Deja Sutherland, Head of Enablement at Cloudhouse discusses how organisations can achieve CE+ compliance without rewriting critical legacy applications.
Cyber Essentials Plus (CE+) is the highest level of the UK government’s Cyber Essentials scheme.
An independently assessed certification for cybersecurity, CE+ goes further than the standard scheme by using a hands-on technical assessment – including internal and external vulnerability scans of the IT network – to verify an institution’s controls against common cyberattacks.
By gaining CE+ certification, organisations can demonstrate a strong commitment to data security, thereby assuring clients and partners that sensitive data is processed with high-security standards.
It helps them meet regulatory requirements like GDPR.
And crucially, it enhances their resilience to threats and the costly damage that can result from cyberattacks.
But it’s easier said than done. Organisations in areas like the public sector, housing and manufacturing are often dependent on outdated applications – such as Civica Keystone, Orchard and Capita One – that are critical to their operations.
These industries can’t afford any downtime.
If they attempt a costly rewrite of applications or major migration projects, they could suffer operational disruption and end up with system vulnerabilities in the interim.
Simultaneously, if they leave apps as they are, they won’t gain the CE+ certification – one of the key requirements for being compliant is keeping all devices and software updated to mitigate vulnerabilities.
Caught between these two issues, organisations can feel that achieving the certification is out of reach.
But with the right software and mindset, these apps don’t have to be a barrier to becoming CE+ certified.
When applications reach their end of life or run on operating systems (OSs) that are no longer supported (like Windows 10 this year), they become an immediate risk.
They no longer receive security patches or updates and this leaves them vulnerable to threats like cyberattacks and data breaches.
But when companies’ internal systems rely on outdated tech, they are faced with three key challenges when attempting to modernise them:
Point two can prove a particular stumbling block.
It’s a frequent challenge we hear from organisations attempting to maintain their critical apps and achieve CE+ compliance.
Silverlight is a discontinued Microsoft plug-in for running rich internet applications and media on web browsers.
Older apps depend on hardcoded dependencies like Silverlight that only run on the original OS and hardware environment. They’re not designed to be portable.
This makes them inherently tricky to modernise through traditional containerisation and virtualisation methods: those assume a clean, modular architecture and so work well for modern apps built with portability in mind, but not for apps tied to a specific OS and hardware environment.
Instead of reducing risk, they simply transfer the old environment into a new wrapper.
Consequently, these approaches can result in partial functionality, even outright failure, especially in complex IT environments where uptime is critical.
What companies need to do is remove this dependency from the host environment, so that it is not installed on the OS but remains available to the application that needs it.
The latest specialist migration platforms are specifically designed to keep critical apps like Civica Keystone running securely on modern platforms, without the need to rebuild or redevelop them.
The software can isolate specific OS dependencies and redirect data flows so apps can operate unchanged on new servers.
In doing this, the software packages not only the app but all of its environment-specific behaviours.
This preserves the exact behaviour of the system without extensive refactoring of the code and allows it to be redeployed onto a modern, supported environment.
In particular, these platforms help teams to remove unsupported dependencies like Silverlight from the host environment.
As mentioned, Silverlight is no longer supported as a standalone product.
But with the migration platform, it’s not installed or exposed on your device.
Instead, it’s encapsulated purely as a dependency required by the application.
This means it’s only accessible within the self-contained runtime of the platform and not by the wider OS.
This has several core advantages.
Firstly, this means no unsupported software is installed or registered on the host system.
As the applications have been redeployed onto a new OS, the OS and browser remain fully patched and supported.
Finally, the Silverlight binaries (the files that make up the plug-in) are isolated and can’t be exploited independently.
In practice, these binaries function like application libraries (e.g. compression or encryption modules) and these libraries typically fall outside the scope of CE+, as the framework focuses on endpoint exposure and vulnerability.
So, this approach keeps the packaged applications within CE+ compliance.
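The argument above rests on the host OS showing no trace of Silverlight: nothing in Add/Remove Programs, no product registry key, no install directory and no browser plug-in registration. The following PowerShell audit, added here as an illustration and not code from Cloudhouse or any migration platform, checks those four places on a Windows host so a team can confirm the state before an assessor’s scan does. The Uninstall, `HKLM:\SOFTWARE\Microsoft\Silverlight` and Program Files locations are the standard ones; the `AgControl.AgControl` ProgID and the `application/x-silverlight-2` MIME registration are assumed from the plug-in’s documented browser integration and are labelled as such in the code.

```powershell
# Added host-audit example (not Cloudhouse code): reports any trace of Silverlight
# installed or registered on the host OS. Run in an elevated PowerShell session.
# An empty result means the host itself carries no Silverlight footprint; the
# encapsulated copy inside an application package is not visible to these checks.

function Test-SilverlightOnHost {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Add/Remove Programs entries, 64-bit and 32-bit registry views
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($key in $uninstallKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem $key) {
            $props = Get-ItemProperty $sub.PSPath -ErrorAction SilentlyContinue
            if ($props.DisplayName -like '*Silverlight*') {
                $findings.Add([pscustomobject]@{
                    Check    = 'UninstallEntry'
                    Detail   = "$($props.DisplayName) $($props.DisplayVersion)"
                    Location = $sub.PSPath
                })
            }
        }
    }

    # 2. Product key written by the Silverlight installer
    $productKey = 'HKLM:\SOFTWARE\Microsoft\Silverlight'
    if (Test-Path $productKey) {
        $ver = (Get-ItemProperty $productKey -ErrorAction SilentlyContinue).Version
        $findings.Add([pscustomobject]@{
            Check = 'ProductKey'; Detail = "Version $ver"; Location = $productKey
        })
    }

    # 3. Install directories under Program Files (both architectures)
    $dirs = @(
        "$env:ProgramFiles\Microsoft Silverlight",
        "${env:ProgramFiles(x86)}\Microsoft Silverlight"
    )
    foreach ($dir in $dirs) {
        if (Test-Path $dir) {
            $dllCount = (Get-ChildItem $dir -Recurse -Filter '*.dll' -ErrorAction SilentlyContinue | Measure-Object).Count
            $findings.Add([pscustomobject]@{
                Check = 'InstallDir'; Detail = "$dllCount DLL(s) present"; Location = $dir
            })
        }
    }

    # 4. Browser plug-in registration. ASSUMPTION: the ActiveX ProgID and MIME type
    # below are taken from the plug-in's documented browser integration.
    $pluginKeys = @(
        'HKLM:\SOFTWARE\Classes\AgControl.AgControl',
        'HKLM:\SOFTWARE\Classes\MIME\Database\Content Type\application/x-silverlight-2'
    )
    foreach ($pk in $pluginKeys) {
        if (Test-Path $pk) {
            $findings.Add([pscustomobject]@{
                Check = 'BrowserRegistration'; Detail = 'Plug-in registered with the OS'; Location = $pk
            })
        }
    }

    return $findings
}

# Usage: summarise the host state for the compliance record
$result = Test-SilverlightOnHost
if ($result.Count -eq 0) {
    Write-Output 'No Silverlight footprint found on the host OS.'
} else {
    Write-Output "Silverlight footprint found ($($result.Count) item(s)):"
    $result | Format-Table -AutoSize
}
```

Each finding names the check that fired and where, so a non-empty list points directly at what still needs to be removed from the host before the application package is the only place Silverlight exists. The same script is worth re-running after OS patching cycles, since a legacy installer bundled with another product can quietly reintroduce the plug-in.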
I’ve worked with many UK public sector, housing and financial customers who have achieved and kept their CE+ certification by running their apps in this way, packaged with a specialist modernisation platform.
CE+ is the highest badge of honour an organisation can attain for its cybersecurity practices.
It gives partners and clients assurance that their data will be secure, and gives the organisation confidence in its own IT security.
Yet many outdated apps remain critical to operations and a complex modernisation project could cause too much disruption.
So, to gain CE+ status, IT teams need to find ways of securing and modernising their existing apps without changing them.
Instead of undertaking expensive major migration projects, the latest migration software enables them to overcome dependencies like Silverlight so that apps can continue to run on modern environments and, crucially, keep receiving updates and patches.
Ultimately, outdated apps don’t have to be a barrier to CE+.
Organisations just need to rethink how they can secure them.