migrating applications to hybrid cloud computing · cloud platforms and integrating public cloud...


Post on 22-May-2020


Page 1: Migrating Applications to Hybrid Cloud Computing · cloud platforms and integrating public cloud services. However, there has been relatively slow progress in migrating applications

Integrity. Excellence. Results.

Migrating Applications to Hybrid Cloud Computing: Five challenges to realise the benefits of cloud

www.citihub.com


Contents

1 Introduction

2 Cloud Suitability
  2.1 Strategic Objectives
  2.2 Enablers
  2.3 Risks

3 Cloud Adoption Approach
  Challenge 1: What applications are suitable for migration to cloud computing?
    3.1.1 Application Usage Patterns
    3.1.2 Migration Approach
    3.1.3 Application Design Patterns
    3.1.4 Suitability Considerations
  Challenge 2: Is there sufficient business justification for migrating an application?
    3.2.1 Cost Analysis
    3.2.2 Service Levels
    3.2.3 Business Value
  Challenge 3: What is the best technical approach for migrating an application?
    3.3.1 SaaS Migration
    3.3.2 PaaS Migration
    3.3.3 IaaS Migration
    3.3.4 Technical Approach
    3.3.5 Design Patterns
    3.3.6 Technical Challenges
  Challenge 4: What integration solutions are needed to support an application on the cloud platform?
    3.4.1 Integration Types
    3.4.2 Integration Principles
    3.4.3 Technical Approach
  Challenge 5: What security & compliance risks or obligations need to be addressed?
    3.5.1 Cloud Risk and Security Concerns
    3.5.2 Cloud Risk and Security Benefits
    3.5.3 Risk Mitigation Approach

4 Conclusion

5 About Citihub Consulting and the Author

Migrating Applications to Hybrid Cloud Computing: Five Challenges to Realise the Benefits of Cloud 2


1 Introduction

In recent years there has been a proliferation of strategic hybrid cloud adoption programs across the financial services industry, with the result that many firms have been rapidly building or buying private cloud platforms and integrating public cloud services. However, there has been relatively slow progress in migrating applications and business processes onto these platforms. Cloud computing can deliver significant benefits, but many firms have found that it also presents complex challenges that are preventing or slowing mass adoption.

In order to accelerate the adoption of cloud computing for applications, without increasing business risk or impacting customers, firms should take a strategic and methodical approach. This approach should address the following five distinct but interrelated challenges to ensure successful mass adoption:

Challenge 1: What applications are suitable for migration to cloud computing?

Challenge 2: Is there sufficient business justification for migrating an application?

Challenge 3: What is the best technical approach for migrating an application?

Challenge 4: What integration solutions are needed to support an application on the cloud platform?

Challenge 5: What security and compliance risks or obligations need to be addressed?


These challenges and the complexities involved in addressing them should be understood by the entire business and IT community, in order to address questions on cloud adoption from three perspectives:

Business: Why is moving my business to the cloud so complicated, slow and costly?

Application: What should I be considering when planning to migrate applications to cloud computing?

Infrastructure: How can I help accelerate or enable mass adoption of cloud computing while maintaining compliance and a competitive cost base?

This paper is aimed at IT and business decision makers, with a large portfolio of complex applications, to help answer these three questions and provide guidance on how to tackle the five challenges with best practices and activities to plan and implement a hybrid cloud adoption roadmap.

The paper assumes the reader is familiar with basic cloud computing concepts and the associated terminology. There are two main sections to the paper:

Cloud Suitability: describes some aspects of the objectives, suitability and risks that should be considered when migrating enterprise applications to cloud computing, and provides some guidance on the different types of applications that are best suited for migration to cloud computing

Cloud Adoption Approach: describes five key challenges that must be addressed when migrating a large portfolio of complex applications to cloud computing, and suggests a structured methodology for identifying suitable applications with guidance on activities to plan and implement a successful cloud adoption roadmap


2 Cloud Suitability

There is often a complex mix of motivations for an enterprise to adopt hybrid cloud computing as an IT strategy. The objectives and the expected benefits must be clearly understood and articulated in the business and IT strategy that is driving the cloud adoption. The objectives are often conflicting, so the strategy must also describe policies and guidance on what to optimise for when planning the cloud adoption roadmap and migration approach for applications.

The hybrid cloud strategy should consider both business and technical factors, including the business and IT strategic objectives, the suitability of applications and business processes to benefit from cloud, and the risks of migration. These are described in more detail in the following sections.

The suitability of an application or business process for cloud is a combination of the business value that can be created by migrating to cloud, the level of risk involved and the technical fit of an application or process. These can be determined by considering the characteristics and capabilities of the target cloud platform, and how these will enable applications or business processes to benefit from migrating to the cloud platform. The characteristics and capabilities of the cloud platform will vary depending on the specific implementation of the target deployment model (Private or Public), and the target service model (IaaS, PaaS or SaaS). Some of these common characteristics are described later in this section, with some guidance on the types of applications that are best suited to benefit from these characteristics.

[Figure 1: Developing a Hybrid Cloud Strategy. Panels: Business & IT Strategy & Objectives (Business Objectives, IT Objectives); Cloud Strategy (reference architecture, target state & roadmap); GRC & Security (Governance, Risk & Compliance; Information Security); Enablers; Risks; Suitability; Cloud Adoption; Cloud Services (Service Provision, Service Requirements); Application & Data; Enterprise Infrastructure.]


2.1 Strategic Objectives

The motivations for migrating an application to cloud computing may include some of the following objectives:

Business Objectives
• Reduced or re-allocated cost
• Greater financial flexibility
• Business agility and flexibility
• Greater competitive differentiation

IT Objectives
• Aligning IT costs with business demand
• Reduction in fixed-capital
• IT agility and flexibility
• Improved security
• Improved responsiveness
• Improved availability
• Greater innovation and value creation from IT

2.2 Enablers

Some of the common characteristics of cloud computing are described below. These are enablers for the strategic objectives, and the suitability of an application for migration to cloud computing will, in part, be determined by the application’s ability to benefit from these characteristics:

Elasticity & bursting

Elasticity provides the ability for infrastructure usage to scale up or down based on demand, on a “pay per use” basis. Applications that are designed to scale horizontally, by distributing their workload over many servers, can take advantage of the elasticity of cloud computing, by rapidly scaling their resource usage to match the business demand.

Bursting provides the ability to quickly add additional resource from the cloud platform to an “always available” baseline infrastructure. So an application’s infrastructure does not need to be scaled for peak usage, but can be scaled for average usage, with the knowledge that additional resources can be rapidly made available when required for peaks in demand.

Applications that have unpredictable or cyclical usage patterns, such as document search, data mining for fraud detection with map-reduce, value at risk analysis with grid computing, and end of day batch processing, are particularly well suited to take advantage of cloud elasticity and bursting. As a result, the infrastructure cost associated with an application can be minimised and more closely aligned with business demand, while the application can often achieve significant improvements in performance and availability from the seemingly unlimited amount of resource available on-demand from the cloud platform.

Pay-per-use

With the cloud “pay per use” model, firms no longer need to make large, up front capital investments in order to develop or grow businesses. This can significantly reduce the cost of entry and the cost of innovation for new business, which can benefit both large and small enterprises alike. Migrating applications off fixed cost, enterprise owned dedicated servers, onto “pay per use” vendor owned cloud platforms, will help make costs more flexible and more closely aligned with business demand.

As-a-Service

Making use of the application services provided by cloud platforms, such as “Database as a Service”, “Messaging as a Service”, “Storage as a Service”, etc., can significantly reduce the need for specialised in-house IT skills and remove some of the non-value-add challenges, freeing up developers, engineers and operators to focus on business problems that provide value-add or business competitive advantage.


2.3 Risks

There are a number of risks or concerns that may be barriers to cloud adoption and need to be considered when assessing the suitability of applications for cloud migration. These can be grouped into four main categories: Governance and Risk Management; Commercial Risks; Technical Risks; and Operational Risks. These risk categories are described below.

Governance & Risk Management (accountability, responsibility, and regulatory compliance)
• Accountability for all risks stays with the institution even though a proportion of responsibility may be delegated to a provider.
• Governance and decision making related to public cloud risks needs careful consideration with decisions taken at appropriate levels in the organisation.
• Industry regulators will expect to see strong governance and evidence of appropriate risk management within the regulated entity.

Commercial Risks (transparency, T&Cs and vendor lock-in)
• Public cloud commercial terms are less favourable or tailored than traditional outsourcing.
• Restricted audit rights and supply chain visibility for public cloud vendors.
• Potential for decentralised Cloud Service Provider engagement, particularly for services that are engaged directly by the business.
• Different approach and consequences for demand management and protection against unintentional over consumption of resource.
• Once a cloud service from a provider is adopted, it may not be easy to change to an alternative provider. Emerging technology solutions and standards are helping to increase the portability and interoperability of systems across cloud service providers, and will reduce or eliminate this risk.

Technology Risks (integration, security and availability)
• The nature of multi-tenancy and external hosting increases data security risks and the threat of data leakage and system manipulation. Technologies exist that can make cloud computing safe to use, however, these often require new concepts and skills that will take time to acquire.
• Application availability management changes due to the nature of abstraction and a shift in responsibility into the application layer.
• There is a heavy reliance on APIs to deliver and control services. Issues could have wide reaching effects.

Operational Risks (loss of control)
• Transfer of control of hardware, software, security, etc. to a third-party cloud service provider (CSP). The operating model between CSP and customer needs bridging to maintain sufficient control. The CSPs work in a utility model, exposing APIs for the customer or an integrator to create workflow and tooling links.
• The customer will have a number of critical integration points which need heavy control, e.g. console access or encryption key management.


3 Cloud Adoption Approach

When migrating applications to cloud computing, it is important that the level of service provided by applications on the cloud platform is comparable to or better than the existing platform. The suitability of an application and the approach taken for migration are key factors that will determine the level of service that can be achieved with cloud computing. Migrating applications that are not suitable or using an approach that does not account for the application’s suitability, risks or costs could ultimately result in higher costs or reduced performance, reliability or security, diminishing the potential benefits of cloud computing.

In this section we outline a structured and methodical approach for planning a cloud adoption roadmap. This approach will help accelerate the successful migration of existing applications to cloud computing, and help an organisation realise the potential benefits of cloud computing.

The cloud adoption approach described in this section involves tackling a series of distinct but interrelated challenges that must be addressed to ensure successful migration:

Challenge 1: What applications are suitable for migration to cloud computing?

Challenge 2: Is there sufficient business justification for migrating an application?

Challenge 3: What is the best technical approach for migrating an application?

Challenge 4: What integration solutions are needed to support an application on the cloud platform?

Challenge 5: What security and compliance risks or obligations need to be addressed?

An approach for addressing these challenges is described in the following sections, along with some guidance on best practices, and activities to plan and implement a cloud adoption roadmap.


Challenge 1: What applications are suitable for migration to cloud computing?

Assessing applications and workloads for cloud suitability will identify and prioritise candidate applications and data that can potentially be migrated to a cloud computing model, and determine what types of cloud (IaaS, PaaS, or SaaS), cloud services, or delivery models (public, private, or hybrid) can be supported. The assessment process can be broken down into the four key stages summarised in Figure 2 and described below.

[Figure 2: Summary of Application Assessment Methodology. Four stages: Data Analysis (Application & Services Portfolio), Assessment (Risk & Suitability), Design (Approach & Business Case), Planning (Pipeline & Timescales). Other panel labels: Suitability and Risk axes (Low to High) with quadrants Transform (Refactor, Redevelop), Migrate (V2V, Re-host, Re-package), Mitigate and Not Suitable; Approach, Effort/Cost, Benefits; Early Adopters, Mass Adopters and Laggards across Y1 to Y4.]

Data Analysis

Define decision criteria and validate data needed to assess the application portfolio.

When embarking on a strategy of cloud adoption for a large portfolio of complex applications, it often makes sense to start with the lowest-risk applications—those with minimal customer data and other sensitive information—or applications that are most suitable and will benefit the most from cloud computing. It also makes sense to first identify the applications you do not want to move to cloud computing. Before identifying and prioritising suitable candidate applications, the cloud adoption policies and decision criteria need to be defined, although these may be refined as the assessment progresses. It may also be necessary to review and validate the data sources needed to evaluate the application portfolio (e.g. CMDB, existing IT platform specifications, application architecture, etc.)


Assessment

Evaluate applications and workloads for suitability and risks to determine an appropriate migration approach.

With the decision criteria defined and the relevant information available, a large portfolio of applications can be quickly assessed to identify and prioritise potential candidates for migration based on their suitability and the risk of migration. This assessment can be achieved using either a high-level pattern based assessment, or a more detailed deep dive assessment. The assessment approach used will need to be determined for each application and application component.

The high-level assessment uses patterns to group applications into categories with similar requirements and assess each category as a whole. The pattern based assessment can significantly reduce the time needed to evaluate a large portfolio of applications, however, it is often the case that applications cannot be easily categorised in this way. In these cases, it will be necessary to perform a deep dive analysis of applications or components to determine the suitability and risks of migrating to cloud. This deep-dive analysis will usually rely heavily on application teams to perform the evaluation, or provide input to the evaluation process, which can add to the cost and time needed.

At this stage it might be possible to identify early adopters that can be accelerated through the remainder of the process for a pilot migration to test and refine the assessment and migration process.

Design

Determine the migration approach and business case.

Once the potential candidates are identified they can be evaluated in more detail to determine the migration approach and the potential costs and benefits of migration.

Planning

Produce a prioritised pipeline of migration candidates and timescales.

With a proposed migration approach and business case defined for the candidates, they can be prioritised and the migration plans drawn up. The planning must be done in conjunction with the application teams to ensure suitable resources and budget are allocated to execute the plans. The plans should consider who will be executing the migration (app teams or centrally funded team), and whether sufficient business priority has been given to the migration.


3.1.1 Application Usage Patterns

During the assessment process it may be possible to determine an application’s suitability based on the type of application or how the application is used. This approach can also identify applications that are less suitable for cloud migration. Removing these from the candidate list early on in the process can accelerate the assessment and avoid unnecessary work. The tables in Figure 3 describe some of the common application types that may be suitable, and some that may be less suitable for migration to cloud computing.

Suitable for Cloud Migration (Usage Pattern: Example)
• Bursty: Applications that run infrequently and need significant computing resources when running, e.g. Grid
• Batch: Applications that run for a predefined scheduled period of time, e.g. EOD reporting
• SOA: Applications that are loosely coupled and have a service oriented architecture (SOA)
• Development & Test: Development and testing environments for applications that may or may not run on the cloud platform for production
• Internet: Applications whose primary user interface is accessed in a web browser via the public internet

Less Suitable for Cloud Migration (Usage Pattern: Example)
• Sensitive Data: Applications that use sensitive data, particularly when there are statutory compliance considerations. The handling of sensitive data in cloud computing does need careful consideration and appropriate mitigation
• Latency: Applications that are very sensitive to performance, particularly network latency sensitive applications, such as electronic pricing and trading applications
• Data Affinity: Applications that access large volumes of data from an existing database or file system that cannot easily be migrated to cloud computing
• Incompatible Platform: Applications that currently run on hardware or an operating system that cannot easily be ported to the cloud computing platform, e.g. Mainframe
• Specialist Hardware: Applications that require specialist hardware or acceleration technology that will not be supported by the cloud platform, e.g. GPU, FPGA

Figure 3: Example application types that are suitable and are less suitable for migration to cloud computing. Note that the suitability will be dependent on many factors and could vary for different organisations and situations.

3.1.2 Migration Approach

The main objective of the application assessment is to determine the best approach for migrating applications to cloud computing. The assessment process will determine the suitability and risk of migrating an application or pattern of applications. These, in turn, can be used to determine whether an application or pattern of applications should be migrated, and if so, the best approach for migration.

The migration approach can be summarised into four categories. These categories, and the relationship with risk and suitability, are described below and shown in Figure 4.


Transform
The application has low suitability and low risk, so there are some technical barriers to migration that must be overcome by re-factoring or re-developing the application.

Not Suitable
The application has both low suitability and high risk, and should not be migrated to cloud computing in the short or medium term. However, applications in this category may need to be re-evaluated at a later date once the organisation’s cloud migration experience and skills develop, or the cloud platform capabilities mature.

Migrate
The application has high suitability and low risk, so there are no technical or risk barriers to migration and the application can be migrated to the cloud platform with minimal changes.

Mitigate
The application has high suitability and high risk, so there are no technical barriers to migration, however, there are some risks associated with the migration that must be mitigated, e.g. risk of sensitive data being moved to a cloud service.

[Figure 4: Determine migration approach from Risk and Suitability. Axes: Suitability (Low to High) and Risk (Low to High). Quadrants: Transform (Refactor, Redevelop); Migrate (V2V, Re-host, Re-package); Mitigate; Not Suitable.]

Some of the typical approaches for transforming and migrating applications to cloud computing are described in challenge 3 and summarised in Figure 5.

Approach: Description
• Virtual to Virtual (V2V): Move existing virtual machines onto the new platform
• Re-host: Move applications onto the new platform with minimal change
• Re-package (containerise): Packaging applications inside deployment packages or containers, e.g. PaaS, Docker, or Java Application Container
• Re-factor: Update codebase or recompile to support cloud runtime environment, e.g. update OS version supported, or Java virtual machine version supported
• Decouple Re-develop: Re-architect application to eliminate static dependencies on ecosystem and external components
• Stateless Re-develop: Re-architect applications to eliminate state from within application processes, e.g. move state from process memory to external shared cache
• 12-Factor / Cloud Native Re-develop: Re-architect applications to be cloud native, e.g. “12 factor applications” (https://12factor.net/)

Figure 5: Typical Approaches for Migrating and Transforming Applications for Cloud Computing


3.1.3 Application Design Patterns

When categorising applications into similar types for design pattern based assessment, it will be necessary to identify a small number of design patterns that will encompass the majority of applications in the portfolio, and will be easy to assess. Finalising the list of design pattern categories will be an iterative process, starting with an initial set of patterns that can be gradually refined as the assessment progresses. Figure 6 shows some example application design patterns with an indication of the potential suitability of applications that match the patterns.

[Figure 6 table. Columns: Pattern, Description, Suitability (Low to High).]
• Existing standardised platform: Applications deployed on existing standard platform offerings or with suitable loosely coupled dependencies, e.g. Grid computing platform, Java app hosting platform, Database farm, Web farm, etc.
• Loosely coupled, SOA or microservices architecture: Applications with logically separate components that are loosely coupled, e.g. separate presentation, business logic and data tiers, or using SOA or microservices.
• Infrastructure dependency: Applications with strong dependencies on underlying infrastructure (e.g. physical servers, server clustering).
• Database-only: Applications that are database only, providing data source, or storage services for other systems.
• Complex integrations: Applications with dependencies on specific systems or technologies that cannot be easily migrated or replaced (e.g. mainframe, GPU, hard-coded integration).

Figure 6: Example application patterns and suitability for cloud migration. Note that the suitability is dependent on many factors and could vary for different organisations and situations.

3.1.4 Suitability Considerations

The application assessment process must determine the risk and suitability of an application or pattern of applications for migration to cloud computing by considering the following areas:

Security

The security of an application that has been migrated to cloud computing is the joint responsibility of all parties, including the application owner, the cloud service provider, the business and the firm’s IT organisation. For IaaS, the application owner is responsible for security within the application (e.g. authentication and authorisation, data entitlements, etc.), the cloud service provider is responsible for the platform security controls, the IT organisation is responsible for security of the runtime environment and integration, and the business is responsible for ensuring users comply with usage policies. For PaaS the cloud service provider takes responsibility for security of the runtime environment, and for SaaS the cloud service provider takes responsibility for security of the entire technology stack. The application owner and ultimately the business must understand that for any cloud deployment model (IaaS, PaaS or SaaS), they also have accountability for security of the entire system, particularly when there are statutory obligations.

Application Architecture
Previous sections described a number of application types and design patterns, and how they influence an application’s suitability for cloud migration. The architecture of an application is one of the key factors that will determine whether an application can benefit from cloud computing. Is the application designed for horizontal scaling and load balancing? Is the application designed to be stateless? Is the application portable? Can application processes be easily replicated? It may be possible to migrate an application that is not particularly well suited for cloud computing; however, the application may not benefit from cloud capabilities like elasticity, horizontal scaling, and pay-per-use.

Data
The quality, integrity, control and confidentiality of data must be maintained after an application is migrated to cloud computing. Are there any data confidentiality concerns? Are there any statutory compliance restrictions, e.g. legal or regulatory obligations? The volume and frequency of data transferred in or out of the cloud platform can significantly impact the performance and cost of an application that has been migrated to cloud computing. So a clear understanding of application data classifications and data flows is needed in order to plan a cloud migration.

Application Development Lifecycle
What is the rate and complexity of change for the application? Can the application be re-developed or re-factored for cloud computing? Is the application expected to be retired soon? Is there a scheduled refresh for the application or existing platform that could be used to migrate the application to cloud computing? Is the application managed using DevOps or similar methodologies, like continuous deployment or automated release and deployment? Could the application be replaced or partially replaced by a cloud service (e.g. database as a service), or even a SaaS solution?

Business
What are the business and IT policies regarding cloud adoption? Is the organisation ready for cloud adoption? Does the application owner, IT community and business support the migration to cloud computing? How averse is the business to IT risk? Is the application business or mission critical?

Technology
There are many aspects of an application’s technology stack and dependencies that must be considered. How the application implements resiliency and ensures business process continuity is a key factor that influences cloud suitability. Cloud platforms do not generally provide resilient servers, but do provide resilient environments (e.g. availability zones) and resilient services (e.g. Database as a Service, Cloud Storage) that automatically replicate data and services across multiple datacentres. Therefore, applications that rely on the underlying infrastructure to provide high availability with resilient servers, e.g. server clusters, may not be suitable for cloud migration unless they can be re-designed to add resiliency and high availability into the software, or make use of resilient cloud services. How applications communicate across network boundaries is also a key consideration. Does the application use standard or open protocols that are supported on the cloud network or across firewalls and public network infrastructure? For example, multicast is often not supported on cloud networks.


Integration
The dependencies between an application and other systems are a critical factor when planning for cloud migration. An application may depend on other systems through process integration (they invoke each other), data integration (they provide data to each other via a network connection, or access the same database or file system), or presentation integration (their output is combined to generate a GUI or web page). The application being migrated may be the “system of record” for business critical data, such as financial reference data, or a client database, in which case there are likely to be many dependent systems that may not always be known to the application owner. It is likely that the application relies on a complex runtime ecosystem in the current environment that must be replicated, replaced or integrated for an application to run on a cloud platform. This often includes enterprise services such as single sign-on, access controls, entitlement controls, directory services (e.g. Active Directory), encryption key management, etc. There will also be a need to integrate operational processes and tools such as incident management, problem management, change management, monitoring and event management. The assessment must identify all the integration points for an application, determine how extensive these integrations are, what utilities or libraries the application relies on, what protocols are used, and the performance requirements, including the volume and frequency of data communications.


Challenge 2: Is there sufficient business justification for migrating an application?

The business case for migrating an existing application to cloud computing must balance the cost of migrating and ongoing operating costs, against the benefits, which should include both the realistic cost savings, and the meaningful business value. The business case must also take into consideration the organisation’s overall business and IT strategy. The migration of an individual application might not make sense on its own, but the overall benefit to the organisation may justify the migration costs and risks, e.g. datacentre exit, or to enable the migration of other, dependent applications.

The business case for application migration is often justified with high level benefits, such as a shift from capital expenditure (CAPEX) to operational expenditure (OPEX), reduced datacentre footprint, cost savings, faster deployment, elasticity, greater development agility, greater automation, etc. These benefits are important aspects of the migration to cloud computing, but they need to be quantified in order to be meaningful. There may also be specific business problems that can be addressed by adopting a cloud strategy, e.g. enabling a business process to scale beyond the current capacity, or removing dependencies on infrastructure shared between legal entities. The business justification must demonstrate how cloud adoption will address the specific problem and prove it is the most appropriate strategic solution.

3.2.1 Cost Analysis
In order to validate an application as a suitable candidate for migration to cloud computing, an accurate cost analysis must be performed to determine the potential cost savings, or the potential cost increases. Any cost increases must be justified by other benefits, such as faster time-to-market, or improved performance and availability. In order to determine the potential cost savings or increases, a baseline cost for the current environment must be determined, and the migration costs and future operating costs must be estimated. The current baseline costs should include both the current operating costs, and any additional costs that might be incurred if the application is not migrated to cloud computing, e.g. refreshing the existing platform to increase capacity. The analysis of the costs for migrating an application to cloud computing and the future cloud operating costs should cover the following areas:

Cloud service costs
The fees for the cloud services consumed by the application, including the effects of variable demand, utilisation threshold discounts, utilisation growth projections, and additional cost for peak loads.


Service management
Adopting a service management approach to integrating cloud service providers is a key factor in the success of cloud computing. This will involve changes to a broad spectrum of existing IT capabilities, including financial management (billing), engineering, operations, vendor management, and legal counsel.

Integration
In most cases there will be a need to use integration solutions that allow cloud deployed applications to access other systems in order to share data or control workflow.

Re-development
The application may require significant re-development in order to be suitable for cloud migration or to take full advantage of the benefits of cloud computing.

Testing
Whether the application requires re-development or not, it must be tested on the cloud platform.

Deployment
The application will have to be configured and deployed onto the cloud platform. This could involve significant changes to the existing software development life-cycle, introducing additional steps in the software release and deployment process, or investment in configuration management and automation systems.

License management
It is important to understand third-party software dependencies, licensing models, and ongoing management of these licenses. Many third-party software providers license software on the basis of total number of cores or CPUs, whether the software is running or not. This does not account for the elastic or bursty nature of cloud computing where the average utilisation is much less than the potential peak, which may only be needed for a few hours every month. The cost of additional software licenses to enable cloud bursting may reduce or cancel the benefit of cloud computing. Software license agreements may stipulate locations or even specific IP addresses where an application can run, preventing the application moving to an off-premises cloud service.

Maintenance and administration
Ongoing maintenance and administration of the application may require additional or different processes or tools.

Training
Internal personnel may need to be trained to support the migration to cloud computing.

Talent acquisition
The profile of skills across an IT organisation may change as the application portfolio is migrated to cloud computing. The number of infrastructure engineering and operations personnel may reduce, while the number of vendor management, service management, financial management, and integration engineering roles may increase.


3.2.2 Service Levels
When migrating an application to cloud computing it is important to understand the impact this will have on the application service levels and characteristics of the application when running on the cloud platform. In many cases there will be an expectation that the migration to cloud computing will improve some service levels, such as capacity and performance. In order to understand the benefits of migrating an application to cloud computing, these service levels should be clearly understood and quantified. It is also necessary to agree specific service levels with the cloud provider and document them in a cloud service agreement. The business case for migrating an application to cloud computing should consider these characteristics:

Availability
The availability service levels of cloud services may be very different from the availability provided by the current platform. Existing applications often rely on the underlying infrastructure to provide resiliency and high availability, so existing platforms may provide a service level guarantee with very high availability. In the cloud computing model individual servers must be treated as unreliable, because there are usually no specific guarantees of availability for individual servers. However, there are often very high levels of availability for the cloud service to provision new servers or for higher-level cloud application services, such as Database as a Service. This means that in order for an application to deliver the same level of service expected from the current system, the responsibility for high availability is moved from the infrastructure into the application software stack, or if possible into cloud application services.

Performance
Understanding the performance requirements of an application and the performance characteristics expected when deployed on the cloud platform is an important consideration for the business case. Migrating an application to cloud computing could result in a performance improvement, if the application can make use of the seemingly unlimited cloud resources, but could also result in a performance degradation, if the application is reliant on very consistent performance from the underlying server and storage resources, or if performance is impacted by network delays when communicating with other systems that are not migrated to the cloud platform.

Security
The security of an application and data has been one of the main barriers to cloud adoption for many organisations. In reality, security is such a critical part of the cloud service provider’s business model that the security levels provided by many cloud services are often superior to the security of traditional internal hosting. So migrating an application to cloud computing can help improve security service levels. Even though the cloud service provider may be responsible for delivering secure services, the application owner and business retain accountability for security. Before migrating an application to a cloud service it will be necessary to perform due diligence on the cloud service security controls to ensure appropriate controls are in place and operating effectively, and that any statutory obligations are fulfilled.

Privacy
If an application that handles Personally Identifiable Information (PII) is migrated to cloud computing, appropriate measures must be taken to ensure PII data is properly stored and managed, with access to PII data restricted to authorised systems and personnel; this restriction also applies to cloud service provider personnel.

Regulatory compliance
Government and industry regulators often impose specific regulations related to the use of cloud services and may require specific measures, such as restricting the migrated applications and data to reside in a specific geographic region.


3.2.2 Business Value
The potential business value of migrating to cloud computing is equally important to the business case as cost and service levels. In fact, the business benefits may be the primary or only motivation for migrating an application to cloud computing. The business benefits to consider in the business case should include the following:

Time to market
Will the migration to cloud computing improve the time to deliver new functionality, enhancements or bug fixes?

Seemingly unlimited capacity
Will the migration to cloud computing allow the application to scale capacity to match spikes in demand?

Revenue impact
Will the migration to cloud computing increase the revenue generated by an application?

Customer impact
If the application is customer-facing or is a dependency for customer-facing applications, will the migration to cloud computing improve the customer experience, improve customer satisfaction, attract new customers or increase the number of customers that can use the application?

When developing the business case for migrating an application to cloud computing, considering the costs, service levels and business value described in this section will not only help justify the decision to migrate, but also help develop the most suitable migration approach, increasing the chances of success and ensuring the application migration delivers the expected benefits.


Challenge 3: What is the best technical approach for migrating an application?

There are three potential target service models for the migration of an existing application or business process to cloud computing – Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).

3.3.1 SaaS Migration
In the SaaS cloud service model the application is owned, delivered and managed by the cloud provider, e.g. salesforce.com and gmail.com. In this model the customer is responsible for the data being processed or stored by the application and any integration required for dependent business processes or operations. Migrating an existing application to a SaaS model will involve moving all relevant data from the existing application into the SaaS application instance, for example uploading client contact details from an existing CRM solution into salesforce.com. This data migration may also require some integration solutions to manage the data, synchronising with internal data stores, enabling data sharing with other systems, or securing the data by encrypting and decrypting sensitive data communications to and from the SaaS application.

3.3.2 PaaS Migration
PaaS cloud services provide a highly standardised and automated shared environment often providing a broad collection of application platform services, such as execution containers (J2EE), middleware (message queues) and databases. Applications can commission, manage and decommission services using a self-service GUI or API. PaaS services often run in an IaaS environment to leverage the on-demand and elastic scaling of IaaS compute and storage resources.

The PaaS service provides the entire software stack and the ecosystem needed to run a hosted application. This could include the operating system, runtime environment (e.g. JVM, libraries), middleware and databases. The consumer only needs to provide the application code and configuration in order to migrate an application onto the PaaS cloud service. The PaaS service must also provide additional capabilities needed to deploy and manage an application such as the ability to execute setup scripts, security tools, log file management tools, monitoring tools, etc. The PaaS services may provide a highly proprietary software stack and ecosystem to enable sophisticated automation of hosted applications, e.g. automated deployment, scaling and load balancing.


To migrate an application to a PaaS cloud service, the application must be specifically designed, configured and packaged to run on the target PaaS environment. The migration could involve simple repackaging for applications that are already running on a similar environment, but could also require more complex re-factoring or re-development to run in the PaaS environment or to benefit from PaaS capabilities, like automated on-demand scaling. The complexity of the change needed to migrate an application will depend on a few factors: How similar is the current platform to the target platform? How dependent is the application on proprietary features or capabilities of the current platform? Does the application need to integrate with the PaaS ecosystem to fully benefit from the migration to cloud computing? For instance, migrating a J2EE application from an internally hosted IBM WebSphere application server to a cloud J2EE service may be relatively straightforward, as long as the application complies with J2EE standards and does not make use of any proprietary WebSphere features. Similarly, migrating a database from a Sybase database to a cloud database service may be a simple case of porting the database schema and transferring data; however, if the application makes use of Sybase stored procedures there may be a significant amount of redevelopment needed.

3.3.3 IaaS Migration
IaaS cloud services provide a highly standardised and automated shared environment where consumers can commission, manage and decommission compute and storage resources on-demand, using a self-service web GUI or API.

The requirements on an IaaS cloud service to support the migration of applications are lower than those for PaaS or SaaS. The IaaS service provides basic virtual machine instances; the consumer is responsible for providing the entire software stack needed to run applications that are to be migrated, including the operating system, and any supporting software. The software stack needed to run an application must be packaged as one or more virtual machine (VM) images, which can be deployed onto the virtual machines provided by the cloud service.

The software stack that supports applications in the current environment will include an operating system, and probably include additional software components that are needed to run and manage the application, including: execution environment (e.g. JVM, Python), runtime services (e.g. monitoring, logging), enterprise services (e.g. Identity Access Management, Entitlements), Middleware services (Messaging, Database). Many of these services will depend on other systems and processes, e.g. authorisation approval process for identity access management. These supporting systems and processes may need to be integrated with the cloud service to support an application running on the cloud platform, or removed as a dependency before the application is migrated.

3.3.4 Technical Approach
There is a wide range of different approaches that can be taken when migrating an application onto cloud computing, from simple “lift and shift” of workloads by moving VM images from an existing virtualisation platform onto the cloud platform, to completely redeveloping a business process and application to be cloud native. The following table describes some of the common approaches with a description of the potential benefits and impact of each approach.


Columns: Approach, Description, Benefit, Impact

Approach: Virtual to Virtual (V2V)
Description: Move existing virtual machines onto new platform
Benefit:
• Can move existing software stacks onto IaaS platform
• No changes required to applications or OS
• Potentially some operational efficiency from cloud automation, but limited by existing OS ecosystem
Impact:
• Existing ecosystem and associated operate processes will not be replaced
• May limit benefit realised from cloud adoption

Approach: Re-host
Description: Move applications onto new platform with minimal change
Benefit:
• Can move onto new cloud ready OS build
• Potential to leverage new IaaS services
• Operational efficiencies from cloud automation
• Minimal changes required for applications
Impact:
• Will require application regression testing
• Application dependencies on legacy ecosystem or OS may complicate the migration
• May have limited benefit from cloud adoption without redesigning application for on-demand scaling

Approach: Re-package (containerise)
Description: Packing applications into deployment packages or containers e.g. PaaS or Docker
Benefit:
• Improved infrastructure consistency
• Improved portability and mobility
• Enable automated deployment and provisioning
• Enable on-demand scaling up and down for applications and environments
• Operational efficiencies from PaaS automation
Impact:
• Significant effort to develop packaging solution and integrate with SDLC
• Will require application regression testing
• May not remove all dependencies on legacy ecosystem or OS which could complicate the migration or reduce the benefits

Approach: Re-factor
Description: Update codebase or recompile to support cloud runtime environment
Benefit:
• No application architecture changes required
• Minimal changes required to support target platform
Impact:
• Regression testing required on target platform
• May have implications for SDLC and operate processes and toolchain

Approach: Decouple (Re-develop)
Description: Re-architect application to eliminate static dependencies on ecosystem and external components
Benefit:
• Remove hardcoded and tightly coupled dependencies
• Dynamically resolve application dependencies at runtime
• Flexible applications with greater portability, mobility and scaling
Impact:
• Significant redesign and redevelopment may be required
• May require a change in other systems that have hardcoded or tightly coupled dependencies on the application

Approach: Stateless (Re-develop)
Description: Re-architect applications to eliminate state
Benefit:
• Stateless applications whose services are resolved dynamically can scale by simply provisioning more infrastructure.
Impact:
• Significant redesign and redevelopment may be required
• Investment required in solution to manage state

Approach: 12-Factor / Cloud Native (Re-develop)
Description: Re-architect applications to be cloud native - “12 factor applications”
Benefit:
• 12 factor applications are designed to fully realise the benefits of cloud computing
• See https://12factor.net
Impact:
• Significant redesign and redevelopment may be required
• May have broad impact on the associated business process and application ecosystem

Figure 7: Migration Approach Benefits & Impact


3.3.5 Design Patterns
One approach that may accelerate the migration of applications to cloud computing is the use of design patterns or blueprints. These describe common solutions to application architecture problems or aspects of the cloud services available on the target platform. The patterns may include configuration and provisioning instructions for the cloud platform, so a new instance of the pattern can be automatically provisioned.

For example, a pattern could be defined for a simple three tier web application with a web server, Java application server, and database. The pattern could specify the fundamental design, dependencies, components that need to be deployed and configured, and capabilities such as shared file storage, scaling, load balancing, and fault tolerance, but allow for some variation in terms of non-functional characteristics like availability or performance.

Patterns could accelerate the migration of applications with similar requirements, and ensure consistency in design and configuration of deployed applications. A pattern could be useful in understanding any changes that are needed in the application, and how to make use of the available cloud services when migrating an existing application. A pattern could also be used to automatically provision all the necessary standard components for an application, so the migration would only involve transferring the application specific code, configurations and data.

In the simplified three tier web application example, applications that have similar requirements can use the three tier web application pattern to deploy and configure the runtime environment, which would include the clustered web, app and database components, along with automated scaling, load balancing, firewalls, monitoring, etc. to ensure consistent reliability and performance for all applications deployed using the pattern. The actual migration would involve deploying HTML files and server side scripts to the web server, Java code and configuration to the Java application server, and populating the database with the application data schema and required data.

3.3.6 Technical Challenges
There are many technical challenges that must be taken into account when selecting the most appropriate technical approach for migrating existing applications to SaaS, PaaS or IaaS cloud computing. Some of the common technical challenges are described below.

Scalability
The ability for an application to automatically scale up or down the infrastructure resources used is a key benefit of migrating to cloud computing. This scaling enables the “pay-per-use” characteristic of cloud with the costs increasing or decreasing as the resource usage fluctuates, based on business demand. It may be possible to adjust capacity by dynamically changing the amount of memory or CPU assigned to the virtual machine that the application is running on, which is known as vertical scaling, but there will be a limit on how much additional capacity can be added. In cloud computing it is expected that applications can horizontally scale, which involves running multiple instances of an application process in parallel and adding or removing process instances as demand fluctuates. To support horizontal scaling, an application may have to be redeveloped to allow multiple instances of the application to run at the same time. Other dependent systems may also need to be redeveloped to communicate with multiple instances of the application at the same time. Redeveloping an application and dependencies that have been designed for vertical scaling to support horizontal scaling can be a complex and costly challenge. The cost of this redevelopment may be prohibitive, negating any benefits from moving to cloud computing in the first place. However, without this redevelopment, an application may not be able to benefit from the on-demand scaling, “pay-per-use” nature of cloud computing, which could result in higher running costs, again, negating the benefit of migrating to cloud computing.

Availability

The level of high availability required for applications and data is a critical factor when deciding on the cloud migration approach, solution design and whether cloud computing is a suitable alternative to the current platform.

A key difference between cloud computing and more traditional enterprise hosting is the reliability of the servers. In traditional hosting, applications often rely on the underlying infrastructure to provide high availability with fault tolerant hardware and server clustering (i.e. two or more servers working together as a single system to provide high availability). However, in IaaS and PaaS cloud computing, providers will not usually give any guarantees about the reliability or availability of individual servers or application instances. So, in cloud computing, responsibility for ensuring high availability of a business process lies with the application software stack. The software must be designed in such a way that any failures in the cloud infrastructure will not impact the business process – the application must be “designed for failure”. A common approach for designing an application to handle failure is to use application clustering (similar to server clustering but at the application level). Application clustering often involves horizontal scaling and load balancing so there are multiple instances of each application component running in parallel and capable of supporting the workload. If one or more instances of a component fail, the workload is automatically redistributed across the other available instances, so the business process is not impacted by the failure. Redesigning an application to remove any dependency on infrastructure for high availability may require a significant amount of redevelopment, which will increase the cost and timescales for migrating the application to cloud.

The situation is slightly different when migrating to SaaS cloud services. In the case of SaaS, it is the provider’s responsibility to provide high availability for the application which they are providing as a service. So it is important to understand the service provider’s availability guarantees that are stipulated in the service agreement, how these are implemented, and ensure these are appropriate for the business process.

State Management

Many applications maintain application state in-memory; this means the runtime state of any active processes will be lost if an application server fails. These applications will need to be re-developed to separate the application state from the application instance, using a more highly available state management solution such as a distributed cache or database which will ensure application state can be quickly recovered following a server failure.

For example, if the data provided by a user for an online mortgage application web site was held in-memory and the server running the application failed before the application process was completed, the data provided by the user would be lost and the user would have to repeat the application process. If the user provided data was held in a database, another instance of the application could take over from the failed instance, loading the data already provided from the database and completing the application process. The user would be unaware of the server failure.
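The mortgage application scenario above, as an added example that is not part of the original paper: the same failover is run against an instance that keeps state in memory and against one that keeps it in a shared store. SQLite stands in for the highly available database or distributed cache, and all class names, function names and form values are hypothetical.

```python
import json
import secrets
import sqlite3

REQUIRED_STEPS = ("applicant", "income", "property")  # constructed form steps


def missing_steps(data):
    """Return the form steps the user still has to complete."""
    return [step for step in REQUIRED_STEPS if step not in data]


class InMemoryInstance:
    """Application instance that keeps session state in its own process memory."""

    def __init__(self):
        self.sessions = {}

    def start(self):
        session_id = secrets.token_urlsafe(32)  # unguessable session identifier
        self.sessions[session_id] = {}
        return session_id

    def submit_step(self, session_id, step, value):
        if step not in REQUIRED_STEPS:
            raise ValueError("unexpected form step")
        data = self.sessions[session_id]  # KeyError on an instance that never saw it
        data[step] = value
        return missing_steps(data)


class SessionStore:
    """Stand-in (assumption) for a replicated database or distributed cache.

    The rows hold PII, so a real store needs its own access control and
    encryption at rest.
    """

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE session_state (session_id TEXT PRIMARY KEY, data TEXT NOT NULL)"
        )

    def create(self):
        session_id = secrets.token_urlsafe(32)
        self.db.execute("INSERT INTO session_state VALUES (?, ?)", (session_id, "{}"))
        self.db.commit()
        return session_id

    def load(self, session_id):
        row = self.db.execute(
            "SELECT data FROM session_state WHERE session_id = ?", (session_id,)
        ).fetchone()
        if row is None:
            raise KeyError("unknown session")
        return json.loads(row[0])

    def save(self, session_id, data):
        self.db.execute(
            "UPDATE session_state SET data = ? WHERE session_id = ?",
            (json.dumps(data), session_id),
        )
        self.db.commit()


class ExternalStateInstance:
    """Application instance that holds no session state between requests."""

    def __init__(self, store):
        self.store = store

    def start(self):
        return self.store.create()

    def submit_step(self, session_id, step, value):
        if step not in REQUIRED_STEPS:
            raise ValueError("unexpected form step")
        data = self.store.load(session_id)
        data[step] = value
        self.store.save(session_id, data)
        return missing_steps(data)


def fail_over(instance_cls, *args):
    """Complete two steps on one instance, lose it, finish on a replacement."""
    first = instance_cls(*args)
    session_id = first.start()
    first.submit_step(session_id, "applicant", {"name": "A. Example"})
    first.submit_step(session_id, "income", {"annual": 52000})
    del first  # simulated server failure: its process memory is gone
    second = instance_cls(*args)
    try:
        return second.submit_step(session_id, "property", {"value": 250000})
    except KeyError:
        return None  # the replacement instance has no record of the session


if __name__ == "__main__":
    print("in-memory:", fail_over(InMemoryInstance))
    print("external :", fail_over(ExternalStateInstance, SessionStore()))
```

A result of None means the user has to start again; an empty list means the replacement instance completed the application with nothing left to fill in.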


Security

Ensuring the continued security of an application and data that have been migrated to cloud computing is a critical factor when planning the cloud migration. The potential security risks for an application and data must be clearly understood, and solutions to mitigate any risks included in the cloud solution design and migration plans. The security measures needed to reduce the risk of the application migration will depend on the security measures provided by the cloud service provider, so it is critical to understand the cloud service security model in order to make informed decisions about any additional measures needed. The solution design may include the use of a virtual private network (VPN) for access to the cloud services. This will restrict access to applications running on the cloud platform, so only internal staff will have access, preventing access from the public internet. Data migrated to the cloud platform may need to be encrypted to reduce the risk of data leakage, or to comply with governmental or regulatory obligations. The security challenges are addressed in more detail in the following sections.

Integration

Whether migrating an application to IaaS, PaaS or SaaS, there is likely to be a need to integrate the application or the cloud services with other systems.

This integration may be needed to enable data communications between applications running on the cloud platform and application dependencies not migrated. This could be to allow a cloud application to access an internally hosted database, or to extend enterprise services beyond the network boundaries of the organisation. For example, integrating Active Directory into the cloud service to allow user identities to be shared between internal and cloud hosted applications, or integrating incident management and event management tools with the equivalent cloud tools, to allow existing operating processes to continue managing the application after migration. The integration challenges are addressed in more detail in the following sections.

Monitoring and Management

The migration approach selected for an application must consider the ongoing monitoring and management of an application running on the cloud service. This may be dependent on the operating model that will be used to run the application. Will the existing operating model be expanded to include cloud services and applications running on cloud computing, or will a new cloud operating model be introduced? Will existing tools be used for monitoring, alerting, and application management, or will the tools provided by the cloud provider be adopted?

Skills

Migrating applications to a cloud service will require new skills that an organisation must develop through training, experience, or acquisition. The time and cost to develop these skills must be considered when planning the cloud adoption roadmap and project plans.

These technical challenges may raise doubts about the feasibility or business case for migrating an application to cloud computing. Any conclusions after considering the technical challenges should be fed back into the suitability assessment and the business case, and will need to be taken into account when considering the integration challenges and migration execution challenges described in the following sections.


Challenge 4: What integration solutions are needed to support an application on the cloud platform?

Most applications will have dependencies on other systems that must be considered when migrating to cloud computing. The dependencies will determine the integration points that will likely be critical factors when planning for cloud migration. There could be a number of reasons why the integration between applications and other systems is needed, for example: allowing applications to communicate to enable business processes or workflow; supporting cross-business enterprise services such as user identity management; or supporting IT operations with tools for monitoring and managing IT systems, and automating processes such as incident management, problem management, and event management.

3.4.1 Integration Types

Application dependencies and integration points are typically categorised into three types:

Data integration
Applications provide data to each other via network communications, or shared access to a database or file system.

Presentation integration
The output of multiple applications is combined to generate a user interface or web page.

Process or control integration
Application processes invoke each other in order to execute a workflow.

3.4.2 Integration Principles

The technical approach for migrating an application must take into account all the current dependencies and integration points. So one of the first challenges to migrating an application to cloud computing will be understanding the integration points and determining the solutions needed to tackle the integration requirements. There are many potential solutions for handling integration, but there is not usually one solution that is suitable for all cases. Generally, the integration approach should consider the following aspects:


Flexibility
Allow for several different techniques to tackle specific situations. Enforcing a single solution for a specific integration situation could limit the number of applications that are suitable for migration, or could result in sub-optimal solutions with the design specifications based on a compromise from a wide range of requirements.

Reusable
To counterbalance the flexibility principle and avoid the proliferation of many unique solutions for common problems, it is important to design integration solutions that can be reused for similar situations.

Standards
Making use of standards will allow migrated applications to be more portable and less sensitive to environment changes.

3.4.3 Technical Approach

Some common integration techniques are summarised below:

No change is needed
There may be no need for any specific integration solutions; the current integrations may continue to work after the application is migrated. For instance, this may be the case if the integration uses web services that are available on the cloud platform or protocols that are supported by the cloud platform and intervening network.

Configuration changes to allow communications
There are likely to be network security devices, such as network firewalls, that restrict communications. These could prevent communications between applications migrated to cloud services and dependent systems. It may be possible to reconfigure these security devices to allow communications, without weakening the network security.

Redesign the communications mechanism
Use communications protocols that are supported by the cloud platform and allowed to traverse network security devices, or optimise the protocol to avoid performance issues.

Deploy cloud specific communications end-points
In order to provide communication channels between the cloud and internally hosted systems, it may be considered more secure to deploy end-points in a DMZ in the internal datacentre to terminate network connections from the less trusted cloud network. The DMZ will isolate the cloud communications channel from the rest of the organisation’s network.

Migrate dependencies
In some cases, it may not be feasible to migrate a complex “spaghetti” of integrated applications as discrete, independent components, in which case it may be necessary to migrate all interdependent application components or systems to cloud computing at the same time.


Replicate shared data
After migrating an application to cloud services, there may be an increased delay in accessing shared data which may be unacceptable for the application and users. Creating a copy of the data on the cloud platform may improve the performance of the application. But this may have other detrimental performance implications for the application and other systems that access the data, if the data needs to be synchronised with the other copies. For instance, replicating and continuously synchronising a file system or database storage system could mean that all applications that write to the storage might have to wait for each replicated copy to be updated before the write process is completed; this could significantly slow down an application’s responsiveness. This is known as synchronous replication. In some situations, data replication can be implemented in a way that does not require applications that write to the storage to wait for all replica copies to be updated, and does not impact the performance of the application or dependencies. This is known as asynchronous replication.

Data caching
Another technique for avoiding data access performance problems after migrating an application to cloud computing is to cache frequently accessed data. This involves storing a local copy of the data on the cloud platform so access is quicker. For example, the first time a data item is accessed from another system it is copied into a local storage system so any subsequent access requests can be serviced more quickly from the local storage.

Remove dependencies
It may be necessary or preferable to re-package, re-factor or re-develop an application or other systems to remove dependencies. This could be a complex and costly activity, but even if other potential solutions are possible this may be the preferred solution in order to remove the “technical debt” of legacy systems, and make an application or group of applications more portable and mobile in preparation for future migrations. For instance, re-developing a core system that is central to many business processes, and that many applications depend on, may allow these applications to migrate to cloud computing with minimal changes to the applications themselves.


Challenge 5: What security and compliance risks or obligations need to be addressed?

Security and compliance are often the topics that present the greatest barriers to cloud adoption. Many of the same concerns exist with internally hosted systems and traditional IT outsourcing, but the concerns are often amplified with cloud computing because the resources used to deliver cloud services are shared across many cloud customers with limited transparency of the underlying systems. Some of the key concerns are summarised below.

3.5.1 Cloud Risk and Security Concerns

Statutory and Contractual Obligations
• What security guarantees are stipulated in the cloud service level agreement (SLA)?
• Is the cloud service certified for use by a relevant regulator or legal entity, or does the cloud service meet industry specific statutory obligations?
• With cloud computing you share responsibility with the cloud service provider for security, but you remain accountable for meeting client expectations and statutory obligations. How do you demonstrate the necessary security measures are in place?

Authorisation, Authentication and Entitlements
• How do you manage user identities and authorise users to use and manage cloud services and applications running on a cloud service?
• How do you manage user entitlements for applications running on a cloud service?
• How do you manage privileged user access (e.g. root user or administrators) for systems or applications running on a cloud service?
• How do you remove entitlements and de-authorise users, and how quickly can this be done in an urgent situation (such as termination of employment)? For internally hosted systems, physical building access may be required in order to access applications; however, this is not necessarily the case for applications that have been migrated to cloud computing and may be accessible via the public internet.


Data Confidentiality
• Can an external intruder steal confidential software or data from the cloud provider’s systems (external threat)?
• Can personnel with access to cloud provider systems (e.g. system administrators) access confidential software or data from the cloud provider’s systems (internal threat)?
• Will you know if an intruder has stolen confidential data or software?
• What is the risk that a domestic or foreign law enforcement agency will seize your confidential data with a legally binding request to the cloud service provider?
• How will Personally Identifiable Information (PII) be protected from disclosure to people that do not have a right to access it? And, equally, how will PII data be made available to people that do have a right to access it?
• Some software algorithms that provide a business competitive advantage may be highly confidential. How can you protect software algorithms that are migrated to the cloud service?

Viruses, Backdoors and Denial-of-service
• What is the risk that your software could be infected by viruses or other malware introduced by another customer on a multi-tenant cloud service, and how can you protect your software from this risk?
• With cloud computing the cloud service provider is responsible for the parts of the software stack that run your applications, or store and process your data. How can you be certain the software components you do not control are secure and do not contain intentionally developed backdoors that expose security risks?
• What would be the impact of a denial-of-service attack, which could prevent users from accessing a business critical application?

Any one of these issues could potentially cause significant damage to an organisation, including legal action against an organisation or individuals, penalties for non-compliance with statutory obligations, or reduced revenue or profit from loss of business. Therefore, it is critical that these risks and potential threats are identified and understood for applications that are to be migrated to cloud computing, and an approach to mitigate each risk must be identified and implemented.


3.5.2 Cloud Risk and Security Benefits

There are a few characteristics of cloud computing that may counteract some of these risks and threats.

Cloud Computing is secure
Security and compliance is a fundamental aspect of a cloud service provider’s business model; any breach of security or compliance could result in significant damage to their business. This ensures that CSPs make significant investments to maintain the security of their services, with the result that they usually have superior security and compliance capabilities compared with traditional internal hosting systems.

Cloud Computing gives anonymity
Cloud computing resources are shared by many customers that use the cloud services. This gives individual firms a certain amount of anonymity, making it difficult for a potential cyber-attacker to target a specific firm’s systems and data, which may otherwise be more obvious if hosted on a firm’s internal systems.


3.5.3 Risk Mitigation Approach

When developing the risk mitigation approach to address the risks and threats described above, there are a number of key steps that should be considered to improve the chances of success.

Understand Your Information
Clearly understand and determine the security classification for data and software that will be migrated to the cloud platform. Security classification may be based on internal policies or statutory obligations; this should specifically include PII classification.

Identify Information Risks
Identify data and software that will pose a security or compliance risk.

Data Security Approach
Determine a technical approach to protect confidential data that is being migrated to a cloud service. The approach for data security should consider the following scenarios:
• Data at rest – can data at rest be encrypted, and can this encryption be handled by the cloud service or will the application need to manage the encryption/decryption process?
• Data in motion – can data transmitted to or from other systems be encrypted while in transit, and are the data encryption protocols supported by the cloud service and any intervening networks? This may require encryption keys to be shared with the cloud service, which will also need to be protected. Also, data encryption may reduce speed of communication which could impact the application performance.
• Data in use – data being read or processed by an application may need to be held in memory in clear text, which exposes the data to the risk of being intercepted. This may be reduced by applications handling data in an encrypted or obfuscated form as much as possible, so clear text data is only held in temporary memory buffers for short periods of time.

Governance, Risk & Compliance Approach
Clearly understand the regulatory and legal obligations for data and software that are to be migrated to a cloud service and develop a suitable Governance, Risk and Compliance (GRC) model to ensure these statutory obligations are met. The GRC model should consider the following areas:
• Baseline evaluation - Understand your current policies, governance processes and controls
• Gap analysis - Determine the additional controls and policies required for the target cloud use cases
• Minimum viable service - Design and build a “minimum viable service” to allow early adopters to migrate to cloud with suitable governance, risk and compliance (GRC) controls in place
• Roadmap to mature services - Define a roadmap to iterate the GRC controls, maturing the service offering to support mass adoption
• Ongoing assurance - Implement an ongoing assurance framework to ensure migrated applications remain compliant with policies
• Regulatory compliance - Engage with statutory bodies to verify that controls and policies are compliant with regulations


Cloud Provider’s SLA
Review the cloud provider’s security and compliance measures and ensure these are documented in the cloud provider Service Level Agreement (SLA).

Access controls
Determine how users will be authenticated and authorised for applications being migrated to a cloud service. This may be built into an application, or may require integration with an enterprise user directory (e.g. Microsoft Active Directory), a single-sign-on system (SSO) or an identity and access management system (IAM). If this integration requires communications with systems that have not been migrated to the cloud service or integrated with the cloud service, there may be significant integration work required.

Also, determine how user access can be quickly revoked for applications that have been migrated to cloud computing. Applications running on cloud services may be accessible from the public internet, so it may be necessary to immediately revoke access for personnel that have been terminated.
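One way to make revocation immediate, shown as an added example that is not from the original paper: a signed session token that only expires on its own is compared with the same token checked against a per-user revocation record on every request. The token format, names and timestamps are constructed for illustration and do not represent a specific SSO or IAM product.

```python
import base64
import hashlib
import hmac
import json
import secrets

SIGNING_KEY = secrets.token_bytes(32)  # constructed key; real keys live in a key store
TOKEN_LIFETIME = 8 * 3600              # assumed session length: one working day


def b64encode_nopad(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64decode_nopad(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(payload):
    digest = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
    return b64encode_nopad(digest)


def issue_token(user, now):
    """Issue a signed token carrying the user, issue time and expiry."""
    claims = {"sub": user, "iat": now, "exp": now + TOKEN_LIFETIME}
    payload = b64encode_nopad(json.dumps(claims).encode())
    return payload + "." + sign(payload)


class RevocationList:
    """Per-user cut-off time; every token issued at or before it is rejected.

    In a deployment this record sits in a store that all application
    instances consult; disabling the account in the directory is what stops
    new tokens being issued.
    """

    def __init__(self):
        self.revoked_at = {}

    def revoke_user(self, user, now):
        self.revoked_at[user] = now

    def is_revoked(self, user, issued_at):
        cutoff = self.revoked_at.get(user)
        return cutoff is not None and issued_at <= cutoff


def verify_token(token, now, revocations=None):
    """Return the user name for a valid token, otherwise None."""
    payload, _, signature = token.partition(".")
    if not hmac.compare_digest(signature.encode(), sign(payload).encode()):
        return None  # forged or corrupted
    claims = json.loads(b64decode_nopad(payload))
    if now >= claims["exp"]:
        return None  # expired
    if revocations is not None and revocations.is_revoked(claims["sub"], claims["iat"]):
        return None  # access withdrawn before natural expiry
    return claims["sub"]


def termination_scenario():
    """Constructed timeline: login, termination 10 minutes later, next request."""
    login = 1_700_000_000
    token = issue_token("alice", login)
    revocations = RevocationList()
    revocations.revoke_user("alice", login + 600)
    request_time = login + 660
    return {
        "expiry_only": verify_token(token, request_time),
        "with_revocation": verify_token(token, request_time, revocations),
    }


if __name__ == "__main__":
    print(termination_scenario())
```

With expiry alone the token issued before termination is accepted for the rest of its eight-hour lifetime; with the revocation check it is rejected on the next request.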


4 Conclusion

In order to accelerate the adoption of cloud computing for applications, without increasing risks to the business or impacting customers, firms must take a strategic and methodical approach. The existing application portfolio should be assessed to prioritise the workloads that can benefit the most from adopting cloud computing. The key considerations should include both the risks associated with an application migrating to cloud computing and an application’s suitability for cloud, which is a combination of the business value of migrating and technical fit with the target cloud platform.

The enterprise cloud adoption strategy must identify specific business processes and applications that could potentially benefit from cloud computing, and provide a clear business justification for the cost of migrating to cloud as a strategic alternative to the current IT solutions. The business case for adopting cloud should describe the current state, and the expected future state, with the estimated migration costs and risks, and demonstrate the achievable benefits of cloud, which should include both realistic cost savings and meaningful business value.

For many firms, the most practical approach for mass adoption of cloud computing is to start small with low risk and low cost pilots, and expand after initial success has been proven. Starting with the most cloud-ready applications should minimise the effort, time, and costs of initial migration pilots; alternatively, starting with applications that will benefit the most from cloud would demonstrate the business value. Having completed the initial pilot migrations, proven the approach and developed the necessary skills, the migration of more business-critical applications can be considered.

The objective of this paper was to help organisations define a strategic and methodical approach for adopting cloud computing as an IT strategy, focusing on five challenges that an organisation will face when adopting cloud computing and providing guidance on how to tackle these challenges with best practices and activities to plan and implement a cloud adoption roadmap.

Having addressed the five challenges, an organisation will have defined “on paper” the cloud adoption roadmap. The next step will be to develop and implement the detailed execution plans for deploying the cloud services, building the integration and risk mitigation solutions, transforming applications and processes, and migrating applications to the cloud services.


5 About Citihub Consulting

Citihub Consulting is a global, independent IT advisory firm with deep domain expertise across every layer of the technology stack – from business applications and data platforms down to core infrastructure. From IT strategy, architecture and solution development, through to cost optimisation, risk assessment and implementation – our trusted experts deliver the right results for your business.

For us consultancy is personal. We have a relentless commitment to great execution, integrity and client success. We aim to redefine perceptions of our industry and our commitment to delivering the right results for our clients has never changed, even as the business has grown consistently over the last decades.

For more information, please visit www.citihub.com

About the Author

David Sewell, Partner & CTO, Citihub Consulting

David is an innovative technology leader with more than 25 years’ experience creating IT strategies and solutions for the financial services industry, covering a broad spectrum of Business and IT challenges, including infrastructure architecture, application architecture and software development, IT operations, and front office sales and trading technology. In recent years David has worked with many of the world’s largest and most complex financial services institutions to help shape and deliver hybrid cloud strategies. David has been a Citihub Partner and CTO for 16 years; he has a background in electronics and software engineering and previously worked for Accenture and JPMorgan.

Contact Us

EMEA
Richard Hamstead
[email protected]
Moor Place
1 Fore Street
London EC2Y 9DT
+44 800 028 1901

Bellerivestrasse 201
8008 Zurich
+41 44 562 7101

North America
Keith Maitland
[email protected]
500 Fifth Ave, Suite 1610
New York, NY 10110
+1 646-780-1150

The Dineen Building
140 Yonge Street, Suite 200
Toronto, Ontario, M5C 1X6
+1 437 886 8390

Asia Pacific
Steve Rutherford
[email protected]
3 Pickering Street
#01-64
Singapore 048660
+65 3152 2777

Flat 406-9, 4/F
Three Pacific Place
1 Queen’s Road East
Hong Kong
+852 8108 2777