CloudSphere has released the results of its new EOL Management and Risk for IT Assets: An Enterprise User Survey, which reveals the level of confidence individuals have regarding which End of Life (EOL) or near-EOL applications pose the greatest risk to businesses. The survey further identifies the areas of greatest concern regarding the risk of running EOL applications within their IT environment.
We sat down with Keith Neilson of CloudSphere to chat about the report's findings, the cyber risk of EOL apps, and what organizations can do to mitigate their risk.
Why is it important for businesses to monitor End-of-Life (EOL) or near-EOL applications within their IT estate?
End-of-Life (EOL) software and asset support may not always be top-of-mind for organizations, but EOL plays a surprisingly strong role in both the efficiency and security of the enterprise’s IT estate.
By gaining a better understanding of where and how EOL is affecting a company’s tech stack, businesses can safeguard against several major risks.
Risks include service and support from the software vendor stopping. This means any future patches for security vulnerabilities in the application code or libraries will no longer be updated to counter any possible threats in the future. The application (app) is then vulnerable to threats that continue to develop and exploit in new ways.
Another risk is the increased out-of-support license costs. Software vendors will provide "out of support" maintenance to a point: it is no longer a general release, but companies can get major patches on a per-account basis. This is often priced at a premium, which quickly sends shockwaves through IT budgets.
Out-of-date and End-of-Life software can manifest itself from an Operating System (OS) perspective. The risk here, aside from the cost to get support (if eligible), is that each and every application that runs on top of that OS is now undermined and exposed, with its very foundations unsupported. The result is leaving threats on the doorstep of each app and its corresponding users and data.
Other risks include a lack of support for hardware devices that the business might need for an application to integrate with and consume, along with the potential for serious compliance gaps. Think manufacturing and production lines stopping due to incompatible drivers and applications. Another risk is compliance failure. Most Operating Systems and applications in use are covered by industry-specific regulations that stipulate that software in use must be supported and compliant with regulations. Once End-of-Life, the organization will fall out of compliance, rendering the entire IT stack a threat: data, network, app layer, etc.
In an EOL survey commissioned by CloudSphere in July of 2022, the results highlighted that IT stakeholders have some visibility into their assets, but a limited grasp of where EOL may be a factor and the possible adverse impacts these scenarios could have on their IT estates.
What risks do unaccounted-for EOL or near-EOL applications pose to companies’ tech stacks?
While 73% of survey respondents from the report said they were confident they were aware of all the applications and cyber assets currently running within their IT environments, only 65% felt confident they knew of all cases of applications at or near EOL within those environments.
Companies that are unaware they are running EOL applications may experience problems ranging from lapsed licenses and lack of vendor support to broken applications and major security gaps that may persist from a lack of patching support. Not to mention the commercial exposure for sector-specific compliance, which can result in very large fines.
Which departments within an organization's IT infrastructure are most vulnerable to the threats of running EOL applications?
This really comes down to specific business units and those running the most business-critical applications. Typically, challenges manifest as the enterprise struggles to maintain a completely straight line of support for the operating systems being used, as older apps have dependencies.
At times you will have some apps, not perceived to be crucial, running on out-of-support software. If they are not connected apps there might not be a concern, but more often than not there is something critical and sensitive handling regulated data, which is where enterprises get stuck, panic, and then must deal with it.
While organizations prioritize certain departments as more vulnerable than others, it is important to remember that EOL can pose a significant risk to all departments, including downtime from broken applications, wasted spending on lapsed or unused licenses, and gaps in data security and reporting that can prompt regulatory violations and fines.
How can businesses ensure they are confidently tracking current EOL or near-EOL applications?
Cyber Asset Management solutions allow for the discovery and identification of software packages and operating systems within the estate. There are reports and alerts within these solutions that highlight EOL software and help plan its migration and remediation.
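The kind of report-and-alert logic described in the answer above, as an added example written for this page rather than code from CloudSphere or the interviewee: a discovered inventory of hosts and software versions is matched against a table of vendor support end dates, and each asset is classified as EOL, near-EOL, supported, or unknown. The inventory, the product names, and the EOL dates are all constructed sample data; the "unknown" bucket is kept deliberately, because software with no lifecycle record is exactly the unaccounted-for case the survey highlights. Hosts flagged as handling regulated data are sorted to the top of the EOL lists so that the compliance-sensitive items come first in remediation planning.

```python
"""Flag End-of-Life and near-EOL software in a cyber asset inventory.

Added illustration: the inventory and the EOL date table below are constructed
sample data, not output from CloudSphere or any real vendor lifecycle feed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed EOL reference table: (product, major version) -> vendor support end date.
# In practice this would be populated from vendor lifecycle pages or a maintained feed.
EOL_TABLE = {
    ("ExampleOS", "7"): date(2020, 6, 30),
    ("ExampleOS", "8"): date(2024, 5, 31),
    ("ExampleOS", "9"): date(2027, 5, 31),
    ("AppServer", "2"): date(2023, 12, 31),
    ("AppServer", "3"): date(2026, 3, 31),
}

# Fixed "today" so the sample output is reproducible (constructed value).
SAMPLE_TODAY = date(2024, 3, 1)


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str                      # full version string as discovered, e.g. "8.4"
    handles_regulated_data: bool = False


def lifecycle_status(asset, today=SAMPLE_TODAY, near_eol_days=180):
    """Return 'EOL', 'NEAR_EOL', 'SUPPORTED', or 'UNKNOWN' for one asset.

    Only the major version is used for the lookup, which matches how most
    vendors publish lifecycle dates. Anything without a table entry is
    'UNKNOWN', not 'SUPPORTED': missing data is itself a finding.
    """
    major = asset.version.split(".")[0]
    eol = EOL_TABLE.get((asset.product, major))
    if eol is None:
        return "UNKNOWN"
    if eol <= today:
        return "EOL"
    if eol - today <= timedelta(days=near_eol_days):
        return "NEAR_EOL"
    return "SUPPORTED"


def eol_report(assets, today=SAMPLE_TODAY, near_eol_days=180):
    """Group assets by lifecycle status.

    EOL and NEAR_EOL groups are ordered so hosts that handle regulated data
    come first (highest remediation priority), then alphabetically by host.
    """
    report = {"EOL": [], "NEAR_EOL": [], "SUPPORTED": [], "UNKNOWN": []}
    for asset in assets:
        report[lifecycle_status(asset, today, near_eol_days)].append(asset)
    for key in ("EOL", "NEAR_EOL"):
        report[key].sort(key=lambda a: (not a.handles_regulated_data, a.host))
    return report


# Constructed discovery output: what an asset-management scan might return.
SAMPLE_INVENTORY = [
    Asset("db-01", "ExampleOS", "7.9", handles_regulated_data=True),
    Asset("web-02", "ExampleOS", "9.2"),
    Asset("erp-03", "AppServer", "2.7", handles_regulated_data=True),
    Asset("hr-04", "AppServer", "3.1"),
    Asset("lab-05", "LegacyTool", "1.0"),    # no lifecycle data on record
    Asset("app-06", "ExampleOS", "8.4"),     # support ends within 180 days
]


if __name__ == "__main__":
    report = eol_report(SAMPLE_INVENTORY)
    for status in ("EOL", "NEAR_EOL", "UNKNOWN", "SUPPORTED"):
        for a in report[status]:
            flag = " [regulated data]" if a.handles_regulated_data else ""
            print(f"{status:9} {a.host:8} {a.product} {a.version}{flag}")
```

Run as a script it prints one line per host, EOL first. The near-EOL window (180 days here) is the planning lead time: it is what turns a future support cutoff into an alert early enough to budget a migration rather than pay premium out-of-support rates.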
What are the overall benefits of integrating a robust cyber asset management strategy within an organization?
By integrating a robust cyber asset management strategy, companies will not only have the capabilities to manage the risks of running EOL applications more effectively but will also inform overall better decisions within their tech stack. This includes weeding out costly redundant systems, or dropping software that may be nearing End-of-Life to avoid unnecessary licensing costs and support gaps.