• United States



by Pierluigi Paganini

Best practices for moving workloads to the cloud

Oct 20, 201411 mins
Cloud Security

With data floating around in the clouds, it is good that you know how to secure it all.

The rapid diffusion for the cloud computing paradigm and promised benefits for the adoption of cloud infrastructure are attracting a growing number of businesses and organizations.

Of course, it is essential for organizations to maximize the benefits of migration to cloud architecture by reducing costs and minimizing risks.

Cloud computing represents a fundamental change in how companies use and provide their services. For many small and midsize businesses, it represents a choice to compete in a business environment with powerful competitors.

IT managers are today inundated with countless business proposals. For this reason, I will give you some useful insights for moving workloads to the cloud.

Identify decision makers within the upper management of the enterprise and be sure of their commitment.

The adoption of cloud architecture is a process that requires strong effort for the entire enterprise. Every function, application and data have to be moved to the cloud; for this reason, it is necessary to have a strong commitment from the management.

Top management is responsible for the harmonious growth of the company, and technology represents a key factor for business development today.

Managers have to establish reasonable goals for adopting the cloud computing paradigm. A migration to the cloud requires a team effort to plan, design, and execute all the activities to move the workloads to the new IT infrastructure. The migration process could be managed by three teams with a deep expertise in:

  • Infrastructure
  • Data and application
  • Cyber Security

The divisions have to coordinate their efforts, defining the transition plan and focusing on those activities that need a joint effort.

Public or private cloud, which to choose?

Enterprises have to choose the proper cloud architecture. One of the most important decisions is related to the adoption of a public or private cloud infrastructure.

The choice depends on various factors, including the size of the enterprise and the budget reserved to the IT services of the company. A public cloud is usually offered by specialized companies of large dimensions (e.g. Amazon, Google and Microsoft) which provides cloud infrastructure at low cost, including expenses for ordinary management of the architecture and of the hosted data.

Companies that choose a public cloud have little control of data. Data and applications are shared among numerous business with obvious repercussions on security and privacy.

[ How the cloud is changing the security game ]

In a private cloud, company data and applications are hosted in a remote data center dedicated to a single business, giving more control to the businesses in terms of security, privacy and flexibility. Obviously a private cloud is more expensive than a public one.

A third option is represented by a turnkey cloud: pre-tested and certified software and/or hardware and storage that could be quickly deployed by private companies and cloud providers. Turnkey clouds are especially convenient for organizations that lack IT resources; they allow small enterprises to adopt standard business applications from a big cloud provider through software such as a service (SaaS) model and use a cloud data center for services like email.

Choose the right cloud service provider

The choice of a provider requires the evaluation of a long list of options specifically related to the users’ business. The principal elements to consider for almost every company are:

Service Levels: This characteristic is essential when businesses have strict needs in terms of availability, response time, capacity and support. Cloud Service Level Agreements (SLA) are an important element to choose the right provider and establish a clear contractual relationship between a cloud service customer and a cloud service provider of a cloud service. Particular attention has to be reserved to legal requirements for the protection of the personal data hosted in the cloud service.

Support: The support is a parameter to consider carefully. It could be offered online or through a call center, and in some cases it could be necessary to refer to a dedicated resource with explicit timing constraints.

Security: What is the security level offered by the providers and which mechanisms are in place to preserve our applications and data? These and many other questions have to be formulated to the cloud provider to evaluate this essential feature for the overall architecture.

Compliance: Choose the cloud architecture according to the compliance with the standards for the specific industry. Privacy, security and quality are principal compliance to evaluate in this phase.

Prepare a detailed business plan to move to the cloud

It is necessary for a business plan to define the workflow for the migration to cloud infrastructure. The plan has to detail the resources involved in the process and related efforts. It must include the list of the services to migrate, the timeline of the operations, and the related costs on an annual basis.

In the drafting of the document, it is necessary to consider company business needs and requirements for the cloud provider that we need to choose. The migration impacts on every sector of the company, ranging from IT staff to the legal team that will deal with new types of technology contracts, so it is necessary to prepare the personnel in time.

Map business services to cloud IT services

The cloud computing model could be implemented at different levels. It could be very useful to list all the IT traditional services used/provided by the business and map them on the related cloud services listed below.

  • Infrastructure-as-a-Service (IaaS) is the provisioning model for the outsourcing of the equipment used to support operations of the companies, including storage, hardware, servers and networking components. It is important to determine whether the cloud-based server hardware and operating system (OS) are compatible with the company’s server infrastructure and OS.
  • Platform-as-a-Service (PaaS) Platform software services is the provisioning model for various software, including web application database servers. It is crucial to verify that the PaaS environment chosen will support all features of the application server used by the company.
  • Software-as-a-Service (SaaS) Applications provided as a service. Depending on the type of application to migrate, it is necessary to evaluate the existence of SaaS-based alternatives which have to meet both business and technical needs. Do not underestimate the necessity to migrate pre-existing data to the new application.
  • Data-as-a-Service (DaaS) Data or information delivered from the cloud, either as raw data sets or consumed through an analytics interface.
  • Business Process-as-a-Service (BPaaS) is the delivery of business process outsourcing (BPO) services that are sourced from the cloud.

