The 48 assessment questions to ask before Cloud Migration

According to an IDG report, 73% of all companies use the cloud to run at least a portion of their applications, and of the rest, 17% plan to move to the cloud in some form within the next 12 months.

Source: IDG – 2018 Cloud Computing Survey

But why is there such a surge to move to the cloud? From what I understand, organizations have become more prudent in recognizing that migrating to the cloud is no longer an option but a requirement to sustain growth and stay competitive.

Migration to the cloud is not about risk avoidance but risk management.

More so, the following factors heavily favor the move to the cloud:

  • Cost effectiveness
  • Security and compliance
  • Scalability
  • Performance
  • Enables innovation
  • Ongoing support

However, not all organizations have the liberty to build an entire application from scratch in the cloud. For instance, many financial institutions still run legacy applications on mainframes, and therefore it is preferable to move those applications to the cloud rather than reinvent the wheel.
Simple as it may seem, the move to the cloud is not straightforward. It requires support from management as well as the right skill sets and expertise.

The following are the 6 steps for an effective and efficient migration to the cloud.

[Figure: Migration phases (Migration_PhasesV1)]
Source: Rapyder – CLOUD MIGRATION

Putting the CISA approach into practice, I would consider the following questions for each of the migration steps:

  1. Strategy
    – Does the cloud strategy have a project sponsor for ongoing support?
    – Does the organization have a strategy to migrate to the cloud?
    – Does the organization have the support of the senior management for the migration?
    – Is the migration aligned with the business objectives of the organization?
    – Do all the business units understand the need and speak the same language (business and technical) for the cloud strategy?
    – Do we have the skill-set to migrate to the cloud?
    – Do we have the skill-set to implement and maintain the security in the cloud?
    – Which compliance requirements/regulations (e.g. GDPR, CCPA) are we obliged to follow during the migration?
    1. Pre-assessment
      – Are the applications ready to move to the cloud?
      – Do the benefits of cloud migration outweigh the cost?
      – What is the criticality of the application to be moved to the cloud?
      – What is the sensitivity of the data to be moved to the cloud?
      – Are there any privacy concerns to move the data to the cloud?
      – Do we have the cross-border controls in place to move the data to the cloud?
      – Has a business impact analysis been done on the business process?
    2. Readiness Assessment Report
      – Is the readiness assessment report submitted to the steering committee for review?
      – Are there any critical findings in the report?
      – Are there any critical findings that are not addressed in the report?
    3. Migration Plan
      – Do we have a mitigation plan for all the findings?
      – Do the benefits of mitigation outweigh the cost of risk?
  2. Proof of Concept (PoC)
    – Do we have a time-horizon to perform the PoC?
    – Do we have the skill-set to perform the PoC?
    – Do we need to engage any vendors to perform the PoC?
    – Are there any show-stoppers that could hinder the PoC?
    – Who is the owner of the PoC strategy?
    – What is the criticality of the functionality going through the PoC?
    1. Identify Workload for PoC
      – Do we have sufficient resources to perform the PoC?
      – Do we have enough sponsorship to perform the PoC?
    2. Migrate to Cloud
      – Are the application(s) successfully migrated to the cloud?
      – What are the backup plans for recovery?
      – Are there any risks that were not identified in the Pre-assessment phase?
    3. Measure success
      – What are the KPIs for the successful migration?
      – Are there any findings that were not identified in the pre-assessment?
  3. Data Migration
    – Is the data migration completed successfully?
    – Are we able to maintain the identified RPO (recovery point objective)?
    – Are there any incidents/events in the data migration that should be highlighted to the senior management?
    – Are there any privacy concerns about the vendor's handling of the data?
    – Is proper access control to the data maintained after the migration?
  4. Application Migration
    – Is the application migrated successfully?
    – Are we able to maintain the identified RTO (recovery time objective)?
    – Are proper application controls maintained after the migration?
  5. Cloud Transition
    – Is the transition successful?
    – Who is the person/team responsible for resolving any errors during the transition?
    – Is the entire transition process appropriately logged?
    1. Validation
      – Is the transition verified as successful?
  6. Run and Optimize
    1. Operate/Optimize
      – Does the application operate as anticipated?
      – Can the application be optimized further?
      – Is the application scalable?

These questions are part of the ‘Managerial’ controls and partially the ‘Operational’ controls. The ‘Technical’ controls differ for each of the services (AWS, Azure, Google Cloud, etc.) and therefore will be summarized in a separate post.