Best practices for moving workloads to the cloud

The rapid diffusion of the cloud computing paradigm and the benefits promised by adopting cloud infrastructure are attracting a growing number of businesses and organizations.

Of course, it is essential for organizations to maximize the benefits of migrating to a cloud architecture by reducing costs and minimizing risks.

Cloud computing represents a fundamental change in how companies use and provide their services. For many small and midsize businesses, it represents a way to compete in a business environment with powerful competitors.

IT managers today are inundated with countless business proposals. For this reason, I will give you some useful insights for moving workloads to the cloud.

Identify decision makers within the upper management of the enterprise and be sure of their commitment.

The adoption of a cloud architecture is a process that requires a strong effort from the entire enterprise. Every function, application and data set has to be moved to the cloud; for this reason, it is necessary to have a strong commitment from management.

Top management is responsible for the harmonious growth of the company, and technology represents a key factor for business development today.

Managers have to establish reasonable goals for adopting the cloud computing paradigm. A migration to the cloud requires a team effort to plan, design, and execute all the activities needed to move the workloads to the new IT infrastructure. The migration process could be managed by three teams with deep expertise in:

Data and application

Cyber Security

The divisions have to coordinate their efforts, defining the transition plan and focusing on those activities that need a joint effort.

Public or private cloud, which to choose?

Enterprises have to choose the proper cloud architecture. One of the most important decisions is related to the adoption of a public or private cloud infrastructure.

The choice depends on various factors, including the size of the enterprise and the budget reserved for the company's IT services. A public cloud is usually offered by large specialized companies (e.g. Amazon, Google and Microsoft) which provide cloud infrastructure at low cost, including the expenses for ordinary management of the architecture and of the hosted data.

Companies that choose a public cloud have little control over their data. Data and applications are shared among numerous businesses, with obvious repercussions on security and privacy.

In a private cloud, company data and applications are hosted in a remote data center dedicated to a single business, giving the business more control in terms of security, privacy and flexibility. Obviously a private cloud is more expensive than a public one.

A third option is represented by a turnkey cloud: pre-tested and certified software and/or hardware and storage that can be quickly deployed by private companies and cloud providers. Turnkey clouds are especially convenient for organizations that lack IT resources; they allow small enterprises to adopt standard business applications from a big cloud provider through a software-as-a-service (SaaS) model and to use a cloud data center for services like email.

Choose the right cloud service provider

The choice of a provider requires the evaluation of a long list of options specific to the user's business. The principal elements to consider for almost every company are:

Service Levels: This characteristic is essential when businesses have strict needs in terms of availability, response time, capacity and support. Cloud Service Level Agreements (SLAs) are an important element in choosing the right provider and establishing a clear contractual relationship between a cloud service customer and a cloud service provider. Particular attention has to be reserved for the legal requirements on the protection of personal data hosted in the cloud service.

Support: Support is a parameter to consider carefully. It could be offered online or through a call center, and in some cases it could be necessary to refer to a dedicated resource with explicit timing constraints.

Security: What is the security level offered by the provider, and which mechanisms are in place to protect our applications and data? These and many other questions have to be put to the cloud provider to evaluate this essential feature of the overall architecture.

Compliance: Choose the cloud architecture according to its compliance with the standards for the specific industry. Privacy, security and quality are the principal compliance areas to evaluate in this phase.

Prepare a detailed business plan to move to the cloud

A business plan is necessary to define the workflow for the migration to the cloud infrastructure. The plan has to detail the resources involved in the process and the related effort. It must include the list of the services to migrate, the timeline of the operations, and the related costs on an annual basis.

In drafting the document, it is necessary to consider the company's business needs and the requirements for the cloud provider to be chosen. The migration impacts every sector of the company, ranging from the IT staff to the legal team that will deal with new types of technology contracts, so it is necessary to prepare the personnel in time.

Map business services to cloud IT services

The cloud computing model could be implemented at different levels. It could be very useful to list all the traditional IT services used or provided by the business and map them onto the related cloud services listed below.

Infrastructure-as-a-Service (IaaS) is the provisioning model for outsourcing the equipment used to support a company's operations, including storage, hardware, servers and networking components. It is important to determine whether the cloud-based server hardware and operating system (OS) are compatible with the company's server infrastructure and OS.

Platform-as-a-Service (PaaS) is the provisioning model for platform software, including web application and database servers. It is crucial to verify that the chosen PaaS environment will support all the features of the application server used by the company.

Software-as-a-Service (SaaS) is the model in which applications are provided as a service. Depending on the type of application to migrate, it is necessary to evaluate whether SaaS-based alternatives exist that meet both business and technical needs. Do not underestimate the need to migrate pre-existing data to the new application.

Data-as-a-Service (DaaS) is data or information delivered from the cloud, either as raw data sets or consumed through an analytics interface.

Business Process-as-a-Service (BPaaS) is the delivery of business process outsourcing (BPO) services that are sourced from the cloud.

Assess company applications and workloads

Once traditional IT services are mapped onto cloud services, it is necessary to assess applications and workloads individually. In this phase, the IT staff in charge of the migration needs to determine which applications and data can be readily moved to a cloud infrastructure, which service model to adopt, and which delivery model (public, private, or hybrid) meets the business needs of the company. It is good practice to start from the lowest-risk applications, which usually have minimal impact on the business continuity of the organization.

Adopt a flexible interoperability model

Almost every application migrated to a cloud service has connections with various other applications and systems. It is crucial to evaluate in advance the impact of the migration on these connections and to prevent any interruption of the data flows.

The communication between applications is typically classified into three categories:

Process integration, where an application invokes another in order to execute a specific operation.

Data integration, where applications share common data.

Presentation integration, where different applications provide computational results at the same time, mainly for the composition of a user's dashboard.

The migration to a cloud infrastructure must be supported by a careful review of the overall interoperability of the business. Every interaction between systems inside the company and with outside entities has to be assessed and maintained in the new cloud infrastructure.

In many cases, it is not so easy to maintain the integration level and to ensure interoperability; a "re-integration" of all the components subject to the migration is then necessary.
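The assessment step (start from the lowest-risk workloads, decide what can move readily) and the interoperability review (process, data and presentation integrations that must survive the move) can be worked through together on an inventory. The following is an added example, not code from the article or its author: it scores each workload, groups workloads into migration waves, and after every wave lists the integrations that would span the on-premises/cloud boundary and therefore need re-integration work. The inventory, the risk weights, the scales for sensitivity and criticality, and the ordering rule (a workload moves only after every system it invokes via process integration has moved) are all assumptions made for the illustration.

```python
"""Workload assessment and migration-wave planning (added example, not from the
article). Inventory, weights and the ordering rule are constructed assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field

# The three integration categories the article describes.
PROCESS, DATA, PRESENTATION = "process", "data", "presentation"


@dataclass
class Workload:
    name: str
    sensitivity: int   # 1 (public) .. 4 (regulated / PII)   -- constructed scale
    criticality: int   # 1 (convenience) .. 4 (business continuity)
    external: bool = False                     # exchanges data with outside entities
    # (category, other_system): this workload depends on other_system
    integrations: list[tuple[str, str]] = field(default_factory=list)


def risk_score(w: Workload) -> int:
    """Illustrative additive score: higher means migrate later. Each integration
    adds one point because every link has to be re-validated after the move."""
    return w.sensitivity + w.criticality + (2 if w.external else 0) + len(w.integrations)


def plan_waves(inventory: list[Workload]) -> list[list[str]]:
    """Group workloads into migration waves. Assumed rule: a workload moves only
    after every system it invokes via process integration has moved, so a cloud
    workload never needs a new inbound path into the on-premises network.
    Within a wave the lowest-risk workloads go first, as the article advises."""
    by_name = {w.name: w for w in inventory}
    migrated: set[str] = set()
    remaining = set(by_name)
    waves: list[list[str]] = []
    while remaining:
        ready = [
            by_name[n] for n in remaining
            if all(dep in migrated
                   for cat, dep in by_name[n].integrations
                   if cat == PROCESS and dep in by_name)  # callees outside the inventory are not ordered
        ]
        if not ready:  # every remaining workload waits on another one: a cycle
            raise ValueError("process-integration cycle among: " + ", ".join(sorted(remaining)))
        ready.sort(key=lambda w: (risk_score(w), w.name))
        wave = [w.name for w in ready]
        waves.append(wave)
        migrated.update(wave)
        remaining.difference_update(wave)
    return waves


def boundary_crossings(inventory: list[Workload], waves: list[list[str]]) -> list[list[tuple[str, str, str]]]:
    """After each wave, list the integrations that span the on-premises/cloud
    boundary. These are the links that need re-integration (new endpoints,
    credentials, firewall rules, latency checks); a dependency on a system that
    is not in the inventory stays in the list permanently."""
    report = []
    migrated: set[str] = set()
    for wave in waves:
        migrated.update(wave)
        crossing = sorted(
            (cat, w.name, dep)
            for w in inventory
            for cat, dep in w.integrations
            if (w.name in migrated) != (dep in migrated)
        )
        report.append(crossing)
    return report


# Constructed inventory for illustration; "bank_gateway" is an external system.
INVENTORY = [
    Workload("wiki", 1, 1),
    Workload("identity", 4, 4),
    Workload("erp", 3, 4, integrations=[(PROCESS, "identity")]),
    Workload("crm", 4, 3, external=True,
             integrations=[(PROCESS, "identity"), (DATA, "erp")]),
    Workload("dashboard", 2, 2,
             integrations=[(PRESENTATION, "crm"), (PRESENTATION, "erp")]),
    Workload("payroll", 4, 3, external=True,
             integrations=[(PROCESS, "erp"), (PROCESS, "bank_gateway")]),
]

if __name__ == "__main__":
    waves = plan_waves(INVENTORY)
    for i, (wave, crossing) in enumerate(zip(waves, boundary_crossings(INVENTORY, waves)), 1):
        print(f"wave {i}: {wave}")
        for cat, src, dst in crossing:
            print(f"  re-integrate {cat}: {src} -> {dst}")
```

Run as a script, the constructed inventory yields three waves (the wiki, the dashboard and the identity service first; ERP and CRM second; payroll last). The crossing list after the final wave still contains the payroll link to the external bank gateway, which is the point: integrations with outside entities never disappear from the review, they just change which side of the boundary they are on.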

Avoid being locked into a particular cloud service supplier/vendor

One of the greatest concerns for company managers in the migration phase is to avoid being locked into a particular cloud service provider. The problem is particularly concerning at the SaaS and PaaS levels.

For upper management and IT staff, it is important to have an alternative strategy defined before the migration process starts.

Implement security and privacy requirements

Security and privacy are probably the most concerning issues for enterprises that decide to adopt a cloud infrastructure. Below are just a few of the questions that every IT security manager has in mind when approaching the cloud computing paradigm.

Is confidential data securely stored in the cloud?

What are the risks related to the exposure to cyber threats?

Can we trust the cloud service provider's personnel?

What level of security is offered in the SLA?

Which security mechanisms are in place?

Are we compliant with security standards? Which ones?

Privacy is closely related to security. A huge amount of sensitive data and personally identifiable information (PII) is stored by enterprises in cloud architectures, and there is a need to protect it from intentional cyber attacks and accidental incidents.

Cloud security diagram


An effective approach to privacy and security issues is necessary to avoid loss of business caused by incidents (e.g. a data breach) and by non-compliance with government regulations.

Companies have to consider security and privacy issues according to the needs of the industry they operate in. The key security constructs on the basis of which security policies must be analyzed are infrastructure, data, identity, and end-user devices.

To improve security and privacy of cloud architecture, companies that decide to move their workloads to the cloud have to:

Decide which data to migrate to the cloud and request the implementation of the measures necessary to ensure the integrity of the information and preserve its confidentiality. Imagine the source code of the core applications developed by a company has to be moved into the cloud: the software repository needs to be hardened against external attacks, and access to it must be regulated to prevent data leakage by insiders.

Map company data in order to request a security classification.

Review the cloud providers' security/privacy measures (e.g. physical security, incident notifications) and make sure that they are documented in the cloud SLA.

Identify sensitive data.

Define/Review the authorization and authentication processes.

Examine applicable regulations and carefully evaluate what needs to be done to meet them after a migration to cloud computing.

Manage the risks of security or privacy violations, evaluating the impact on the company business for every task/activity moved to the cloud.

It is crucial to understand that the migration process itself could expose company data to cyber threats and cause incidents. That is why the IT staff has to consider how to secure data and applications during the transition.
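Mapping company data, identifying sensitive data and deciding which measures each data set needs before it moves are the steps above that lend themselves to a repeatable check. The following is an added example, not code from the article or its author: it scans constructed sample records for a few indicators (e-mail addresses, payment-card numbers confirmed with a Luhn checksum, and columns whose names mark them as sensitive), assigns each data set a classification level, attaches the controls to request for that level, and orders the data sets so the lowest classification migrates first. The detection rules, the three levels, the list of sensitive column names and the control lists are all assumptions made for the illustration; a real classification scheme comes from the company's policy and the regulations that apply to it.

```python
"""Data classification scan before migration (added example, not from the
article). Detection rules, levels, controls and sample records are constructed."""
from __future__ import annotations

import re
from collections import Counter

EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
# 13-19 digits, optionally separated by spaces or hyphens; confirmed with Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# Column names that carry sensitive data by definition (assumed list).
SENSITIVE_FIELDS = {"ssn", "national_id", "dob", "date_of_birth", "salary", "diagnosis"}

# Controls to request from the provider / implement before upload, per level (assumed).
CONTROLS = {
    "internal": ["provider-managed encryption at rest"],
    "confidential": ["customer-managed encryption key", "access logging reviewed by owner"],
    "restricted": ["customer-managed encryption key", "access logging reviewed by owner",
                   "field-level encryption or tokenisation before upload",
                   "data-residency check against applicable regulation",
                   "named data owner sign-off before migration"],
}
LEVEL_RANK = {"internal": 0, "confidential": 1, "restricted": 2}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell a payment-card number from an arbitrary digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_value(text: str) -> list[str]:
    """Indicator kinds found in one cell value."""
    found = []
    if EMAIL_RE.search(text):
        found.append("email")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append("payment_card")
            break
    return found


def classify_dataset(name: str, rows: list[dict]) -> dict:
    """Count indicators over all cells and map them to a classification level."""
    indicators: Counter = Counter()
    for row in rows:
        for column, value in row.items():
            text = "" if value is None else str(value)
            if column.lower() in SENSITIVE_FIELDS and text.strip():
                indicators[f"sensitive_field:{column.lower()}"] += 1
            for kind in scan_value(text):
                indicators[kind] += 1
    kinds = set(indicators)
    if "payment_card" in kinds or len(kinds) >= 2:   # assumed rule
        level = "restricted"
    elif kinds:
        level = "confidential"
    else:
        level = "internal"
    return {"dataset": name, "classification": level,
            "indicators": dict(indicators), "controls": CONTROLS[level]}


def classify_all(datasets: dict) -> list[dict]:
    return [classify_dataset(name, rows) for name, rows in datasets.items()]


def migration_order(reports: list[dict]) -> list[str]:
    """Lowest classification first, matching the advice to start from the lowest-risk workloads."""
    ordered = sorted(reports, key=lambda r: (LEVEL_RANK[r["classification"]], r["dataset"]))
    return [r["dataset"] for r in ordered]


# Constructed sample data sets (not real data; the second card number fails Luhn on purpose).
DATASETS = {
    "office-wiki": [
        {"title": "Onboarding", "body": "Welcome to the team. Read the handbook before day one."}],
    "support-tickets": [
        {"id": "T-1", "reporter": "ann.lee@example.com", "message": "Cannot log in since Monday."},
        {"id": "T-2", "reporter": "bob@example.org", "message": "Printer offline."}],
    "billing-export": [
        {"customer": "Acme Ltd", "email": "ap@acme.example", "card_number": "4111 1111 1111 1111"},
        {"customer": "Test Co", "email": "qa@test.example", "card_number": "1234567890123456"}],
    "hr-records": [
        {"employee": "E-100", "dob": "1990-04-12", "salary": "52000"}],
}

if __name__ == "__main__":
    reports = classify_all(DATASETS)
    for r in reports:
        print(f"{r['dataset']:16} {r['classification']:12} {r['indicators']}")
    print("suggested order:", migration_order(reports))
```

The Luhn check matters more than it looks: without it, any long numeric identifier (order numbers, device serials) would be flagged as a card number and push a harmless data set into the restricted tier, which is exactly the kind of over-classification that makes people stop trusting the inventory. The column-name rule goes the other way and catches sensitive fields whose values carry no recognisable pattern at all.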

Manage the migration as a project

The migration to a cloud architecture must be formalized by the IT staff and shared with the managers of the different departments inside the company. Every activity must be defined, planned and executed, and the transition itself must be managed as a structured project. As described in a previous point, it is necessary to define a formal project plan accepted by upper management. Every activity must be tracked, and the related costs and risks must be monitored during the migration.

It could be useful to prepare a sort of Statement of Objectives (SOO), which describes the goals that every department expects to achieve with the migration of its services and applications to the cloud.

Such a document, ordinarily used in government environments, has the primary goal of preparing personnel for moving their activities to the cloud infrastructure.

The SOO could include information regarding the following activities:

Conducting an inventory of every asset and service of the company.

Defining metrics to evaluate the progress of activities during the migration to the cloud.

Application mapping.

Identifying appropriate service models (e.g. SaaS, IaaS) and deployment models (e.g. private, public).

Developing the business case to quantify costs and benefits.

Migration planning.

Once the migration is complete, it is necessary to verify the efficiency of the procedures and services in the new environment according to the metrics defined in the SOO document. The test phase has to be conducted while limiting the impact on the strategic functions of the company and, if possible, using non-critical data.

I always suggest paying particular attention to privacy and security issues, because the rapid evolution of the security industry requires a dynamic approach.

Security and risk assessments must be continuously conducted in compliance with international standards.

Pierluigi Paganini is a Certified Ethical Hacker and author with over 20 years of experience in the security field.
