Relieving cloud migration headaches

Featured eBooks
Whole-of-State Cybersecurity
The State of Trust in Government
Cybersecurity in State and Local Government
By Kurt Marko
 

Connecting state and local government leaders

By Kurt Marko

|

Skimping on planning, product research and testing, starting with overly ambitious goals and failing to manage internal politics and stakeholders are all recipes for failure.

One look at the exponential increase in Amazon Web Services revenue, which has grown by an order of magnitude over the past five years, makes clear that we are on the cusp of a generational transformation in how IT organizations provide application infrastructure. Indeed, Gartner, which estimates that infrastructure-as-a-service revenue grew by nearly 43 percent in 2016, said organizations saved “14 percent of their budgets as an outcome of public cloud adoption," a ratio that is sure to rise in the coming years. And many government IT organizations are at the forefront of the cloud conversion due to executive-level mandates, tight IT budgets and demand for increased access to information and online services.

MORE INFO

How to get the most out of a cloud SLA

The Government Accountability Office outlined key practices that can help agencies ensure cloud services are performed effectively, efficiently, and securely.Read more.

8 common cloud migration mistakes

Migration mistakes run from from insufficient due diligence and security policies to forgetting the laws of physics. Read more.

Given the massive installed base of IT infrastructure and billions spent every year on equipment, software and services in the public sector, shifting deployment models from on-premise to in-cloud won't happen overnight.  It will span generations of technology and applications. So government IT organizations have time to do it right and learn from rookie mistakes made by early, overly hasty adopters.

Cloud migration scenarios and the problems they create

Many cloud migration mistakes are generic and could be seen with any major IT project, but some are a function of how cloud services are used. Most migration scenarios involve data movement, such as using a cloud service for backup and disaster recovery or redeploying an enterprise application that relies on legacy, on-premise data sources. In these situations, it can be challenging to ensure the completeness, integrity and security of data migration.

When moving applications to the cloud, IT faces the choice of how to maintain access to necessary data sources. If opting for a hybrid architecture, with applications in the cloud and master data copies remaining on premise, it's easy to make mistakes setting up network connections, security policies and replication settings.

For example, there are no hard rules for choosing the data to replicate, how often and how long it's to be retained and how many replicas should be kept. Also, is it better to migrate all application layers to the cloud or just the user interface and business logic, leaving databases behind? Indeed, IT must decide whether the complexity of a hybrid design creates more trouble than dealing with the expense of fully replicating all data to the cloud.

Other migration scenarios, like replacing on-premise applications with software as a service, are simpler.  However, they create problems of application governance, feature mismatch, policy compliance and client support, particularly for organizations with a large fleet of legacy devices long overdue for upgrades. Although cloud migrations shouldn't mean modifications to security policy, they do change how that policy is implemented. As Google Senior Solution Architect Loren Hudziak pointed out, "Government and other regulated industries have no shortage of accreditation and certifications to consider, but to simply check the box of a cloud provider as meeting one of them isn't enough."

Regardless of the technical details, migrations are a major undertaking, and organizations face the pitfalls of any large project.  Skimping on planning, product research and testing, starting with overly ambitious goals and failing to manage internal politics and stakeholders are all recipes for failure.

Best practices

Government IT departments face some unique challenges when migrating to the cloud because of regulatory, security or application requirements. Mistakes can arise from inadequately vetting the provider for fit with current application requirements and user needs, but aside from the technical hurdles, don't underestimate the organizational challenges of a cloud migration.

According to a General Services Administration spokesman, "It really has to start 'at the top' with buy-in from the CIO and senior leadership." GSA, which manages the Federal Risk Authorization and Management Program and offers a range of cloud services through its various acquisition vehicles, has also learned the need to start small and not jeopardize ongoing operations.

"Trying to transform an organization overnight, for example, asking them to move production to the cloud when previously it’s been off limits, can be an intimidating milestone for a traditional CIO organization," the GSA official said. "So an effective approach creates a 'sandbox' -- contractually, technically and organizationally, to allow the knowledge to incubate and grow."

Indeed, a bimodal IT structure can be an effective way to introduce cloud services to a government agency, often in concert with other innovative IT practices such as DevOps, Agile development and continuous integration and delivery processes.

Hudziak emphasized the importance of exploiting cloud services to do things in new ways and not just "lift and shift" an existing environment. "Making the move to the cloud should be taken as an opportunity to revisit the organization’s functional and business requirements," he said.  "CIOs should ask: have we been doing things the way we have because the technology has historically forced us into that pattern?"

