Legacy Software Support May End, But an Archive is Forever

Here’s a question for you: With SQL Server 2008 ending support in July 2019 and Windows Server 2008 R2 support coming to an end in January 2020, do you have a plan for the legacy applications residing on those servers?

If you are certain this doesn’t apply to you, great, but please don’t kid yourself that it’s a non-issue, as many companies still have applications lingering on these platforms. There are about 240,000 of them publicly facing on the Internet, according to www.shodan.io. One can only imagine how many are still lurking behind firewalls.

Whether or not you have a plan in place to deal with the upgrades, there are a number of other questions that need answering:

  • Is it worth upgrading the database or the operating system for legacy applications that are semi-retired but need to continue to run for the occasional audit?
  • What about the data sets that are only needed for retention policy or legal compliance?
  • How many hours do you expect it will take to plan, test, convert, and test again in the upgraded environment?
  • How many resources will it take to support these legacy systems?
  • Are the legacy applications even able to run on a newer database or operating system?
  • What are the overall costs associated with the upgrade process from planning to execution?

Understanding the resources, costs, and constraints of the upgrade process for legacy systems may shed some light on the need for an archive solution.

A client recently asked me: “Doesn’t it make more sense just to take a system backup and stash the application somewhere; isn’t that cheaper than archiving?” Generally, yes, it’s less expensive, but, no, it doesn’t make more sense. And here’s why.


A data backup, in its simplest form, is merely a compressed copy of anything in use. In a virtual environment, a backup can include data files, as well as structured data (e.g., a database) or unstructured data (e.g., database files).

These backups cannot be maintained or audited to comply with privacy laws. With a backup, there is no systematic retention policy management and no ability to apply and enforce legal holds on the data set, leaving it vulnerable to data loss. The data are not easily accessible to respond to eDiscovery requests and, through employee attrition, the organization may lose the knowledge of how to query the data once it’s restored.

Another drawback of a database backup is that there is no guarantee of data integrity. If a backup is corrupt for any reason, most, if not all, of that data could be lost.

Lastly, backups do not support data analytics. Given the amount of information collected in historical data, leaving it as a mere backup is a lost opportunity to mine the data for trends, statistics and research.


Another factor to consider is that data backups are generally not subject to the organization’s Disaster Recovery (DR) plan.

If an eDiscovery request comes in for a data backup, the dataset may need rehydration for discoverability. There are time delays in meeting the demand while the data backup is restored and its integrity verified. These delays are costly, depending on the required legal response time for discovery.

Another concern with backups is the higher cost of compliance. This is true for all industries that collect personal information. For example, noncompliance with the new European Union General Data Protection Regulation (GDPR) and state privacy laws in the U.S. (e.g., California, Ohio and New York) can lead to costly penalties and fines.

A data archive, on the other hand, is a copy of the data saved in a shared production archive environment for long-term storage and future reference. The original application and all its associated infrastructure are decommissioned after being archived.

An archive is then integrated with Business Intelligence (BI) and Analytics tools. The data and metadata remain fully discoverable and reports are developed with the data as needed.

The archive application is maintained with database and software releases so it will not become a security risk. It becomes a single maintenance point instead of maintaining all the applications in disparate places.

The archive application should comply with all global privacy laws and security standards. It should also comply with all corporate retention policies and legal requirements applicable to the legacy data.


The advantages to data archiving include:

  • Fixed operating costs – It’s a fixed operating expense to the organization deciding to archive its data.
  • Long-term retention – A data archive stores unchanging data that’s no longer in use but is retained to meet a healthcare organization’s retention policy or legal requirements. It’s retained for a specific time or indefinitely.
  • Reduced risk of over-retention – If data is purged on schedule, it is not retained longer than necessary, which reduces the eDiscovery risk.
  • The archive application is a production system and can still be made available for replication to a disaster recovery environment, ensuring the data is not lost.
  • Retrieval speed – Getting the data out of the archive quickly is possible.
  • Immutable – Archived data cannot be altered or deleted, so the data integrity remains intact.

The lack of compliance with privacy laws has already resulted in millions of dollars in fines. The European Union alone issued 91 fines in 2018 for failure to comply with GDPR. There are still over 238,000 Windows 2008 servers publicly facing on the internet that will become security concerns at the end of the year, and hackers aren’t taking a day off, either. Knowing the risks, isn’t it past time to start taking action to mitigate them?