Digital environment has brought flexibility and efficiency to business by having multi-cloud environments, and scalable cloud-hosted applications. However, it becomes a nightmare for Technical Operations (Tech Ops) to understand and comply with licensing and contractual obligations put in by vendors. While implementing new infrastructure, Tech Ops is generally under pressure to make sure that implementation happens smoothly and at a quick pace, so that the business teams start utilizing it ASAP. Tech Ops also inherit some legacy applications.
When the vendor contract comes to end, the decommissioning of applications can be a significant burden for an enterprise. This may be due to a lack of contractual obligations between vendor and enterprise about the roles in decommissioning, or lack of documentation about application and infrastructure architecture, or licensing issues if any proprietary databases are used, etc.
In many cases, since the application is not decommissioned after the contract period, the vendor claims that enterprises are violating contractual obligations and licensing norms and thus claim damages which may result in legal battles.
Enterprises should clean the “dead” applications in a timely, orderly manner to free up resources and save costs. Such legacy applications especially in cloud environments, depending upon the configuration can consume high volumes of resources when set in autoscaling mode and result in high costs. Enterprises should adopt a strategic approach for systematically removing outdated, legacy applications while ensuring no impact on business needs, operations, and compliance requirements.
It is important for enterprises to maintain an updated inventory of all such applications and their expiry dates. To plan the decommissioning of applications, enterprises should maintain a decision matrix involving different stakeholders from Tech Ops, IT, InfoSec, Legal, Business, etc., and must account for licensing obligations, contractual terms, user experience, and business processes. The enterprises may also consider if the data and logs need to be retained in the old system or archived for regulatory compliance or to support any legal proceedings in the future.
It is essential to estimate the cost of decommissioning as there is no direct correlation with the original cost of implementation. The cost estimation can be done by evaluating the cost of ownership, scope, retention, complexity, and dependencies, etc.
In case of legal disputes, the forensic approach to decommission helps as all the steps taken to decommission the application and underlying infrastructure is recorded along with time stamps. Also, the forensic auditor can verify by performing log and data analysis, if there has been indeed any violation of contractual terms or over-usage. It is also equally important to remove all traces of the legacy application while implementing a mechanism to access data that must be retained for regulatory, legal, or historical purposes. An independent forensic professional can also guide enterprises in establishing and following correct processes during the decommissioning activity.
In some cases, if the application and infrastructure architecture is not readily available with the tech teams, it becomes difficult to extract the data for archival. In such cases, experts can help enterprises by using innovative technology and scripts which help extract data from difficult legacy systems. A full chain-of-custody audit trail is maintained for the data as it’s extracted and maintained by adhering to all security, privacy, retention, and other compliance standards in archival. The professional can also help enterprises secure the termination of software licenses and service agreements. Considering the various data privacy regulations in different geographies, the professionals guide while dealing with personal data. The experts can help by advising appropriate data localization, anonymization, encryption norms, and technologies when the data is retained or archived.
Forensic professionals also document the entire process in form of a report which can be produced in the legal proceedings if needed.
Following a forensic approach to decommissioning tech infrastructure by appointing an independent forensic auditor and data retention can consume resources and increase costs. Also, it may not provide a direct return on investment. However, this helps in indirect benefits like risk avoidance and saving on penalties in the future.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.