Assess company applications and workloads

Once traditional IT services are mapped in cloud services, it is necessary to assess applications and workloads singularly. In this phase, IT staff in charge of the migration needs to determine which applications and data can be readily moved to a cloud infrastructure, which service to adopt, and which delivery models (public, private, or hybrid) meets the business needs of the company. It is a good practice to start from the lowest-risk applications, which usually have a minimum impact on the business continuity of the organization.

Adopt a flexible interoperability model

Almost every application migrated to a cloud service has connections with various other applications and systems. It is crucial to preventively evaluate the impact of the migration on these connections and prevent any interruption in data flows.

The communication between applications is typically classified into three categories:

  • Process integration, where an application invokes another in order to execute a specific operation.
  • Data integration, where applications share common data.
  • Presentation integration, where different applications provide computational results at the same time, mainly for the composition of a user’s dashboard.

The migration to a cloud infrastructure must be supported by a careful review of the overall interoperability of the business. Every interaction between systems inside the company and with outside entities has to be assessed and maintained in the new cloud infrastructure.

In many cases, it is not so easy to maintain the integration level and to ensure interoperability; “re-integration” activity of all the components subject to the migration is necessary.

Avoid being locked into a particular cloud service supplier/vendor

One of the greatest concerns for company managers in the migration phase is to avoid being locked to a particular cloud service provider. The problem is particularly concerning at the SaaS and PaaS levels.

For high management and IT staff, it is important to have an alternative strategy defined before the migration process will start.

Implement security and privacy requirements

Security and privacy are probably the most concerning issues for enterprises that decide to adopt a cloud infrastructure. Below are just a few questions that every IT security manager has in mind when he approaches the cloud computing paradigm.

  • Confidential data are securely stored in the cloud?
  • Which are the risks related to the exposure to the cyber threats?
  • Can we trust the cloud service provider’s personnel?
  • Which is the level of security offered in the SLA?
  • Which are the security mechanisms in place?
  • Are we compliant with security standards? Which one?

Privacy is closely related to security. A huge amount of sensitive data and personally identifiable information (PII) are stored by enterprises into cloud architectures, and there is the need to preserve them from intentional cyber attacks and accidental incidents.

An efficient approach for privacy and security issues is necessary to avoid loss of business caused by incidents (e.g. data breach) and non-compliance with government regulations.

Companies have to consider security and privacy issues according to the needs of the industry they work for. The key security constructs on the basis of which security policies must be analyzed are infrastructure, data, identity, and end-user devices.

To improve security and privacy of cloud architecture, companies that decide to move their workloads to the cloud have to:

  • Decide which data migrate to the cloud and request the implementation of necessary measures to ensure integrity of the information and preserve its confidentiality. Let’s imagine the source code of the core applications developed by a company that needs to be moved into the cloud; the software repository needs to be hardened against external attacks and their access must be regulated to prevent data leakage from insiders.
  • Map company data for requesting security classification.
  • Review the cloud providers’ security/privacy measures (e.g. physical security, incident notifications) and make sure that they are documented in the cloud SLA.
  • Identify sensitive data.
  • Define/Review the authorization and authentication processes.
  • Examine applicable regulations and carefully evaluate what needs to be done to meet them after a migration to cloud computing.
  • Manage the risks of security or privacy violations, evaluating the impact on the company business for every task/activity moved to the cloud.

It is crucial to understand that the migration process itself could expose company data to cyber threats and cause incidents. That is why the IT staff has to consider how to secure data and applications during the transition.

Manage the migration as a project

The migration to cloud architecture must be formalized by IT staff and shared with managers of different departments inside the company. Every activity must be defined, planned and executed, and the transition itself must be managed as an articulated project. As described in a previous point, it is necessary to define a formal project plan accepted by upper management. Every activity must be tracked and related costs and risks must be monitored during the migration.

It could be useful to prepare a sort of Statement of Objectives (SOO), which describes the goals that every department expects to achieve with regard to the migration of its services and application to the cloud.

A similar document, ordinarily used in government environments, has the primary goal to prepare personnel for moving its activities to the cloud infrastructure.

The SOO could include information regarding the following activities:

  • Conducting an inventory of every asset and service of the company.
  • Defining metrics to evaluate the evolution of activities during the migration to the cloud.
  • Application Mapping
  • Identifying appropriate service models (e.g. SaaS, IaaS) and deployment models (e.g. private, public)
  • Developing the business case to quantify cost and benefits
  • Migration planning

Once the migration is complete, it is necessary to verify the efficiency of procedures/services in the new environment according to the metric defined in the SOO document. The test phase has to be conducted, limiting the impact of the strategic functions of the company and if possible, using non-critical data.

I always suggest pay particular attention to privacy and security issues due to the rapid evolution of the security industry, which requires a dynamic approach.

Security and risk assessments must be continuously conducted in compliance with international standards.

Pierluigi Paganini is a Certified Ethical Hacker and author with over 20 years of experience in the security field.