IT Systems Management: Stay Current or Stay Old?
Friday February 26, 2021
In the course of our work, we get to see a lot of IT networks that have been essentially unmanaged, sometimes for years. This often leads to a strange mix of hardware and software. It reminds me of that Johnny Cash song “One Piece at a Time”, where an auto worker builds a Cadillac from spare parts over 2 decades. I can imagine how disastrous that would look, and how inefficient and marginally operational it would be. Yet, many small businesses seem comfortable letting their networks become a corresponding version of this piecemealed Cadillac.
Of course, there are many sound (and profitable) reasons to keep all systems current. Here are a few of them:
Cyber Security: In this age of organized cybercrime, vulnerability in software and hardware is one of the most widely used ways that cyber-criminals penetrate a company’s network. By keeping all the software and hardware current, those vulnerabilities are patched, denying the criminals that entry point. Moreover, it’s not just the firewall either, although that may be the most important. It’s the entire electronic ecosystem: workstations, office versions, switches, access points, server firmware, OS updates, etc.
Productivity: Imagine how unproductive a worker would be if they had to use a new version of an application every day, or if they had to constantly make changes to how they save work so that others could open it? Yet that is the problem that faces the employees of many businesses that use different versions of an application. Employees are usually the biggest expense of a company. Keeping applications updated and consistent can mean big cost savings.
Compatibility: As new hardware and software are released, they are sometimes incompatible with older systems. This may be because of poor implementation in the original coding of the older system, or because new or modified standards have been implemented that leave the older system incompatible. The invisible culprit here is that often, if the incompatibility is not corrected, the older system will still work, but in a degraded or less secure manner. Enough of these together in a network can cause real performance and/or security issues. In other cases, some software will simply stop working at some point when an upstream product becomes incompatible (e.g., Outlook 2013 and older versions will likely just stop working with Microsoft 365 later this year when new minimum-security protocols are enforced).
Bug Fixes: No one’s perfect, including the coders who implemented whatever software or firmware that is in use. As the product gets used, bugs are discovered and corrected. By installing these updates, the experience of using the product is improved.
Despite all the reasons above, sometimes there is a solid business need to keep an old version of software or hardware around. For example, an XP or Windows 7 OS may contain a controller for a 6-figure piece of manufacturing equipment and the controller software only works on that OS. Another example is when a company owns a perpetual license for mission critical software and there is a business reason to not upgrade. This could be unacceptable licensing term changes, loss of critical features in “upgraded” product, or the publisher may have simply gone out of business.
Any of the above cases present a quandary for a business that is conscientious about its cybersecurity, as the older system likely presents a highly vulnerable target for cyber criminals. One option is for the company to freeze everything by creating a physically isolated network segment that holds the old system and its dependent systems, and a separate network for those machines that need access to the internet.
In this scenario the company keeps the isolated, physically separated (air-gapped) network completely static, frozen at a point in time. No updates are ever applied, no new software is ever added, and, unless necessary, no new computers are added. This is advised because as the systems get older, introducing anything new can potentially be the thread that starts to unweave the entire fabric. For example, updating a hardware driver may require a new OS package, which may require an updated OS, which may not communicate properly with the mission critical item. It can all quickly unravel. Since these machines are old, it may also not be possible to revert to the original system or replace it if it becomes unusable.
Of course, with some software, being disconnected from the internet can be nearly impossible. The software may require some internet connectivity to validate its license or upload/download critical data. In such cases, the supplier may provide an “offline” option. Alternatively, it might just have to operate in a diminished capacity and a workaround must be found. Luckily, there is a third option.
If an isolated network also has a critical need for some outside network access, there is another possibility. In that case, the solution is to put an internal firewall between the business network and the isolated network. This should be a highly configurable firewall that can be finely tuned. In this situation, both incoming and outgoing traffic need to be highly restricted and follow a default-deny model: anything that is not expressly permitted is forbidden. Very precise communication rules are added that allow communications only between a specific source IP/port and a specific destination IP/port. These access rules are also periodically reviewed to remove any that are no longer needed. In this model, the internal firewall is kept current and updated, but anything behind it stays frozen in time.
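To make the default-deny model concrete, here is an added example (not SpotLink's code or configuration) that models the internal firewall's allow-list: each rule pins a protocol, source address, destination address and port range, any flow that matches no rule is dropped, and a review function flags rules that have not carried traffic recently. The addresses, ports, rule names and dates are constructed for illustration.

```python
"""Default-deny allow-list between a business network (10.10.0.0/24) and a
frozen legacy segment (192.168.50.0/24). Constructed example; real rules
would be loaded into the internal firewall, not evaluated in Python."""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str        # "tcp" or "udp"
    src: str          # source CIDR
    sport: tuple      # (low, high) inclusive, or None for any source port
    dst: str          # destination CIDR
    dport: tuple      # (low, high) inclusive, or None for any
    last_hit: date    # last day the rule matched, taken from firewall logs


# Hypothetical allow-list: only these exact flows are permitted.
RULES = [
    Rule("hmi-to-plc", "tcp", "10.10.0.5/32", None, "192.168.50.10/32", (502, 502), date(2021, 2, 20)),
    Rule("license-check", "tcp", "192.168.50.10/32", None, "10.10.0.20/32", (443, 443), date(2021, 2, 25)),
    Rule("old-file-share", "tcp", "10.10.0.0/24", None, "192.168.50.20/32", (445, 445), date(2020, 6, 1)),
]


def _in_range(rng, port):
    return rng is None or rng[0] <= port <= rng[1]


def _match(rule, proto, src, sport, dst, dport):
    return (rule.proto == proto
            and ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and _in_range(rule.sport, sport)
            and _in_range(rule.dport, dport))


def decide(proto, src, sport, dst, dport, rules=RULES):
    """Return the name of the first matching allow rule, or "DROP".
    There is deliberately no catch-all: unmatched traffic is forbidden."""
    for rule in rules:
        if _match(rule, proto, src, sport, dst, dport):
            return rule.name
    return "DROP"


def stale_rules(today, max_idle_days=90, rules=RULES):
    """Periodic review: rules idle longer than max_idle_days are candidates
    for removal, which keeps the legacy segment's exposure as small as possible."""
    return [r.name for r in rules if (today - r.last_hit).days > max_idle_days]
```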
By following the above frameworks, a business can keep dated, mission critical infrastructure operational, while also running as securely, efficiently, and reliably as possible (or as reliably as it can with older, unsupported systems). Of course, SpotLink can help you implement networks that meet these goals.
CEO & Founder