CLOUD MIGRATION M6807 S
Content 1. Introduction 2. Methodology 3. Requirements Definition Phase 3.1. Strategy 3.2. Knowledge 06/05/15 2
Content 4. Analysis Phase 4.1. Aplications and Systems 4.2. Development Model 06/05/15 3
Content 4.3. Service Model 4.3.1. SaaS Migration Considerations 4.3.2. PaaS Migration Considerations 4.3.3. IaaS Migration Considerations 4.4. Provider Avaliation 06/05/15 4
Content 5. Security Phase 5.1. Migration Tests 5.2. Security Policies 5.3. Security Controls 06/05/15 5
Content 6. Operation Phase 7. SaaS Example Normal Proccess 8. SaaS Example 9. References 06/05/15 6
1. Introduction S The term cloud is everytime presente in our daily life; S Looking at the advantages, companies have started to think about it as an appealing option; S However, for some companies using cloud services can presente some threats; S All companies should carefully, plan and analyze the change; 06/05/15 7
1. Introduction (Cont.) S When using cloud services becomes an option, one should always take into account security issues, analyzing them, finding solutions to mitigate them; S A good organization plan should be presente in all projects if they are to succeed; 06/05/15 8
1. Introduction (Cont.) S That being said, one should always have presente a good methodology that helps create a good tasks planning; S 4 Phases Methodology (Walter Andrew Shewhart, 30 s): S Plan; S Do; S Check; S Act. 06/05/15 9
2. Methodology S Based on the methodology presented before, in the 50 s, Edward Deming proposed that the business processes, as well as the systems, should be monitorized, measured and analyzed continuously identifying more easily faults and measures to correct them; 06/05/15 10
2. Methodology (Cont.) S Deming Plan-Do-Check-Act: S Plan: identification phase of what can be improved and all the necessary changes; S Do: changes implementation phase; S Check: obtained results analysis phase; S Act: phase to correct all that didn t work. 06/05/15 11
3. Requirements Definition Phase S One of the most important phases in all projects; S Well defined and clarified objectives; S Organization expertise level identification; S Requirements definition (need of learning); S Or, decide to use external services. 06/05/15 12
3.1. Strategy S The plan should include: S Risks and threats; S Applications and systems; S Well defined objectives; S Infrastructures and technologies in the new service; S Existing beneficts; 06/05/15 13
3.1. Strategy (Cont.) S Clear and suficient information to answer questions like: S Should the migration project be abandoned? Reduced? Delayed? S The cloud services are the most suitable for the business? S Should more careful analysis be made? 06/05/15 14
3.2. Knowledge S The plan before described should be able to make a complete assessment of the thecnical knowledge needed; S With these plans there is an assurance that the project can be accomplished and that all involved have a common definition of the topic at hand: cloud computing. 06/05/15 15
4. Analysis Phase S In the analysis phase the applications and systems ready to migrate are identified; S An analysis of the development models should be made, based on efficiency, economic beneficts, agility and inovation. 06/05/15 16
4.1. Aplications and Systems S A careful analysis should be made to evaluate what s best; S These can vary from organization, depending on the necessities, information to migrate, laws, regulations, etc 06/05/15 17
4.1. Aplications and Systems (Cont.) S The analysis should be made with basis on the following classification: S S S S Availability: identify minimum requirements; Latency: identify the minimum latency requirements for each application; Integration: level of integration, integrated applications can complicate the proccess, unlike stand-alone ones; Portability: evaluate the data migration capacity. 06/05/15 18
4.1. Aplications and Systems (Cont.) S In terms of security it is necessary to evaluate: S S S S Security: data security requirements and available system encryption options; Privacy and Confidentiality: security requirements that allow the control of privacy and confidentiality; Integrity: assure information integrity using redundancy, etc. Compliance: specific laws and regulations regarding sensible information. 06/05/15 19
4.2. Development Model S There are several facts to consider, for exemple: economic and security issues; S Organizations may choose to use a private or public cloud, depending of the necessity and available budget. 06/05/15 20
4.2. Development Model (Cont.) S The following table shows a brief analysis of both cloud models: Factor Public Cloud Private cloud Costs Low cost; Only pay for the necessary services; Cloud provider in charge of the Infrastructure. High cost: - Instalation; - Configuration; - Maintenance. Access to the available hardware. 06/05/15 21
4.2. Development Model (Cont.) Factor Public Cloud Private cloud Security Suitable for information or services not critical for the organization. Suitable for information or services critical for the organization. 06/05/15 22
4.2. Development Model (Cont.) Factor Public Cloud Private cloud Threats Limited Infrastructure control since it is in charge of the cloud provider; Requires good security policies that should be assured in the contract. Controls to protect the private cloud can be implemented. 06/05/15 23
4.2. Development Model (Cont.) Factor Public Cloud Private cloud Scalability High, virtually infinite, only limited by the contract between cliente and provider. Low, limited to the infrastructure and monetary resources available. 06/05/15 24
4.3. Service Model S In choosing from the several servisse models, Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), it is necessary to take into consideration the organization business requirements; S Have knowledge of the requirements for the type of system or information used. 06/05/15 25
4.3.1. SaaS Migration Considerations S Security options restricted at the application level; S Model used for colaboration applications, i.e., e-mail, productivity, Customer Relationship Management (CRM), or specific sectors, like logistics; 06/05/15 26
4.3.1. SaaS Migration Considerations (Cont.) S Since comunication is done via Internet, it should be considered to use encryption system (proprietary or from other entities); S For critical information it should not only used its own encryption systems, as well as encryption of data stored on the provider 's infrastructure. 07/05/15 27
4.3.2. PaaS Migration Considerations S The PaaS offer lies mostly in a complete development environment; S It is an indicated model for own or custom applications or custom applications, security services, databases services, etc. 06/05/15 28
