Cloud and Infrastructure the Legacy of Legacy—The Ultimate Drag

Cloud and infrastructure The legacy of legacy—the ultimate drag on condensing into a cloud About the series services, managing this broad range requires a view Contents on how much can change by when, an appropriate Overview operating model, and a balanced perspective on In order to enable new business and preserve existing what should be developed and controlled, and what About the series value, global Information Technology (IT) executives needs to be monitored and governed. should address the growing dichotomy between the Background agility companies want, and the stability they need. To help equip the IT executive in forming those views This dichotomy is becoming exacerbated as legacy and making those judgements we present points of Some existential threats 2 data centers becomes farther and farther removed view on key trends and topics. from the cloud and from mobile end users. Meanwhile, Determining a new landing platform 3 delivering data to devices and taking advantage of platforms often means giving up some control over Innovating the way 3 Background operating systems, hardware, and data centers. It’s 9 a.m. on Monday. Do you know where your data is? There are aging back office behemoths with little Refresh, transform, or replace 4 source code, no original developers, and growing Introduction operational risks. They are not cloud ready, or even Don’t forget the plumbing 5 As IT executives look to provide value from their IT refresh ready. We consider the legacy of legacy—a portfolios, they are balancing a mix of emerging, material part of the corporate landscape. Not Testing 5 current, and legacy technologies. With the world of confronting it is likely an existential threat. Mission technology ever evolving at pace, the gulf between critical transaction processing engines and back office Conclusion 5 emerging and legacy continues to widen. The systems may be on mainframes, or on large stand- consumer market drives advances in end user devices alone midrange systems with proprietary operating and end user expectations. Many service vendors systems. The hardware, operating, and database invest in cloud, virtualization, and orchestration, while systems may be outdated and unsupported. The manufacturers attempt to deliver more compute application interfaces and data transfer will likely be horsepower at lower cost. Behind the tablets, clouds, built in a way that binds them closely to the technology. and chips, there still sits a data center and a room full of legacy infrastructure waiting for refresh. The code, if available and documented correctly, has programming interfaces that need to be used and This widening gap between end user devices, data are not straightforward to change. The knowledge mobility, cloud services, and back office legacy of the application and interfaces may be in a small systems challenges the IT executive to manage and set of people. Data processing is likely started maintain technology in a complex array of delivery through overnight batch processing, perhaps using capabilities. From mobile apps to mainframe MIPS, customized job, event, and interface handling. and from in-house servers to sourced vendor

1 More than one IT executive has looked at his ageing Staff skills Data damage legacy systems, thought about how to get them Access to skills and institutional memory and Legacy infrastructure and data centres were to x86 virtualized platforms and concluded—“too knowledge fade and reduce as time passes. often built without considering some modern difficult to think about, on to the next problem.” Education, training, and practice largely maintain threats. Electronics and magnetic media are currency with technology trends. So as technology susceptible to electromagnetic phenomena. In this article we discuss how not confronting this ages, so do the skills and resources available to Over time electromagnetic events from solar now can be an existential threat to the enterprise. support it. Skills and knowledge shortages limit the activity are a certainty. Less certain, but no less We also offer some practical approaches for taking ability to get enough of the best people, lowering the threatening, are other sources, natural or manmade, on the legacy of legacy. probability that systems are properly maintained and of electromagnetic pulses. From any source, that incidents and problems are effectively managed. these events threaten electronics, including all Some existential threats This drives up the risk of more serious and sustained IT Infrastructure and magnetic storage media. service disruptions. Sufficiently strong events destroy data. Mitigation techniques are available. Data centers without some The possibility of a digital dark age looms ahead. levels of protection leave open the possibility of Technology advances at pace, and the gap between NASA in shortage of people with sudden and dramatic losses. legacy and emergent technologies grows. Data over time FORTRAN skills becomes unreadable, and then indecipherable as storage NASA requires engineers to communicate and archive media change or become unstable, software with the two Voyager crafts launched in White House preparing for catastrophic and operating systems evolve, and skills become extinct. the 1970’s and are unable to find people solar flares Aging hardware and software ultimately become over- with a skill set that includes command over John P. Holdren, asst. to the president for challenged with the size and performance needs of Fortran and the ability to control a 64KB Science and Technology, and director, Office modern data and interfaces, can no longer be compiled, memory machine. 2 of Science and Technology Policy, admitted patched or supported, and/or eventually hit the set of that solar flares pose a “significant conditions from which they are unable to handle or challenge” to technology. Studies estimate recover, and they fail. For some that archived data and Opportunity costs that such an incident would cause a loss of information is for all intents and purposes lost, as there is Ageing systems can become management and $2.6 trillion in the US alone. 3 no ability to restore it, nor to run software that can use it. money distractions. As support and maintenance increase in complexity, and as costs potentially rise to keep things running safely and securely with the right The passage of time and the evolution of technology The digital dark age skills, focus is distracted from other opportunities. are threats to the ability of ageing information Vint Cerf, one of the fathers of the Internet, When IT Executives and their teams are spending technology to do its job. And in today’s economy that stated that one might soon enter the “digital too much time and money on legacy, they likely job can be no less than the ability of a business to dark age” as old formats of data and documents are not spending enough on other opportunities function. It can be an expensive and difficult path to may not be readable due to unsupported to add value to the business. Lack of business ditch the legacy and maintain technology currency. backward compatibility of devices. 1 enhancements may also drive business lines and Lengthy outages, security failures, or irrecoverable employees to form their own shadow IT. system and data losses will likely cost even more.

