One of the most widely used technologies today is cloud computing, where workloads are hosted by vendors and accessed over the Internet on demand, at any time and from anywhere, without interaction with the provider.
The adoption of cloud computing is increasing because it provides organizations with several benefits, such as access to the latest technologies at reduced cost: organizations pay only for the resources they use, which can be scaled up or down according to their business needs.
Migration to the cloud offers many opportunities to improve business productivity, but like any technology, cloud computing presents many challenges, particularly for the IT department that must manage the integration and migration of data and workloads.
Before taking the initiative to migrate to the cloud, it is necessary to consider the key challenges to successful migration, regardless of the service and deployment models chosen.
The main challenges of cloud migration
Among the most critical barriers to cloud adoption, organizations report the ongoing lack of qualified cybersecurity staff (40%) as the biggest impediment to faster adoption. This is followed by legal and regulatory compliance (33%) and data security issues (31%) (cloud security 2022).
Lack of strategy – what are the cloud migration plans?
Many organizations migrate to the cloud without a strategy or plan that aligns their business requirements with the migration project and manages their future costs in terms of expense and savings. Indeed, costs change dynamically due to the scalability and elasticity of the outsourced services.
Cloud strategy is not only about choosing the right provider. It is important to define the deployment and service model according to business needs and cost management, and to define an IT strategy: the monitoring of services after migration and integration to ensure performance, availability, data privacy and compliance with legal and regulatory requirements such as the GDPR (General Data Protection Regulation).
IT teams have the expertise to manage their infrastructure effectively in-house (on-premises), but not through the cloud, because of its complexity. Therefore, it is critically important to train staff on how to properly manage outsourced resources and services, especially for IaaS and SaaS service models, as the cloud user is responsible for what they build in the infrastructure or platform.
For example, the “lift and shift” approach to migrate applications without any changes may fail because it doesn’t consider the cloud’s configuration and it may generate and increase risks. Each outsourced service must therefore have its own business case and strategy depending on the complexity of the application and its criticality to the organization’s business continuity.
Cloud security and compliance
Cloud computing follows a shared responsibility model: both the cloud service provider and the consumer have responsibilities. The cloud service provider is responsible for security of the cloud, and the consumer is responsible for security in the cloud. These responsibilities depend on the chosen service model, such as IaaS (Infrastructure as a Service), PaaS (Platform as a Service), or SaaS (Software as a Service), except for data security and compliance with regulatory requirements, which are the responsibility of the user regardless of the service model.
Data security when migrating to the cloud is a high priority. If the third party is trustworthy, it will ensure the continuity of business activities. If not, the organization will face major losses. Therefore, it is very important to assess the risks of the outsourced activities and the security practices of the cloud provider, and to define the contractual clauses, such as those establishing the roles and responsibilities of the parties involved in the outsourced project. It is also necessary to know where the data will be stored and how the provider encrypts the data at rest and in transit using different encryption key management systems. For instance, BYOK (Bring Your Own Key) enables organizations to encrypt data and retain control and management of their encryption keys. Another example is HYOK (Hold Your Own Key), a key management system in which data is encrypted before it is sent to the cloud and is only decrypted once back onsite, ensuring that sensitive data is highly secured and your encryption keys are never exposed.
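The HYOK flow described above can be sketched as follows. This is an added example, not code from the original article or from any key management product; the function names, the object name and the in-memory `cloudStore` (a stand-in for the provider's storage) are assumptions made for illustration.

```javascript
// Added example: HYOK-style client-side encryption. All names are hypothetical.
const crypto = require("node:crypto");

// Stand-in for the provider's object store (constructed for this example).
// In HYOK the provider only ever receives what is written here.
const cloudStore = new Map();

// On-premises key holder: the key is generated and kept here, never exported.
function createOnPremKeyHolder() {
  const key = crypto.randomBytes(32); // AES-256 key, stays inside this closure
  return {
    // Encrypt before upload. The object name is bound as associated data so a
    // ciphertext cannot be moved to another object name without detection.
    seal(objectName, plaintext) {
      const nonce = crypto.randomBytes(12); // fresh 96-bit nonce per object
      const c = crypto.createCipheriv("aes-256-gcm", key, nonce);
      c.setAAD(Buffer.from(objectName, "utf8"));
      const ct = Buffer.concat([c.update(plaintext), c.final()]);
      return Buffer.concat([nonce, c.getAuthTag(), ct]); // nonce | tag | data
    },
    // Decrypt only once the blob is back on site; throws if it was altered.
    open(objectName, blob) {
      const d = crypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
      d.setAAD(Buffer.from(objectName, "utf8"));
      d.setAuthTag(blob.subarray(12, 28));
      return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
    },
  };
}

// Only the sealed blob crosses the boundary to the provider.
function upload(holder, name, plaintext) {
  cloudStore.set(name, holder.seal(name, Buffer.from(plaintext, "utf8")));
}

function download(holder, name) {
  return holder.open(name, cloudStore.get(name)).toString("utf8");
}

// Returns true if the holder rejects a blob modified while stored off site.
function detectsTampering(holder, name) {
  const blob = Buffer.from(cloudStore.get(name)); // copy, then flip one bit
  blob[blob.length - 1] ^= 0x01;
  try { holder.open(name, blob); return false; } catch { return true; }
}
```

In a real deployment the key would live in an on-premises HSM or key management service rather than in process memory, and losing it makes the stored data unrecoverable.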
The consumer should be aware of and be able to define the regulatory and standard requirements that the vendor complies with, such as compliance with the Cloud Security Alliance framework.
It is very important to define and formalize a vendor evaluation process before you initiate your cloud migration project.
Once the vendor is chosen, the question that needs to be asked is “if a failure occurs at the cloud service provider after the migration, how can I ensure the continuity of my business activities and recover my data?”, knowing that switching to another provider can take time as a new migration strategy must be developed, which will impact the organization’s business continuity and can be very costly.
Vendor Lock-In is one of the major challenges. Therefore, before migrating to the cloud, the organization must make sure that its data will be portable and define its data model to ensure the ability to read files. It is also necessary to define and formalize an exit strategy by migrating the service to another provider or integrating it in-house, as well as the costs associated with implementing a backup plan.
Organizations should adopt a multi-cloud strategy to minimize the vendor lock-in issue and ensure high availability of the sensitive data needed for business continuity. For instance, when migrating to the cloud, sensitive data can be hosted by another service provider as a backup. If the organization is dependent on a single provider, it can keep that backup on-premises.
How can Excellium services help you?
Thanks to our expertise in information security, we have established a structured and pragmatic approach to support our clients in their migration to the cloud, starting with the strategy and ending with the elaboration of their cloud migration roadmap.
Our approach is based on developing a successful cloud strategy to align business needs, legal issues, and technical requirements with the goals of the migration project. Regarding the security aspect, we will help our clients develop a cloud governance framework that includes security and compliance management covering risk management, privacy and data encryption. This framework will also include other aspects such as data management; operations management that ensures the right definition of SLAs and the ongoing monitoring of the outsourced activities; and contractual clauses such as the right to audit, the definition of an exit strategy and the portability of data in case of failure.
There are specific regulations for cloud outsourcing. Therefore, we will help you to identify and integrate regulatory obligations by elaborating a conformity file to ensure compliance with those regulatory requirements, for instance the CSSF in Luxembourg for financial sector organizations.
Once the strategy is settled and all security and compliance issues are taken into account, we will develop a roadmap for the cloud migration.