​These decisions have the potential to impact an organization's scalability and its ability to enhance the environment in the future. To simplify this complexity, customers are actively seeking prescriptive guidance across a wide range of AWS services that can be utilized to create a solid foundational environment.

The key to establishing a successful cloud foundation on AWS lies in tailoring the guidance to the unique business needs of each organization. By adopting a capability-based approach, organizations can create an environment that enables them to efficiently deploy, operate, and govern their workloads. Furthermore, this approach allows them to enhance their capabilities and expand their environment as their requirements evolve and additional workloads are deployed to the cloud.
​
A standardized, prescriptive set of capabilities spanning different functional areas can serve as a structured approach for swiftly building or expanding an AWS Cloud environment. Organizations can adopt and implement these capabilities based on their operational and governance needs. As their business requirements mature, the capability-based approach can be utilized to ensure that their cloud environment is prepared to support their workloads and scale accordingly.

​Each capability includes stages of maturity that enable you to implement based on where you are in your cloud journey, including your governance and operational requirements. As your cloud environment grows and matures, the capabilities can be enhanced to meet your new requirements.

​When it comes to Governance, Risk Management, and Compliance (GRC), it's all about establishing a solid foundation for meeting security and compliance requirements while defining the policies that should govern your cloud environment. These capabilities play a crucial role in determining what needs to be done, defining your risk tolerance, and ensuring alignment with internal policies.

 
Within the Governance, Risk Management, and Compliance category, you'll find a range of capabilities designed to empower you in your GRC efforts:
​

• Tagging: This capability allows you to group resources by assigning metadata to them, serving various purposes such as access control, cost reporting, and automation. Tagging also offers visibility and control by grouping resources together, like microservices, applications, or workloads.
• Log Storage: Securely collecting and storing environment logs in tamper-resistant storage is vital. This capability enables you to evaluate, monitor, alert, and audit access and actions performed on your AWS resources and events.
• Forensics: In the event of a potential compromise, forensics involves analyzing log data and captured images to determine if a breach occurred and identify the root cause. This information helps drive the application of preventative measures.
• Service Onboarding: This capability enables you to review and approve AWS services for use, considering internal, compliance, and regulatory requirements. It involves risk assessment, documentation, implementation patterns, and communication regarding service consumption.
• Data De-Identification: Anonymizing sensitive data subsets during storage and processing is crucial. This capability reduces sensitivity for specific data types (e.g., national ID numbers, trade data, healthcare information) and may involve tokenization of sensitive data (e.g., credit card numbers, physical addresses, healthcare records) to minimize the need for direct access.
• Governance: This capability allows you to implement executive board policies that govern your AWS Cloud environment. It includes defining environment rules, identifying risks, and ensuring alignment with internal policies. As your cloud foundation evolves, elements of governance are integrated into all other capabilities to maintain compliance.
• Audit & Assessment: Gathering and organizing documentary evidence is essential for internal or independent assessment of your cloud environment. This capability provides information about access, changes, and helps validate that all actions align with policies and follow appropriate workflows.
• Change Management: This capability focuses on deploying planned alterations to configurable items within a defined scope, such as production and test environments. Approved changes are implemented with minimized risk, ensuring the stability of your existing IT infrastructure.

These capabilities within the Governance, Risk Management, and Compliance category offer you the necessary tools and guidance to establish a secure and compliant cloud environment. By leveraging them effectively, you can confidently navigate the complexities of GRC and safeguard your organization's interests.

​
When it comes to Operations, the goal is to enable your developers and operations teams to innovate at a rapid pace while maintaining the quality of application and infrastructure updates. The capabilities within this category empower you to effortlessly build, deploy, and operate workloads in the cloud, enhancing the developer experience and leveraging powerful tools.

