Cloud migration is the process of moving applications, data, or other business elements from an organization’s onsite computers to the cloud, or moving them from one cloud environment to another.
Cloud computing has come a long way over the years. Moving to the cloud is serious business. Only a few enterprises have managed to master the art of cloud migration. There are several common mistakes companies make when it comes to cloud migration. Perhaps the most common and the most expensive is failing to plan for compliance before beginning a cloud migration.
The mistake most companies make is failing to realize that compliance in the cloud looks different than it did when all their data was stored on-premises. When migrating to the cloud, companies give up some control over their data and share responsibility with a cloud provider. The key is in understanding where the cloud is strong, where it is weak, and revising your IT governance accordingly.
Many organizations struggle with how they want their cloud to look, often so anxious to move that proper planning is ignored. Whether adopting PaaS, IaaS, or SaaS, properly planned governance and security foundations are key to ensuring a protected and controlled environment.
Building Governance and Security foundations in Azure
Before loading mission-critical workloads or data, ensure your foundational governance model considers your organization’s operational, security, and compliance requirements without slowing down your adoption. Scale your business cloud footprint with peace of mind while leveraging the agility offered by cloud resources.
There are 7 top design considerations when laying the foundational components of a structured governance model in Azure:
- Accounts/enterprise agreement: The cornerstone of governance, allowing for subdivisions into departments, accounts, and subscriptions.
  - Best practice: Use an O365 mailbox, or a monitored on-premises mailbox whose account is synchronized to O365, to automate assignment and revocation as part of your Identity and Access Management policies.
- Subscriptions: This is the administrative security boundary of Azure, containing all resources and defining several limits, including the number of cores and resources.
  - Best practice: Design the organizational hierarchy, keeping in mind that one or multiple subscriptions can only be associated with one Azure AD at a time. Plan based on how your company operates, understanding the impact on billing, resource access, and complexity specific to your needs.
  - Tip: Keep the subscription model simple but flexible enough that it can scale as required.
- Naming standards: Cohesiveness is key for locating, managing, and securing resources while minimizing complexity. Leverage existing standards to use a similar naming scheme for resources.
  - Best practice: Review and adopt the patterns and practices guidance to help decide on a meaningful naming standard, and consider using Azure Resource Manager policies to enforce it.
- Resource policies and resource locks: Mitigate cost overruns, data residency issues, or accidental outages that can bring your organization down. For example, if your workload is subject to regulations that require its data to be created in a Canadian-based Azure location, create a policy preventing compute resources from being created outside of Azure Canadian regions to ensure adherence to the compliance policies mandated for certain types of data. To keep dev-test resource groups within budget, ensure only specific types of VMs can be created. For labeling, create a policy that enforces tagging so that production environment resources are distinguished from dev/test resources at the time of creation.
  - Tip: Use resource locks to ensure certain key resources can’t be easily deleted.
- Implement a least-privilege access model: Permissions are inherited from the subscriptions to the resource groups and the resources within them, including storage, network, and VMs.
  - Best practice: Delegate access based on need and tasks, and at the resource group level. For example, cloud operators can be added to the Virtual Machine Contributor role for the resource groups they manage, as opposed to the subscription level. For additional security, also enforce Multi-Factor Authentication for access to resources by privileged accounts.
- Implement Azure Security Center and Azure Advisor: Understand your current security posture by enabling Azure Advisor and Azure Security Center, which will allow you to:
  - Apply policy to ensure compliance with security standards.
  - Find and fix vulnerabilities before they can be exploited across VMs, networks, and storage.
  - Optimize your Azure resources for high availability, security, performance, and cost.
  - Implement personalized recommendations with ease.
- Control subscription costs: Understand and control your Azure subscription expenses by implementing Azure Cost Management across your subscriptions to ensure you can:
  - Prevent unexpected charges
  - Control cost allocation and chargebacks
  - Optimize your Azure consumption costs
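The data-residency example from the resource policies item above, written as an Azure Policy definition. This is an added illustration, not a policy taken from the original article or from Lumen21; the display name, description, and the choice to expose the effect as a parameter are assumptions, while `canadacentral` and `canadaeast` are the two Azure regions located in Canada.

```json
{
  "properties": {
    "displayName": "Example: compute resources only in Canadian regions",
    "description": "Illustrative definition. Flags or blocks any Microsoft.Compute resource whose location is outside the allowed list.",
    "policyType": "Custom",
    "mode": "Indexed",
    "parameters": {
      "allowedLocations": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed locations",
          "description": "Regions in which compute resources may be created.",
          "strongType": "location"
        },
        "defaultValue": ["canadacentral", "canadaeast"]
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Audit reports non-compliant resources; Deny rejects the request at creation time."
        },
        "allowedValues": ["Audit", "Deny"],
        "defaultValue": "Deny"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "type", "like": "Microsoft.Compute/*" },
          { "field": "location", "notIn": "[parameters('allowedLocations')]" }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

Assigning it first with the `Audit` effect at the subscription or resource group that holds the regulated workload shows which existing resources fall outside the allowed regions before `Deny` starts rejecting new deployments.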
Lumen21 is the Microsoft Azure Cloud partner of the year 2016. As a HITRUST validated cloud environment for both AWS and Microsoft Azure, we follow most of the above guidelines and can help with the configuration, guidance, and management of your Microsoft Azure or AWS environments. For more details, visit www.lumen21.com