Fundamentals of landing zones when migrating to the cloudPublish Date: September 6, 2019
The number of enterprise applications and data being moved to the cloud is on a pacing rise, and so is the number of cloud failures. Most recently, a global security group approached us with a similar problem of cloud failure. They had difficulty with their on-premise hardware procurement & provisioning, and could not attain the flexibility they wanted on the cloud. After assessing their existing cloud environment, we could see that this led to high egress charges, veiled, and complex bills and along with added IT complexity.
Which is why to attain success, any cloud journey needs sound governance and operational model – before it even sets off with its adoption, migration, or strategy. Lack of attention to this can lead to longer migration cycles, higher cross-team dependencies, and chokepoints, increasing operational costs at the same time. It is therefore also crucial to implement cloud services directly tailored to your business needs because one size does not fit all.
A landing zone is typically the first step in a business’ cloud migration journey for a factory model application. It is the infrastructure foundation that allows you to scale ten stories on top of it without any chances of collapsing – only if the design/blueprint is correct.
This is also the lynchpin which can eventually lead to success or failure of cloud migration, and it behooves us to know more about why a landing zone is necessary.
So, what is a landing zone?
If you are a business, you would typically need an environment that meets the global security and auditing requirements, is ready to support highly scalable workloads, and can be tailored to support your continuously evolving business needs. A landing zone, thus, is a pre-configured environment with a standardized set of secure cloud infrastructure best practices, guidelines, policies, and centrally managed services. If you are migrating your data to the cloud (AWS or Azure for instance), a landing zone would be the initial destination area on the cloud, where the first applications will operate from after they have been migrated successfully.
Thus before you even decide to move to the cloud, its important to assess certain basic considerations like:
- How your site-to-site or direct on-premise connectivity works
- How efficiently used the network topology is
- How securely and seamlessly multiple accounts and subscriptions interact on the cloud
A landing zone is your one-stop address for all your business considerations by having a baseline cloud infrastructure. It is also the starting point for new developments and experimentations. Getting it right ensures all critical services are present and properly configured before you begin the deployment of workloads.
What’s driving the adoption?
A prime driver for the adoption of a landing zone in any cloud environment is that it lets you save time by automating the setup of an environment to run secure and scalable workloads. For AWS’ landing zone, for example, compliance and governance are provided out-of-the-box as a package for all accounts.
Regardless of the method used to create your landing zone, it is important to exercise best practices. These should include security controls of multi-account structures, self-servicing with guard-rails, foundations for scalability – all combined with automation.
Typically monitored KPIs include the pace of innovation, self-service-sufficiency, the agility of workload migrations, and levels of security. Both Azure and AWS’ landing zones are a great fit for organizations with multiple IT roles wherein managers can control access to resources and restrict activities wherever necessary including database, DevOps, security, and development network.
Four key considerations for the cloud user
Before you deploy your workload on AWS or Azure, the following four key considerations should be kept in mind.
Automated account management
One challenge with the landing zone is the use of multiple accounts. One can work with a single account, but it becomes difficult to manage as the environment grows. This is because many teams in the same account can overstep on one another due to varied responsibilities that may eventually lead to vulnerability of access and breach of compliance. Landing Zone provides a framework for creating and baselining a multi-account automated environment Automation of the multi-account cloud environment helps save the time of setup, while also implementing that initial security baseline for any digital environment you are going to use.
The automated multi-account structure includes security, audit, and shared service requirements.
Account security baseline
A landing zone allows you to enforce security at the global and account level. Security baseline with preventative and detective control. Secure by control, compliance, and design needs to be at the heart of everything that is done. Planning for centralized security and logging approach gives you a single pane of glass over multiple environments or accounts. With continuous monitoring, you can also set up alert notifications pertaining to security, sign-in failures, root logins, etc.
I&A (Identity & Access) management
It is important to create roles and policies that enforce access controls to only users who do what they need to and nothing else. Build foundational pieces for identity and access management to identify individual roles and responsibilities. Identity and access management (IAM) is a framework of business processes, policies, and technologies that facilitates the management of electronic or digital identities.
AWS landing zone, for example, provides access through a secret key rotation every 90 days, while simultaneously enabling multi-factor authentication or MFA for all users.
Designing and implementing cloud networking capabilities is a critical part of your cloud adoption efforts.
Networking is composed of multiple products and services that provide different networking capabilities.
Network Implementation measures to ensure the network is highly available, resilient, and scalable. Choose networking services, tools, and architectures to support the organization’s workload, governance, and connectivity requirements.
A landing zone package should thus achieve three things – an immediate safe and quick adoption, short-term operational excellence, and long-term self-sufficiency and business resiliency. The success of this endeavor is measured by the time it takes for an enterprise to become self-sufficient in the adoption and operation of cloud technologies on top of their cloud environments.
This is the first blog of a series. Subsequent blogs will further expand on the challenges, key considerations, and common mistakes to avoid when implementing your landing zone strategy.
Are you migrating to the cloud? If you have specific questions, doubts or scenarios that you want to run by a specialist in cloud infrastructure, feel free to reach out to YASH Technologies