I recently experienced a very interesting scenario related to the failure of an organization (a client of mine) in keeping some of their IT systems semi-up-to-date. The scenario (like many of my projects these days) is PKI related. At this client we (the team that I work with) are in the process of re-building their PKI which involves establishing a new trust hierarchy and issuing a number of certificates to their systems.

Seems simple enough, however, we ran into an issue with their HR system. In this case, we encountered an error when attempting to import the Root CA's certificate into that system's Java KeyStore. Hmmm... odd problem, but then again we also noticed that they were using a very old version of Java (1.3 to be exact). Never mind the fact that Sun dropped support for that version in 2003, but through the wonders of Google we also found that this was a known issue that was corrected in 1.5.

With all of this wonderful knowledge in our hands, and giddy as school children perhaps, we approached the application owner with a solution: "Upgrade your version of Java." The reply: "We can't do that, because our version of the HR system will not support it."

Thus, the tangled web soon became unraveled as we then also learned that not only was their Java version old, unsupported, and out of date. But, the HR system was also no longer a supported version, which also ran on an unsupported version of Oracle, and there were no plans to upgrade (instead they had pinned their hopes on a very long-term system migration to another platform). In other words, there was no solution.

***Scratches Head***
Here is my ode. Why! This is not the only instance where I have seen the failure of organizations to keep their systems current. Examples range from:

• A payroll system running on a single "highly modified" and very dusty Windows 95 machine
• Entire shipping and distribution systems still reliant on the woes of Windows NT 4.0
• Failure to service pack or update enterprise systems out of fear that something might break
• To organizations running mission critical applications from companies that don't even exist anymore
• ...this list really can go on...

Now, I'm all for getting the most of your investment. In addition, I don't advocate always deploying the latest and greatest (it all depends). But, there has to be a middle ground. After all, I tend to consider Information Technology as a piece of infrastructure that most organizations use to run their operations. Thus, like any other piece of infrastructure it should be maintained. If you don't believe me, then watch any of the engineering/architecture shows that on the science channel. Whenever there is a show about some marvel of engineering, which in this case I'm refereeing to a piece of infrastructure (like a bridge, dam, tunnel, etc.). One of the main things that they always point out is the rigorous maintenance schedule for that piece of infrastructure.

Why, anyone would treat IT infrastructure as any different is beyond me. If anything (until SaaS rules and Google has all of my data), IT related stuff requires more diligence in relation to maintenance because of how fast technology moves.

So... if you haven't started looking at the next Linux distro, Windows Server 2008, or that fancy thing called PowerShell, then you might want to get moving. IT is all about evolution, if you don't evolve to meet the needs of a changing and dynamic ecosystem. Then you may as well step away from the big red button!