Starting Your Secure Cloud Migration

There is a very real opportunity to redefine how security and compliance for your workloads is done in the future. You can implement a multi-layer, defense-in-depth security and compliance posture that is continuously evaluating adherence to a global security policy while protecting your sensitive applications and data in the cloud. And you can address both “accidental” risk—the risk introduced from things like cloud misconfigurations and open settings—and “intentional” cyber risk—risk caused by bad actors targeting your cloud workloads and data.

The cloud represents a fundamentally different way of computing and as a result, offers and even requires a fundamentally different way of securing applications and data or addressing adherence with compliance frameworks.

Before you embark on your cloud migration project and overall journey to the cloud, it’s critical to understand the Shared Responsibility model. This model is a key tenet for any cloud or hosted solution. And the level of responsibility the customer owns varies based on the different cloud platform types as depicted here. IT, Security and DevOps teams need to have a keen understanding of shared responsibility for each cloud or hosted solution employed.

Shared Responsibility

In the cloud, Shared Responsibility is black and white. The various cloud service providers go out of their way to make it clear where their responsibility ends and yours begins. Before embarking on your cloud migration journey, make sure you know exactly what your organization is on the hook for across private cloud, Infrastructure-as-a-Service, Platform-as-a-Service and Security-as-a-Service cloud computing models.

Shared Responsibility is a key tenet for any cloud or hosted solution. And the level of responsibility the customer owns varies based on the different cloud platform types as depicted here. IT, Security, and DevOps teams need to have a keen understanding of shared responsibility for each cloud or hosted solution employed.

Download the Secure Cloud Migration Framework

Get the Secure Cloud Migration Template Now

Cloud Migration Strategies

Before you take your first step toward migrating applications to the cloud, you need to step back and consider what your organization’s overall cloud strategy will be.

You’ll want to consider whether your cloud migration plan encompasses more than one application and if so, outline multiple streams of cloud migration based on your determinations using Gartner’s 5 R’s.

Rehost

Rehost (aka lift and shift) consists of redeployment of an application to the cloud

Disadvantage: Might run into scalability issues

Refactor

Refactor (aka, tinker and shift) involves making some optimizations and changes for the cloud and employing a Platform-as-a-Service (PaaS).

Disadvantage: Lock-in, requires good business case

Revise

This approach involves making architectural and code changes before migrating to the cloud.

Disadvantage: Could cost more and require code changes

Rebuild

Similar to revise it consists of discarding the legacy application and developing again.

Disadvantage: Lock-in

Replace

Replace is a strategy to replace your existing application using some commercial software.

Disadvantage: Lock in, limitations to customization

Cloud Migration Challenges

The cloud migration process is both a project management process and a risk management process. From a risk management standpoint, the process is intended to minimize the risk to investing in migrating applications to the cloud. The first stages—Assess and Plan, and Validate—represent the information-gathering and planning phases that will determine how the rest of the project will go. View the process through a risk management lens, and it’s likely your results in the early stages will yield the results you are looking for in the latter stages. 

Learn from those who have gone before you,as you aren’t the first to migrate applications to the cloudand you won’t be the last. We included this chart to remind you of the importance of proper due diligence and planning in your cloud migration process. As you can see, security/governance/compliance concerns still hold the number one spot in terms of challenges. The next three highest values all represent challenges associated with cloud migration and optimization. 

Consider starting your cloud migration journey with smaller-scale, less sensitive applications to prove out processes and build experience across your team. These may even be non-production applications. As you go about your first migrations, keep an eye out for examples and best practices that apply to your more sensitive applications to migrate. What defines the “sensitivity” of applications may be driven by whether the application (and related data) is subject to a compliance mandate, the application has a direct revenue impact, etc. The simple graphic below represents this continuum: 

Cloud Migration Business Drivers

The cloud migration process is both a project management process and a risk management process. From a risk management standpoint, the process is intended to minimize the risk to investing in migrating applications to the cloud. The first stages—Assess and Plan, and Validate—represent the information-gathering and planning phases that will determine how the rest of the project will go. View the process through a risk management lens, and it’s likely your results in the early stages will yield the results you are looking for in the latter stages. 

Operational Costs
Workforce Productivity
Cost Avoidance
Business Agility

Cloud Migration Process

The cloud migration process is both a project management process and a risk management process.

1 icon

Assess & Plan

This is the strategy, research, and planning phase for everything that follows. Arguably, it is the most important phase in the cloud migration process because your efforts here set the tone for the overall success or failure of your application migration.

2 icon

Validate

The Validate phase involves creating an initial Proof of Concept that serves to help formulate and validate how your workload (application, data, ancillary systems, and processes) may function effectively and securely in the cloud.

3 icon

Build

The Build phase is where you deploy an actual running workload—albeit in a more piloted or narrow usage model—in the cloud. In this phase, the idea is to pilot your application while proving out that everything, including security and compliance controls and workflows, are in place and operating as intended.
4 icon

Migrate

The Migrate phase is where your application, in its full scope, is deployed to the cloud. All of your efforts up to this point are intended to make the actual migration as seamless and painless as possible.

5 icon

Optimize

The Optimize phase is the second most important phase in the Secure Cloud Migration Framework. This is where teams must place additional focus to ensure their migration projects actually capture the Return on Investment promised to leaders and other stakeholders at the outset of the project.