Transitioning Traditional Apps into the Cloud
Contributed by Intezer
For organizations, cloud adoption is the primary driver of digital transformation, and modernizing traditional applications to cloud constructs is a major milestone. Cloud opens up a world of opportunities, with a choice of IaaS, PaaS, and SaaS as deployment models.
Organizations must decide what kind of transformation is preferred or achievable. It’s easiest to lift and shift workloads. This involves moving machines from on-premises as-is to the cloud by replicating the disks, so there are no OS-level or application-level changes. At a high level, the workload migration approach involves redeploying an application to a new environment in the cloud. However, some applications might need additional code-level changes or refactoring to use modern cloud capabilities like PaaS, database-as-a-service, or serverless functions.
In this article we explore the different considerations when you plan to move your applications to cloud environments. How do you make the transition without overhauling your entire application stack? What are the security implications and how can you make this move without creating additional risks?
Transitioning to the Cloud: Migration Considerations
Traditionally, on-premises applications have been built as monoliths, i.e., multiple components tightly coupled together, so that any changes or updates might impact the functionality of the entire stack. Though converting them to loosely coupled microservices-based architecture in the cloud is beneficial and should be the goal in the long run, it doesn’t have to be the first step you take when transitioning your applications to the cloud.
Start with a simple lift and shift to IaaS model, which is always a quick win. In lift and shift, you don’t make any changes to the application configuration. Instead, you “lift” the on-premises machine’s disks as is and “shift” them to the cloud, with no OS- or application-level changes. This also works if your applications are already containerized, as all leading cloud service providers offer full-fledged container ecosystems, including managed containers, Kubernetes clusters, and container registry. You can simply move your container images to a cloud-based container registry and deploy them to container hosting services in the cloud.
Security in the cloud is different from on-premises security and legacy workloads, where more emphasis is placed on perimeter and network security. Applications cannot be considered successfully transformed unless the process is secure and aligned with a defined set of cloud-security controls. If configured correctly, these controls can provide multilayer protection for your workloads that’s much more advanced than what you can achieve in on-premises deployments.
Let’s explore how to make the best use of the right services, controls, and configurations while transitioning applications to the cloud.
Customers can choose from cloud servers, containers, serverless functions, or PaaS solutions that provide compute resources for the applications transitioned to the cloud. If you want end-to-end control of your application stack, IaaS services like Amazon EC2 or virtual machines in Azure and GCP would be the best choice. This approach helps you to transition applications—even monolithic applications—to the cloud as-is, without much overhead. Most often it involves replicating or importing disks to the cloud.
Some organizations prefer phased migrations, where sensitive data remains on-premises while applications move to the cloud first. Secure access to the cloud through hybrid connectivity is recommended for such transitions. A hybrid connection is used to securely connect your on-premises systems to resources deployed in the cloud. This can either be a virtual private network (VPN) or a dedicated network connection to the cloud service provider’s data center. The cloud offers more-granular security controls than on-premises deployments, from the application’s access perimeter through to protection against in-memory vulnerabilities.
Cloud service providers offer a plethora of storage choices, including object storage, in addition to the block storage commonly used on-premises. Block storage is the cloud equivalent of the physical or virtual disks used on-premises, and it can be based on SSD or HDD. You need to select the storage that is the best fit while transitioning to the cloud, based on the applications’ performance requirements. For example, SSD drives support faster reads/writes and can be used when you migrate your databases to the cloud.
When you transition applications, the first step will be to capture requirements like capacity, expected data growth rate, and disk performance, and map them to available storage SKUs. If you are refactoring applications so they can benefit from cloud storage PaaS services, you can consider object storage solutions like AWS S3 or Azure storage for unstructured text or binary data. Object storage is cheaper and is much more flexible, as data can be easily accessed by applications through simple API calls. The pay-as-you-go model helps you grow your storage on demand without paying for costly storage upfront.
In all these cases, the options for securely migrating data to the cloud become a key deciding factor. You can use hybrid connectivity to migrate smaller datasets, but you’ll have to check for specialized solutions when you have petabytes of data to be migrated. AWS Snowcone, Snowball, and Snowmobile are examples of secure data-transport-service solutions that encrypt data and give the customer full control over the process. In Azure, you can use a disk-based import/export service or request that Data Box devices transport the data. GCP also provides a transfer appliance with maximum capacity of up to 480 TB.
All leading cloud service providers have DBaaS solutions for popular DB platforms like SQL, MySQL, PostgreSQL, and MariaDB. With DBaaS, you can focus on migrating your data, as the underlying infrastructure is managed by the cloud service provider. DBaaS solutions also have several built-in security features, like network encryption, Transparent Data Encryption, SSL/TLS connections to DB instances, access protection through cloud identities, and restricted network access.
Customers can leverage the native DB features, i.e., backup/restore or replication, to transition the data from on-premises to cloud. They can also use database migration services offered by leading cloud providers like AWS and Azure, or third-party migration services.
Some customers might want to retain the data on-premises due to compliance restrictions or organization-specific restrictions. In such cases, you can consider hybrid architectures that retain data on-premises with high-speed dedicated connectivity to other application components in the cloud. However, it is recommended to evaluate specific requirements in each case and then make your decision, as security controls for databases in the cloud are second to none and are often more advanced than what is available on-premises.
If your applications are already containerized, you have several options in the cloud for a lift and shift transition: container PaaS services, managed Kubernetes clusters, container registry services, and DIY Kubernetes clusters and registries, to name a few.
Kubernetes is the industry favorite container-orchestration platform. It has recently gained a lot of traction in the cloud, with every cloud service provider coming up with a version of managed service that takes care of control plane configuration for you, such as Azure Kubernetes Service (AKS), Elastic Kubernetes Service (EKS), and Google Kubernetes Engine (GKE). To achieve the transition, you could redeploy your on-premises container images to these platforms with minimal or no change. Tools like GCP Anthos and Azure Arc-enabled Kubernetes support hybrid deployment of containers and low-touch secure migrations.
Network and Hybrid Connectivity
When you’re transitioning applications to the cloud, designing the target network is one of the foundational activities. Cloud networks are virtualized and are much more flexible and agile than their conventional on-premises counterparts. You can ensure the security of transitioned workloads through microsegmentation of the network and control of traffic flow between application components.
The cloud also offers multiple load balancing solutions to ensure that traffic is evenly distributed. If your applications are exposed to the internet, you can consider cloud-based firewall services as a frontend to protect them from evolving threats in the cloud.
You will need to retain hybrid architectures during the transition phase or even in the long run, since some applications might remain on-premises due to migration constraints. You can achieve hybrid connectivity to the cloud in such scenarios through VPN connections or through dedicated connectivity solutions such as Azure ExpressRoute, AWS Direct Connect, and GCP Dedicated Interconnect. For large-scale deployments, dedicated connectivity to cloud service providers is the recommended solution because they offer enhanced security, assured bandwidth, and SLAs.
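The microsegmentation described in this section means writing down which tier may talk to which, and then checking that the actual firewall or security-group rules allow nothing beyond that. The following is an added example, not code from the article or from Intezer: a small Python check that evaluates ingress rules in a constructed, cloud-agnostic shape (the tier names, the `sg-` source prefix, and the allow-list of flows are all assumptions made for the example) against an explicit allow-list of the flows a three-tier application needs. It flags rules that open the web tier's SSH port to the internet, rules that open wide port ranges, and rules that let the web tier reach the database directly.

```python
"""Microsegmentation check for a three-tier application after lift and shift.

Added example (not from the original article): evaluates ingress rules, in a
constructed cloud-agnostic shape, against an allow-list of the traffic flows
between tiers that the application actually needs.
"""
from ipaddress import ip_network

# Allow-list of flows the application needs: (source, destination tier, port).
# "internet" stands for any public CIDR such as 0.0.0.0/0. Constructed for this example.
ALLOWED_FLOWS = {
    ("internet", "web", 443),
    ("web", "app", 8080),
    ("app", "db", 5432),
    ("bastion", "db", 22),  # hypothetical admin path; drop it if there is no bastion
}

# RFC 1918 ranges; anything outside them is treated as reachable from the internet.
PRIVATE_RANGES = [ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed ingress rules in the shape a posture scan might produce from a
# provider's security-group or firewall API. Not real output from any cloud.
# Protocol "-1" follows the common convention for "all protocols".
INGRESS_RULES = [
    {"tier": "web", "protocol": "tcp", "from_port": 443, "to_port": 443, "source": "0.0.0.0/0"},
    {"tier": "web", "protocol": "tcp", "from_port": 22, "to_port": 22, "source": "0.0.0.0/0"},
    {"tier": "app", "protocol": "tcp", "from_port": 8080, "to_port": 8080, "source": "sg-web"},
    {"tier": "db", "protocol": "tcp", "from_port": 5432, "to_port": 5432, "source": "sg-app"},
    {"tier": "db", "protocol": "tcp", "from_port": 0, "to_port": 65535, "source": "10.0.0.0/8"},
    {"tier": "db", "protocol": "-1", "from_port": 0, "to_port": 0, "source": "sg-web"},
]


def classify_source(source: str) -> str:
    """Map a rule source to a tier name, a private CIDR label, or 'internet'."""
    if source.startswith("sg-"):
        return source[3:]  # assumed naming: security group "sg-<tier>" stands for that tier
    net = ip_network(source, strict=False)
    if any(net.subnet_of(r) for r in PRIVATE_RANGES):
        return f"cidr:{net}"
    return "internet"


def check_rule(rule: dict, allowed=ALLOWED_FLOWS) -> list:
    """Return findings for one ingress rule; an empty list means it is within policy."""
    findings = []
    tier, source = rule["tier"], rule["source"]
    if rule["protocol"] == "-1":
        findings.append(f"{tier}: rule from {source} allows all protocols and ports")
        return findings
    lo, hi = rule["from_port"], rule["to_port"]
    if hi > lo:
        findings.append(f"{tier}: rule from {source} opens a range of {hi - lo + 1} ports ({lo}-{hi})")
        return findings
    src = classify_source(source)
    # Flows keyed on a private CIDR never match: the policy is expressed in tiers, not subnets.
    if (src, tier, lo) not in allowed:
        findings.append(f"{tier}: port {lo} reachable from {source} ({src}) is not an allowed flow")
    return findings


def find_violations(rules=INGRESS_RULES, allowed=ALLOWED_FLOWS) -> list:
    """Evaluate every rule and collect all findings."""
    findings = []
    for rule in rules:
        findings.extend(check_rule(rule, allowed))
    return findings


if __name__ == "__main__":
    for finding in find_violations():
        print("VIOLATION:", finding)
```

Run against the constructed rules this reports three violations (SSH on the web tier from the internet, the all-ports rule on the database tier, and the all-protocols rule from the web tier to the database). The same structure works for egress rules, and in practice the rule list would come from the provider's API rather than be embedded.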
Identity and Access Management
Identity and access management is inherently part of the application design and might need some tweaks while you move your workloads to the cloud. Cloud-based identity management solutions help you implement access regulations, i.e., controlling who can authenticate to your applications transitioned to the cloud and what those users are authorized to do. Solutions such as Azure Active Directory or AWS IAM help you implement fine-grained, role-based access control for your applications.
In some cases, you’ll need to use hybrid identity management and extend to the cloud on-premises identity solutions like Windows Active Directory to ensure the same user experience after the transition. The deployment models will vary from application to application. However, it’s important to ensure that proper security controls are in place for admin access auditing and to monitor logins and usage for suspicious activities.
In the cloud the threat landscape is far more evolved and complex than traditional on-premises deployments, where the focus is on perimeter security to block threats. While you’re moving traditional applications to the cloud, it’s essential to have a well-defined security strategy with a focus on reducing the attack surface, visibility to workloads, and tools for detecting and responding to threats. As part of the transition, organizations should define the applicable security controls and categories for the target cloud environment, then implement them in accordance with best practices. While there is a common perception that moving to the cloud means more risk, if you leverage the cloud security controls according to best practices, you can make the deployments much more secure than they are on-premises.
You can start with microsegmentation of networks to allow only required traffic to flow between your cloud components once they are transitioned to the cloud. Web application firewalls can protect your internet-facing applications from malicious traffic and known attacks. Cloud-native services can be leveraged to protect your applications from Distributed Denial-of-Service (DDoS) attacks in the cloud that could render your application unresponsive. Additional security controls to be considered include advanced threat protection, security log monitoring, and container security management. Cloud Security Posture Management solutions (CSPMs), which do continuous risk and compliance assessment and report deviations, will help reduce the attack surface for applications in the cloud. Another must-have solution is Cloud Workload Protection Platform (CWPP) tools, with their workload-centric approach and deep visibility into threats in your workloads, both Windows and Linux.
With increased attacks on Linux, once considered “secure by default,” the need of the hour is solutions that specialize in security management and threat detection for Linux. Intezer Protect, which helps protect your workloads with advanced threat detection and security management capabilities for Linux, is one such solution. It also protects your applications from in-memory threats and unauthorized code execution.
Transitioning traditional applications to the cloud may not require a complete overhaul. The key is to start small with quick wins, like lift and shift, and then build on top of them to achieve long-term transformation goals. Choose the deployment architecture based on organizational priorities and consider leveraging cloud native solutions like DBaaS as much as you can. Last but not least, keep a laser focus on security during and after the transition by using cloud native security features wherever possible, augmented by third-party tools as required.
Join Intezer's Linux Threat Feed
Every month we find approximately 100 undetected Linux threats, and every week we send subscribers hashes for the latest low and undetected Linux threats. Join our Linux threat feed to learn more: https://hubs.li/H0FftK70