Despite the IT industry's efforts to improve the standard of operating systems used in the enterprise, a significant number of users choose to stick with apparently outmoded operating systems for some of their most critical applications.
Legacy server operating systems from suppliers such as Hewlett-Packard, IBM, Microsoft, Tandem and Unisys still power important applications in banking, travel and the public sector.
Many banks rely on core systems built in the late 1970s and early 1980s. Every time a bank customer makes a money transfer, the transaction passes through a legacy platform, says Julian Dobbins, director of product management at legacy software firm Micro Focus.
And despite the fact that these systems are frozen in time, he sees nothing wrong with this. "One investment bank I know started life on Wang then moved on to AIX, which it is still running. As long as these systems are still serving the business and there are the skills available and a user can find support, then why not?"
Outdated platforms often survive because of the risk and cost of replacing them, according to financial services analyst TowerGroup. Legacy replacement projects can fail, not only damaging the credibility of the IT department but also the careers of the managers put in charge of them.
The time and cost involved in system testing and the prospect of a massive end-user retraining programme can prove daunting too. Against this, a stable platform with tried-and-tested processes can look extremely appealing.
Dharmesh Mistry was, until recently, closely involved in technology strategy at Natwest and Lloyds TSB. "We felt that if it was not broken, why fix it?" he says. "If you look at the lines of code involved in migrating to something new, why bother?"
Mistry, who is now chief technology officer for software company edge IPK, points out that money for upgrades is difficult to obtain because budgets are divided between keeping the show on the road and providing new functionality. Legacy systems upgrades can often only be achieved at the expense of investment in newer systems elsewhere.
Increasingly, users are migrating their business functionality onto newer platforms in a mid-tier of systems, Mistry says. They are moving away from old-fashioned green screens and turning back-end legacy systems into file servers and archives. "First they say let's re-face the system then they pull out the business logic so that it is separate from the legacy systems," Mistry says.
Liverpool Victoria is one example of a company that has successfully integrated mainframe systems with a browser-based front end in this manner. The insurance company's car business suffered from a website that mapped directly on to mainframe data. By separating the mainframe processes from the front end, the company introduced more user-friendly pages and made it easier to add features in the future.
So it is not surprising that many users choose to modernise their platforms rather than replace them. The dilemma is neatly summarised in a recent survey of insurance firms by BT Global Services. The firm's researchers reported that, Although legacy systems were affecting the ability of insurance firms to generate new business, only 42% said they would rather adopt new systems. Some 37% said they planned to upgrade old systems.
Users who go for modernisation can take advantage of tools such as XML-based web services, middleware technology and portal frameworks that enable them to increase the life of operating systems from the early eighties such as VMS, AS/400 and Unix.
"We can now wrap these up in a standard access layer, re-label them as 'heritage' systems, and look forward to squeezing another decade of service out of them," says Dale Vile of Freeform Dynamics.
Integrating operating systems from different eras is not as difficult as it used to be. Tools such as IBM's WebSphereMQ message broker can cater for as many as 50 operating systems, providing a convenient way of passing messages between applications running under incompatible operating systems.
However, integration still poses a number of challenges. Modern computing is based on the concept of sessions, conversations that may involve several different systems. This approach to computing was unheard of when IBM 360 ruled the roost and communications took place on a much more limited scale.
Not only does the difference in transaction styles throw up compatibility issues, but communications involving legacy systems can consume more network bandwidth than their modern counterparts, owing to the serial nature of their output.
There are problems too with security. At the most basic level, mainframe password protocols can make it difficult to change passwords or to have more than one password. More seriously, maintaining security on legacy systems can be difficult, since users cannot expect automatic protection from new threats.
"Users of legacy operating systems do have to confront the fact that they will not have security patches delivered to them," says Vijay Samtani, manager in Deloitte's security and privacy services. "So, to go alongside their patching strategy, they need to develop a strategy to manage the risks of having unpatched software in their enterprise."
They will have to weigh the benefits of keeping a legacy operating system against security worries and the cost of protecting it by means other than patching. "Supporting a legacy operating system in your enterprise is as much about risk management as it is about traditional IT service management," says Samtani.
Sometimes the very age of a system can increase its security. For example, it is unlikely that an ATM system running on Windows NT4 over an IBM SNA network will be troubled by viruses or hacking.
Increased regulation in many industries and an emphasis on corporate governance also makes an impact on data storage. Many authorities insist data be kept in a certain way or that it be available for inspection within a given timescale.
"There are challenging issues around the way data is stored in a legacy system," says Tom Saunders, who has run many IT departments as an interim manager. "When you want to bring it back recovery can be a nightmare. Most organisations opt to extract data into flat files before it is stored."
The cost of running elderly software is often inflated by the outdated hardware it is mounted on. However, virtualisation has helped cut the umbilical chord between legacy systems software and the hardware it was originally designed to run on, allowing users to replace their hardware and consolidate legacy systems on a single server.
However, although shrouding older applications in web-services-based interfaces helps systems integration and the user experience, it does not particularly help with the growing challenge of maintaining legacy skills or the availability of ongoing support from suppliers, says Vile.
Skills are a hot potato. "There is definitely a skills shortage," says Alan Rodger, senior research analyst at Butler Group. "It is a ticking clock because you cannot expect to be able to find people with specific legacy skills for ever. Legacy skills are not attractive ones to have."
Rodger gives the example of a contractor who specialises in the Pick operating system, a 1970s system developed during the Vietnam War. The contractor has several clients who are completely dependent on him, which means he must be contactable at all times. He earns enough money to work a three-day week, but will not be around forever.
Although few IT shops will find themselves relying on individuals like the Pick specialist, there are plenty of personnel problems associated with legacy systems. Users can end up dependent on a small number of older staff to maintain their systems, people who inevitably move on or retire, taking their knowledge with them. Service companies may be able to fill the gap, but ultimately they too are struggling to find experts with the right skills.
Supplier strategies play a key role in creating legacy systems and determining their longevity. Users determined to avoid upgrades can end up in tussles over support with IT companies. Microsoft takes one of the hardest lines in the industry, branding all versions of its operating systems except the current one as legacy. The stance has sparked user rebellions in the past.
But even companies more at home in the datacentre are keen to edge users on to an upgrade path. Negotiations over support for legacy systems can be tough, with suppliers demanding extra payments for maintenance and trying to impose cut-off dates while customers hold back for a better deal.
Mainframer Unisys is sensitive about the whole idea of legacy operating systems. "People have tried to associate legacy with IBM z Series and ClearPath," says Bob Tillotson, vice-president and general manager of Global ClearPath sales at Unisys. "But the term legacy is inappropriate as we are delivering appropriate systems. It is a pejorative word to position something as old."
Tillotson points out that operating systems are living longer than they did in the 1970s, and only a handful have terminated, as he puts it, since then. Unisys has extended the length of support for its operating system releases and put new policies in place so customers do not have to keep moving from one version to another, he says. The company is not alone in keeping its legacy systems alive. The IBM mainframe has evolved to the modern zSeries and the AS/400 to the equally up to date iSeries.
It is difficult to generalise about legacy operating systems. Not only are there many reasons for sticking with them but many different ways of managing them. One constant theme is that no legacy operating system can go on forever.
One day the cost and inconvenience of maintaining a legacy system will tip the balance in favour of an upgrade. The trick is to know when that time has arrived.