Migrating to the Cloud: An Overview of Process and Strategy
Over the next few years, the number of organizations navigating to the cloud to advance their business goals is expected to grow exponentially. According to Gartner, more than 70% of enterprises will use cloud platforms to accelerate their business initiatives by 2027. (That's up from less than 15% in 2023.) Part of this growth will result from public cloud providers' increasing access to and adoption of innovative technologies, particularly generative artificial intelligence (GenAI).
Looking at these predictions, perhaps you’re feeling it’s time for your organization to initiate its own cloud migration process. Don’t know where to start? It’s okay. You need to learn about your options first before figuring out where you want to go.
In this blog post, I’ll introduce the concept of migrating to the cloud. I’ll identify key benefits, challenges, and methods of migrating to the cloud so that you can begin to think about what you’d like your cloud migration to look like.
Why You Want to Migrate to the Cloud
To me, migrating to the cloud means hosting your infrastructure in a secure multi-tenant environment, which is managed by the cloud provider. This allows you to focus on application delivery that provides value to your business.
There are several benefits you can achieve by migrating to the cloud. For instance, you can get improved resiliency and higher availability by leveraging the redundancy built into cloud providers' Infrastructure-as-a-Service (IaaS) offerings. (For comparison, you must invest in this fault tolerance if deploying in an on-premises environment.)
The cloud also offers the ability to move faster. It helps to remove equipment procurement cycles, enabling IT to experiment with solutions and shut down experiments that shouldn’t move forward without long-term commitments to capital investments. Such flexibility helps you to act on your changing business requirements faster than you otherwise could.
Navigating to the cloud comes with security advantages, as well. For instance, all cloud providers offer security settings that have been tested over time. Another advantage is the ability to use tested solutions from the cloud vendors' marketplaces to eliminate the need to build and maintain these images and applications yourself. This is the main idea behind the CIS Hardened Images®; the Center for Internet Security® (CIS®) has done the secure configurations for your cloud-based operating systems (OSes) for you.
Understanding Where You Want to Go in the Cloud
When it comes to planning your cloud migration, there are three common types of cloud storage from which your organization can choose. They are as follows:
1. Blob or Object Storage
Accessible by HTTPS, blob or object storage is suitable for mass file transfers/migrations. Not only that, but it's also independent of systems or virtual machines (VMs), and in many cases, you can use it to deliver content to users. The risk of using this type of storage is that it can be made publicly available. As such, you need to be very careful in classifying data to ensure you are not exposing confidential data unintentionally.
2. Block Storage
Block storage is attached directly to individual VMs. You can typically use direct attached or Storage Area Network (SAN) storage for block storage in an on-premises data center. You can also provision it for performance, but you're ultimately responsible for configuring redundancy, fault tolerance, and high availability. It is by default internal to your cloud environment, but you as the customer are typically responsible for enabling encryption and data protection methods.
3. Network Attached Storage
Network attached storage (NAS) is akin to a “fileserver,” which can be accessed by multiple users/systems simultaneously. You can use this to effectively share data amongst systems internally, reducing the need to keep multiple copies on individual systems and maintaining updates on each system. Here, you are also usually responsible for enabling encryption and data protection methods.
Cloud Service Models: Your Responsibility in the Cloud
Beyond cloud storage types, every cloud provider offers varying levels of service models that you can opt to use. This gives you the freedom to pick the service level that is right for your organization, your staff capabilities, and your skill sets. You can choose from bare metal platforms, where you're responsible for everything above the base hardware and networking level (IaaS), all the way up to fully managed services and applications, where the responsibility for configuring and maintaining the servers, applications, and environments is taken on by the cloud provider (Software-as-a-Service (SaaS) or Function-as-a-Service (FaaS)).
Each level of managed services has pros and cons. The pros of managed services are that you don’t have to focus on the details of systems management and maintenance. Additionally, you can concentrate on applications, which add value to the company.
The cons can be a loss of customization options, access to lower-level resources if needed, and increased cost. For example, hosting a customer-installed database instance on top of VMs provided by a cloud provider enables you to access and configure every aspect of the software. The downside is that you are now responsible for operations, maintenance, patching, upgrading, etc. With a managed database service, you can focus on designing the database schema and queries, thus delegating other operational responsibilities to the cloud provider.
What Moving to the Cloud Looks Like
The shared responsibility model discussed above affects your selection of a cloud computing style that works best for your needs. Most organizations choose from one of the following three styles:
1. Public Cloud
Public cloud is what many people think of when they hear the term “cloud.” A customer subscribes to a service that provides computing infrastructure in a (mostly) multi-tenant environment. (Cloud providers have recognized the need for dedicated servers, and several now offer this as a premium option.) The benefits of this model are you only pay for what you use. What’s more, your environment can scale up and down based on load. Ultimately, the cloud provider is responsible for maintaining and securing the infrastructure, including areas such as data center, compute servers, storage, and network. You’re responsible for the configuration and security of the applications, tasks which include piecing together separate service offerings to build the application. This requires your technical staff to have a different skill set than managing applications and services in an on-premises data center. It can also introduce complexity, as security is a shared responsibility. You need to be fully aware of the boundaries of each service and provider.
