7 tactics for a smooth cloud migration
- By John Reeher, Chris Jackson
- Aug 21, 2014
Relocating IT applications to the cloud can be a complex process for government agencies. Before making the jump, IT managers need to lay some groundwork, ensuring they have the right technology and security protocols in place, as well as a complete understanding of the regulatory issues affecting the project. The following are some key tactics to keep in mind when developing a cloud-hosting strategy.
1. Virtualization first. Before an agency can consider itself ready to move to the cloud, it should first embrace virtualization technology – software that acts as a virtual replacement for hardware, significantly reducing the hardware needed to run applications. Virtualization can put an organization in the right mindset for cloud services, and agencies that are comfortable with these tools will be in a better position to expand to the cloud.
2. Look for certified cloud providers. All cloud vendors are not equal, and government agencies must work with those that are certified through the Federal Risk and Authorization Management Program. FedRAMP-certified vendors are approved to host FISMA-moderate (Federal Information Security Management Act) applications, but not all applications can be hosted at a FISMA-moderate level. If an application – such as one that houses confidential patient health data – requires higher security, then an agency may have to find a cloud provider that offers FedRAMP-high protection, which can increase costs.
3. Balance cost and security. IT managers should closely review their applications and see which make the most sense to move to the cloud given the data housed in the application, the applicable privacy and security regulations as well as the agency’s own policies and procedures regarding information security. For example, while there are regulations in place for hosting health care applications in the cloud (i.e., the Health Insurance Portability and Accountability Act and FISMA), an agency’s own policies may be even more strict in protecting sensitive information than the regulations. Leaders should review organization policies and aim to strike a balance between maintaining appropriate security and capitalizing on the cost and resource advantages of cloud hosting.
4. Start with cloud-friendly applications. Moving to the cloud is not an all or nothing proposition. Certain applications are more easily cloud-enabled than others, and agencies would be wise to consider transitioning these first. For instance, disaster recovery is ideally suited for the cloud. Traditional disaster recovery requires maintaining a separate, offsite, physical location for data storage. By using the cloud instead, resources can be consumed only during periods of demand, making this a positive value proposition.
Other logical applications for the cloud include those with highly variable workloads or short-term usage requirements, such as research software that needs a robust computing capacity for a brief period. Similarly, if an organization is performance testing a large application, then using the cloud for short-term testing may be appropriate.
One thing to note when selecting applications for the cloud is that there may be tradeoffs in performance, depending on available bandwidth. Although the cloud will give unlimited computing power, it may cause dips in performance, and organizations need to be aware of those potential tradeoffs before moving forward.
5. Deploy appropriate security. To secure applications in the cloud, it is necessary to build in portable controls that can move with the application to guarantee data privacy and integrity. Cloud-based applications should always use encryption when storing sensitive data, and the system host design should include virtualized security modules, including IP filtering, intrusion monitoring and audit controls.
When information is put into the cloud, the agency may not know exactly who has access to the data, but implementing a security control such as encryption allows the organization to maintain control over the data’s security even if the data moves from cloud to cloud. This ensures the encrypted data is never exposed to the cloud provider, and, paves the way for an agency to shop for cloud providers to identify one with the most value.
6. Update the reference architecture. Many agencies develop a reference architecture – a resource that contains system design best practices for use throughout an organization – for their system hosting. This architecture needs to be updated to ensure a consistent approach to cloud-based computing across the enterprise. Agencies should also audit their shared enterprise systems to ensure they are capable of supporting cloud-hosted applications. These systems include enterprise email, remote access, identity and authorization providers, time synchronization, DNS and any other shared systems that traditionally support internally hosted environments.
7. Don’t move without a plan. Strong, decisive leadership is critical when looking to move applications to the cloud. Agencies should also develop strategic plans to guide the process and ensure decisions meet both organizational and regulatory requirements. Although the cloud is not ready to completely replace IT infrastructure, it is mature enough that agencies should plan for upcoming changes. Getting ahead of the curve will not only help agencies better navigate the coming shift but avoid the extra expense associated with being a late adopter.