How to keep legacy systems from becoming liabilities
Connecting state and local government leaders
A recently released report from Washington state creates an enterprise-level modernization roadmap to tackle the problem of updating legacy IT systems.
While plenty of public sector IT systems are moving to the cloud, legacy systems are still the workhorses of many agency IT operations. But greater computing demand from government transparency and mobile or big data programs coupled with frequent technology advances can quickly turn a legacy system into a liability.
A recent report from Washington state creates an enterprise-level modernization roadmap to systematically tackle the problem of updating legacy IT systems.
The report by the Office of the Chief Information Officer (OCIO) examined 45 executive branch agencies. Of the 1,983 IT systems in use, 31 percent were legacy systems, with 55 percent of the legacy systems identified as mission critical. Most of the legacy systems (84 percent) were developed and hosted in-house. Almost half of the legacy systems fell into one of three business areas: financial management, agency specific and licensing/permitting.
The roadmap would be used by the state to mitigate current risks from legacy systems. In order to accomplish that, the state advises that agencies stay current on software versions as well as:
- Identify, categorize and analyze their system (application) portfolio.
- Determine when to modernize or replace systems.
- Determine the best technology modernization approach.
- Build a business case to increase the likelihood of funding the project.
Determining what was a legacy system went beyond age and programming language. “Categorizing a system as 'legacy' was not simply a matter of age or programming language, but rather a combination of views into whether that system could be easily updated, resourced/staffed, posed security risk or other agency-specific determinations such as whether it aligned to a desired enterprise technical architecture or introduced unnecessary complexity to overall business processes,” said the report.
Legacy systems pose a Catch-22 for agencies. They remain in use, the report said, because of the costs associated with migrating the systems to a modern platform. But these systems are also expensive to run; they burden the state’s IT infrastructure, and they carry increased risks for data breaches, theft or service disruption.
This is especially true for citizen-facing systems, the report noted, because many of those applications were designed for use only in a secure internal network and not over the Internet.
And while back-office systems, such as core financials, are critically important to the state’s day to day operations, their visibility is much lower, making upgrades a “hard sell,” the report said. As a result, replacement or upgrade of legacy IT systems often comes only when enhancements are made for new business capabilities or when IT staff has time to make improvements.
Until agencies can phase out their legacy systems, the report recommended steps IT managers can take to reduce risk:
- Improve documentation, capture system information from departing staff and incrementally rewrite or improve system code when possible.
- Provide code developers with tools and training to identify potentially high-risk systems and revise or develop new, secure code.
- Use centralized IT security services provided by Consolidated Technology Services, a state agency for IT services.
- Stay up-to-date on software versions.
- Use pace-layering to identify different types of systems and appropriate modernization strategies.
- Consider migrating to software-as-a-service (SaaS) or commercial-off-the-shelf (COTS) deployment models.
- Migrate from legacy systems to shared or enterprise services.
- Increase standardization.
The OCIO also asked agencies what criteria they used to fund modernization projects resulting in a consolidated list of criteria used by participating agencies. The data included mission alignment, public visibility, risk, alignment to enterprise architecture (such as reducing number of platforms or improving data integration), improving efficiencies and cost savings.
Further, the report noted that modernizing or replacing IT systems is “a moving target. A system that may not be considered legacy this year might become legacy next year due to the pace of technological change, shifting skill set availability and cost, and changing business needs.”
The challenge of maintaining legacy systems is being felt across the public sector. Last year the Texas Department of Information Resources issued its own report and assessment of its legacy systems.
The authors made six recommendations on how tackle the problem: identify and prioritize security risks; develop a legacy modernization roadmap; establish statewide standards for application development; use commercial off-the-shelf solutions, particularly cloud-based services; consolidate reporting and analytics into consolidated business intelligence services; and implement application portfolio management practices.