Should Cybersecurity Be Merely Treated As Response or A Design Principle
Principles of Cybersecurity
When implementing cybersecurity, there are two specific goals to be attained: first, confidential information must be kept out of reach of potential cyber attackers and other unauthorized individuals. Second, cybersecurity measures must not hinder authorized users' access to the information. The following are the three main principles of cybersecurity.
Confidentiality - Cybersecurity should ensure that the information to be secured is only accessible to authorized users and should prevent the disclosure of information to unauthorized parties. For example, to implement confidentiality of company information on a cloud-based Customer Relationship Management (CRM) system, access can be restricted to users with the right username-password combination. Most systems also implement confidentiality through data encryption, which is an additional layer of security: decrypting the data requires the requisite key, so only an individual or system holding that key can read it.
Integrity - Cybersecurity efforts should ensure information remains accurate, consistent and not subject to unauthorized modification. In the CRM example, integrity is achieved when measures are put in place to ensure that email communication between a sales representative and a customer cannot be intercepted and modified by an intruder while it is still in transit.
Classification: For Official Use Only
Availability - Efforts to secure information in cyberspace should not hinder its access by an authorized party. Additionally, a cybersecurity implementation has to provide redundant means of access in case of any outage. For example, the company using the cloud-based CRM system can implement proxy servers and firewalls as a security measure against Denial of Service (DoS) attacks, which would make the system unavailable if successful.
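The confidentiality and integrity controls described above for the CRM email, as an added example that is not part of the original document: a message is sealed so that only holders of the shared key can read it, and any modification in transit is rejected before decryption. The function names (seal, open_sealed, demo) and the key and message values are constructed for the illustration.

```python
import hmac, hashlib, os, struct

# Constructed example: the keystream is HMAC-SHA256 in counter mode (a PRF-based
# stream cipher) and the tag is HMAC-SHA256 over nonce+ciphertext (encrypt-then-MAC).
# Standard library only, for illustration; production code should use an AEAD such
# as AES-GCM or ChaCha20-Poly1305 from a vetted library.

def _derive(master_key: bytes, label: bytes) -> bytes:
    # Separate encryption and authentication keys from one shared secret.
    return hmac.new(master_key, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(master_key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)  # fresh per message so the keystream never repeats
    ks = _keystream(_derive(master_key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_derive(master_key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def open_sealed(master_key: bytes, envelope: bytes):
    """Return the plaintext, or None if the key is wrong or the envelope was modified."""
    if len(envelope) < 16 + 32:
        return None
    nonce, ciphertext, tag = envelope[:16], envelope[16:-32], envelope[-32:]
    expected = hmac.new(_derive(master_key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None  # integrity failure: never decrypt unauthenticated data
    ks = _keystream(_derive(master_key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))

def demo() -> dict:
    key = b"constructed-shared-secret-for-the-demo"
    msg = b"Quote for customer 42: 10 licences at USD 900 each"
    env = seal(key, msg)
    tampered = bytearray(env)
    tampered[16 + 30] ^= 0x01  # an intruder flips one bit inside the ciphertext
    return {
        "authorized": open_sealed(key, env),          # key holder reads the message
        "tampered": open_sealed(key, bytes(tampered)),  # modification detected -> None
        "wrong_key": open_sealed(b"another-key", env),  # unauthorized party -> None
    }
```

Availability is not modelled here; the proxy and firewall controls the paragraph mentions sit in front of the service rather than inside the message format.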
- What are the compliance challenges in upgrading legacy systems, and how should they be addressed?
Maintenance and support
The cost of maintaining a legacy system includes updates and changes. Legacy systems are typically quite large in terms of both code base and functionality, so you cannot simply change or replace one system module in isolation. A small update might result in multiple conflicts across the system. Any change or update to a legacy system requires time and effort, neither of which comes cheap.
Integration and compliance
Modern software platforms often rely on third-party APIs for specific capabilities, such as geolocation, user authentication, data sharing, and transactions. For example, Careem relies on the data provided through the Google Maps API for its core functionality within the UAE: the ability to find and track nearby cars. Modern technologies are integration-ready by default, and vendors typically provide support for most programming languages and frameworks out of the box. Legacy or rare platforms lack this compatibility. Connecting legacy software to a third-party tool or service often requires a significant amount of custom code, and there is still a chance that the final integration will not work as well as intended, or will not work at all.
Another aspect of legacy systems that comes at a high cost is compliance. This is especially true for heavily regulated sectors, such as the energy sector. Consider, for example, noncompliance with new standards set by NESA: the standard is based on identified real-world threats, so noncompliance almost certainly leaves your organization exposed to attack, which is of far greater significance than any penalties that could be imposed. Meanwhile, the standards set by regulatory bodies are much harder to achieve in legacy IT environments.
Security
According to the 2018 State of Cyber Resilience, legacy infrastructure is one of the top threats to cyber security. Indeed, legacy systems are usually less resistant to cyber-attacks, harmful programs, and malware, which is only logical: if a software solution has been around for years, attackers have most likely had enough time to become familiar with the code and find its vulnerabilities.
Another reason is that the vendor might no longer support outdated software. This means that no patches are provided and no one keeps the system compliant with the latest security requirements.
Despite the compliance challenges related to legacy systems, modern approaches and techniques allow the cost and complexity of legacy systems to be lowered. In this process, it is very important to choose the appropriate strategy according to the defined levels of usage of existing application assets and the planned movement toward a better technology environment.