Cybersecurity… It’s Not Quite That Simple


In a recent Wall Street Journal article, “U.S. Companies Learn to Defend Themselves in Cyberspace”, Richard Clarke and Robert Knake made a stunning claim:

“One chief information-security officer at a major bank told us that, in five years, his bank will largely be immune to cyberattacks because it is upgrading from legacy systems that are insecure by default to cutting-edge systems that are secure by design.”

There are several things wrong with this.

First, “cutting-edge” and “secure by design” are largely antithetical. Well, OK, maybe a cutting-edge system can be designed to be secure, but thinking that this guarantees that it will be secure is probably foolish. Consider that even with all the testing that goes into a new car design, there are always teething problems with the first few model-years. Software is much harder to test under real-world conditions, so cutting-edge systems have historically had early problems too. If it’s a new hardware design, this is even more likely, especially since new hardware will also be running new software!

This bank’s CISO seems to be falling prey to one or both of the assumptions “This is old and therefore bad” and “This is new and therefore good”. The only aspect of a cutting-edge system that likely makes it more secure is that it will be less familiar to attackers. And this is a short-lived benefit.

Second, a bank upgrading from “legacy systems” almost certainly means moving off of the mainframe. While mainframes are not necessarily inherently more secure than other platforms, they do enjoy a tradition of least-privilege access that tends to provide a more secure baseline. More significantly, those legacy systems represent a tremendous amount of stored value in the form of existing business logic. That’s where the real cost of a conversion lies: in trying to reimplement that logic on a new platform. (Yes, many applications are multi-platform, but banking tends to use highly customized products that are tailored to the mainframe, turning a conversion into a rewrite—and even multi-platform products often offer different features for different environments, use platform-specific scripting languages, etc.)

This aspect of any platform conversion is overlooked all too often, and the annals of system conversions are littered with the corpses of companies—or at least careers—that have underestimated its importance. Of course customers under pressure to get off the mainframe are doing so for a variety of reasons: they are moving operations to the cloud, have been acquired by another company whose direction requires migration, or perhaps their mainframe usage has dwindled to the point where only a handful of business-critical systems remain on the platform.

Micro Focus Enterprise Server (ES) can enable the best of both worlds: removal of the mainframe footprint, while allowing the same legacy applications to continue operation. ES lets customers rehost legacy applications—move them to Windows, Linux, AIX, Solaris, et al.—without changing the code. And once the applications have been rehosted, they can be enhanced using modern development tools and processes to support business innovation. The rehosted applications become first-class citizens in the strategic architecture, while retaining the decades of business value and differentiation: a win in every regard!
