CLOUD MIGRATION. Celina Alexandre M6807

CLOUD

MIGRATION

Celina Alexandre

M6807

Content

1. Introduction

2. Methodology

3. Requirements Definition Phase

3.1. Strategy 3.2. Knowledge

Content

4. Analysis Phase

4.1. Aplications and Systems 4.2. Development Model

Content

4.3. Service Model

4.3.1. SaaS Migration Considerations

4.3.2. PaaS Migration Considerations

4.3.3. IaaS Migration Considerations 4.4. Provider Avaliation

Content

5. Security Phase

5.1. Migration Tests 5.2. Security Policies 5.3. Security Controls

Content

6. Operation Phase

7. SaaS Example – Normal Proccess

8. SaaS Example

1. Introduction

S  The term cloud is everytime presente in our daily life;

S  Looking at the advantages, companies have started to think about

it as an appealing option;

S  However, for some companies using cloud services can presente

1. Introduction

(Cont.)

S  When using cloud services becomes an option, one should

always take into account security issues, analyzing them, finding solutions to mitigate them;

S  A good organization plan should be presente in all projects

1. Introduction

(Cont.)

S  That being said, one should always have presente a good

methodology that helps create a good tasks planning;

S  4 Phases Methodology (Walter Andrew Shewhart, 30’s):

S  Plan;

S  Do;

S  Check;

2. Methodology

S  Based on the methodology presented before, in the 50’s,

Edward Deming proposed that the business processes, as well as the systems, should be monitorized, measured and analyzed continuously identifying more easily faults and measures to correct them;

2. Methodology

(Cont.)

S  Deming Plan-Do-Check-Act:

S  Plan: identification phase of what can be improved and all the

necessary changes;

S  Do: changes implementation phase;

S  Check: obtained results analysis phase;

3. Requirements Definition Phase

S  One of the most important phases in all projects;

S  Well defined and clarified objectives;

S  Organization expertise level identification;

S  Requirements definition (need of learning);

3.1. Strategy

S  The plan should include:

S  Risks and threats;

S  Applications and systems;

S  Well defined objectives;

S  Infrastructures and technologies in the new service;

3.1. Strategy

(Cont.)

S  Clear and suficient information to answer questions like:

S  Should the migration project be abandoned? Reduced? Delayed?

S  The cloud services are the most suitable for the business?

3.2. Knowledge

S  The plan before described should be able to make a

complete assessment of the thecnical knowledge needed;

S  With these plans there is an assurance that the project can

be accomplished and that all involved have a common definition of the topic at hand: cloud computing.

4. Analysis Phase

S  In the analysis phase the applications and systems ready to

migrate are identified;

S  An analysis of the development models should be made,

based on efficiency, economic beneficts, agility and inovation.

4.1. Aplications and Systems

S  A careful analysis should be made to evaluate what’s best;

S  These can vary from organization, depending on the

4.1. Aplications and Systems

(Cont.)

S  The analysis should be made with basis on the following

classification:

S  Availability: identify minimum requirements;

S  Latency: identify the minimum latency requirements for each

application;

S  _{Integration: level of integration, integrated applications can}

complicate the proccess, unlike stand-alone ones;

4.1. Aplications and Systems

(Cont.)

S  In terms of security it is necessary to evaluate:

S  Security: data security requirements and available system

encryption options;

S  Privacy and Confidentiality: security requirements that allow the

control of privacy and confidentiality;

S  Integrity: assure information integrity using redundancy, etc.

4.2. Development Model

S  There are several facts to consider, for exemple: economic

and security issues;

S  Organizations may choose to use a private or public cloud,

4.2. Development Model

(Cont.)

S  The following table shows a brief analysis of both cloud

models:

Factor Public Cloud Private cloud

Costs

•  Low cost;

•  Only pay for the necessary services; •  Cloud provider in charge of the •  High cost: - Instalation; - Configuration; - Maintenance. •  Access to the available

4.2. Development Model

(Cont.)

Factor Public Cloud Private cloud

Security

Suitable for information or services not critical for the organization.

Suitable for information or ser vices critical for the organization.

4.2. Development Model

(Cont.)

Factor Public Cloud Private cloud

Threats

•  Limited Infrastr ucture control since it is in charge of the cloud provider;

•  Requires good security policies that should be assured in the contract.

Controls to protect the private cloud can be implemented.

4.2. Development Model

(Cont.)

Factor Public Cloud Private cloud

Scalability

High, virtually infinite, o n l y l i m i t e d b y t h e contract between cliente and provider.

Low, limited to the i n f r a s t r u c t u r e a n d m o n e t a r y r e s o u r c e s available.

4.3. Service Model

S  In choosing from the several servisse models, Software as a

Service (SaaS), Platform as a Service (PaaS), Infrastructure as a

Service (IaaS), it is necessary to take into consideration the

organization business requirements;

S  Have knowledge of the requirements for the type of system

4.3.1. SaaS Migration

Considerations

S  Security options restricted at the application level;

S  Model used for colaboration applications, i.e., e-mail,

productivity, Customer Relationship Management (CRM), or specific sectors, like logistics;

4.3.1. SaaS Migration

Considerations

(Cont.)

S  Since comunication is done via Internet, it should be

considered to use encryption system (proprietary or from other entities);

S  For critical information it should not only used its own

encryption systems , as well as encryption of data stored on the provider 's infrastructure.