4.3.2. PaaS Migration Considerations (Cont.) S Security considerations cover the access control and authorization, operation in shared environments, information and data;; S This model operates on a shared environment, so a strong authentication framework is essential to ensure that access to information is made only by those with permission. 06/05/15 29
4.3.3. IaaS Migration Considerations S The vendor provides a complete infrastructure to its customers; S Customers can install and provide services and resources to internal and external users; S It applies primarily to disk space, computing, storage, web page publishing and to backup and disaster recovery systems. 06/05/15 30
4.3.3. IaaS Migration Considerations (Cont.) S The customer must ensure that the implemented security controls can effectively separate and secure virtual machines, use of memory, network and storage resources; S As in previous models, encryption methods must be considered either to data in transit, whether for data at rest. 06/05/15 31
4.4. Provider Avaliation S This is a complex process which should check comparative standards, in a way that enables a real comparison between the different potential providers of services; S This analysis should focus the following: S Services, data and applications integration: analyze the existing infrastructure integration features in the organization with the services provided by the cloud provider; 06/05/15 32
4.4. Provider Avaliation (Cont.) S Protect data and information: analyse which encryption systems the provider has available; S Performance: make admission tests to make sure it is not too slow; S Contract negotiations: conform key settings, such as portability of information and systems, the ease of switching provider, change contractual terms of services, etc. 06/05/15 33
4.4. Provider Avaliation (Cont.) S S Physical security: check safety standards for implemented installations and what evidence can be provided; Product support : confirm the inclusion of technical support in the contract and the additional costs of providing this service. Also check the time in which this is available and what training and certification the support team has; S References: request a list of all customers, preferably up to date, and look for information about the organization. 06/05/15 34
5. Security Phase S At this stage we define controls attesting that the security is effective and observed; S Migration tests should be planned, tested and performed to allow a good decision of when and how the migration of applications, data and information should be conducted; S These tests determine whether the migration is done in stages or all at once, understanding the need to maintain services or applications in parallel and for how long. 06/05/15 35
5.1. Migration Tests S Migration tests are one of the final steps; S The planning and execution of migration may vary depending on whether the classification of the application: essential or imply losses for the company if it is stopped; S If the application is classified as in the previous topic this the migration should be achieved in phases, coexisting both infrastructures; 06/05/15 36
5.1. Migration Tests (Cont.) S The information collected in all the previous steps should be used for creating tests; S A well made and applied test plan will assure a cloud migration project success. 06/05/15 37
5.1. Migration Tests (Cont.) S In these tests, the following features should be analyzed: S Confirm the integrity of the data; S Set recovery plans and disaster response ; S Check the need for training workers whose job is to answer questions or problems of users; S Set a return plan in case of unexpected problems arise. 07/05/15 38
5.2. Security Policies S Approved by the management of the organization; S A security policy should have (Winkler, 2011): S Identification of all resources and systems we want to protect; S Identify vulnerabilities, threats and exposure to threats; S Measures to protect resources, evaluate security controls and estimate implementation costs. 06/05/15 39
5.3. Security Controls S They are administrative, technical and physical measures attesting that security policies are observed and followed; S Guarantee and minimize the loss or unauthorized alteration of the information, unavailability of systems, service degradation and the loss of access to systems. 06/05/15 40
5.3. Security Controls (Cont.) S Physical controls: implementation of security controls that prevent unauthorized access to facilities, equipment or systems; S Technical controls: implementing access control technology information stored in IT systems; S Administrative controls: implementation of administrative security controls that prevent access to information intentionally or not. 06/05/15 41
6. Operation Phase S It is the last step that occurs after the migration; S It is a strategic assessment at regular intervals to ensure that the contracted services are within the defined objectives; S Metric analysis process should be established so that there is a contract with enforcement agreed with the supplier; 06/05/15 42
6. Operation Phase (Cont.) S These processes should: S Promote internal information collection to support achievement of a qualitative and quantitative analysis to assess problems and weaknesses to solve; S Attest to the safety and privacy with the rules that are in force; S Monitor the performance of the contract with the supplier guaranteeing that this is being complied with; 06/05/15 43
6. Operation Phase (Cont.) S Analyze similar services from other providers so there is a comparison of the service, conditions, etc... S Ask the supplier for certificates, inspections and audits that guarantee that the processes are maintained and safety checks are laid down in the contract; S Establish billing process monitoring of contracted services and services actually consumed. 06/05/15 44
7. SaaS Example Normal Proccess 1. New worker 2. Notification from the access manager to the helpdesk: email 5. Worker has access 4. Worker notified Problems: Manual process; Slow; Low volume. 3. Access is assured 06/05/15 45
8. SaaS Example 4. Automatic welcome e- mail Work makes request 5. Using application 2. Service invoked automatically Sign up page Beneficts: Automatic; Fast; High volume. Problem: Access restrictions. Access Management Service 3. User registered 06/05/15 46
9. References S http://repositorio.ucp.pt/bitstream/10400.14/16110/1/ Dissertação-Migração%20e%20segurança%20em%20plataformas %20cloud%20computing%20-%20Roberto%20Silva.pdf S https://www.usenix.org/legacy/event/lisa11/tech/full_papers/ Zhang.pdf S http://ieeexplore.ieee.org/xplore/login.jsp?url=http%3a%2f %2Fieeexplore.ieee.org%2Fxpls%2Fabs_all.jsp%3Farnumber %3D6008753&authDecision=-203 S http://regions.cmg.org/regions/stlcmg/files/download/ Presentations_2012-02/CMG%20App%20Migration%20PPT.pptx 06/05/15 47
CLOUD MIGRATION M6807 S