It’s a common misconception that business applications can be beamed up, Star Trek style, into the cloud: the IT team presses a few buttons and whoosh, the migration is done. If only it were that easy.
In the first place, it’s important to note that there are some applications that should not, or cannot be moved. Legacy applications may be difficult to virtualize, requiring significant development work before they can be migrated. Some applications may be sensitive to latency, so for performance reasons they should stay on-premise. Others may be governed by regulations which prohibit their moving outside of a given jurisdiction or geographic region. Despite these constraints, we’ve found through working with large enterprise organizations that around 85 percent of applications can potentially be migrated to the cloud.
But then there are multiple challenges which need to be addressed if the migration is to be done smoothly and securely. First, the application’s existing network flows need to be mapped, so that the IT team knows how to reconnect the application’s connectivity post-migration. This is extremely hard to do in complex environments. There’s usually little to no up-to-date documentation, and attempting to understand the requirements and then painstakingly migrate and adjust every firewall rule, router ACL and cloud security group to the new environment manually is an extremely time-consuming and error-prone process. A single mistake can cause an outage, a compliance violation, or a hole in the business’s security perimeter, typically an over-broad “allow any” rule added in a hurry to get a broken application working again and never tightened afterwards.
Just how long could this process take? In AlgoSec’s experience, an experienced consultant can manually map around one application per day, or five per week, depending on the number and complexity of the application’s network flows. At that rate a team of five consultants would take around a year to map the 1,200 applications found in a typical large enterprise. If the organization does have good documentation of its applications, and an accurate configuration management database, it may be possible to cut this time roughly in half.
But given the work and time involved - not to mention cost - in mapping applications manually, some organizations may ask if they really need to do it before migration. The answer is definitely yes, unless they plan to move only one or two applications in total – and can afford to manage without those applications for hours or days, in the likely event that a problem occurs and connectivity is disrupted. Having comprehensive maps of all the applications that need to be migrated is essential: this atlas of connectivity flows shows the way forward to smooth, secure cloud migrations.
Ready to move
With an atlas of existing connectivity maps, organizations can tackle the migration process itself. This can be done manually using the APIs and dashboards available on all cloud platforms, but it’s slow work, and it’s all too easy to make costly mistakes. Some cloud service providers offer native automation tools, but these often address only the provider’s own environment and don’t provide visibility, automation or change management across your entire estate. Even third-party cloud management tools that span multiple clouds will not necessarily cover your on-premise networks.
The most effective way to accelerate application migrations is with an automation solution that supports both the existing on-premise firewall estate and the new cloud security controls. Starting from the atlas of existing connectivity flows, and taking into account the security and compliance requirements of the new environment, it should accurately define the flows needed after the move. In fact, the right automation solution can also discover and map your enterprise applications and their connectivity flows for you, without requiring any prior knowledge or manual configuration by security, networking or application teams.
Businesses can then use the solution to navigate through the actual migration process to the cloud, automatically generating the hundreds of security policy change requests that are needed across both the on-premise firewalls and cloud security controls. This dramatically simplifies a process that is extremely complex, drawn-out and risky, if attempted manually.
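The two steps described above, mapping an application’s flows and then deriving the policy changes the move requires, can be shown concretely. The following is an added example written for this article, not AlgoSec’s product or any vendor’s rule format: every host, address, application name and flow record in it is constructed, and the cloud VPC range 10.100.0.0/16 is an assumption. It goes slightly beyond the text in that it also separates out the flows that must not be translated mechanically (here, an internet-facing tier) rather than opening a security group to the world.

```python
"""Turn an atlas of observed application flows into the security-policy
changes a cloud migration needs.  Added example; every host, address and
flow below is constructed, and the rule format is a generic one, not any
vendor's or AlgoSec's."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str    # source IP
    dst: str    # destination IP
    proto: str  # "tcp" or "udp"
    port: int   # destination port


# Constructed inventory: host -> (application, tier).
INVENTORY = {
    "10.1.1.10": ("crm", "web"),
    "10.1.1.20": ("crm", "app"),
    "10.1.2.30": ("crm", "db"),
    "10.9.0.5": ("ad", "dc"),         # directory service, stays on-premise
    "10.1.3.40": ("payroll", "app"),  # regulated, stays on-premise
}

# Constructed migration plan: which applications move, and the address each
# migrated host gets in the cloud VPC (assumed to be 10.100.0.0/16).
MIGRATING = {"crm"}
NEW_ADDRESS = {
    "10.1.1.10": "10.100.1.10",
    "10.1.1.20": "10.100.1.20",
    "10.1.2.30": "10.100.2.30",
}

# Constructed flow atlas, as distilled from NetFlow or firewall logs.
FLOWS = [
    Flow("10.1.1.10", "10.1.1.20", "tcp", 8443),   # web -> app
    Flow("10.1.1.20", "10.1.2.30", "tcp", 5432),   # app -> db
    Flow("10.1.1.20", "10.9.0.5", "tcp", 636),     # app -> AD (LDAPS)
    Flow("10.1.3.40", "10.1.2.30", "tcp", 5432),   # payroll reads CRM db
    Flow("203.0.113.7", "10.1.1.10", "tcp", 443),  # internet users -> web
]


def locate(ip, inventory=INVENTORY, migrating=MIGRATING):
    """Classify a host as 'cloud' (moving), 'onprem' (staying) or 'external'."""
    if ip not in inventory:
        return "external", None
    app, tier = inventory[ip]
    where = "cloud" if app in migrating else "onprem"
    return where, f"{app}-{tier}"


def plan_changes(flows=FLOWS, new_address=NEW_ADDRESS):
    """Derive the policy changes for the flows the migration affects.

    Returns (security_groups, onprem_firewall, review):
      security_groups: ingress rules per migrated tier, keyed by group name,
                       each a (proto, port, source) tuple; the source is a
                       peer group when the client also moves, else its
                       on-premise address, reached over the VPN/Direct
                       Connect path.
      onprem_firewall: flows that will cross the on-premise perimeter after
                       the move and so need a firewall rule, written with
                       the new cloud address of the migrated side.
      review:          flows that must not be translated mechanically.
    """
    security_groups = defaultdict(set)
    onprem_firewall = []
    review = []
    for f in flows:
        s_where, s_group = locate(f.src)
        d_where, d_group = locate(f.dst)
        if d_where == "cloud":
            if s_where == "cloud":
                security_groups[d_group].add((f.proto, f.port, f"sg:{s_group}"))
            elif s_where == "onprem":
                security_groups[d_group].add((f.proto, f.port, f"{f.src}/32"))
            else:
                # Never open the group to 0.0.0.0/0 just because an external
                # source was observed; public exposure is a design decision
                # (load balancer, WAF), so hand it to a human.
                review.append((f, "external source: decide on public exposure"))
        if {s_where, d_where} == {"cloud", "onprem"}:
            # After the move this flow traverses the on-premise firewall.
            onprem_firewall.append((
                new_address.get(f.src, f.src),
                new_address.get(f.dst, f.dst),
                f.proto, f.port,
            ))
        # onprem -> onprem flows are untouched by the move.
    return dict(security_groups), onprem_firewall, review


if __name__ == "__main__":
    sgs, fw, rev = plan_changes()
    for group, rules in sorted(sgs.items()):
        for proto, port, source in sorted(rules):
            print(f"sg {group}: allow {proto}/{port} from {source}")
    for src, dst, proto, port in fw:
        print(f"on-prem fw: allow {src} -> {dst} {proto}/{port}")
    for f, why in rev:
        print(f"review: {f.src} -> {f.dst} {f.proto}/{f.port}: {why}")
```

The constructed atlas deliberately includes the two cases that cause outages in practice: a migrated tier that still depends on something staying behind (the CRM app tier’s LDAPS calls to the on-premise directory), and an application that stays behind but depends on something that moves (payroll reading the CRM database). Both only show up as perimeter-crossing rules because the flows were mapped first; without the atlas they surface as a broken application after cut-over.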
After the applications have been migrated, the automation solution should be used to provide unified security policy management for the entire enterprise environment, from a single console.
While there isn’t yet a method for beaming applications up instantly into the cloud, automation makes the process both fast and relatively pain-free by eliminating time-sapping, error-prone manual processes, such as connectivity discovery and mapping, during the migration itself, and in ongoing management. Automation helps organizations to boldly go where they haven’t easily been able to go before.
About the Author
Edy Almer is responsible for developing and executing the company’s product strategy. Previously Mr. Almer served as VP of Marketing and Product Management at Wave Systems, an enterprise security software provider, following its acquisition of Safend where he served in the same role. Prior to Safend, Mr. Almer managed the encryption and endpoint DLP products within the Endpoint Security Group at Symantec. Previously he managed the memory cards product line at M-Systems prior to that company’s acquisition by Sandisk in 2006. Mr. Almer’s operational experience includes the launch of 3G services projects at Orange, Israel's fastest growing cellular operator, resulting in 100,000 new 3G customers within a year of its launch. As the CTO of Partner Future Comm, Mr. Almer developed the product and company strategy for potential venture capital recipient companies. Mr. Almer has a B. Sc. in Electrical Engineering and an MBA.