Discussion of Legacy System Evaluation, Security Risk and Continued Usage Acceptance.
A legacy application is any business application that is based on older technologies yet continues to support core business functions of an organization (NASCIO; 2008; Survey Section 2.1). This paper explains the constraints of using legacy systems and the necessity of modernizing them, and briefly covers different approaches to modernizing legacy systems. The paper intends to evaluate a legacy system and describe the security risks associated with it. We will also cover a counter-argument (Jones; 2010; The Closure Rule) as to why legacy systems do not pose a problem.
- NASCIO: National Association of State Chief Information Officers
- ADM: Application Development & Maintenance
- SOA: Service Oriented Architecture
- EAI: Enterprise Application Integration
- ROI: Return on Investment
What are Legacy Systems?
Often legacy systems are defined by the age of the IT setup, and grossly older IT setups are categorised as legacy systems. But this defining criterion is not the sole factor; additional factors such as supportability, risk, agility, staffing and the ability to adequately support the line of business need to be factored in as well (NASCIO; 2008; Survey Section 2.3). Legacy applications can be defined as a group of functions that share a common set of data and address the business needs of a particular domain. Often the boundaries of a system are based on historical development rather than on business needs. Most legacy systems utilize a variety of non-relational database products, are coded in 2nd or 3rd generation languages, and often run on obsolete mainframe computers.
Challenges with Legacy System
There has been a rapid change in the integration landscape over the last two decades, with a steady stream of new techniques and of the products needed to support them. With the rapid emergence of new technologies, businesses face a tremendous challenge in balancing these against the legacy investments they made in the past.
Some of the key challenges (NASCIO; 2008; Survey Section 2.5) faced by larger organisations in maintaining and sustaining legacy systems are:
- Applications running on legacy systems depend on a specific set of skilled resources.
- Retention of the operations and skilled team becomes crucial for the business.
- Maintenance is required even for small legacy business systems.
- The same functionality is provided by duplicate sets of applications, possibly running on different technologies in isolation within the same organization.
- Customization leads to different versions of the same product.
- The cost of IT operation is higher.
- Legacy applications may not have a good UI and may be difficult and costly to maintain and enhance.
- Difficulty in enhancement may lead to non-compliance with regulatory requirements.
- It is difficult to roll out company-wide changes, as individual modules depend on legacy systems.
- Due to the legacy nature of the systems, functions like document generation and document printing may not be achievable.
Modernization of Legacy system
The term legacy modernization describes the practice of understanding and evolving existing software into high-performing assets with a low total cost of ownership (TCO) and limited investment. This is achievable by one, or a combination (NASCIO; 2008; Survey Section 2.7), of the following:
- Data conversion
- Virtualization/ Emulation
- Re-engineer or replace with a COTS software
- Applications wrapping
- Re-hosting/ Re-platforming
- Automated migration
- Renovation/ Re-architecting
- Utilize EAI to encapsulate and link legacy applications
- SOA integration
The modernization process can be as simple as upgrading or enhancing the current legacy application, or it can be so complex that it ends up as a high-end migration. To summarize, the overall purpose is to improve the functionality of the IT system so that business objectives are achieved in a leaner fashion.
Evaluation of a Legacy system
So far we have covered the different aspects of legacy applications: the challenges, the requirement to modernise and the benefits of modernization. Let us now evaluate a legacy IT system. The system we are going to analyse is an in-house system built in mainframe COBOL code and used as the core banking platform of a large European private wealth management bank. The legacy environment is an application that sends screen images to, and receives keyboard responses from, a fixed-function terminal. The terminals are usually 3270s, with the screen images being 3270 formats created from BMS (Basic Mapping Services) source members for CICS and MFS (Message Formatting Services) source members for IMS.
Legacy Environment Layout
Layer 1 is a mainframe configured to handle requests from 3270 terminals, which are fixed-function devices, mainly able to scroll text from left to right and from top to bottom. These 3270 terminals have their functionality built into hardware.
Layer 2 is an SSCP-PU connection (the SNA System Services Control Point to Physical Unit session).
Layer 3 is a set of two 3270 controllers.
Layer 4 is the connection between the 3270 controller and the 3270 terminal; it is an LU-2 connection (the SNA logical unit type used for 3270 displays).
Layer 5 is the actual 3270 terminal, which is customer facing and has a screen of 24 lines by 80 characters. Some customers customize the terminal to allow more rows and columns.
The various limitations of the legacy system are summarised below:
- Shortage of the skill sets required for supporting the old system
- Technology or software support from the respective vendors may not be available
- Built on old technologies, and the scope for improvement on old technologies is limited
- Non-alignment between business strategies and IT
- The old system is resistant to agility and to new changes in business models
- Total cost of ownership is high
Security Risk with Legacy Applications
Legacy code imposes an unmeasured and unaccounted-for risk. While a substantial budget is spent on small enhancements and maintenance of legacy applications, they receive far less security attention than new application development, although legacy applications are equally under regulatory scrutiny. Many legacy applications were developed for internal use with little focus on security and are sometimes exposed to the internet for reasons such as business pressure, mergers and acquisitions, partnerships and automation (NASCIO; 2008; Table 6).
Legacy applications are susceptible to security risk because many were designed with a physical access restriction model in focus, at a time when computer crimes were rare and compliance mandates were negligible. Legacy applications exist in every organization and they function perfectly; however, the operating system may no longer be supported, patches may no longer be provided by the vendor (e.g. ATMs running Windows XP), or supported utilities may no longer be compatible with upgrades. The way users interact with systems has changed drastically over the past few decades, and each access method raises security concerns for legacy applications spanning mainframe, desktop, client-server and web 1.0 applications. Legacy applications maintained by less-skilled administrators also pose a significant threat, as their ability to perform corrective and preventive action in time is limited.
Following is a list of the top 10 security issues found during our study:
- Data exchanged over an unencrypted channel is susceptible to sniffing attacks
- Data stored in unencrypted form allows unauthorised viewing of business-critical and private information
- Decentralized access control is applied through the client, and critical data/credentials are stored locally in plaintext or weakly encrypted form
- Buffer overflows due to improper memory management (applicable to unmanaged code written in C/C++)
- Human error in privilege assignment results in unauthorised users executing important programs/scripts on production data
- In web applications, insufficient input and output validation allows web attacks such as SQL injection and XSS
- Running insecure versions of COTS or open source components that lack the security protections built into newer versions gives an adversary the opportunity to compromise the server
- The centralized database is accessible to all operating system users; CRUD operations are possible through a database client, bypassing the application software
- One user's terminal-emulation client macro is available to another user, allowing impersonated execution
- Absence of audit trails / logs makes it almost impossible to investigate security incidents
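Two of the issues in the list above, insufficient input validation leading to SQL injection and the absence of an audit trail, can be shown side by side in a few lines. The following Python example is added here and is not code from the study or from the bank's system; it assumes an in-memory SQLite database seeded with constructed account rows, and the function names (`lookup_legacy`, `lookup_hardened`, `record_audit`, `verify_audit_chain`) are hypothetical. It contrasts the legacy string-concatenated query with a parameterised one, and records each hardened lookup in a hash-chained audit table so that a later deletion of a log row is detectable.

```python
import hashlib
import json
import sqlite3
from datetime import datetime, timezone

# Constructed sample data standing in for a slice of the legacy core banking
# database; account ids, owners and balances are invented for this example.
SAMPLE_ACCOUNTS = [
    ("ACC-001", "alice", 1200.50),
    ("ACC-002", "bob", 310.00),
    ("ACC-003", "carol", 98000.00),
]

GENESIS_HASH = "0" * 64  # chain anchor for the first audit entry


def open_db():
    """In-memory SQLite database seeded with the constructed accounts plus an
    audit table whose rows are hash-chained to each other."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id TEXT, owner TEXT, balance REAL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    conn.execute(
        "CREATE TABLE audit (seq INTEGER PRIMARY KEY, ts TEXT, actor TEXT, "
        "action TEXT, detail TEXT, prev_hash TEXT, entry_hash TEXT)"
    )
    return conn


def lookup_legacy(conn, owner):
    """Legacy pattern: user input is spliced into the SQL text, so the database
    cannot distinguish data from query syntax (the SQL injection issue above)."""
    sql = "SELECT id, owner, balance FROM accounts WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def record_audit(conn, actor, action, detail):
    """Append an audit entry whose hash also covers the previous entry's hash,
    so deleting or editing any earlier row breaks the chain."""
    last = conn.execute(
        "SELECT entry_hash FROM audit ORDER BY seq DESC LIMIT 1"
    ).fetchone()
    prev_hash = last[0] if last else GENESIS_HASH
    ts = datetime.now(timezone.utc).isoformat()
    detail_json = json.dumps(detail, sort_keys=True)
    entry_hash = hashlib.sha256(
        (prev_hash + ts + actor + action + detail_json).encode()
    ).hexdigest()
    conn.execute(
        "INSERT INTO audit (ts, actor, action, detail, prev_hash, entry_hash) "
        "VALUES (?, ?, ?, ?, ?, ?)",
        (ts, actor, action, detail_json, prev_hash, entry_hash),
    )
    conn.commit()


def lookup_hardened(conn, owner, actor):
    """Hardened pattern: a parameterised query keeps the input as data, and the
    lookup is written to the audit trail (the missing-logs issue above)."""
    rows = conn.execute(
        "SELECT id, owner, balance FROM accounts WHERE owner = ?", (owner,)
    ).fetchall()
    record_audit(conn, actor, "lookup", {"owner": owner, "rows": len(rows)})
    return rows


def verify_audit_chain(conn):
    """Recompute every hash in sequence; True only if no entry was altered or
    removed since it was written."""
    prev_hash = GENESIS_HASH
    for ts, actor, action, detail, stored_prev, stored_hash in conn.execute(
        "SELECT ts, actor, action, detail, prev_hash, entry_hash "
        "FROM audit ORDER BY seq"
    ):
        expected = hashlib.sha256(
            (prev_hash + ts + actor + action + detail).encode()
        ).hexdigest()
        if stored_prev != prev_hash or stored_hash != expected:
            return False
        prev_hash = stored_hash
    return True


def demo():
    """Run both lookups on the same crafted input, then tamper with the audit
    table; returns the row counts and the chain status before and after."""
    conn = open_db()
    crafted = "x' OR '1'='1"  # constructed input that matches no real owner
    legacy_rows = lookup_legacy(conn, crafted)      # legacy query returns every account
    hardened_rows = lookup_hardened(conn, crafted, actor="teller42")  # returns none
    lookup_hardened(conn, "alice", actor="teller42")
    intact_before = verify_audit_chain(conn)
    conn.execute("DELETE FROM audit WHERE seq = 1")  # simulate log tampering
    conn.commit()
    intact_after = verify_audit_chain(conn)
    return {
        "legacy_rows": len(legacy_rows),
        "hardened_rows": len(hardened_rows),
        "audit_intact_before": intact_before,
        "audit_intact_after": intact_after,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the legacy query returning all three constructed accounts for an input that names no owner, while the parameterised query returns none; the audit chain verifies until a row is deleted, after which `verify_audit_chain` fails. The hash chain only detects tampering, so in practice the audit table would also be written to a store the application's own database users cannot modify.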
Why do legacy systems not pose a problem?
Despite the various initiatives and reasons highlighted above, there are enterprises that continue to use legacy applications. They accept the use of these legacy applications for business functionality and invest in the maintenance and necessary patching, upgrades and bug fixes of these legacy systems. Below are some of the reasons we could identify; these can serve as supporting points for retaining and maintaining legacy applications, considering all the discussion under the headings above:
1) Dependency: The business is heavily dependent on the legacy application, which becomes a bottleneck.
2) Small functionality: Sometimes enterprises develop new modules for new business functions, but for old or small business functions associated with the legacy application they follow the 'as-is' approach.
3) Transformation project failures: Due to fear of project failure, some enterprises do not make a move towards modernization.
4) Line of business: If the legacy application is able to serve the business functionality, the approach is not to disturb the current (legacy) ecosystem.
5) Funding: Transformation projects are generally mapped to technology enhancement and are not driven by business requirements; hence minimal or less funding is available.
6) Integration hiccups: If one legacy system is transformed, there may be integration challenges with other dependent legacy systems; otherwise the enterprise has to revamp the whole IT system, which is difficult and challenging.
7) Legacy application know-how: In order to transform the current (legacy) system, it should be known well so that there are no surprises once the new system is launched. But there is always a lack of legacy application knowledge because of gaps in documentation and knowledge sharing. This is also a challenge.
8) Staff resistance: Staff do not want to come out of their comfort zone and hence resist any change.
9) Data migration issues: Transforming a legacy application inherently brings another project of data migration, which needs to be catered for from the following perspectives:
- Data Quality
- Data Cleansing
- Data Mapping
10) Customization: Most legacy systems are built in-house and are totally customised to specific business needs, which the enterprise does not want to lose.
These are just a few of the factors that drive businesses to retain and maintain legacy systems.
Migration of legacy systems to new infrastructure is an attractive proposal considering the challenges faced in running legacy applications. However, many organisations are deferring capital investment due to tougher economic conditions and various other reasons. Added to that, legacy applications are often complex and require thorough preparation, and probably an expensive project, for migration to new infrastructure. Therefore, alternative initiatives must be explored. Optimizing legacy applications can be instrumental in reducing IT costs. After the necessary cost and system optimization analysis, if it is observed that there is no scope for further optimization, then migration/transformation can be considered as one of the options.
Jones, R., 2010, Finding the Good Argument OR Why Bother With Logic?, The Closure Rule
NASCIO, 2008, Digital States at Risk!: Modernizing Legacy Systems, Survey Section 2.1: definition
NASCIO, 2008, Digital States at Risk!: Modernizing Legacy Systems, Survey Section 2.3: criteria
NASCIO, 2008, Digital States at Risk!: Modernizing Legacy Systems, Survey Section 2.5: drivers
NASCIO, 2008, Digital States at Risk!: Modernizing Legacy Systems, Survey Section 2.7: modernization methods
NASCIO, 2008, Digital States at Risk!: Modernizing Legacy Systems, Table 2: drivers
NASCIO, 2008, Digital States at Risk!: Modernizing Legacy Systems, Table 6: Enterprise Risk
Lamb, J., 2008, Legacy systems continue to have a place in the enterprise, retrieved on Sept 13 from https://www.computerweekly.com/feature/Legacy-systems-continue-to-have-a-place-in-the-enterprise