2 Information security Determining a new landing But before we look at some aspects of what to look Information security can be an issue for legacy as platform for in refresh, transform, or replace scenarios, we much as for emerging technology. There is likely will consider first ways an organization can build very little that does not interface and exchange momentum behind a legacy program, and strategic Confronting the legacy of legacy will not be easy, data in some way with a more modern system approaches to mitigating legacy risk. nor quick. IT executives should be considering how or end user capability. Perhaps operating on its to confront the estate and what the target landing own, an ageing mainframe system appears more platform or platforms should look like. secure. But as long as there is some manner for it to Innovating the way communicate with and share data or access to other One first step is to develop a target portfolio mix of systems and users, it is a potential vulnerability. Collaborate with the business technologies and platforms. Some business models may Those people that do harm—intentionally or not— Innovating your way out of legacy is about leveraging be suited to high levels of standardization such that there can exploit the most straightforward path, which the entire firm to think creatively about business could be very few, or even one type of target platform is often ageing mid-range systems or desktop processes and needs. It can be tempting to start or service. Others may require a mix of technologies applications no longer capable of being patched or a traditional legacy refresh program by trying to and platforms each optimally suited to their business supported in ways to prevent vulnerabilities being recreate the current system. Stakeholders may be value and competitive advantage. It may be the case that exploited. Legacy technology may not be in front of beholden to the way they do things and the manner certain workloads are best suited to a highly customized mind on this issue, but can be the most vulnerable in which the system in question serves them. So the solution, are optimal on mainframe, or are not best underbelly of your estate. starting position can often be a design exercise that suited to virtualization. In any case determine across the tries to move the existing legacy functionality to an portfolio the best suited target platform(s) and the target upgraded platform, or to replace it with something ratios of how much you want and where you want it. On an average, 4 percent of all the software that does the same thing in a similar way. A better in every PC in the US is no longer supported question might be—why do I need this in the first At the same time, you should have a realistic by its vendor, leading to security threats. 4 place, or how I can do this differently? understanding of the time and effort required to land on a target platform. If there are no approachable Collaborate with the business and all stakeholders and paths for an application workload to get to a target start with a blue-sky innovation workshop. Set a goal platform, time and cost can increase dramatically. for a radically different answer to whatever problem the Therefore, an analysis of what the possible options legacy system solves, or even question the fundamental are for the legacy estate at the application level problem statement itself. Outcomes could range from a should be performed. For each business function better informed reason to refresh as is, to an easier way or application workload being considered the basic of addressing the issue with new technology, all the way options could be broadly summarized as: to not really needing a replacement at all. • Refresh Look at shared services/industry platforms • Transform It may be worthwhile to consider if there are • Replace capabilities in similar businesses or industries to pool

3 together. Where a business functional requirement the support and maintenance teams as well, and are a variety of offerings that could provide better is common or shared among many, there could incent the leadership of the “bad” division to safely migration paths than attempting to replace the entire be a shared common platform already in place, or wind down legacy. application. If you have legacy RISC/SPARC that you the opportunity to pool resources to create one. have considered moving away from, you are aware There would need to be some common ground and Mergers and acquisition (M&A) that shipments of these technologies do continue an appropriate risk profile. But such an approach A substantial part of any merger and acquisition to decline over time. However there remain vendor could reduce the time and expense of building a business case is the technology integration. and cloud services options that provide updated replacement and reduce on-going operating costs. Businesses that come together bring their assets to versions of these platforms, and could yet avoid a the table and decide what the optimal technology replacement or transformation strategy. Using vendors platforms and solutions are to move forward with. Other businesses want your business and they may Given the potential size of both the costs and A refresh strategy may require changes to interfaces, be willing to invest to get it. Talk to your current benefits to integration activity and future operating configuration parameters, and database and storage suppliers and to other potential ones. Look for costs, it is important for the IT Executive to be at the migration. One should however, attempt to limit ways in which they would be willing to help replace M&A table, and to consider how an opportunity can changes to the application logic—to keep testing and capability and migrate data. Have them compete for mitigate a legacy issue. For some business models migration activity more straightforward. your legacy refresh and offer approaches for how the technology opportunity should be a lead criteria together you can achieve a legacy refresh aim faster in the decision making process. Transform and with less risk. If a refresh is not cost optimal, then a broader transformation may be warranted. Transformation in Good tech/bad tech Refresh, transform, or replace this context is about taking the application logic largely Some firms, for various reasons, separate their as it stands, but changing it enough such that it can non-core business lines or assets with a split that The bottom up work in a legacy program is about function on a different technology stack than it currently creates a good firm/bad firm division. This approach determining the right target platform for each uses. This could be for example from RISC/SPARC or releases the good division to focus on adding business function or application. mainframe to x86, Solaris to Windows, one database value, while the bad division is incentivized to wind system to another, or changing the middleware or down and release assets. Such an approach can be Refresh messaging. You will also need to consider optimizing applied in a variety of ways to technology, and can Not everything necessarily needs to be a web- the storage layer and data lay-out, backup strategies help align costs, incentives, and management focus based Java app. A valid target platform for a legacy and retention, and perhaps be considering converged on resolving legacy issues. system could be to simply refresh it on the same infrastructure options as target platforms. architecture. This model applies when the business For example, one could separate legacy into case aligns to preserving the application and Transformation can involve lengthy changes to a different cost structure, and then ensure architecture as much as possible, but upgrading application logic, interfaces, data management and stakeholders are paying the fully transparent price it to a current and supported technology stack. If system configuration. The requisite testing regime for legacy technology, including the risk premium. you have mainframe technology, then consider that may be intensive. A strategic goal of a transformation Extending that to another step, one could separate mainframes do continue to advance and that there approach should be to get to an architecture.

