When you’re ready to move to the cloud, it’s truly a transformational time. Determining your cloud strategy before moving too quickly is paramount. It is important to make the hard and big decisions first. You will be in the cloud for many years to come. This can be a time to also remove years of technical debt. After all, you want to migrate your workloads and not lift and shift your technical debt along with it. At the same time, you do not want to experience “analysis paralysis” with all the decisions to be made. Ultimately, you can have the speed, agility and cross-organizational support while providing the proper governance and guardrails.
Determining your migration strategy ahead of time is important for security, change management, and cost containment. The promise of the cloud is great. You might want to allow people to build and development environments at will. You have smart and capable people. They need help to quickly deploy. Shadow IT results when innovative people are constrained from experimenting. And often, the intention is that it will be temporary. However, temporary quickly becomes permanent and undocumented without compliance. The decision points listed in this article are important. This is by no means a compressive list, as other items will likely reveal themselves during the process.
Decisions for Enterprise Cloud Migration – the Business of the Cloud:
- Discovery – Can you get an accurate list of the application inventory? What operating systems are in use? Are all the applications still relevant or can they be retired? What are the applications that have dependencies on other applications? It may be hard to get this list together. Some of these applications are likely many years old. This can be time consuming and will help identify the true scope and cost estimates of moving to the cloud. In many cases, third party discovery tools can aid in the discovery.
- Vision and Education – Are the teams infighting and holding territory? This can be related to understanding the cloud as well as they can. It can be scary as all transformations are. Y2K, client/server and the Internet revolution were scary as well. We survived. Plans for education to create awareness and capabilities will help. There are also many misconceptions about the cloud in top management that will probably need to be addressed.
Strategic Decisions for the Cloud:
- Which cloud providers are you going to use? Clearly, Amazon Web Services is the leading cloud service provider. However, a multi-cloud strategy may be important to the company as well. How are you going to interconnect the cloud providers?
- What account strategy will you use? Will applications get their own account? Or will accounts be aligned by business unit? There are many different approaches to account strategy. It will be hard to undue, so it is important to weigh the pros and cons of each strategy to account for billing, security and isolation.
- What will your networking strategy be for networking in the cloud? Will you use non-overlapping subnets managed with your on premise IP management? Will you isolate production and non-production environments to separated block ranges in VPCs? Or will you allow your migrated applications to only be accessed over the public internet instead of VPN? It could also be a combination of these strategies. There are many variables that will need to be identified to determine the best strategy.
- Will you integrate on premise Identity management systems with your cloud infrastructure? Active directory is common technology in most enterprises. Will you extend your current AD architecture? What changes need to be made to make it optimal for the cloud?
Decisions for Cost, Security and Compliance:
- How will you tag your cloud assets? Will it account for billing, security, and compliance? Getting this right early on will allow for automation to enforce compliance and monitor for violations.
- How will you manage the cloud costs? Will you allow developers to provision their own instances? What will your Reserved Instance strategy be? How often does it need to be reviewed? Costs in the cloud can spin out of control if proper guardrails are not established. Scheduled power on and power off of environments is also another important strategy to further reduce costs.
- What technologies are approved for cloud deployments? Will your organization create approved images? How will they be managed and updated? Maybe your organization has approved base software that must be installed. How will you maintain this configuration? Configuration management and image baking are important processes to identify and define.
- How will the cloud assets be continuously monitored for compliance? Once a violation is found, how will it be remediated, with automation or manually? Between AWS Config, CloudTrail and Tagging strategies, much of this task can be accomplished with automation. However, there still needs to be individuals that review and update the process.
- How will you secure your cloud environments? WAF, anti-virus, IDS/IPS, and firewalls are just part of the overall security solution. How will you control egress traffic as well? How will you isolate your applications from each other and control user access? We all know security is hard and requires constant care. Find the right balance between real threats while still providing agility are important.
- Will you secure data at rest? Will you use built in AWS services for encryption keys, KMS or CloudHSM? Or will you bring your own keys? How will you provide column or row based encryption of your databases? Cloud solutions need to be analyzed against the company standards to determine if you can use built in cloud encryption or decide to roll your own.
- How will you provision your certificates for data in transit? AWS provides the Certificate Manager service to provision SSL certificates. Or will you continue to use your existing provider? How will you track expiring certificates and update them? AWS has many features for SSL including integration with their Elastic Load Balancers.
- How will you manage your big data? Will you scale up or out? Are the workloads transient? There are many options for cost optimization. Between Spot Instances and automation, incredibility elegant solutions can be created.
- What are your Disaster Recovery policies? Do they need to be adjusted for the cloud? Most likely they do. How will you deliver your DR solutions? Again, there are many solutions for DR in the cloud from infrastructure as code and creating automation to critical data and servers between regions.
- What are your data retention policies? How will you implement them in the cloud? How will you ensure that you have met your regulatory compliance? There are built-in solutions for data life cycles in AWS, but in many cases, it is more complicated than what is available off the shelf.
- How will you handle OS and application licensing? Will you use on-demand or bring your own licenses? There is no one right answer. ROIs needs to be calculated in many cases.
- What is your single-sign-on (SSO) solution? How will it integrate into the cloud? AWS does provide federated authentication all of its services.
This is a long list of questions. It isn’t intended to scare you away from the cloud, but rather to embrace it correctly. No two enterprises are identical, but most share many of the same challenges. Starting with this list of questions may help you identify many of the successful approaches to a migration journey to the much-promised benefits of the cloud.
-Ian Willoughby, Principal Architect