Phasing applications into the public cloud

January 21, 2011, by David
Grazed from ComputerWorld.  Author: Gregory Machler.

Where does a 500-million-dollar, mid-sized company go to implement cloud computing? Where should they begin? How should a company phase its deployment in order to reduce risks?

First, let’s focus on a global law firm. Most law firms have similar business applications, so a public cloud provider could address this niche for law firms around the globe. What should they outsource first? I’ll outline five deployment phases related to risk and information security. The five include network infrastructure, disaster recovery infrastructure, remote offices, core law applications, and critical sensitive data applications.

The first deployment phase, network connectivity, is often already outsourced to what could be called a cloud provider. The company’s network connectivity to the main data center (where the law web applications are hosted on web servers) is provided by one network provider such as AT&T. Its second, backup provider may be Verizon. The network connectivity to all of the law offices is also provided by AT&T and/or Verizon.

Phase 2 should focus on outsourcing the functions that are critical for disaster recovery of the main data center. This architecture could be deployed at a disaster recovery site in another major city, where it can be tested to make sure it covers all business-critical functions. The cloud provider needs to be checked to see whether it supports these functions, so that you can be assured that a disaster is addressed well and that your phase 3 migration will go well. What components belong in phase 2?

The following components are needed to serve all of the future phases of recovery. The encryption host is currently housed on separate servers and is used to encrypt disaster recovery sensitive data on the main SAN and NAS storage subsystems. The LDAP host defines end user role-based access to systems and applications. Network management systems are used to monitor the uptime of the various data center systems. Email applications are needed for managing global email. A firewall protects web traffic from internet attack. Application software update tools enable corporations to update critical application features in a controlled fashion. Load balancers are needed to evenly distribute web traffic to the web servers that serve the various web applications. Web servers host critical business applications: word processing, spreadsheets, presentations, and law applications. A simple SAN and/or NAS storage subsystem is needed to support only the critical phase 2 disaster recovery systems.

Phase 3 addresses functions that exist in the branch law offices. In order to see the benefits of cloud computing, the cloud providers must provide web-based branch law office applications. If they do not, the cost associated with keeping branch office support personnel remains necessary. Note that it is possible to perform remote desktop functions via a browser, so branch applications do not need to be rewritten. It is becoming more and more expensive to keep support staff in the various branches. Eventually, only browser-based software on iPad-like hardware will be needed at remote locations, with storage coming from the cloud. Only the branch’s wireless and LAN infrastructure will be needed at branch locations, and it will likely be outsourced to a network provider.

Phase 3 also addresses what is deployed within the data center to support the branches. The addition of each office increases the demand for web applications, web servers, load balancers, database servers, virtualisation infrastructure (virtual machines) and cloud storage. The cloud provider’s data center should be scaled up incrementally. New routers, switches, and dedicated centralised SAN and NAS storage subsystems (cloud storage) are also needed.

Phase 4 focuses on core business applications. These business applications are accessed by corporate users over the web via a web browser. These business applications are generally used by the corporate office and consume a chunk of various data center resources.

Lastly, phase 5 addresses critical applications’ HIPAA health care data, financial data, HR data, and other sensitive data. Like phase 4, it takes advantage of second-tier virtual firewalls to protect the applications, with applications that hold similar data grouped into separate segments. In this design, separate SANs or storage clouds can be used to isolate each type of data. One benefit of segmentation is that all of the sensitive data in a given segment can be encrypted using the same method.

In summary, phase 1 already exists in many corporations. Their network infrastructure to the data center and the remote offices is outsourced to an internet provider. Phase 2 focuses on outsourcing the most critical portion of the infrastructure, that which is needed for disaster recovery. After this phase is complete, phase 3 addresses the infrastructure that is needed for the various remote offices. Phase 4 addresses non-critical applications within the data center. Lastly, phase 5 separates applications with similar critical data using virtual firewall segments. This incremental phasing moves the law firm’s applications into the cloud without putting their business at risk.