations to the cloud, over 25% said they were assessing their migration strategy and just under 20% said they were not migrating to the cloud at all. One of the most critical factors for deciding on a cloud service provider from the survey was ensuring that compliance requirements are met. In the same CISO MAG survey, another key cloud challenge reported was having the ability to detect and respond to security incidents in the cloud.
Although there may be hesitation to immediately move all applications to the cloud, there will continue to be a desire to move them, for several reasons. These include a greater ability to access them via true broad network access, which the NIST model of cloud computing considers an essential characteristic. In addition, since these legacy applications may have been developed in older programming languages such as COBOL, there is the risk of a skills shortage in those tools as time goes on. Finally, even if an entire legacy system cannot be migrated to the cloud in one move, there may be opportunities to move modules over one at a time, and thus reduce reliance on the legacy applications. For example, a legacy organization may have a combination of systems in use for its enterprise resource and financial operations. As part of this configuration, there can be older or legacy modules that integrate with the general ledger system, such as a timesheet, expense reporting or inventory module. Perhaps the legacy enterprise general ledger system cannot yet be migrated to the cloud, but moving any of the integrated modules to the cloud, with a connection back to the legacy headend system, would be a step toward a gradual move to the cloud. In this strategy, one could analyze which legacy applications are most used by the general population of the organization to create a prioritized module migration plan. In this scenario, the legacy organization can begin its journey to the cloud by using some of the freely available resources for analyzing cloud service providers, as detailed in the next section.
Several Resources for Analyzing Cloud Service Providers
The Cloud Security Alliance (CSA) Security, Trust, Assurance and Risk (STAR) program is an overarching security program that provides a varied set of tools to give potential cloud customers, cloud providers, auditors and anyone else who wishes to pursue cloud solutions the pertinent background information to aid decision-making.
From the customer’s perspective, one could search for a particular cloud solution in the CSA STAR Registry and, if the company has submitted an entry, review its Consensus Assessments Initiative Questionnaire (CAIQ). The CAIQ is a list of over 300 standardized questions answered by the cloud vendor, whose responses are published transparently. This can be very helpful if there is a particular cloud requirement that your company must meet, because you could find a potential answer before contacting the cloud provider. The CAIQ questions are pulled from the Cloud Controls Matrix, a spreadsheet that breaks the questions into 16 distinct categories or domains, ranging from application and interface security to datacenter security and mobile security.
With the CSA STAR Registry, cloud service providers are able to validate their solutions and offer transparency about their approaches to handling the many Cloud Controls Matrix domain areas. Additionally, those who audit or consult in the cloud sphere have the opportunity to review specific cloud security approaches and become more familiar with solutions before embarking on audits or solution design.
The STAR program provides for three different levels of registry entries:
- CSA STAR Level 1 – Cloud providers submit a self-assessment, which is to be repeated annually.
- CSA STAR Level 2 – In addition to the cloud provider’s self-assessment, a rigorous independent third-party assessment is performed.
- CSA STAR Level 3 – Includes a continuous, fully automated process that ensures security controls are monitored and validated at all times. This is the most rigorous and challenging level and results in a certificate being issued.
Other evaluation tools for cloud computing services are available from the United States National Institute of Standards and Technology (NIST) via Special Publication (SP) 500-322, which is based on NIST SP 800-145. NIST SP 500-322 includes a simple worksheet that one can use to help determine whether a service being offered actually qualifies as a cloud service. This worksheet can be helpful to small and medium businesses that may not have an Information Technology department or specialist available to guide the firm in making such a determination. In addition, for these small to medium businesses, SP 500-322 provides a helpful list of marketing terms often used with, or attached to, cloud services.