Let's explore the capabilities within the Operations category that can revolutionize the way you manage your cloud environment:
​

• Rollout/Rollback: This capability involves having a well-defined strategy for rolling out application or configuration changes to your environment. It also includes the ability to roll back these changes if any issues or failures occur. Whether it's updating permissions, implementing new policies, configuring networks, or deploying new versions of applications or software development kits, this capability ensures smooth and reliable changes to your infrastructure.
• Logging & Monitoring: Gathering and aggregating security and operational data about your system and application activities is crucial. This capability allows for near-real-time analysis of data, enabling you to identify anomalies, indicators of compromise, performance issues, and configuration changes. With comprehensive logging and monitoring, you can proactively address any issues and ensure the smooth operation of your workloads.
• Metadata Sorting/Searching: The ability to search and filter resources based on applied metadata within your environment is invaluable. By leveraging this capability, you can efficiently locate and manage resources, whether they are specific accounts or resources within those accounts. It simplifies resource management and enhances visibility across your cloud environment.
• Patching: Keeping your infrastructure and workloads up to date is essential for optimal operation and security. This capability enables you to deploy sets of changes that address security vulnerabilities, apply bug fixes, and enhance the overall performance of your systems. From operating systems to applications and other relevant software systems, patching ensures that your environment remains secure and up to date.
• Developer Experience and Tools: To empower your developers, you need to provide them with the right tools and processes for building and deploying workloads seamlessly in the cloud. This capability covers everything from storing code to building workflows and facilitating the promotion of workloads from the testing phase to the production environment. By streamlining the developer experience, you can boost productivity and foster innovation within your teams.

With these Operations capabilities at your disposal, you can revolutionize how you manage your cloud environment. By enhancing the developer experience, ensuring effective rollout and rollback strategies, implementing robust logging and monitoring, simplifying resource management, and keeping your systems patched, you can drive efficiency, reliability, and innovation throughout your operations.

​
When it comes to Security, the focus is on creating a secure, high-performing, and resilient foundation for your cloud environment. The capabilities within this category allow you to design and implement robust security policies and controls at different levels of the stack, protecting your valuable resources from both external and internal vulnerabilities and threats. These capabilities ensure confidentiality, availability, integrity, and usability, while providing guidance and recommendations for effective remediation.

Let's delve into the capabilities within the Security category that empower you to establish a strong and reliable security framework for your cloud environment:
​

• Identity Management & Access Control: This capability enables your teams to efficiently build and centrally manage access to your cloud platform environment. It allows you to structure your organization, organize your accounts, and establish access based on the principle of least privilege. With effective identity management and access control, you can ensure that only authorized entities can access your resources, enhancing security and reducing the risk of unauthorized access.
• Data Isolation: Protecting your data is of utmost importance, and this capability enables you to limit access to data at rest and in transit. By implementing data isolation measures, you ensure that sensitive data is only accessible to authorized entities. Furthermore, this capability includes the ability to detect any misuse, unauthorized access, leaks, or theft of data, providing an additional layer of security for your valuable information.
• Application Security: Safeguarding your application software is crucial, and this capability focuses on protecting your applications from threats such as unauthorized access, privilege escalation, and other application-level vulnerabilities. It also involves detecting and responding to anomalous behavior in the context of application interactions with clients. By prioritizing application security, you can mitigate risks and ensure the integrity and reliability of your applications.
• Encryption and Key Management: This capability revolves around centrally managing encryption keys for different workloads and implementing encryption for data at rest and in transit. Access to keys follows the principle of least privilege, and usage is monitored to detect any anomalies. Additionally, encryption and key management provide various patterns for key rotation based on specific requirements, ensuring the ongoing security of your data.
• Secrets Management: Managing secrets, such as passwords, access keys, and API keys, is crucial for maintaining the security of your environment. This capability encompasses storage, access control, access logging, revocation, and rotation aspects of managing secrets. By effectively managing secrets, you can prevent unauthorized access and reduce the risk of credential misuse.
• Security Incident Response: In the event of a security incident, this capability enables you to respond effectively. It involves characterizing the nature of the incident and implementing appropriate changes, such as restoring operational status, identifying and remediating the root cause, and gathering evidence for potential legal actions. By having a well-defined incident response process, you can minimize the impact of security incidents and swiftly mitigate any potential risks.
• Vulnerability & Threat Management: Identifying and addressing vulnerabilities is a crucial aspect of maintaining a secure environment. This capability allows you to identify vulnerabilities that can affect the availability, performance, or security of your environment. It includes assessing the impact and scope of vulnerabilities and threats, and implementing necessary measures to address and remediate them. By effectively managing vulnerabilities and threats, you can enhance the overall security posture of your cloud environment.

