Accelerating Application Migrations To The Cloud

It’s a common misconception for people to imagine that business applications can be apparated, Harry Potter-style, into the cloud and that the IT team just needs to press a few buttons and whoosh, the migration is done. If only it were that easy.

First, although in our experience 85% of applications can potentially be migrated to the cloud, some applications should not, or cannot, be moved. Legacy applications may be difficult to virtualize, requiring significant development work before they can be migrated. Some applications may be sensitive to latency, so for performance reasons they should stay on-premise. Others may be governed by regulations which prohibit moving them outside of a given jurisdiction or geographic region.

Hand-Drawing Maps

However, even for the majority of applications that are suitable for migration, there are multiple challenges which need to be addressed if the migration is to be done smoothly and securely. First, the application’s existing network flows need to be mapped so that the IT team knows how to reconnect the application’s connectivity post-migration. This is extremely hard to do in complex environments. There’s usually little to no up-to-date documentation, and attempting to understand the requirements and then painstakingly migrate and adjust every firewall rule, router ACL, and cloud security group to the new environment manually is an extremely time-consuming and error-prone process. A single mistake can cause outages and compliance violations, and can create holes in the business’s security perimeter.

Mapping is also slow. In AlgoSec’s experience, a team of five experienced consultants can manually map 25 applications a week. That means that in a typical enterprise running 1,200 applications, it would take the team a year to complete the process. If the organization has good documentation of its applications and an accurate configuration management database, it may be possible to cut this time by 50%.

But given the resources required to map applications manually, some organizations may ask if they really need to do it before migration. The answer is definitely yes, unless they plan to move only one or two applications in total — and can afford to manage without those applications for hours or days, in the likely event that a problem occurs and connectivity is disrupted. Having comprehensive maps of all the applications that need to be migrated is essential: this atlas of connectivity flows shows the way forward to smooth, secure cloud migrations.

Ready to Move

With an atlas of existing connectivity maps, organizations can tackle the migration process itself. This can be done manually using the APIs and dashboards available on all cloud platforms, but it’s slow work, and it’s all too easy to make costly mistakes. Some cloud service providers offer native automation tools, but these often only address the cloud provider’s environment and they don’t provide visibility, automation, or change management across your entire estate. Even some third-party cloud management tools which are capable of spanning multiple clouds will not necessarily cover your on-premise networks.

The most effective way to accelerate application migrations is with an automation solution that supports both the existing on-premise firewall estate, and the new cloud security controls, and can accurately define the flows needed in the new environment based on the atlas of existing connectivity flows, as well as the security and compliance needs of the new environment. In fact, the right automation solution can also discover and map your enterprise applications and their connectivity flows for you, without requiring any prior knowledge or manual configuration by security, networking or application teams.

Businesses can then use the solution to navigate through the actual migration process to the cloud, automatically generating the hundreds of security policy change requests that are needed across both the on-premise firewalls and cloud security controls. This dramatically simplifies a process that is extremely complex, drawn-out, and risky, if attempted manually.
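The translation step described above (discovered flows in, cloud security-group rules out, with anything that cannot be migrated safely flagged for review) as an added illustration. This is not AlgoSec’s code; the flow records, the application move plan and the rule format are constructed for the example.

```python
"""Turn discovered application flows into cloud security-group rules.

Added example, not AlgoSec's product code. Flows, the move plan and the
output rule shape are constructed sample data.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    app: str    # application the flow was attributed to during discovery
    src: str    # source CIDR as seen in the on-prem firewall rule base
    dst: str    # destination CIDR (the server being moved)
    proto: str  # "tcp" or "udp"
    port: int


# Constructed sample of flows recovered from an on-prem firewall export.
SAMPLE_FLOWS = [
    Flow("billing", "10.10.5.0/24", "10.20.1.15/32", "tcp", 443),
    Flow("billing", "10.20.1.15/32", "10.30.0.7/32", "tcp", 5432),
    Flow("billing", "10.20.1.15/32", "10.30.0.7/32", "tcp", 5432),  # duplicate rule
    Flow("billing", "0.0.0.0/0", "10.20.1.15/32", "tcp", 22),      # legacy any-source rule
    Flow("hr-legacy", "10.10.7.0/24", "10.20.2.9/32", "tcp", 8080),
]

# Constructed move plan: target cloud per app, or None for apps that must
# stay on-prem (latency, regulation, not virtualizable).
MOVE_PLAN = {"billing": "cloud-eu-central", "hr-legacy": None}


def to_security_group_rules(flows, move_plan):
    """Return (rules, findings).

    rules    - deduplicated ingress rules to request in the target cloud
    findings - flows that must not be carried over as-is, with the reason
    """
    rules, findings, seen = [], [], set()
    for f in flows:
        target = move_plan.get(f.app)
        if target is None:
            findings.append(f"{f.app}: not cleared for migration; "
                            f"{f.src}->{f.dst}:{f.port}/{f.proto} stays on-prem")
            continue
        # A 0.0.0.0/0 (or ::/0) source would open the port to the whole
        # internet once it becomes a cloud security-group rule.
        if ipaddress.ip_network(f.src).prefixlen == 0:
            findings.append(f"{f.app}: any-source rule to {f.dst}:{f.port}/{f.proto}; "
                            "review before migrating")
            continue
        key = (target, f.proto, f.port, f.src, f.dst)
        if key in seen:
            continue  # identical rule already requested
        seen.add(key)
        rules.append({"target": target, "direction": "ingress", "proto": f.proto,
                      "port": f.port, "cidr": f.src, "description": f"{f.app} -> {f.dst}"})
    return rules, findings
```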

After the applications have been migrated, the automation solution should be used to provide unified security policy management for the entire enterprise environment, from a single console.

While there isn’t yet a method for apparating applications instantly into the cloud, automation makes the process both fast and relatively pain-free by eliminating time-sapping, error-prone manual processes, such as connectivity discovery and mapping, during the migration itself, and in ongoing management.

Powered by WPeMatico

Centralized security in the cloud is the best security model

It’s 6:00 a.m. on a Monday morning. You get an automated text from your security systems that a DDOS attack was attempted, but new security policies downloaded several hours earlier proactively protected the systems from the attacking IP address. All is well. 

The alternative is not good—meaning that you had no idea of the DDOS attack, and now you’re playing cloud security whack-a-mole to fend off the attack until you can put more permanent solutions in place. Of course, other types of breaches could be much worse, in terms of their impact on the enterprise. 

Proactive and automated security solutions are known as centralized trust. Simply put, these are central repositories of security policies that are linked to local repositories in the enterprise cloud. They may even contain centralized identities (things, processes, or people) that can be centrally credentialed.



VMWorld Goes All In On The Cloud

This year’s VMworld showed new directions for VMware, which previously seemed a bit disoriented in the cloud computing revolution.

Following up on their prior goal of being the Switzerland of software, VMware is aiming to become the universal middleware for physical and software-defined data centers, leveraging Dell’s deep partner ecosystem. And this is also evidenced in their efforts to partner with AWS as the first partner in a strategy of “any cloud and any workload” which will soon include Azure and Google Cloud.

Besides helping their customers to build fully-digital data centers in the cloud, VMware is also working on securing both the virtual plumbing and the virtual endpoints. This could be a new paradigm for digital security, according to CEO Pat Gelsinger at the opening keynote.

There were two key announcements made at VMworld that support this. First, the result of their often mentioned Project Goldilocks, an endpoint security app called AppDefense that leverages existing VMware infrastructure to monitor and alert when virtual endpoints change to unexpected states.


In part, AppDefense is about applying least privilege and white-listing security paradigms ubiquitously to virtual infrastructure.

“AppDefense delivers an intent-based security model that focuses on what the applications should do — the known good — rather than what the attackers do — the known bad. We believe it will do for compute what VMware NSX and micro-segmentation did for the network — enable least privilege environments for critical applications,” said Tom Corn, senior vice president of security products, VMware.

When a threat is detected, AppDefense leverages vSphere and VMware NSX to automate the correct response to the threat. For example, AppDefense can automatically:

Another major security tool for virtual infrastructure is NSX Cloud, a version built to provide network security for the hybrid cloud.

“We find it to be a positive development that VMware is delivering enhanced security capabilities to complement multi-cloud architectures. The opportunity to enforce consistent policies at the network layer through micro-segmentation is an attractive feature/benefit combination of NSX network virtualization. Although we have more to learn about AppDefense, the concept holds similar potential within virtual machine operating systems and applications. These technologies enable greater control … by taking advantage of both public and private clouds and express the desire for workload mobility for reasons of rapid capacity expansion, data sovereignty isolation, disaster recovery, and more,” said Jon Rosenson, senior vice president at Expedient.

In his August 28 blog entry on the VMware web site, Alex Berger, product marketing manager, Networking & Security, wrote, “AppDefense is the other half of the puzzle. Whereas NSX prevents threats from moving freely throughout the network, AppDefense detects anything that does make it to an endpoint and can automatically trigger responses through integration with NSX and vSphere.”


NSX, VMware’s network security offering for micro-segmentation, is becoming the glue that can build and integrate hybrid clouds. There are now two flavors: the on-prem version that runs with vSphere, and the new cloud-based, as-a-service NSX Cloud.

VMware Cloud on AWS uses multiple VMware products, including NSX for networking and security. NSX Cloud, on the other hand, focuses on workloads running natively in different public clouds, such as an Amazon EC2 instance in the AWS cloud.

Since NSX Cloud is a service, it does not require NSX, or any VMware software, on-premises. VMware Cloud can replace tools that are specific to each public cloud like AWS CloudWatch and Azure Monitor.

In his VMware blog on August 28, “Introducing NSX Cloud,” Mark Schweighardt, director, product marketing, Networking & Security, wrote, “NSX Cloud provides an abstraction layer that is independent of the underlying cloud networking constructs. You can think of NSX Cloud as a way to bring your own enterprise networking management and controls to the public cloud. This gives IT more precise control over the networking topologies, traffic flows, IP addressing, and protocols used within and across public clouds. For example, IT can easily stretch NSX Cloud subnets to applications running across multiple regions or clouds.”

Taken together, these new offerings place VMware solidly in the cloud security arena.

According to Chris Williams, an Enterprise IT consultant at GreenPages in Kittery, Maine, VMware missed customers’ real needs in trying to launch their own cloud service. Instead, he said, nearly every customer wants to take their on-prem workload and move these up to any cloud without refactoring to AWS, or Azure, or Google, or any cloud. Williams likes the cloud partnership with AWS. “Marrying them together is like a dream come true.”

“VMware is uniquely positioned in data centers,” Williams said. “AppDefense is a first shot at filling some of the blind spots other security companies miss. It looks like it will be very cool,” Williams added. “I still have more questions, but I like the fact that you can use it to see anomalous behavior. For years I have been working with customers who needed info on their steady state. I think that VMware will figure out how to use this steady state info with other security partners.”

Evidence of initial integration partnerships came from Carbon Black and IBM, which announced links to AppDefense at VMworld. These partnerships incorporate VM-level detection data from AppDefense into security analytics.

Williams was also part of the dedicated vBrownBag group that held focused tech talks at VMworld. They have streamed these tech sessions live from VMworld for several years, but this year the sessions were listed in the conference schedule builder and attendance at the vBrownBag Tech Talks exploded.

Many of this year’s VMworld tech talks will be posted on their YouTube channel. Visit for details.

“VMware is applying security in two areas, its own infrastructure and cloud infrastructure,” Jon Oltsik, senior principal analyst at ESG, told Mission Critical. “In this way, AppDefense complements traditional static security controls.”

“[NSX Cloud is] a good move for VMware controlling cloud and ESX policy and network segmentation centrally. The challenge is for organizations who are more aggressive with cloud and not as active with ESX,” Oltsik said.

“We do intrinsic digital security for the new digital enterprise. IT infrastructure is no longer held in the four walls of the data center. The infrastructure is everywhere. That is what our customers are facing now and we have a footprint in this entire infrastructure. We can help simplify and consolidate the way customers approach security,” said Chris Campbell, director, security solutions, VMware, summing up the company’s approach to the cloud.

Videos of the top sessions of VMworld are now posted at


Now’s the time to do deep learning in the cloud

The AWS re:Invent conference is coming up, and predictions are starting to fly around what Amazon Web Services will announce there. A sure bet is that it will announce some sort of deep learning cloud service. Of course, Google, Microsoft, and IBM won’t be far behind; indeed, both IBM and Microsoft have their own special deep learning projects in the works, called Brainwave and Distributed Deep Learning, respectively.

So, what’s the difference between machine learning and deep learning? Simply put, machine learning typically deals with tactical applications of AI, such as making instant predictions. Deep learning provides a foundation for the understanding of massive amounts of patterns or data.



SD-WAN + UCaaS As A Centerpiece For Cloud Strategies

Some things are simply better together. Like Han Solo and Chewbacca. Or honey ham and Swiss cheese. Each of them is great on its own, but something special happens when you put them together. SD-WAN and UCaaS are one of those combinations that is greater than the sum of its parts, but companies typically don’t see them as a dynamic duo. Companies are typically either mulling over the idea of upgrading their outdated WAN to an SD-WAN … or they are thinking of upgrading their voice systems to a Unified-Communications-as-a-Service (UCaaS) solution. These are typically seen as two completely separate technology issues, but doing one without the other would be a missed opportunity for companies’ cloud strategies because of the way they enhance one another.

The benefits of doing these two implementations together are particularly dramatic for mid-sized companies because of the legacy technologies that they are usually upgrading from. Unlike large enterprises, which are typically pretty far down the path of cloud infrastructure investments, the 200,000 mid-sized companies in the U.S. are generally starting from much further behind:

  • The underlying infrastructure they are using is often traditional WAN technology, which may quite literally be decades old if the company has a long history. Because it is technology that predates the Internet, let alone the cloud, a traditional WAN is highly problematic as a foundation for companies’ web-based apps, mobile computing and other cloud-related technologies. Simply put: performance is terrible, flexibility is non-existent, and maintenance is treacherous for the IT teams. Outdated WANs create problems that are very difficult to ignore, prompting companies to take a close look at a migration strategy for moving to a cloud-friendly SD-WAN.
  • The voice systems that many mid-sized companies have are often equally outdated, since voice systems are typically at the bottom of the priority lists as companies with limited IT budgets weigh the most urgent systems to invest in. As a result, many companies’ voice systems pre-date the emergence of the cloud or simply utilize VOIP in a narrow way for cost savings without addressing their larger communications needs. Compared to the true cloud-based unified communications systems that large enterprises and small businesses use, mid-sized companies are often a decade or more behind, with voice systems that are a patchwork of technologies and fixes bolted together to try to get one more year out of the system, followed by hope that it will last just one more year, and one more year, and so on. This typically results in poor voice performance, lack of integration with other corporate systems, employees supplementing the system with rogue solutions that introduce security and compatibility problems, and many other issues.

Upgrading to an SD-WAN or making a UCaaS implementation each has major benefits. For example, a UCaaS implementation can instantly transform obsolete, costly-to-maintain, difficult-to-expand legacy voice and messaging systems into an integrated combination of web-based voice/messaging/video tools that enhance everything from uptime to customer experience to productivity. And an SD-WAN implementation reduces the complexity and downtime and optimizes the costs that so many mid-market companies experience with their outdated traditional WANs, which are poorly suited to support the diverse set of cloud applications that companies are running today. SD-WAN provides a dynamic, adaptable, intelligent foundation for managing all of that traffic in a way that gives each application what it needs to perform optimally while making cost-conscious decisions about how to utilize various grades of bandwidth.

SD-WAN and UCaaS each have a major positive impact on its own, but together they are much greater than the sum of their parts:

  • By implementing an SD-WAN as a central element of a cloud strategy, a company has an “application-aware, cloud ready” network that can actively manage how bandwidth is sourced and utilized, routing traffic in ways that optimize the performance of every application.
  • And the SD-WAN’s dynamic management of bandwidth ensures that the UCaaS gets prioritized so that employees have high-quality voice and video tools that are reliable for customer communications and other external and internal collaboration.
  • With the SD-WAN as the foundation, the UCaaS can perform to the specifications it is designed for, while also allowing the company to manage broadband/network costs effectively by using higher-cost services only when needed to ensure application performance while utilizing lower-cost, commodity services whenever and wherever it can to save money.
  • In return, the UCaaS implementation provides a clear blueprint for how the SD-WAN should be designed and managed, and the unified communications applications become Exhibit A for how the SD-WAN implementation is having a positive operational impact on the organization.

For mid-sized companies, this kind of dual implementation not only addresses two sources of daily operational frustration — poor performance of the network and an outdated voice system — but can also give much-needed clarity and direction to the company’s cloud strategy. Together, these implementations can serve as a centerpiece of a cloud strategy, delivering benefits that will be easy for the entire organization to see in ways ranging from integrated cloud-based voice tools to far faster network performance. And with these wins in hand, it may even be easier to build support for the next phases of the company’s cloud strategy.