4 that creates maximum flexibility and fungibility Don’t forget the plumbing Conclusion for the future. Abstract the application from the infrastructure, automate, and even if an external Confronting the legacy of legacy might at first glance The legacy of legacy is that systems can get more cloud is not the landing platform, get it cloud ready. appear to be a problem of getting application software difficult to deal with as time passes, and that the onto modernized IT infrastructure. But a business risks of ageing and unsupported technologies are Addressing the complexities of transformation could process today is only as efficient as the data transfer existential to the enterprise. Legacy technology must mean a complete reengineering of the application. between the requisite components and stakeholders. be confronted, and in so doing the gap between the Attention will be needed in terms of both how the When considering the legacy issue ensure that the older and emerging in the technology estate can application does, and how it should, integrate and network, from DC LAN to building wireless, has the be shortened, allowing the enterprise to be more communicate with other systems. Look at the interfaces connection availability and throughput required for agile, flexible, and to focus more time and effort on and interaction points, any data entry that is currently current and future growth. Data can only get where it revenue generating business value. manual, and the messaging and queueing mechanisms. goes as fast as the slowest choke point.

If there has been loss of code, documentation, and Testing For more information skills, even reverse engineering could be required. Analyze the need for tools and approaches for data Ranjit Bawa A considerable cost in changing legacy applications analysis and integration, data flow, screen scraping, Principal is testing. If a legacy application does not use fully and/or wrapping and adapting logic or components. Deloitte Consulting LLP automated testing tools with robust regression [email protected] test suites, then manual test regimes of substantial Replace—buy changes will likely be lengthy and complex. Consider There are commercially available software or SaaS Paul Weiss the case for test automation and test coverage. packages that might suit your legacy function. Managing Director Depending on the criticality and down time tolerance Look at what is available to replace a legacy system Deloitte Consulting LLP there could be different testing coverage goals for and how closely that might match the business [email protected] different applications. Having a view on the impact of requirement. Determine if it makes more sense to incidents and service disruptions relative to the cost adopt the off the shelf functionality and process as of testing coverage can help tailor the time and effort Contributor is, or if it requires customization. appropriate to the application. Richard Pone Replace—build [email protected] In some cases it can make sense to start all over from scratch. Design and develop replacement business logic using current languages and platforms, and create something flexible enough to take advantage of emerging techniques and technologies.

5 Endnotes

1 Ghosh, P. (2015, February 13). Google’s Vint Cerf warns of ‘digital Dark Age’. Retrieved from http://www.bbc.com/news/science-environment-31450389

2 Nichols, S. (2015). Think Fortran, assembly language programming is boring and useless? Tell that to the NASA Voyager team.

3 Parry, H. (2015, November 3). White House is preparing for catastrophic solar flares which could wipe out power around the world for months—bringing an end to modern civilization as we know it. Retrieved from http://www.dailymail.co.uk/news/article-3302185/White-House-preparing-catastrophic-solar-flares-wipe-power-world-months- bringing-end-modern-civilization-know-it.html

4 Kolorov, M. (2014, April 3). Forgotten risks hide in legacy systems. Retrieved from http://www.csoonline.com/article/2139382/data-protection/forgotten-risks-hide-in-legacy-systems.html

This publication contains general information only and is based on the experiences and research of Deloitte practitioners. Deloitte is not, by means of this publication, rendering business, financial, investment, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this publication.

About Deloitte Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.