By leveraging these Security capabilities, you can establish a robust security framework for your cloud environment, safeguarding your resources, and mitigating risks. From identity management and access control to data isolation, application security, encryption and key management, secrets management, incident response, and vulnerability management, these capabilities provide a comprehensive approach to protecting your cloud environment from a wide range of threats and vulnerabilities.

​When it comes to Business Continuity, resilience is key as it directly impacts the quality of service your users experience. The capabilities within this category empower you to establish a comprehensive strategy to ensure the continuity of operations during times of inefficiency or crisis. By implementing Disaster Recovery, Backups, and Support, you can proactively mitigate the impact of disruptions, minimize downtime during outages, and navigate unprecedented situations more effectively.

​When it comes to Finance, it's essential to establish and enhance your existing finance processes to be cloud-ready. By leveraging the capabilities within this area, you can effectively manage costs, ensure transparency and control, optimize spending, and meet compliance and regulatory requirements. Additionally, these capabilities enable you to efficiently manage your records and resource inventory, ensuring accurate financial management within your cloud environment.

Let's explore the capabilities within the Finance category that empower you to establish robust financial processes and optimize your cloud operations:
​

• Cloud Financial Management: This capability focuses on managing and optimizing your variable expenses associated with cloud services. With near real-time visibility and comprehensive cost and usage analysis, you gain valuable insights to support decision-making processes. From spend dashboards and optimization techniques to implementing spend limits and chargeback mechanisms, this capability enables you to proactively manage costs and detect anomalies. It also includes budgeting and forecasting features, allowing you to design a cost-optimized architecture for your workloads, select the right pricing models, and attribute costs to relevant teams. By centralizing expense information and providing targeted visibility to critical stakeholders, you can effectively track, notify, and apply cost optimization techniques across your environment and resources.
• Resource Inventory Management: This capability provides visibility and configuration management of the cloud-based resources that form an integral part of your IT-level services or workloads. By tracking resources and associated configurations in the environment, you can establish a system of record, such as a Configuration Management Database (CMDB) for IT Service Management (ITSM)-managed environments. This system of record facilitates visibility and configuration management of all software, hardware, and firmware resources within your cloud environment. With resource inventory management, you can effectively track and manage your cloud resources, ensuring accurate accounting and streamlined operations.
• Records Management: Records management is crucial for maintaining compliance and meeting internal policies and regulatory requirements. This capability enables you to define data retention policies, including the transition of data to archival storage before deletion. It encompasses various types of data, such as financial records, transactional data, audit logs, business records, and personally identifiable information (PII). By implementing effective records management practices, you can ensure proper data retention, meet compliance obligations, and maintain the integrity and security of sensitive information.

By leveraging these Finance capabilities, you can establish a cloud-ready finance framework that promotes cost transparency, control, planning, and optimization. From effectively managing variable expenses to maintaining accurate resource inventories and meeting regulatory requirements, these capabilities provide the foundation for efficient financial operations within your cloud environment. By embracing cloud financial management, resource inventory management, and records management, you can drive financial efficiency, ensure compliance, and optimize your cloud investments.

​When it comes to Infrastructure, it's crucial to design, build, and manage a secure and highly available cloud infrastructure. By leveraging the capabilities within this area, you can ensure the reliability and security of your infrastructure while accommodating the migration of applications from on-premises environments or building them natively in the cloud. Let's explore the key capabilities within the Infrastructure category that empower you to create a robust and resilient cloud infrastructure.

• Network Security: This capability focuses on designing and implementing security policies and controls across different levels of the networking stack. By leveraging network security practices, you can safeguard your resources from external and internal threats, ensuring confidentiality, availability, integrity, and usability. This capability encompasses measures such as monitoring ingress/egress and lateral data movement, detecting and blocking anomalous network traffic, and implementing preventive security measures.
• Network Connectivity: Network connectivity is essential for building a secure and highly available cloud infrastructure. This capability provides best practices and resources to design, build, and manage a network infrastructure that ensures reliable connectivity. From automating network infrastructure provisioning and configuration to facilitating expansion and scaling, network connectivity capabilities empower you to establish a robust and resilient network foundation for your cloud environment.
• Template Management: Template management enables you to streamline infrastructure deployment, management, and updates by creating and organizing reusable templates in a centralized repository. These templates encompass infrastructure configurations, schemas, golden images, and resources that can be readily deployed across your environment. With template management, you can expedite the provisioning process, ensure consistency, and easily manage updates and changes. These pre-approved templates follow established implementation patterns and leverage AWS services that have been onboarded and approved, providing teams with ready-to-use resources tailored to their specific requirements.
• Workload Isolation Boundary: This capability allows you to create and manage isolated environments to contain your newly created or migrated workloads. By implementing a workload isolation boundary, you minimize the impact and blast radius of vulnerabilities and threats. This approach simplifies compliance efforts by providing mechanisms to isolate access to resources, ensuring that workloads operate within defined boundaries while maintaining the necessary security and control measures.