Additionally, the U.S. Federal Risk and Authorization Management Program (FedRAMP) is a program that potential cloud service providers and customers can use both to demonstrate their security standing and to compare themselves to other vendors. One of the goals of the FedRAMP program is to help organizations accelerate the adoption of cloud solutions through assessments, authorizations, and consistent security standards. A potential cloud customer can review the FedRAMP Marketplace, which lists already authorized and approved cloud solutions and vendors, as well as those that are still in the evaluation process. FedRAMP uses the NIST SP 800-53 baseline security controls along with additional elements that are unique to cloud computing. Similar to the Cloud Security Alliance CAIQ, the FedRAMP process provides a workbook grid of controls mapped to the NIST SP 800-53 controls, showing what a potential vendor will be required to provide depending on whether a low, moderate, or high baseline of security controls is required. Examples of the general control families one will find in the low baseline include:
- Access Control
- Awareness and Training
- Configuration Management
- Contingency Planning
- Identification and Authentication
- Incident Response
- Media Protection
- Physical and Environmental Protection
- Personnel Security
- System and Information Integrity
If an organization is looking to get started with the cloud and requires a more general cloud adoption roadmap, one can be found at the non-profit Cloud Industry Forum. Its Cloud Adoption Roadmap includes guidance and resources that break the movement into the cloud into 5 sections and 21 individual, unique stages. The stages include items such as learning about cloud essentials, creating a strategy, assessing your current and destination environments, evaluating service providers, and reviewing data governance and security.
The recent global pandemic forced many organizations to switch to remote computing operations, and it is likely that some end users experienced difficulties accessing their critical information systems. Although cloud computing as a paradigm has existed for almost two decades, there are still many opportunities for organizations to make the switch for better access, efficiency, and effectiveness gains. In the O’Reilly survey, almost 30% of respondents said they expect to adopt a cloud infrastructure in the next two years. This finding points these respondents and organizations toward tools already available for evaluating the credibility and security of cloud service providers, in particular the resources available from the Cloud Security Alliance and NIST. At a minimum, using the available resources to start doing “homework” and gaining valuable knowledge about the cloud can give a consumer greater situational awareness and confidence.
There are myriad ways to evaluate potential cloud solutions with respect to security, but rather than starting from scratch, it is beneficial to start with a ready-made assessment strategy. The Cloud Security Alliance’s set of tools is a good place to begin your journey into discovering potential cloud options to replace, or at a minimum augment, your legacy applications.
Kean University Background
Kean University enrolls almost 16,000 students and offers more than 50 undergraduate majors and 60-plus graduate options, with four campuses in New Jersey and the only public university in America to have a campus in China. U.S. News & World Report has recently ranked Kean University among the top universities in the northern United States for helping economically disadvantaged students enroll and graduate within six years. Kean is ranked 41st for social mobility out of 170 universities in the region.
- Greig, Jonathan. Just 12% of Companies have fully Transitioned to Modern IT Tools. Digital Transformation, TechRepublic, September 11, 2019.
- Forrester. Prevalence of Legacy Tools Paralyze Enterprises’ Ability to Innovate. Forrester Opportunity Snapshot: A Custom Study Commissioned by ScienceLogic, September 2019.
- Ganesan, Sivagnana; Chithralekha, T. A Survey on Survey Migration of Legacy Systems. ACM, ICIA-16: Proceedings of the International Conference of Informatics and Analytics, August 2016.
- Magoulas, Roger; McDonald, Nikki. How Companies Adopt and Apply a Cloud Native Infrastructure. O’Reilly, April 30, 2019.
- Batlajery, Belfrit, et al. Industrial perception of legacy software system and their modernization. Technical Report Series UU-CS-2014-004, 2014.
- Khadka, Ravi, et al. How do professionals perceive legacy systems and software modernization. Proceedings of the 36th International Conference on Software Engineering, ACM, pp. 36-47, 2014.
- CISO MAG. Cloud Security Power List, Showcasing the Powerhouses in Cybersecurity. Volume 3, Issue 7, July-August 2019.
About the Author
Stanley Mierzwa is the Director of the Center for Cybersecurity at Kean University in the U.S. He also lectures at Kean University on Cybersecurity Risk Management, Cyber Policy and Foundations of Cybersecurity. Mierzwa is a peer reviewer for the Online Journal of Public Health Informatics, a member of the FBI InfraGard, IEEE and ISC(2), and a board member of the global pharmacy education nonprofit Vennue Foundation. He holds an M.S. in Management Information Systems from the New Jersey Institute of Technology and a B.S. in Electrical Engineering Technology from Fairleigh Dickinson University, and is a Certified Information Systems Security Professional (CISSP).
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.