GSA officials pointed to an example of the incremental approach to cloud migrations at NASA, which funded its first cloud contract with just $25,000, then doubled it as IT managers learned and grew confident in the technology. NASA realized that "a massive 'broker' contract was inefficient and instead separated out the roles of consumption metering and billing from consulting or the assistance with integration and delivery," the spokesman said. "This led to increased transparency in tracking spending and contracting efficiency, as the cloud accounts and operational services did not have to be transitioned concurrently with support contracts."

FedRAMP is no panacea

For agencies following the cloud-first policy and the Federal Cloud Computing Initiative, FedRAMP is supposed to provide a standard, centralized system to streamline the assessment, authorization and procurement of cloud services; however, it doesn't obviate the need for due diligence including a service-level agreement. For example, a September 2016 audit by the Government Publishing Office's Inspector General found that although GPO's cloud service provider was FedRAMP-approved, important problems persisted:

  • GPO policy did not include cloud computing and/or hosted service definitions, principles, rules and guidelines.
  • Personnel did not follow configuration management policy during the transition to the Amazon Web Services.
  • Contract language did not address hosted services.

"Lack of appropriate contract language for data ownership established an increased risk," the IG said. "Such a risk could have allowed the cloud provider with unnecessary access to Federal data." The audit also noted that GPO did not incorporate new AWS instances into its existing configuration management database and procedures, an oversight that illustrates an important point: Every cloud migration must include process and admin integration and not treat the cloud as a one-off environment.

Recommendations

When planning cloud migrations, government IT organizations should avoid reinventing the wheel. Exploiting the expertise of cloud pioneers and the other resources available can dramatically simplify migration planning. For federal agencies especially, there are now expertise and communities of interest around FedRAMP, the Trusted Internet Connection efforts and the Data Center Optimization Initiative.

Agencies should also draw upon existing standards and guidelines. As the GPO IG's audit points out, the Federal CIO and Chief Acquisition Officers' councils published best practices for acquiring IT services. Creating Effective Cloud Computing Contracts for the Federal Government: Best Practices for Acquiring IT as a Service includes guidelines for selecting cloud services, writing contracts and SLAs, delineation of responsibilities between providers and agencies and standards for security, privacy, e-discovery and Freedom of Information Act requests.

However, agencies at all levels of government should take care not to interpret government standards too liberally and extend them into situations and technologies they couldn't anticipate.

"The government IT landscape is made up of policies and accreditations that keep it locked in the past," Hudziak said. "Many of these standards were created years ago when things were very different -- not just the technology, but entire development processes and languages, as well as how we leverage modern solutions like virtual machines and containerization.

Standards and frameworks like FedRAMP are a step in the right direction, he said. "But for government to move to the cloud, the notion of innovation needs to be holistic, and regulations need to keep up with the technology developments."

And again, leave the big bang to physics; starting too large is a common mistake. Cloud migration is a journey that should start with small, relatively low-risk applications and data, adding more complex systems as agencies gain experience and refine governance processes

Other migration planning tips include:

Don't underestimate migration costs. As a report on the Federal Cloud Computing Initiative from the Congressional Research Service points out, "One commonly cited cost is migration. If a user needs to move resources such as data from its own local facilities to those of the cloud provider, there will be a cost for such migration. That cost will depend on several factors, such as the size of the resources being moved, the method by which they are moved and whether the resources will need to be modified. Such costs are also a consideration with respect to a potential move from one cloud provider to another."

Avoid sticker shock resulting from naive underestimates of costs and resource usage. Have a complete cost model that accurately reflects service usage and that can be used to lower spending by opportunistically using both reserve (for steady-state workloads) and spot (for batch or asynchronous workloads that aren't time critical) instance discounts.

Don't get caught with inadequate staffing for migration projects. Also, plan for training in cloud technologies; don't assume staff can quickly transfer existing skills and expertise to the cloud because their roles will often change from operations and administration to system integration and capacity management.

Think about automation and orchestration up front, before doing the first application migrations. Tools like AWS CloudFormation and Opsware, Azure Templates or third-party software like Ansible, Chef, Puppet or Salt can streamline migration tasks, maintain consistency and reduce ongoing operations overhead.

Define cloud-specific management processes and associated tools. Have staff assigned to actively monitor cloud deployments, resource usage and application performance, and don't put cloud deployments on autopilot.

Use either multiple cloud services or independent regions at the same provider when planning for disaster recover or continuity of operations. You never want a primary and backup site taken out by the same infrastructure failure.

NEXT STORY: Water Emergency in Chapel Hill, N.C.: ‘Our Water Supply Basically Ran Out’

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.