By leveraging these Infrastructure capabilities, you can design, build, and manage a secure and highly available cloud infrastructure. From implementing robust network security measures to ensuring reliable network connectivity, template management, and workload isolation, these capabilities provide the foundation for a secure and scalable infrastructure. By prioritizing infrastructure security and reliability, you can create a resilient environment that supports the migration and development of applications in the cloud with confidence.

​​In the previous two articles on Cloud Migration Strategy and Best Practices, we discussed the importance of having a well-defined strategy, a clear scope, and realistic timeline for successful cloud migration projects. We also highlighted the critical role that people and technology play in the success of cloud migration projects. ​In this article, we will shift our focus to the process perspective of cloud migration in terms of preparing for a large migration and running a large migration.

To ensure a successful migration journey, it is crucial to establish core principles that provide a clear direction and obtain buy-in from stakeholders.

In this section, we will cover the following topics:
​

• Define business drivers and communicate strategy, cope, and timeline.
• Define a clear escalation path to help remove the blockers.
• Minimize unnecessary change.
• Document an end-to-end process early.
• Document standard migration patterns and artifacts.
• Establish a single source of truth for migration metadata and status.

​
Define Business Drivers and Communicate Strategy, Scope and Timeline

Defining business drivers and having a clear communication plan for the straetgy, scope and timeline are vital for large migrations to AWS. Different migration paths can be considered, such as rehosting workloads, containerizing applications, or redesigning them into serverless architecture. To determine the appropriate migration path, it is important to align with business drivers.

Involving various stakeholders, including application owners, network teams, database administrators, and executive sponsors, is crucial. Documenting business drivers and setting key performance indicators (KPIs) aligned with target outcomes helps ensure stakeholder alignment and effective decision-making.
 
Define a Clear Escalation Path to Help Remove Blockers

Large cloud migration programs involve multiple stakeholders with their own priorities, which can create challenges. To address this, a clear escalation path must be established to outline the necessary actions for removing any blockers that may arise. This streamlines decision-making processes and ensures alignment among teams. An example of resolving conflicting migration paths is setting a clear mandate following an escalation to the Chief Information Officer (CIO) and implementing a mechanism for requesting required decisions.
 
Minimize Unnecessary Change

While change is beneficial, excessive changes can introduce additional risks. When a business case for a large migration is approved, it is recommended to set a two-week rule to prevent application teams from spending excessive time rewriting their applications. This rule helps maintain consistency and enables a sustainable migration process over a multi-year period. By minimizing changes that do not align with the desired business outcomes, mechanisms can be developed to manage such changes in future projects.
 
Document an End-to-End Process Early

Comprehensive documentation of the entire migration process is essential for effective planning. This documentation should assign ownership of tasks and processes to specific stakeholders, ensuring clarity of roles and responsibilities. It also helps identify potential issues and facilitates ongoing improvements.

​Existing processes, dependencies, and integration points should be documented, and a RACI matrix can be created to assign responsibilities and accountabilities. Additionally, establishing a countdown plan, working backward from the workload migration cutover date and time, provides a structured approach.
 
Document Standard Migration Patterns and Artifacts
​
Documenting standard migration patterns and artifacts is critical for success. These resources serve as reusable references, documentation, and runbooks for future migration projects, enabling avoidance of past pitfalls and issues. Standard processes and artifacts significantly accelerate the migration process and improve consistency.

It is recommended to establish central ownership of these documents and artifacts, with a process for submitting recommended changes. Regularly sharing updates and changes with all teams promotes effective communication and ensures consistency throughout the migration project.
 
