Engage security and risk departments early and often. Security, risk and compliance teams should be engaged early in the cloud adoption program to address issues such as data protection, controls, auditability and identity and access management. Late engagement with your security team could result in resistance and delays in moving workloads to the cloud. Adapting to new security patterns and cloud security features can take time in your organization. Early and frequent engagement is imperative to meet your timelines. By using policy as code (PaC), you can help build confidence with your risk and security teams that new cloud services can be provisioned and maintained within the guardrails of compliance requirements. PaC can help you enforce recommended security practices and compliance requirements without slowing down development. This practice can also create consistency and compliance within a DevSecOps mode of operations.
Get the disposition right. The proper disposition of your application portfolio requires a detailed roadmap and a rolling wave plan. The plan should include each application’s strategic hosting destination and should align to business needs, technology strategy, cloud adoption policies, constraints and rules of acceptable use. Make sure to ask yourself whether the application will be retired, remain in place, be moved as-is, be modernized or take one of the many other paths to cloud. Take the time to perform an application analysis and disposition effort, including the interdependencies that make up a business ecosystem, before moving any workloads.
Effective portfolio analysis should include both technical and business considerations. Without accounting for business needs and business relationships within the application portfolio, your move to the cloud is far less likely to succeed. The sources of data needed to perform this broad analysis properly are often diverse and scattered throughout the enterprise. Infrastructure data from a configuration management database (CMDB) or other inventory source is commonly the easiest to include. However, because many enterprises treat cloud adoption as an infrastructure change, this source can have a disproportionate impact on disposition decisions.
For an adoption program to be successful, you should include a broader collection of data in the disposition analysis than the infrastructure inventory alone. This data should include application architecture sources to help understand each system’s in-depth architecture. A keen understanding of business ecosystem information is needed so applications are not treated as isolated components. This is a critical step to help avoid splitting a complex business process apart during the migration waves. You should also pay attention to policy, governance and controls requirements so that disposition decisions will comply with enterprise requirements for data protection, tech governance and terms of acceptable use of cloud services.