4.3.2. PaaS Migration Considerations

S  The PaaS offer lies mostly in a complete development

environment;

S  It is an indicated model for own or custom applications or

custom applications, security services, databases services, etc.

4.3.2. PaaS Migration

Considerations

(Cont.)

S  Security considerations cover the access control and

authorization, operation in shared environments, information and data;;

S  This model operates on a shared environment, so a strong

authentication framework is essential to ensure that access to information is made only by those with permission.

4.3.3. IaaS Migration

Considerations

S  The vendor provides a complete infrastructure to its customers;

S  Customers can install and provide services and resources to

internal and external users;

S  It applies primarily to disk space, computing, storage, web page

4.3.3. IaaS Migration

Considerations

(Cont.)

S  The customer must ensure that the implemented security

controls can effectively separate and secure virtual machines, use of memory, network and storage resources;

S  As in previous models, encryption methods must be

4.4. Provider Avaliation

S  This is a complex process which should check comparative

standards, in a way that enables a real comparison between the different potential providers of services;

S  This analysis should focus the following:

S  _{Services, data and applications integration: analyze the existing}

infrastructure integration features in the organization with the services provided by the cloud provider;

4.4. Provider Avaliation

(Cont.)

S  _{Protect data and information: analyse which encryption}

systems the provider has available;

S  _{Performance: make admission tests to make sure it is not too}

slow;

S  _{Contract negotiations: conform key settings, such as}

4.4. Provider Avaliation

(Cont.)

S  _{Physical security: check safety standards for implemented}

installations and what evidence can be provided;

S  _{Product support : confirm the inclusion of technical support in}

the contract and the additional costs of providing this service. Also check the time in which this is available and what training and certification the support team has;

S  References: request a list of all customers, preferably up to date,

5. Security Phase

S  At this stage we define controls attesting that the security is effective

and observed;

S  Migration tests should be planned, tested and performed to allow a

good decision of when and how the migration of applications, data and information should be conducted;

5.1. Migration Tests

S  Migration tests are one of the final steps;

S  The planning and execution of migration may vary depending on

whether the classification of the application: essential or imply losses for the company if it is stopped;

S  If the application is classified as in the previous topic this the

migration should be achieved in phases, coexisting both infrastructures;

5.1. Migration Tests

(Cont.)

S  The information collected in all the previous steps should be

used for creating tests;

S  A well made and applied test plan will assure a cloud

5.1. Migration Tests

(Cont.)

S  In these tests , the following features should be analyzed:

S  Confirm the integrity of the data;

S  Set recovery plans and disaster response ;

S  Check the need for training workers whose job is to answer

questions or problems of users;

5.2. Security Policies

S  Approved by the management of the organization;

S  A security policy should have (Winkler, 2011):

S  Identification of all resources and systems we want to protect;

S  Identify vulnerabilities, threats and exposure to threats;

S  Measures to protect resources, evaluate security controls and

5.3. Security Controls

S  They are administrative, technical and physical measures

attesting that security policies are observed and followed;

S  Guarantee and minimize the loss or unauthorized alteration

of the information, unavailability of systems, service degradation and the loss of access to systems.

5.3. Security Controls

(Cont.)

S  _{Physical controls: implementation of security controls that}

prevent unauthorized access to facilities, equipment or systems;

S  _{Technical controls: implementing access control technology}

information stored in IT systems;

S  _{Administrative controls: implementation of administrative}

security controls that prevent access to information intentionally or not.

6. Operation Phase

S  It is the last step that occurs after the migration;

S  It is a strategic assessment at regular intervals to ensure that

the contracted services are within the defined objectives;

S  Metric analysis process should be established so that there is

6. Operation Phase

(Cont.)

S  These processes should:

S  Promote internal information collection to support achievement

of a qualitative and quantitative analysis to assess problems and weaknesses to solve;

S  Attest to the safety and privacy with the rules that are in force;

S  Monitor the performance of the contract with the supplier

6. Operation Phase

(Cont.)

S  Analyze similar services from other providers so there is a

comparison of the service, conditions, etc ...

S  Ask the supplier for certificates, inspections and audits that

guarantee that the processes are maintained and safety checks are laid down in the contract;

S  Establish billing process monitoring of contracted services and

7. SaaS Example – Normal

Proccess

1. New worker

2. Notification from the access manager to the helpdesk: email 4. Worker notified 5. Worker has access Problems: •  Manual process;

8. SaaS Example

Work makes request

Sign up page 5. Using application 4. Automatic welcome e-mail 2. Service invoked automatically Access Management Service 3. User registered Beneficts: •  Automatic; •  Fast; •  High volume. Problem: •  Access restrictions.

9. References

S  http://repositorio.ucp.pt/bitstream/10400.14/16110/1/ Dissertação-Migração%20e%20segurança%20em%20plataformas %20cloud%20computing%20-%20Roberto%20Silva.pdf S  https://www.usenix.org/legacy/event/lisa11/tech/full_papers/ Zhang.pdf S  http://ieeexplore.ieee.org/Xplore/login.jsp?url=http%3A%2F %2Fieeexplore.ieee.org%2Fxpls%2Fabs_all.jsp%3Farnumber %3D6008753&authDecision=-203 S  http://regions.cmg.org/regions/stlcmg/files/Download/

S

CLOUD

MIGRATION

Celina Alexandre

M6807