Application migration

Application screening is the first step in identifying whether a specific application is ready to move into the cloud. This is normally accomplished using an interview process, with the system/application owner designed to identify cloud migration readiness and the value a migration could provide. As a data discovery exercise, this process will help identify applications for migration, while ensuring that the existing IT and security architecture is well understood, and this also helps to mitigate many complications that may occur when executing a migration strategy. Interviewers should leverage a consistent set of evaluation tested questions that will help triage an organization's application portfolio. Responses should be analysed with a focus on deciding the following:

• The most appropriate target deployment environment, which varies from physical hardware in a user-owned and -operated data center to a virtualized platform, a private cloud, or a public cloud
• Each application's SPAR benefit (scalability, performance, accessibility, reliability)
• Each application's SOAR readiness (security, organization, architecture resilience).

This triage effort should also highlight the most influential business or mission drivers, key readiness strengths, key benefit weaknesses, and key readiness weaknesses.

After identifying the applications that should be moved into the cloud, a data classification (PII, classified information, and so on) of the information processed by these systems should be completed. This should be done with input from the relevant SMEs and the Governance, Risk Management, and Compliance (GRC) team. This is an important step to understand because CSPs operate on a shared-responsibility model. The CSP will provide security of the cloud and the customer is responsible securing the information that put in the cloud. Data classification will help determine what information will remain on-premises and what information will be moved into the cloud, and it also helps to ensure that compliance requirements can be achieved.

Application portfolio data should then be compiled across all relevant or interrelated domains. The selection of a service model (SaaS, PaaS, or IaaS) and a deployment model (public, community, or hybrid) should be driven by organizational goals and compliance needs. It is important the think about where data will be stored, is encryption required, how information will be encrypted at rest, how information will be encrypted in motion, and who will manage the encryption. Answers to these types of questions will inform your selection. Screening output should also provides data to inform long-term application strategy decisions. Long-term options typically include retirement, refactoring, rebuilding, or lift and shift.