The Doppler Quarterly Summer 2016 | Page 66

when it comes time to migrate 50 or 100 applications, other groups within your company (Risk, Legal, Finance, etc.) know what to expect.
Look for these characteristics when selecting your MVC Pilot Application:
• Has sensitive data - You want sensitive data in the MVC 1.0. Why? Because the organization needs to care about what you are doing. Avoiding the topic of sensitive data only kicks the can down the road. Deal with this issue up front and resolve concerns early.
• Has fewer than 10 servers - Do not try to boil the ocean. Moving a large application is not the point of the pilot. Pick something that is manageable, but meaningful.
• Can “Lift and Shift” - Stay away from refactoring or rewriting an application. These are long and often drawn-out processes that will delay your effort. Find an application that has OS and database services that are supported by your cloud provider.
• Has a Bastion host - A Bastion host is an internet-facing portal that allows developers to access the application from outside. Although optional, this is an important organizational step, because the Risk and Compliance business units tend to get queasy when you open the cloud platform to the internet. If you are developing code, this will need to happen - if not in MVC 1.0 then definitely in MVC 1.1 or 1.2.
• Has cooperative application owners - Seems like a no-brainer, but let’s not overlook the importance of an application that is owned by a team who wants to go to the cloud. All app owners are not equal, so choose wisely.
#7 - Perform a Security & Governance Gap Assessment
CTP’s Cloud Adoption Program is very prescriptive. After hundreds of cloud engagements, we discovered that the cloud security technologies used from client to client are nearly identical. There are repeatable patterns of reference architectures that form a baseline by which we can assess gaps in your program. We have built those repeatable patterns into the MVC model, and the patterns are standard with every MVC we build.
What is often missed, however, is the assessment of the Security and Governance control objectives that map to the repeatable patterns in the MVC. The control objectives may range greatly from client to client, with some requiring PCI and SOX regulations, and others adhering to NIST, FISMA and many other industry standards. The challenge is understanding how these standards and regulations map to your cloud program.
The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. The CSA has produced the Cloud Controls