Jun 7, 2021, Consulting, Infrastructure

Moving to the cloud – get there without falling

Jacek Bochenek Cloud and Security Team Leader - CISSP, CISM, CCSP

More and more companies realize that moving to the cloud will give them tangible benefits. But some of the advantages might be important to one company while being completely irrelevant to others. It is very essential to note that moving to the cloud is a process. You can’t just decide one day and say “let’s do it” – although I wouldn’t be surprised if some of the companies just did that – and failed. 

Cloud computing adoption lifecycle

To better understand what steps are involved when moving to the cloud, it is important to understand the most common cloud computing adoption lifecycle. We can identify nine crucial stages:

  1. Proof of concept / Pilot project – this stage lets you understand what you know and what you don’t know about the cloud, and prepares the organization for a more formalized planning and implementation process going forward.
  2. Cloud strategy and roadmap – the goal of this stage is to incorporate the lessons learned from the POC and pilots into a formal cloud strategy development plan. It is very important to formalize the cloud strategy regardless how long it takes.
  3. Cloud modeling and Architecture – the goal of this stage is to perform the necessary cloud modeling and architecture in order to execute the cloud strategy.
  4. Cloud implementation planning – the goal of this stage is to prepare for cloud implementation. It focuses on a selection of appropriate cloud technologies, cloud service providers, and cloud solutions to support your chosen cloud strategy. Deployment models and the necessary governance, operations, support, management, monitoring, and security challenges are addressed in this stage.
  5. Cloud implementation – actual implementation of the previous step.
  6. Cloud expansion – this step of the cloud adoption process is where the enterprise builds on its successful cloud reference implementation to expand its cloud capabilities. 
  7. Cloud integration – the need to integrate cloud capabilities and deployment approaches and to ensure cloud interoperability as cloud computing matures. 
  8. Cloud collaboration – requirements of cross-cloud collaboration, the composition of applications across clouds, orchestration of distributed processes across cloud deployments.
  9. Cloud maturity – the stage where the cloud matures and the next technology wave comes in – not any time soon. 

Key steps of moving to the cloud

As we said earlier, moving to the cloud is a process that will affect our organization, systems, and people. We can identify at least four steps in this process, and should remember that each and every one of them is very important. What are they?

  1. Research and pre-planning
  2. Planning and purchasing
  3. Execution
  4. Operations

Now that we’ve specified the steps, we can go into more specifics. 

Research and pre-planning

Pre-planning can be as crucial as the implementation itself. As with everything we do, it is extremely important to align with the business goals. If the move isn’t in line with the company’s intentions, it can have long term negative effects – wasting resources and placing the business at risk.

The most important question we should ask is “Why exactly are we moving to the cloud”. Even though the answer might seem simple, it certainly is not. If the move to the cloud does not support our business goals, the management will be disillusioned, the cloud will be perceived as irrelevant and ineffective, and the participation in future planning and implementation of the cloud will be reduced.

In this stage, critical things to understand are:

  1. What business problem will it solve?
  2. Who are the internal and external users?
  3. When, where and how will the cloud be accessed?
  4. Is it business critical?
  5. What are the consequences of the cloud being degraded or unavailable at any time?
  6. How will the use of the cloud change over time?

It is also important to do readiness assessments that will cover technology, people and processes. Why is it so essential?

  1. Assess business and technical readiness
  2. It is vital to a successful move to cloud
  3. Helps develop realistic expectations
  4. It can help
    • Prepare a detailed plan
    • Explain how to move to the cloud successfully
    • In what order events should occur
    • Minimize complexity

Planning and purchasing

At this stage, we’re engaging different CSP – Cloud Service Providers to determine different SLA and cloud computing architecture options. We also have to look at where the data will be located, what are different legal requirements, for example GDPR ones. We will also have to determine what is the responsibility of the provider and our local IT. It is called – Shared Responsibility Model.

The SLA should at least:

  • Describe the metrics of each service.
  • Detail the ownerships of data and the right to return to you.
  • Describe the IT infrastructure, security standards and the right to audit.
  • Examine your rights to continue or terminate the service and costs involved with this process.
  • Detail the roles and responsibilities of an organisation and CSP.
  • Detail specific deliverables.

At this stage, it is also very important to decide on the Cloud Computing architecture which is made up of three primary design elements: compute (the computing processing units), storage (the physical / virtual space where cloud data is stored) and networking (the networks that connect cloud technologies). As with other contexts of the word architecture, cloud computing architecture involves determining the needs of the user/system/technology, as well as creating a logical design and standards based on these needs.

The cloud architecture should be designed to provide users with access to required bandwidth, ensuring they have uninterrupted access to secure data and applications, on-demand agile networks with ability to move quickly and efficiently between servers and between different cloud environments.

It is also important to understand data location options before moving to the cloud:

  • Will data be moved outside the country?
  • Will data be moved to other legal jurisdictions?
  • What level of transparency will the CSP allow?
  • How will maintenance and hardware changes affect data?


When moving to the cloud, it is crucial to understand:

  1. Security controls which should at least include:
    • Authorization and access control
    • Provisioning and deprovisioning
    • Directory services
    • User management
  1. Risk assessment – careful analysis of cloud threats and vulnerabilities to determine the extent of adverse impact and the likelihood of occurrence.
  2. Business continuity – a proactive process referring to the procedures an organization implements to ensure mission-critical functions can continue during and after a disaster
  3. Disaster recovery – compromises specific steps an organization must take to resume operations following an incident. Response may vary from seconds to days.

The last three points are extremely important. Failure to do so can put our organisation at risk. 

Operations and maintenance

The key factors in operating a cloud environment are:

  1. Cloud operations – optimization of performance and capacity per business requirements.
  2. Cloud governance – policies and guidelines establishing alignment of investments and security controls.
  3. Performance measures – key metrics to ensure the customer gets what they pay for.
  4. Continuous monitoring – confirms that the set of deployed security controls in a cloud information system remains effective.


  • Cost management – procedures to control costs.
  • Security – enforcement of security requirements across networks, data and asset configuration.
  • Resource consistency – consistent configuration across cloud resources: tools, applications, infrastructure.
  • Identity baseline – identity is consistently applied across all cloud deployments.

Performance measures

  • First document performance baselines to compare with performance specified in the SLA
    • Response times
    • Business logic calculation times
    • Transaction processing times
  • Metrics to watch:
    • Service / system availability
    • Reliability – 
      • MTBF – an average time a service runs before failing. It measures the operational time between failures.
      • MTTR – an average time to fix a failed service
    • Response time – a time to workload to be completed.
    • Security – access control, identity management, privacy – a priority.
    • Latency – a time between submitting a request and receiving a receipt of request.

Continuous monitoring

  • It checks performance, efficiency, effectiveness
  • Checks service level against SLA
  • Detects compliance and risk issues
  • The goal is to:
    • Gain operational visibility
    • Managed change control
    • Incident response


Moving to the cloud is not a trivial task. That’s why every company that doesn’t have an internal well established cloud competency center needs a partner that can help in this process. If you would like to talk about your journey to the cloud, please contact us.