Is your firm planning on migrating applications to a Cloud-based platform? It could very well be the best solution, but it’s also going to be a lot of work. Migrating applications is not simply a matter of lifting and shifting to a different platform. Instead, each application in a firm’s portfolio must be evaluated to determine how well it is suited for Cloud operation and which Cloud environment is most appropriate (e.g., Public Cloud vs. Private Cloud). At Paragon Solutions, we refer to this evaluation process as a Cloud Suitability Assessment.
Once an application is assessed and categorized according to its level of value and usefulness to the firm, decision makers must consider how effectively it functions and the environment from which it operates.
Key factors to consider during a Cloud Suitability Assessment are:
1. Data Sensitivity
The level of data sensitivity will determine how suitable an application is for deployment in the Cloud. Applications that deal primarily with non-restricted data are more appropriate candidates for deployment in the Public Cloud. Applications that process private or proprietary data, on the other hand, are highly sensitive and therefore more compatible with a secure, Private Cloud operation. Whether Private or Public is determined to be the most appropriate Cloud solution, there are several critical questions decision makers should be asking at this stage:
- How secure is the Cloud provider’s infrastructure?
- Is the Cloud infrastructure a multi-tenant or single-tenant environment?
- Is the storage layer secured appropriately?
- Does the service provider comply with ISO 27001 standards?
- Is the connection to the Cloud provider secured via encryption or a private MPLS connection?
In order to fulfill existing compliance requirements, there must be clear service-level agreements with Cloud providers to ensure that the data of each client sharing the same hardware is protected. The auditability of the Cloud platform is also a critical compliance consideration when assessing application suitability for the Cloud. While there is a movement among Cloud providers to standardize on ISO 27001 as the certified security baseline, many providers are not open to security audits. Organizations subject to regulatory investigation should take steps to determine whether ISO 27001 is sufficient to ensure compliance or whether a Private Cloud environment is preferable.
3. Business and Operational Scalability
Applications with significant variations in computing resource usage, such as storage capacity and processing power, are often primary candidates for migrating to a Cloud environment. This is because Cloud computing allows users to acquire “resources on demand” as conditions warrant, rather than acquiring and maintaining a steady state of resources capable of supporting the periodic maximum load. The “resources on demand” capability is particularly attractive for startups with unpredictable computing resource requirements and for established firms that experience variations in transaction volumes throughout the year.
4. Cost to Operate
While there will be ongoing subscription costs to operate an application in the Cloud, they must be weighed against the support costs of the current operation. Existing operating costs to consider in the evaluation include acquisition and maintenance of the operating environment and operating infrastructure, personnel costs associated with developing and maintaining the operating environment, training employees to operate and support it, monitoring costs, and maintenance costs such as licensing and hardware/firmware upgrades.
5. Application Availability
Not all Cloud environments are going to be appropriate for each application’s availability requirements. Decision makers must define time windows in terms of full functionality and partial functionality, and each application should (at minimum) meet its current standards for availability and data recovery when operating from within the Cloud environment. When considering the factors of availability and recoverability, the following questions should be asked:
- What happens when there is a failure?
- How robust is the disaster recovery offered by the provider?
- What are the Cloud provider’s communication protocols in the event of an incident?
- How much downtime and data loss can be tolerated before systems are restored?
A failure in one of a provider’s Cloud locations could impact more than one customer, and your organization could be one of them. It’s possible to minimize risk to application availability when operating in a Cloud environment by utilizing a secondary Cloud provider to handle the disaster recovery infrastructure, or by requiring the primary Cloud provider to use a discrete, dedicated infrastructure for all recovery components.
6. Customized Functionality
Finally, firms must consider customized functionality when assessing the suitability of their application portfolio for the Cloud. The suitability of an application for Cloud operation greatly depends on the extent to which it supports the firm’s core competencies and/or aligns with proprietary business rules or best practices. Applications that are highly customized are better suited to operate in-house or from a Private Cloud, where proprietary software is considered most secure. On the other hand, more “generic” applications that address basic operational and administrative functions may be appropriate for a Public Cloud, as long as any data sensitivity issues are addressed. Such applications may also be appropriate for migration to a third-party software solution provided from the Cloud.