Legacy system guidance
Guidance on replacing or retiring legacy systems and technology and how to manage risk during the process.
The Digital Public Service call to action
Moving away from legacy systems is included in the New Zealand government’s Strategy for a Digital Public Service. It calls for integrated services instead of siloed, individual agency services. It supports investment in modern systems that make it possible to reuse data, rules and transactions.
What are legacy systems
Legacy technology can refer to an organisation’s ICT infrastructure including systems, hardware, and related business processes.
In general, a legacy system is an outdated computer system, application program or software that is still in use today. It is a part of a software program or system that is obsolete.
Technology becomes legacy if it is:
- considered an end-of-life product
- out of support from the supplier
- impossible to update
- no longer cost-effective
- considered to be above the acceptable risk threshold
- diminishing business utility.
Reasons to move away from legacy systems
Maintaining and using legacy technologies and systems can be inefficient and create risk.
The following are key reasons to replace or retire legacy systems.
Legacy systems are expensive to maintain
Lowering cost is one of the largest benefits of moving infrastructure or applications from legacy systems to cloud-based or other modern platforms. Legacy systems are expensive to maintain, which can cost more than replacing them.
Legacy systems are complex and inflexible
Some legacy systems need to be replaced because newer technology systems cannot interact with them.
Legacy systems are often not compatible with mobile and web applications, and other enterprise programs such as cloud capabilities and modern security framework.
New systems may not integrate properly or easily with older technologies and, even if possible, it’s expensive to do so.
Legacy systems rely on institutional knowledge
Legacy system processes and necessary technical information are often not documented, either internally or by suppliers. Organisations often rely on the institutional knowledge of employees instead, which can make disaster recovery and business continuity difficult or impossible if that legacy knowledge is lost.
Maintaining and expanding systems also becomes difficult due to the lack of understanding of how older systems run.
Legacy systems are insecure
The lack of security patches with older systems means increased vulnerability to security issues.
Legacy systems have low performance
A legacy system running for many years often performs slowly, consumes more resources and fails more often. This leads to a lack of efficiency and productivity. Older systems grow more unstable over time and the rapid pace of new software development strongly affects legacy systems.
Identify and understand your legacy systems
The first step to move away from legacy systems is to identify the systems, software or programs that are considered obsolete, and develop a migration plan to move away from them.
Guidance on understanding the environment, context and risk of legacy systems, as well as how to manage legacy systems, can be found on the CERT NZ website.
Manage legacy system risks
All government agencies must meet minimum technical and security standards to ensure all systems — including legacy systems — are secure. Find out what is required and what measures to take to meet best practice.
Whether keeping or replacing legacy systems, both options require time, money and resources and have risks that organisations need to consider.
- Keeping legacy systems poses the risks listed under ‘Reasons to move away from legacy technologies and systems’. Problems and security vulnerabilities in the systems can also be exploited.
- Replacing legacy systems poses the risk of affecting critical processes.
CERT NZ (Computer Emergency Response Team NZ) explains these risks associated with legacy systems, and offers guidance on the choices organisations have in moving away from legacy systems.
Mitigate risk: remove, replace, restrict
Risks associated with legacy systems can be mitigated by either removing or replacing the systems, or restricting access to them. CERT NZ provides further guidance on this.
Read CERT NZ’s section ‘Managing legacy systems’ to take additional steps to be able to better detect and action any incidents.
How to migrate away from legacy systems
Before migrating away from legacy systems, it’s important to understand and address the blockers. Information on technical and non-technical blockers can be found on the GOV.UK website.
Once the issues are understood, public sector organisations can adopt a principle-based approach to plan its migration by using the following principles developed by the UK government as useful considerations.
- Aim to use continuous improvement planning to keep your technology up to date.
- Build a complete and accurate register of your data assets.
- Know the full extent of your systems and infrastructure.
- Build skills and capabilities of your IT team.
- Have a flexible and responsive service model which can adapt to changing technology.
- Consider your organisation’s business needs, processes and culture.
Find more detailed guidance on the principles for managing legacy technology on the GOV.UK website.
UK Central Digital and Data Office provides detailed information in designing, building and acquiring technology.
Technology Code of Practice — GOV.UK
Guidance on the principles of modern software design published by the United States government.
Budgeting and overseeing tech projects — 18F De-risking Guide
NZ government investment principles to support government organisations in their development of digital and data investments.
Aligning digital, data and ICT investment to digital public service outcomes