Establish a Single Source of Truth for Migration Metadata and Status
​
Creating a single source of truth for migration metadata and status is essential for effective planning. This allows all teams to align and make data-driven decisions. Initially, multiple data sources may exist, such as configuration management databases (CMDBs) or inventory lists. Data capture mechanisms, like using discovery tooling or surveying IT leaders, may be necessary. Aggregating all data sources into a single dataset simplifies tracking the migration progress, including the status of migrated servers.​

Once the business outcomes have been established and the migration strategy has been communicated to the stakeholders, it is time to plan how to divide the scope of the large migration into manageable migration events or waves. The following sections provide essential guidance for creating a wave plan.

Plan Migration Waves Ahead of Time to Ensure a Steady Flow

Thorough planning is crucial for the success of the migration program. Planning migration waves in advance allows the project to progress smoothly and enables the team to be proactive in addressing migration requirements. It facilitates scalability, enhances decision-making, and improves forecasting as project demands become more complex. Additionally, planning ahead enhances the team's adaptability to changes. For instance, a financial services customer working on a data center exit program initially faced delays due to sequential wave planning. When stakeholders were informed about their applications' migration to AWS, they still had several tasks to complete before starting the migration, causing significant program delays. To address this, the customer implemented a holistic approach where migration waves were planned months in advance. This provided ample time for application teams to complete pre-migration activities and eliminated unnecessary delays.

Keep Wave Implementation and Wave Planning Separate

Separating the teams responsible for wave planning and wave implementation allows both processes to work concurrently. With effective communication and coordination, this approach avoids slowdowns in the migration caused by insufficiently prepared servers or applications. It is crucial to involve the migration implementation team during wave planning to ensure complete and accurate data collection. Additionally, creating a buffer between wave preparation and implementation is essential. Collaboration between the wave planning team and the migration team is necessary to gather the right data and minimize the need for rework.

Start Small for Great Outcomes

Starting with a small-scale initial wave and gradually increasing migration velocity in subsequent waves leads to favorable outcomes. The first wave should involve a single, small application with fewer than 10 servers. As the migration progresses, additional applications and servers can be included in subsequent waves, gradually building up to the target migration velocity.

Prioritizing less complex or risky applications and incrementally ramping up the migration velocity allows the team to adjust to working together and learn from the process. With each wave, the team can identify and implement process improvements, significantly enhancing the velocity of later waves. For example, a customer migrating over 1,300 servers in a year began with a pilot migration and a few smaller waves.

This approach allowed the team to identify opportunities for improvement, optimize network segments, collaborate with the firewall team to prevent delays, and develop automation scripts for discovery and cutover processes. Starting small enabled the team to focus on process enhancements and increased overall confidence.

Minimize the Number of Cutover Windows

Maintaining discipline in managing scale is crucial for successful mass migrations. Limiting the number of weekly cutover windows ensures that the time spent on cutover activities is maximized. By reducing flexibility in this area, unnecessary delays and operational burdens associated with scheduling are minimized. For instance, instead of having multiple small cutovers, consolidating servers into fewer, larger cutovers optimizes operational efficiency and reduces potential delays.

A large technology company experienced delays early in their migration project due to application teams having the flexibility to dictate migration schedules until the last minute. This resulted in constant negotiation and stress for the migration team. To address this, the company improved their planning discipline and reduced the number of cutover windows, avoiding delays in meeting data center contract expiration dates.

Fail Fast, Apply Experience, and Iterate

It is common for initial migration waves to encounter challenges and setbacks. Failing early in the process allows the team to learn, identify bottlenecks, and apply lessons learned to subsequent waves. During the initial stages of a migration, the team needs time to adjust, integrate various tools and people, and continuously improve the end-to-end process. Understanding and communicating that initial issues are expected is crucial, as some teams may be reluctant to embrace new approaches and failure.

Ensuring everyone understands that these challenges are part of the journey encourages the team to learn, adapt, and ultimately achieve a successful migration. For instance, a company planning to migrate over 10,000 servers in 24-36 months began with learning waves to understand the processes and permissions involved. Through iterative improvements, such as integrating with CMDB and CyberArk, the team increased their migration velocity to over 120 servers per week within six months.

