Elevating to the Cloud:
Commonly Asked Questions About Migrating To A Cloud Provider
By Tony Abate
There are myriad reasons to migrate your infrastructure, in whole or in part, to a cloud provider: a lower total cost of ownership, easier management and administration, enhanced security controls, and the ability to add resources quickly and in large amounts. None of these gains is guaranteed, however, and preparing for the move to a cloud provider can be the most important technology project your organization undertakes. Our goal with this blog is to offer guidance on some of the more common questions we are asked when we on-board a new customer to Nova, the Nlets Secure Cloud Platform.
Can I Move My Existing Virtual Machines?
The answer varies from provider to provider. While moving a virtual machine as-is seems technically feasible, there are other things to consider. Licensing for the operating system and installed software may not transfer once the virtual machine is in a cloud provider's environment, which means new licensing may need to be obtained and installed. The act of taking the files that make up a virtual machine and uploading them to a cloud provider also requires coordination and configuration on the provider's part, and they may see that as a time and resource expense that is not worth the effort outside of specific circumstances. For example, when our clients first migrate to Nova, we assign a Project Manager to the deployment, so staff resources are already available to assist with a VM migration; other providers may not have as many resources available. That is why finding out whether you can move your existing virtual machines is an important question to ask your cloud provider. The answer can be the difference between a seamless transition and essentially a rebuild of your entire environment.
How Do I Manage My Environment?
This is an important question because managing your environment is at the heart of what cloud computing really is. Despite buzzwords, sales pitches, and grandiose descriptions of what cloud computing can accomplish, the core function of the cloud is to run your workloads on someone else's computer. When your servers and software run in an environment you do not fully control, the question of managing that environment becomes more nuanced. All providers offer at least some management capability that lets you perform the basic steps necessary to connect to and manage your servers and applications, but there are security concerns to consider. Exposing standard management protocols such as Remote Desktop Protocol (RDP) and Secure Shell (SSH) directly to the public internet is discouraged. On premises those listeners were reachable only from your internal network; an internet-facing RDP or SSH port is a standing target for brute-force and stolen-credential attacks, and a single overly broad firewall rule (for example, allowing port 3389 from any source) is all it takes to expose it. Nova offers a secure 'Console Connect' feature that uses certificate authentication to establish a secure connection to virtual machines and allows for network and firewall rules to reduce your attack surface for public-facing servers in general. Whatever your provider offers, establish the management paths up front, restrict management ports to those paths with network and firewall rules, and review those rules regularly so access stays consistent and secure.
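One way to make the "review those rules regularly" step concrete is to audit inbound firewall rules for management ports that are reachable from anywhere other than your trusted management path. The script below is an added example, not Nova's or any provider's code. It uses a hypothetical, simplified rule format (real security groups, NSGs and VPC firewalls have their own schemas, but the check is the same), and the trusted CIDR `10.20.0.0/16`, the sample rules and the `203.0.113.0/24` partner range are constructed for the example.

```python
"""Audit inbound firewall rules for management ports exposed outside a trusted path.

Added example; the Rule format and all CIDRs below are hypothetical/constructed.
"""
import ipaddress
from dataclasses import dataclass

# Ports used for direct host management. These are the usual targets for
# brute-force and credential-stuffing when reachable from the public internet.
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM-HTTP", 5986: "WinRM-HTTPS"}

# Hypothetical on-premises range reached over the Site-to-Site VPN. Management
# traffic is only expected from here (or from the provider's own console path).
TRUSTED_SOURCES = [ipaddress.ip_network("10.20.0.0/16")]


@dataclass(frozen=True)
class Rule:
    name: str
    protocol: str   # "tcp", "udp" or "any"
    port_from: int
    port_to: int
    source: str     # source CIDR
    action: str     # "allow" or "deny"


def is_untrusted_source(source: str) -> bool:
    """True if the CIDR is the whole internet or lies outside every trusted range."""
    net = ipaddress.ip_network(source, strict=False)
    if net.prefixlen == 0:          # 0.0.0.0/0 or ::/0
        return True
    # subnet_of() raises on mixed IP versions, so compare versions first.
    return not any(net.version == t.version and net.subnet_of(t) for t in TRUSTED_SOURCES)


def find_exposed_management_rules(rules):
    """Return (rule name, service, port, source) for every allow rule that opens a
    management port to a source outside TRUSTED_SOURCES. Deny rules and UDP-only
    rules are skipped; 'any' protocol counts as TCP."""
    findings = []
    for r in rules:
        if r.action != "allow" or r.protocol.lower() not in ("tcp", "any"):
            continue
        if not is_untrusted_source(r.source):
            continue
        for port in sorted(MANAGEMENT_PORTS):
            if r.port_from <= port <= r.port_to:
                findings.append((r.name, MANAGEMENT_PORTS[port], port, r.source))
    return findings


# Constructed sample rule set: a mix of safe, exposed, and deny rules.
SAMPLE_RULES = [
    Rule("allow-ssh-from-anywhere", "tcp", 22, 22, "0.0.0.0/0", "allow"),       # exposed
    Rule("allow-rdp-from-vpn", "tcp", 3389, 3389, "10.20.5.0/24", "allow"),     # trusted path
    Rule("allow-web", "tcp", 443, 443, "0.0.0.0/0", "allow"),                   # not a mgmt port
    Rule("allow-all-ipv6", "any", 0, 65535, "::/0", "allow"),                   # exposes all four
    Rule("deny-rdp-public", "tcp", 3389, 3389, "0.0.0.0/0", "deny"),            # deny, skipped
    Rule("allow-winrm-partner", "tcp", 5985, 5986, "203.0.113.0/24", "allow"),  # narrow but untrusted
]


def main():
    findings = find_exposed_management_rules(SAMPLE_RULES)
    if not findings:
        print("No management ports exposed outside trusted sources.")
        return
    for name, service, port, source in findings:
        print(f"[EXPOSED] rule '{name}' allows {service} (tcp/{port}) from {source}")


if __name__ == "__main__":
    main()
```

A narrow but untrusted source such as the partner range is still reported: the point of the check is that management traffic should only arrive over the path you agreed with your provider, not merely from "somewhere smaller than the whole internet". Extend `TRUSTED_SOURCES` with the provider's console or bastion range if that is part of your agreed management path.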
What is a Hybrid Cloud?
In the earlier days of cloud computing, there was a large push to move entire datacenter environments into a cloud provider. Over time, this approach proved more difficult and expensive than initially thought, so a new paradigm, the hybrid cloud, emerged to address those issues. A hybrid cloud is a scenario where you maintain a presence with a cloud provider but also preserve a local datacenter footprint. This allows for a more flexible infrastructure and ensures resources are where they need to be for the most cost-effective and productive solution. Connectivity between the on-premises and cloud environments is usually provided by a Site-to-Site Virtual Private Network, but some providers also offer more direct mechanisms. For example, Nova offers a Site-to-Site VPN as well as a Hybrid Colo approach that allows your physical and cloud environments to co-exist within the Nlets datacenter. This is a key component because the connection between on-premises and cloud environments extends the trust boundary of both: traffic crossing it must be protected, and how it is protected will be examined during an audit, such as an audit to assess compliance with the CJIS Security Policy.
Will My Environment be Compliant with CJIS?
The Criminal Justice Information Services (CJIS) Security Policy is developed collaboratively with law enforcement agencies and managed by the FBI's CJIS Division. The FBI's Advisory Policy Board (APB) meets regularly to update the policy language as needed. It is essentially a set of rules to abide by when storing, processing or transmitting criminal justice information. You may see or hear the term 'CJIS certified', but it is important to understand that there is no such thing as a 'CJIS certification'. Instead, security controls and documentation are implemented to be compliant with the CJIS Security Policy. The FBI audits CJIS Systems Agencies (CSAs) to ensure compliance with the policy, and it audits only CSAs.
In other words, a cloud provider's environment may be fully compliant with the CJIS Security Policy, but that does not mean it has been audited, nor does it mean your environment is CJIS compliant. This is because in a cloud model there are three areas of responsibility. The Service Provider is the organization that owns and maintains the cloud infrastructure, and the Tenant is the organization hosted in the Service Provider's cloud. Finally, there are the Shared responsibilities, governed jointly by the Tenant and the Service Provider. If all three areas follow CJIS Security Policy standards, the environment can be said to be CJIS compliant, but that still does not mean it has been audited by the FBI or a CSA. As an example, Nova is audited as part of Nlets' audit by the FBI, so our Service Provider area has been found compliant. The Nlets Risk & Compliance department audits Nlets Strategic Partners' Tenant responsibilities and our own Shared responsibilities. As a CSA, Nlets can perform this audit and determine compliance.
However, an organization can also be audited by individual CSAs other than the FBI and work with those CSAs directly. This creates a scenario where your environment and your cloud provider's environment have been audited by one CSA, which is therefore willing to partner with you, while another CSA may not be until it performs its own audit of your environment. It is a complicated area that requires due diligence and discussion with your cloud provider, as well as with any CSAs you plan to work with, to determine whether your environment is CJIS compliant.
These are just some of the questions people have about migrating to a cloud provider. Ultimately, it is important to track expectations against realized gains, both as the migration takes place and after it is complete, to determine whether it was the right decision. With plenty of research, discussion, and the right questions asked up front, you can put your organization in a better position than it was when the migration is complete. We are always happy to answer questions, so please feel free to leave a comment or contact our team via firstname.lastname@example.org.