Edy Almer, VP of Product at AlgoSec, looks at the challenges financial institutions face when migrating applications to the cloud.
It’s a common misconception that business applications can be apparated, Harry Potter style, into the cloud: the IT team just presses a few buttons and whoosh, the migration is done. If only it were that easy.
Firstly, although in our experience around 85% of applications can potentially be migrated to the cloud, some applications should not, or cannot, be moved. Legacy applications may be difficult to virtualize, requiring significant development work before they can be migrated. Some applications are sensitive to latency, so for performance reasons they should stay on-premises. Others are governed by data-residency or other regulations that prohibit moving them outside a given jurisdiction or geographic region.
However, even for the majority of applications that are suitable for migration, there are multiple challenges to address if the migration is to be done smoothly and securely. First, the application’s existing network flows need to be mapped, so that the IT team knows which connections it must re-establish after migration. This is extremely hard to do in complex environments. There is usually little or no up-to-date documentation, and trying to understand the requirements and then painstakingly migrate and adjust every firewall rule, router ACL and cloud security group to the new environment by hand is an extremely time-consuming and error-prone process. A single mistake can cause an outage, a compliance violation, or a hole in the business’s security perimeter; a rule that is too narrow breaks the application, and a rule that is too broad exposes it.
It is also a slow process: in AlgoSec’s experience, a team of five experienced consultants can manually map about 25 applications a week. For a typical enterprise running 1,200 applications, that works out at roughly a year of work for the team. If the organization has good documentation of its applications and an accurate configuration management database, it may be possible to cut this time by about half.
Given the resources required to map applications manually, some financial institutions may ask whether they really need to do it before migrating. The answer is definitely yes, unless they plan to move only one or two applications in total, and can afford to manage without those applications for hours or days in the likely event that a problem occurs and connectivity is disrupted. Having comprehensive maps of all the applications to be migrated is essential: this atlas of connectivity flows shows the way forward to smooth, secure cloud migrations.
Ready to move
With an atlas of existing connectivity maps, financial institutions can tackle the migration process itself. This can be done manually using the APIs and dashboards available on every cloud platform, but it is slow work, and it is all too easy to make costly mistakes. Some cloud service providers offer native automation tools, but these usually address only that provider’s environment; they do not provide visibility, automation or change management across your entire estate. Even some third-party cloud management tools that span multiple clouds will not necessarily cover your on-premises networks.
The most effective way to accelerate application migrations is with an automation solution that supports both the existing on-premises firewall estate and the new cloud security controls. Working from the atlas of existing connectivity flows, and from the security and compliance requirements of the new environment, it can accurately define the flows needed after migration. The right automation solution can also discover and map your enterprise applications and their connectivity flows for you, without requiring prior knowledge or manual configuration by the security, networking or application teams.
Institutions can then use the solution to navigate through the actual migration process to the cloud, automatically generating the hundreds of security policy change requests that are needed across both the on-premise firewalls and cloud security controls. This dramatically simplifies a process that is extremely complex, drawn-out and risky, if attempted manually.
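The discovery, translation and review steps described above, reduced to a small script: it aggregates accepted connections from firewall logs into tier-to-tier flows for one application, turns each flow into a single least-privilege inbound security-group rule for the destination tier, and flags any generated rule that would open a tier to the whole internet. This is an added example, not AlgoSec code or output; the key=value log format, the application tiers, the subnets and the addresses are constructed for illustration, and the rule dictionaries are cloud-agnostic rather than any one provider’s API shape.

```python
"""Map an application's observed flows and translate them into security-group rules.

Added example, not AlgoSec's code. Log format, tier names, subnets and
addresses are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: firewall log lines in a hypothetical key=value format,
# covering a payments application's web, app and database tiers.
SAMPLE_LOG = """\
ts=2024-03-01T09:00:01 action=accept src=10.10.1.21 dst=10.20.5.10 proto=tcp dport=8443
ts=2024-03-01T09:00:02 action=accept src=10.10.1.22 dst=10.20.5.10 proto=tcp dport=8443
ts=2024-03-01T09:00:03 action=accept src=10.20.5.10 dst=10.30.9.5 proto=tcp dport=5432
ts=2024-03-01T09:00:04 action=deny src=192.0.2.77 dst=10.20.5.10 proto=tcp dport=22
ts=2024-03-01T09:00:05 action=accept src=10.20.5.10 dst=10.30.9.5 proto=tcp dport=5432
ts=2024-03-01T09:00:06 action=accept src=10.10.1.21 dst=10.20.5.10 proto=tcp dport=8443
ts=2024-03-01T09:00:07 action=accept src=198.51.100.9 dst=10.10.1.21 proto=tcp dport=443
"""

# Constructed inventory (the role a CMDB plays): which subnet belongs to which tier.
TIERS = {
    "payments-web": ipaddress.ip_network("10.10.1.0/24"),
    "payments-app": ipaddress.ip_network("10.20.5.0/24"),
    "payments-db": ipaddress.ip_network("10.30.9.0/24"),
}


def parse_line(line):
    """Parse one key=value log line into a dict; returns None for blank lines."""
    line = line.strip()
    if not line:
        return None
    return dict(field.split("=", 1) for field in line.split())


def tier_of(addr):
    """Return the tier that owns addr, or 'external' if no inventory subnet matches."""
    ip = ipaddress.ip_address(addr)
    for name, net in TIERS.items():
        if ip in net:
            return name
    return "external"


def discover_flows(log_text):
    """Aggregate accepted connections into {(src_tier, dst_tier, proto, dport): hits}.

    Denied traffic is ignored: it is not part of the application's connectivity
    and must not be carried into the new environment as an allow rule.
    """
    flows = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("action") != "accept":
            continue
        key = (tier_of(rec["src"]), tier_of(rec["dst"]), rec["proto"], int(rec["dport"]))
        flows[key] += 1
    return dict(flows)


def flows_to_sg_rules(flows):
    """Translate discovered flows into cloud-agnostic inbound security-group rules.

    One rule per flow, allowing exactly one protocol/port from one source tier
    into the destination tier's group: the least-privilege reading of the map.
    Sources outside the inventory can only be expressed as 0.0.0.0/0 here,
    which is deliberately left for audit_rules() to catch.
    """
    rules = []
    for (src, dst, proto, port) in sorted(flows):
        rules.append({
            "group": dst,
            "direction": "ingress",
            "protocol": proto,
            "from_port": port,
            "to_port": port,
            "source": src if src != "external" else "0.0.0.0/0",
        })
    return rules


def audit_rules(rules):
    """Return (reason, rule) pairs a reviewer must resolve before the change is applied.

    Flags rules open to the whole internet or to every port: the kind of
    single mistake that turns a migration into a hole in the perimeter.
    """
    findings = []
    for rule in rules:
        if rule["source"] == "0.0.0.0/0":
            findings.append(("world-open source", rule))
        if rule["from_port"] == 0 and rule["to_port"] == 65535:
            findings.append(("all ports", rule))
    return findings


if __name__ == "__main__":
    discovered = discover_flows(SAMPLE_LOG)
    generated = flows_to_sg_rules(discovered)
    for reason, rule in audit_rules(generated):
        print(f"REVIEW: {reason}: {rule}")
```

On the constructed sample, the script produces three rules (web to app on tcp/8443, app to db on tcp/5432, and internet to web on tcp/443) and one finding: the inbound 443 rule on the web tier is world-open because its source was not in the inventory. That is the right outcome for a review gate; the fix is to narrow the source to the known load-balancer range, not to approve the rule as generated. The denied SSH attempt from 192.0.2.77 never becomes a rule.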
After the applications have been migrated, the same automation solution can provide unified security policy management for the entire enterprise environment, on-premises and cloud, from a single console.
While there isn’t yet a method for apparating applications instantly into the cloud, automation makes the process both fast and relatively pain-free by eliminating time-sapping, error-prone manual processes, such as connectivity discovery and mapping, during the migration itself, and in ongoing management.