Successful cloud migration and choosing the right cloud provider

Challenges in cloud migration and cloud provider selection

Moving to the cloud has the potential to improve IT security and availability. At the same time, it is expected to save costs and free up time for the company's core business. For this to succeed, the key points of the company's requirements profile must be clarified and the right cloud partner selected.

The flip side of cost savings, efficiency and time gains is the loss of direct control over the infrastructure. In other words, a new and business-critical relationship is created.

So what should be considered when choosing a cloud provider and giving up in-house hardware?

The Path to the Cloud: A Guide for Successful Migration

Moving business resources to the cloud is a significant step that requires comprehensive planning and careful execution. A well-structured migration roadmap can help minimize risks and ensure a seamless transition.

In this article, we aim to provide an overview of what such a process could entail and the measures necessary for a successful migration to the cloud.

Phase 1: Cloud Migration Assessment

At the outset, a comprehensive analysis of the current IT landscape and business requirements should be conducted. This process, also known as Cloud Migration Assessment, lays the foundation for a successful migration.

The existing IT systems and applications, as well as the business requirements and goals to be achieved through the migration, need to be identified.

Checklist for Cloud Migration Assessment:

  • Identify data to be transferred to the cloud.
  • Determine business goals to be achieved through the migration.
  • Assess the workforce's technological proficiency in dealing with cloud technologies.

Phase 2: Creation of a Migration Plan

Following the analysis, the development of a detailed migration plan ensues. This plan acts as a roadmap for the entire migration process and should outline clear steps, milestones, and schedules for implementing each task.

Checklist for Creating a Migration Plan:

  • Define clear steps and milestones for the migration process.
  • Set a realistic timeframe for task execution.
  • Clarify roles and responsibilities of all involved parties in the plan.

Phase 3: Execution of Migration

The migration is carried out according to the established plan. During this phase, it is crucial to keep all stakeholders informed and address any issues promptly.

Checklist for Executing Migration:

  • Perform migration as per the established plan.
  • Keep all stakeholders updated on the progress of the migration.
  • Address any emerging issues promptly.

This structured approach and corresponding checklists ensure that the cloud migration proceeds successfully and seamlessly.

Important aspects when choosing a cloud provider

The primary goal of cloud migration is often to reduce costs and effort associated with in-house IT. In addition, geo-redundancy, improved (basic) security, scalability and a faster time-to-market are sought. For this to succeed, central attention must be paid to the choice of partner. Technical expertise is as important as reliability and trust. 

The latter must always be accompanied by a clear assessment of what can happen to the data entrusted to the partner. In addition to obvious dangers such as theft or ransomware, it must be clear which states, authorities or organizations can access this data under which circumstances and how high the associated risks are. 

On the one hand, these are compliance issues, but also questions of image and the requirement for one's own data sovereignty. For some, the risk of data being siphoned off by government organizations is insignificant; for others, it is central.

Security

Unlike data protection, which concerns personal data, data security covers all data. Many companies hesitate to take the step into the cloud primarily out of fear of data loss, so the technical protection of data has top priority.

Data security has three elements: confidentiality (protection against unauthorized disclosure and theft), integrity (protection against unauthorized modification) and availability (protection against data being blocked, lost or destroyed).

The quality of the cloud provider can be recognized, among other things, by how it assists in identifying the requirements for the level of protection of the data entrusted to it and in determining the appropriate measures.

Some examples on the subject of security:

  • Data theft: data is copied and then sold on the darknet.
  • Data blocking (access to the data is no longer possible), e.g. by DDoS attacks or ransomware. In the ransomware case the data is encrypted by malware and access is only restored, if at all, after a ransom is paid. In the meantime, the business processes that depend on the data are at a standstill.
  • Data alteration: data is modified without authorization.

Data security is not only about protection from attackers, but also about protecting users from themselves. Good support can therefore also be an element of security, for example by preventing (inexperienced) users from making mistakes with data, such as accidental deletion or exposure.

Cybercrime is a real danger, in Switzerland as elsewhere. An up-to-date overview of the threat situation in Switzerland is provided by the National Cyber Security Centre (NCSC).

Finally, one should be aware of the different forms of damage a successful cyberattack can cause: loss of business-critical services, financial damage, loss of earnings, reputational damage, legal costs, as well as personal penalties for the decision-makers.

Availability and performance

Availability

The availability of a cloud service is the share of a reference period during which the service is usable. Typical reference periods are days, months, quarters or years, and availability is usually specified as a percentage of that period, for example "99.5% per month". The reference period matters: the same percentage permits a different amount of continuous outage depending on whether it is measured per month or per year.

Availability can be measured as the ratio of uptime (the time the service is properly available) to total time (uptime plus downtime):

Availability = Uptime / (Uptime + Downtime).

Ideally, downtime is zero and availability is 100%. In cloud computing, 99.9% is usually the lowest value offered. Bear in mind that 99.9% per year still permits about 8.76 hours without access per year (0.1% of 8,760 hours), and 99.9% per month about 44 minutes each month. For some businesses, this may already be too much.

Announced maintenance windows usually do not count as downtime for the provider. Therefore, maintenance windows (frequency, duration, time of day, notice period) should be clearly regulated in the SLA.
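As an added example (not part of the original article), the following Python turns the formula above into the two checks a practitioner needs when reading an SLA: the downtime budget that a percentage leaves over a reference period, and the availability actually achieved from an outage log with announced maintenance windows excluded. The period, the outage log and the maintenance window are constructed sample data, and the 744-hour January and 8,760-hour year are assumptions.

```python
"""
Availability arithmetic for SLA review.

Added example, not from the original article. Period lengths, the outage log
and the maintenance window below are constructed sample data.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Interval = Tuple[datetime, datetime]

HOURS_PER_YEAR = 8760.0   # 365 days; an average month of 30.4 days is 730 h


def downtime_budget_hours(sla_percent: float, period_hours: float) -> float:
    """Hours of counted downtime that an SLA of sla_percent still permits
    within a reference period of period_hours."""
    return period_hours * (1.0 - sla_percent / 100.0)


def _overlap(a: Interval, b: Interval) -> timedelta:
    """Length of the intersection of two intervals (zero if disjoint)."""
    start, end = max(a[0], b[0]), min(a[1], b[1])
    return max(end - start, timedelta(0))


def measured_availability(period: Interval, outages: List[Interval],
                          maintenance: List[Interval]) -> float:
    """Availability = uptime / (uptime + downtime), as a percentage.

    Only outage time inside the period counts, and the part of an outage that
    falls into an announced maintenance window is excluded, mirroring the usual
    SLA wording. Assumes maintenance windows do not overlap each other.
    """
    total = period[1] - period[0]
    counted = timedelta(0)
    for outage in outages:
        clipped = (max(outage[0], period[0]), min(outage[1], period[1]))
        if clipped[1] <= clipped[0]:
            continue  # outage lies entirely outside the reference period
        excluded = sum((_overlap(clipped, m) for m in maintenance), timedelta(0))
        counted += (clipped[1] - clipped[0]) - excluded
    uptime = total - counted
    return 100.0 * (uptime / total)


# Constructed sample: January 2024 (744 h) under a "99.9% per month" SLA.
PERIOD: Interval = (datetime(2024, 1, 1), datetime(2024, 2, 1))
MAINTENANCE: List[Interval] = [(datetime(2024, 1, 5, 1, 0), datetime(2024, 1, 5, 3, 0))]
OUTAGES: List[Interval] = [
    (datetime(2024, 1, 5, 2, 30), datetime(2024, 1, 5, 3, 30)),   # overruns the window by 30 min
    (datetime(2024, 1, 17, 9, 0), datetime(2024, 1, 17, 9, 45)),  # unplanned, 45 min
]


def sla_report(sla_percent: float = 99.9) -> Dict[str, object]:
    """Compare the availability achieved in the sample month with the SLA."""
    period_hours = (PERIOD[1] - PERIOD[0]).total_seconds() / 3600.0
    achieved = measured_availability(PERIOD, OUTAGES, MAINTENANCE)
    return {
        "period_hours": period_hours,
        "budget_hours": downtime_budget_hours(sla_percent, period_hours),
        "counted_downtime_hours": period_hours * (1.0 - achieved / 100.0),
        "achieved_percent": achieved,
        "sla_met": achieved >= sla_percent,
    }


if __name__ == "__main__":
    for key, value in sla_report().items():
        print(f"{key}: {value}")
```

Run stand-alone, it prints the report for the sample month: 75 minutes of counted downtime in a 744-hour month already breaches 99.9%, because the monthly budget is only about 45 minutes (0.744 hours). The first outage overruns its maintenance window by 30 minutes, and only that overrun counts; the same log would pass a 99.8% SLA.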

Performance

Performance is about the quality of the service: a cloud application may simply respond too slowly. The customer should therefore determine exactly what responsiveness each service needs (e.g., the maximum response time for service X), define this as clearly measurable key performance indicators (KPIs) and fix them in the SLA. The same applies to how these KPIs are reported.

It should also be clarified how, and how quickly, the provider must respond to faults, and whether and which sanctions (e.g., financial) apply if it fails to.

Finally, with shared resources it should be clear how priorities are set during peak demand. AWS, for example, reserves the right to prioritize its own applications (amazon.com) if necessary. During periods of rapid growth (e.g., at the onset of the Covid pandemic), demand may exceed the provider's capacity.

Support and transparency

Support

Support is a key and sometimes underestimated element, because the price of a service in normal operation can differ substantially from the price in a crisis.

It is important to get a precise overview beforehand of how much support is agreed in the contract, when the limit of the service covered in the contract is reached, and how the costs are made up as a result.

Support is generally organized hierarchically from level 0 to 3, with the technical competence of the contact persons increasing at each level. Level 0 is self-service, and depending on the provider a great deal may be left to self-service. With certain providers, personal support only starts at a contract volume of CHF 100,000; below that, only FAQs, chatbots or e-mail are available.

Response latency can therefore be very high, and when a business-critical problem occurs, the only remaining option is an unbudgeted expense.

Transparency

The partner's transparency about costs, services and potential problems is central to assessing its trustworthiness, so all of these should be documented as publicly as possible.

In addition, critical information should be clearly visible in the customer portal, for example the new costs incurred when additional services are booked or their performance tier is increased.

The same applies to performance: how easily can the customer see the critical KPIs, and can they retrieve them independently?

How does the cloud provider inform customers and third parties in the event of security problems? Does one feel comfortable with the partner's communication? This is all the more important because security incidents regularly become a topic in the media.

Finally, there is the question of whether the service level agreement (SLA) can be negotiated individually. Large public cloud providers rarely deviate from their standard terms: is individual negotiation important for the business in question, or are the standard terms sufficient?

Cost

Cost is the driver par excellence when choosing a partner. However, the difference between price and cost often falls by the wayside.

As described above under support, things can quickly become expensive if business-critical processes fail and the problem has to be solved immediately and outside the contract.

There should also be a clear mechanism that shows the customer whenever new costs are incurred. Some developers like to book additional features and services on the fly.

Not all cloud providers offer a transparent catalog of services. Besides a clear catalog, a customer-friendly portal that presents cost information transparently is important. That even large providers do too little here is shown by the very existence of third-party tools for getting escalating cloud costs under control. The question must therefore be asked how realistically costs can be planned with a given provider.

Compliance

The partner should be able to show clearly which regulations it fulfils and which of them are relevant for the customer, and it should clarify the necessary requirements together with the customer.

For many companies, compliance is a closed book. They tend to shy away from it because they associate it first and foremost with costs.

The partner should be able to show clearly where the costs are worthwhile, where responsibility lies with the provider and where it lies with the customer. Even large providers delegate part of the responsibility to the customer, and many certifications apply only to the basic services. The customer must then ensure on its own that its architecture and processes (e.g., encryption and key management) meet the requirements.

One example is AWS's "shared responsibility model". In any case, how responsibilities are divided must be verified before working with any provider.
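One way to make the customer's side of that split verifiable is to encode it as checks over an inventory of one's own resources. The following Python is an added example, not the article's or any provider's code: the resource fields, the three classifications and the rules (encryption at rest, who holds the key, no public access, a retention limit) are assumptions for illustration, and the inventory is constructed. The key-custody rule reflects the point made later in the article that who can access the data matters as much as where it is stored: with a customer-held key, neither the provider nor anyone who can compel the provider can read the data without the customer.

```python
"""
Customer-side control check for the shared responsibility model.

Added example, not from the article or from any provider. The provider's
certifications cover the platform; whether the customer's own storage layer
meets the requirements is the customer's job to verify. Field names,
classifications and the rules are assumptions for illustration, not any
provider's API or policy; the inventory is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Who can decrypt data at rest, ordered from weakest to strongest.
# "customer-held": key material stays outside the provider (client-side
# encryption or an external HSM), so the provider, and anyone who can compel
# the provider, cannot read the data without the customer's cooperation.
KEY_CUSTODY = ("none", "provider-managed", "customer-held")

# Assumed minimum key custody per data classification.
MIN_KEY_CUSTODY = {
    "public": "none",
    "internal": "provider-managed",
    "confidential": "customer-held",
}


@dataclass(frozen=True)
class StorageResource:
    name: str
    classification: str            # "public" | "internal" | "confidential"
    encrypted_at_rest: bool
    key_custody: str               # one of KEY_CUSTODY
    publicly_readable: bool
    retention_days: Optional[int]  # None means "kept forever"


def check_resource(res: StorageResource) -> List[str]:
    """Return the findings for one resource (an empty list means compliant)."""
    if res.classification not in MIN_KEY_CUSTODY:
        return [f"unknown classification {res.classification!r}; classify before migrating"]
    if res.key_custody not in KEY_CUSTODY:
        return [f"unknown key custody {res.key_custody!r}"]

    findings: List[str] = []
    required = MIN_KEY_CUSTODY[res.classification]
    if res.classification != "public" and not res.encrypted_at_rest:
        findings.append("not encrypted at rest")
    elif KEY_CUSTODY.index(res.key_custody) < KEY_CUSTODY.index(required):
        findings.append(f"key custody {res.key_custody!r} below required {required!r}")
    if res.publicly_readable and res.classification != "public":
        findings.append("publicly readable")
    if res.retention_days is None:
        findings.append("no retention limit (data minimisation)")
    return findings


def check_inventory(resources: List[StorageResource]) -> Dict[str, List[str]]:
    """Map each non-compliant resource name to its findings."""
    report: Dict[str, List[str]] = {}
    for res in resources:
        findings = check_resource(res)
        if findings:
            report[res.name] = findings
    return report


# Constructed inventory of a fictitious customer's storage resources.
INVENTORY = [
    StorageResource("www-assets", "public", False, "none", True, 365),
    StorageResource("crm-exports", "confidential", True, "provider-managed", False, None),
    StorageResource("hr-archive", "confidential", True, "customer-held", False, 3650),
    StorageResource("ci-logs", "internal", True, "provider-managed", True, 30),
]


if __name__ == "__main__":
    for name, findings in check_inventory(INVENTORY).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run stand-alone, it reports two resources: the CRM exports are encrypted, but with a key the provider controls and without any retention limit, and the CI logs are readable by anyone. Neither of these would appear in the provider's own certification report, because both are on the customer's side of the split.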

ISO/IEC 27001: This standard specifies the requirements for establishing, implementing, maintaining and continuously improving a documented information security management system. The bottom line is that the partner has documented and audited processes to professionally manage security within the company - for itself and its customers.

This certification is central to demonstrating that a company is professionally managed. It is not a "silver bullet" for security, however: it is rarely pointed out that the organization itself defines the scope of the certification and, in its Statement of Applicability, which controls it applies. The certificate's scope and the Statement of Applicability should therefore be checked.

FINMA certification (FINMA circulars 08/7, 08/21 and 18/3): Many a provider talks about a FINMA certification. There is no such thing: FINMA does not certify providers; it issues circulars that apply to the supervised financial institutions, not to their cloud providers. Nevertheless, it is important for cloud providers with customers in the financial industry to show that they take these circulars into account (e.g., with an ISAE 3402 or SOC 2 report).

GDPR: The European Union's General Data Protection Regulation (GDPR) has applied since 2018. It gives individuals more control over their personal data. The regulation is also relevant for Swiss companies:

  • If they operate a branch in an EU country.
  • If they offer goods or services to people in the EU (e.g., via an online store).
  • If they monitor the behaviour of people who are in the EU, regardless of their nationality (e.g., by tracking website visitors).

Data Protection Act (nDSG): The Swiss Data Protection Act is being revised. The new Data Protection Act (nDSG) is scheduled to come into force on September 1, 2023 and largely aligns with the European GDPR.

This means that the requirements become stricter and personal fines of up to CHF 250,000 are introduced for non-compliance. Data protection thus becomes increasingly relevant even for companies that work only in Switzerland with Swiss customers.

swiss hosting (full disclosure: this is a product of swiss made software): The question "Where is the data located?" is becoming increasingly important for many companies, for reasons of security as well as compliance. It is often claimed that a data location in Switzerland is sufficient. What is underestimated is that it is just as important who can access the data, from where and under what circumstances.

An obvious example is the US CLOUD Act: it allows US authorities to compel US-based providers to hand over data under their control, regardless of the country in which it is stored. swiss hosting shows where there is no such automatic access by third countries.

What is the ideal relationship with the provider?

The relationship with the cloud provider should be characterized by trust. However, this trust must be earned.

The cloud provider must be transparent and technically competent, and its infrastructure must be easy to use. In addition, the partner should be able to show clearly which responsibilities will lie with the provider in future and which will remain with the customer or arise anew.

Expectations: Standard performance vs. customized performance

It is often said that cloud offerings do not cause lock-in (the customer can simply switch partners at any time). But this does not correspond to reality. The more specific the requirements and the more customizations are made, the more difficult it is to switch later. For complex cloud applications, it is therefore enormously important to choose the right partner.

In addition, the partner should clearly show how large its capacities are for special requests. It is of little use if customizations are theoretically possible, but no employees are free in the foreseeable future.

Use of hardware - dedicated / bare metal

Depending on the type of customer, different hardware requirements apply. On a virtualized server, the customer shares the hardware with one or more other customers who may be using it at the same time. Those who do not want this can use dedicated servers, also known as "bare metal".

The term "scalability", i.e. smooth adaptation to the customer's requirements, is often used for all variants. This is not just about ramping up during peak loads, but also ramping down when these peaks have passed. Ultimately, a central promise of the cloud is that the customer can dynamically adapt the hardware to the business requirements and only pay for what he needs at any given time.

This avoids high fixed costs for hardware that is only needed at peak times. As tempting as that sounds, scalability is relevant only for a small proportion of companies, and whether it is needed at all is part of a serious clarification of the customer profile.

FAQs when choosing a cloud provider

Does cloud migration allow you to do without your own IT?

The cloud is no substitute for IT expertise. The customer must be aware of what a failure means and how such a problem can be resolved. If the customer has its own IT experts, it is more likely to be able to solve problems without the support of its partner.

If, on the other hand, the customer's own IT expertise is limited, it must be known how quickly direct contact with a human being in support is possible, and how quickly a case can be escalated to a higher level when in doubt.

Rule of thumb: the more support is included in the standard package, the more reliable and efficient the cloud provider must be; otherwise support costs will eat up its margin.

What does cloud migration mean for responsibilities?

Transparency in responsibilities: Which responsibilities are assumed by the cloud provider, which remain with the customer, and do new responsibilities arise for the customer? Is all this listed in the service level agreement (SLA)?

What should I look out for when it comes to support during cloud migration?

Not all support is the same: What is included in support and how is it made transparent? How long does it take for a problem to reach management?

What should I pay attention to during data processing?

Processing: every cloud provider should state clearly what it does with the data, where processing takes place and by whom (whether other companies are involved). It should also be stated explicitly that the data remains the property of the customer (again, in the SLA).

How important is lock-in in cloud migration?

Lock-in or how easy is it to switch? The more software adjustments are made, the more difficult it becomes to switch. That's why the right choice of partner is crucial. Under certain circumstances, a business relationship may develop that lasts for years - whether you want it to or not. It should also be clearly defined what the process for an exit looks like.

What is central to cloud provider selection?

Open and transparent dialog about what the customer really needs. For example, the vast majority only need scalability to a limited extent, and even a Kubernetes cluster only makes sense in certain use cases.

Are international cloud providers more secure than local providers?

That large international providers offer greater protection because they have more experts and bigger budgets may or may not be the case. Case in point: the data breaches regularly highlighted in the media often occur at large international companies. The larger the organization, the more complex and challenging it is to plug all the holes.

Large providers also concentrate risk: things only have to go wrong once to affect millions of people, which at the same time makes them attractive targets. But that does not mean that small is automatically fine.

Rather, it is important to clarify exactly who the partner is (e.g., look at its customer list) and what its protective measures are, to know what data you hold yourself (data classification and the measures derived from it) and, above all, to store only the data that is really necessary.

In many places, everything that can be stored is stored, even without a concrete use for it. Data minimisation also reduces one's own risk profile.

Is cyber insurance important for cloud migration?

Cyber insurance: There are now various offers for cyber insurance. It is worth taking a close look at the market.

Conclusion on cloud migration and choosing the right service provider

Although migrating to the cloud can be a complex task, it can become a successful endeavor through careful planning and preparation.

Thorough assessment, a detailed migration plan, and selecting the right cloud service provider are the cornerstones of a successful cloud migration.

With these components in focus, companies can fully leverage the diverse benefits of cloud technology and effectively achieve their business goals.