2. Private Cloud
Private cloud is a bit of a misnomer. It means you are fully hosting your computing environment in your on-premises data center or in a colocation facility as companies have been doing for years. One of the benefits of this approach is that you have full control of all facets of the computing environment and security, from facilities and power up through the application stack and everything in between. This may be an attractive option for legacy applications or operating systems that cannot be migrated easily to the cloud. The downsides are that you must build and deploy your applications for peak load, ensure fault tolerance and redundancy, and maintain facilities, including power, environmentals, physical security, and logical security. This can be an expensive investment to maintain, especially for assets that are not used often.
3. Hybrid Cloud
Hybrid cloud is a mix of on-premises and public cloud. Most enterprises go through this state even if the end goal is to be fully in the cloud. The pros of a hybrid cloud are that you have options to keep full control of the assets and security for each application, and you can make case-by-case decisions on whether or not to move to the cloud. The cons of the hybrid cloud are added complexity and possibly costs. The surface area and security exposure increase when you use multiple clouds or a mix of on-premises assets and cloud. The skills and expertise needed to manage such an environment are greater than what you need when you’re all in on one environment. If you move applications and services to the cloud but do not retire on-premises environments, you probably will not see large cost savings. In this environment, you will need to be aware of all the security boundaries and responsibilities, as it can become very complex.
How to Migrate to the Cloud
If you're looking to move to the cloud, there are three common ways by which you can go about it.
1. Lift and Shift
Lift and shift takes the servers and applications running in the on-premises data center and simply re-hosts them in the cloud. This can be the easiest way to migrate to the cloud, and it is the first step many companies take. The risk here is you need to understand how the cloud is different in security, networking, and server management. Additionally, this method doesn’t help with reducing technical debt, and it is often not a means of cost-effective migration, as you are not right-sizing your infrastructure or taking advantage of the elastic nature of the cloud.
2. Refactoring
Refactoring includes modifying on-premises infrastructure, code, and deployments to take advantage of the elastic nature of the cloud. This method includes the advantage of having web services behind a load balancer and scaling computing resources up and down based on demand instead of building a web farm to support peak load. You may also take advantage of managed services or Platform-as-a-Service (PaaS) offerings such as CDN, database, and data replication services. This method enables you to take advantage of cost savings associated with minimizing resources when demand decreases, paying for what you need vs. always-on resources. The risk with this approach is you are changing multiple variables during the migration process, which makes troubleshooting more complex.
3. Redesigning to Be Cloud Native
This can be a complex migration strategy where the applications' architecture is redesigned during migration to take full advantage of the benefits of the cloud. This includes utilizing SaaS offerings from the cloud vendor or third-party providers, relying on managed services (PaaS) to minimize operational burdens, introducing technologies such as containers and serverless computing, and embracing an Infrastructure as Code (IaC) philosophy. The pros of this approach are that it can be a highly resilient, cost-effective solution that scales to meet demand without overprovisioning. The cons are that it adds complexity and risk, as many architecture components are changing at the same time. Additionally, it's challenging to ensure resiliency and security.
Why Cloud Migrations Fail
As with any IT infrastructure, you must make sure the cloud provider is compliant with all the regulations your industry needs and can provide evidence of successfully passing audits that validate compliance. You also need to govern the security of your applications and data. Your IT and development teams need to have a security-first mindset and configure the infrastructure and apps to align with compliance requirements and security best practices.
Specifically, you need to consider how and where data is transmitted and stored. Is it encrypted everywhere? Is access minimized to only the roles that need it? Is unauthorized duplication of data protected against? This is important to review in both the migration processes and once in the cloud.
Your Responsibility in Moving to the Cloud
Migrating to the cloud should not be seen as a single project but as a multi-stage program. You will learn a great deal by starting small and building on the experience. You may not realize cost savings until the application and infrastructure are designed to scale up and down such that you can take advantage of the elastic capabilities and pay-per-use philosophy of the cloud.
Moving to the cloud does not make you automatically secure, however. You are always responsible for securing applications, OS images, networks, access rules, and data in the cloud. Cloud vendors provide security of the computing assets, not the data placed on their assets. You will need to establish a relationship with your cloud provider to understand where security responsibilities lie and test the security.
In the next blog post, I’ll discuss how you can use CIS resources to meet your security responsibilities when migrating to the cloud.
About the Author
VP of IT Services
Don Freeley is a technologist with more than 25 years of experience leading architecture, engineering, and IT organizations. As Vice President of Information Technology Services, Don is responsible for the delivery of innovative, reliable, and secure computing environments that support and enhance CIS’ global mission.
In addition to managing daily technology operations, Don provides strategic leadership for a fast-growing company globally recognized as a leader in cybersecurity. Prior to joining CIS in 2023, Don led IT, Architecture, and Engineering organizations at global companies, helping public and private sector organizations deploy and use technology securely at scale.
Don holds a Bachelor of Science in Computer Science degree from the University of Massachusetts.