Don't Forget the Retrospective

Conducting retrospectives is an essential part of an agile process. These sessions allow the team to reflect, discuss, learn, and make necessary adjustments before moving forward. Retrospectives provide a structured approach to capturing lessons learned, which can then be used to drive improvements. For large migrations to succeed, constant evolution and improvement of processes, tools, and teams are vital. Retrospectives play a significant role in this continuous improvement cycle.

Instead of waiting until the end of the program, lessons learned from previous waves should be applied to the planning of subsequent waves. Regular retrospectives provide opportunities to identify areas for streamlining, process improvements, and automation. By implementing a countdown schedule and automating manual tasks, one customer significantly minimized delays and optimized their cutover process.

Another large tech company held regular retrospectives that led to improvements in processes, scripts, and automation, resulting in a 40% reduction in average migration time over the course of the program.

Large migrations present different challenges when compared to smaller migrations. This is mostly due to the complexities introduced by the scale. Running a large migration requires meticulous planning and execution as well as effective coordination, and a focus on continuous improvement. By following the guidance provided in this three-part series, organizations can navigate the complexities of large-scale migrations and achieve successful outcomes.​

In this article, we will shift our focus to the technology perspective of cloud migration. We will explore how technology can be used to achieve the scale and velocity required, while aligning with the strategy, scope and timelines of the migration project. The key principle is to automate wherever possible, utilizing tools such as discovery tools, migration implementation tools, configuration management databases, inventory spreadsheets, and project management tools.

​Once the necessary tools are selected, it's essential to ensure that the migration team has the skills to use them effectively. With the right tools and skills in place, technology can play a critical role in accelerating large migrations.

Successful cloud migration projects require a holistic approach that considers people, process, and technology. In this article we have focused on the technology perspective of cloud migration, which is a critical aspect of any successful migration project. 

The automation of migration discovery, repetitive tasks, tracking, and reporting can significantly reduce the time and effort required to complete a migration project. By automating these aspects, migration projects can accelerate the migration process while aligning with the project's scope, strategy, and timelines. To ensure a successful migration, it is crucial to explore tooling that can facilitate the migration process.
 
​​In the next article, we will delve deeper into the process perspective and provide insights and best practices for navigating the procedural aspects of cloud migration.

Now, migrating at scale isn't just about the number of servers you're moving over. It also involves a whole host of complexities like people, processes, and technology. This is part one of a three-part series of articles that dive deeper into cloud migration strategy and best practice diving deeper into people, process and technology. In this article, we'll focus on the ‘people’ perspective of large cloud migration projects. By following these best practices, you can streamline the migration process, reduce risk, and maximize the benefits of cloud computing.

Cloud migration is the process of moving an organization's data, applications, and other digital assets from on-premises infrastructure to a cloud computing environment. Migrating to the cloud offers many benefits, including greater flexibility, scalability, security, and cost savings. However, there are many different cloud migration strategies to choose from, each with its own unique set of benefits and challenges. 

When we talk about migrating a workload to the  Cloud, we're referring to the process of moving an application or workload to the cloud. In this article, we'll focus on the migration strategies for the AWS Cloud.

There are seven migration strategies that we call the 7 Rs, which are:

• Retire
• Retain
• Rehost
• Relocate
• Repurchase
• Replatform
• Refactor or re-architect

 
It's really important to select the right migration strategies for a large migration. You might have already selected the strategies during the mobilize phase or during the initial portfolio assessment. In this section, we'll go over each migration strategy and its common use cases.

​
Rehosting your applications into the Cloud using this strategy is also called “lift and shift”. It means moving your application stack from your source environment to the Cloud without making any changes to the application itself. This means that you can quickly migrate your applications from on-premises or other cloud platforms to the Cloud, without worrying about compatibility or performance disruptions.

With rehosting, you can migrate a large number of machines, including physical, virtual, or other cloud platforms, to the Cloud without downtime or long cutover windows. This helps minimize disruption to your business and your customers. The length of downtime depends on your cutover strategy.

The rehosting strategy lets you scale your applications without making any cloud optimizations, which means you don't have to spend time or money making changes to your applications before migration. Once your applications are running in the cloud, you can optimize or re-architect them more easily and integrate them with other cloud services.
​
With regards to AWS Cloud, you can make the migration process even smoother by automating the rehosting process using services such as:

• AWS Application Migration Service
• AWS Cloud Migration Factory Solution​