Legacy systems have been around for a long time. It's just that no one really notices as they just keep on working.
These resilient, cost-effective systems have remained at the core of many organisations' IT strategies during periods of major change. New technologies have appeared, systems and processes have been streamlined and automated, and new customer products have been implemented around them. Many organisations have also merged, restructured or been acquired.
Legacy systems have survived and embraced the internet and IP connectivity, and now deperimeterisation is threatening to transform the landscape again and fundamentally change the security environment. And as if this wasn't enough, HIPAA, SOX, the European Data Privacy Directive, FIPS 140-2 Level 2 and so on are all affecting how we look at security.
For organisations that still rely on these core systems, the terminal emulation and host access solutions that were first installed still underpin their connectivity. While these are more than adequate for functionality, they were never designed for today's security needs.
The result is that communications to key assets, applications and databases often run as open, unencrypted sessions, exposing both the login password and the data transferred. User connections to local and remote systems, remote management of servers and file transfers are all at risk of being compromised.
One way to secure legacy sessions is to use SSH (Secure Shell) for encryption and authentication; the original protocol is now increasingly superseded by SSH2, which is in the final stages of adoption by the IETF.
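To find out which legacy hosts still accept the open sessions described above, a defender can classify captured connections by their opening bytes rather than by port. The following is an added example, not code from the original article; the hostnames and payloads are constructed, and the labels (ssh2, ssh1-legacy, telnet, ftp, cleartext-login) are this example's own naming.

```python
import re
from dataclasses import dataclass

# Telnet option negotiation (RFC 854): IAC followed by WILL/WONT/DO/DONT.
IAC = 0xFF
NEGOTIATE = {0xFB, 0xFC, 0xFD, 0xFE}

@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    payload: bytes  # first bytes observed on the connection

def classify_flow(flow: Flow) -> str:
    """Label a host-access session by its opening bytes, not its port number."""
    p = flow.payload
    if p.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh2"
    if p.startswith(b"SSH-1."):
        return "ssh1-legacy"        # SSH-1 protocol, superseded by SSH2
    if len(p) >= 3 and p[0] == IAC and p[1] in NEGOTIATE:
        return "telnet"             # classic telnet as well as tn3270/tn5250 emulation
    if re.match(rb"220[ -].*FTP", p, re.IGNORECASE):
        return "ftp"                # cleartext file transfer
    if re.search(rb"(?i)\b(login|password)\s*:", p):
        return "cleartext-login"    # credential prompt with no encryption in sight
    return "unknown"

# Anything in this set exposes the password and the session data on the wire.
CLEARTEXT = {"telnet", "ftp", "cleartext-login", "ssh1-legacy"}

def hosts_needing_ssh(flows):
    """Destination hosts that still accept an unencrypted or SSH-1 session."""
    exposed = {}
    for f in flows:
        label = classify_flow(f)
        if label in CLEARTEXT:
            exposed.setdefault(f.dst, set()).add(label)
    return {host: sorted(labels) for host, labels in sorted(exposed.items())}

# Constructed sample flows (hostnames and payloads are made up for this example).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "mainframe.example.internal", 23, b"\xff\xfd\x18\xff\xfd\x19"),
    Flow("10.0.0.7", "hr-app.example.internal", 2323, b"\r\nlogin: "),
    Flow("10.0.0.8", "file-gw.example.internal", 21, b"220 legacy FTP server ready\r\n"),
    Flow("10.0.0.9", "app1.example.internal", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
    Flow("10.0.0.9", "app2.example.internal", 22, b"SSH-1.5-legacy\r\n"),
]
```

Running `hosts_needing_ssh(SAMPLE_FLOWS)` returns only the four hosts that still need migrating to SSH2; the telnet daemon on port 2323 is caught because the check looks at the payload, not the port.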
With attacks moving to applications, and with spyware and ID theft major concerns, it is time to review the security of the legacy systems on which too many enterprises rely.