From On-Premise to Cloud - Lessons Learned at Immigration and Customs Enforcement

Michael C. Brown, CIO, U.S. Immigration and Customs Enforcement (ICE)

Snug and secure after almost a decade in our data center environment, the IT team at Immigration and Customs Enforcement was asked to vacate the data center as part of a Department of Homeland Security cost reduction effort. We were given eight months to do so and no funding for transition. Over the course of six months, 147 business systems were transformed to use cloud services and 682 pieces of hardware were decommissioned.

We had a head start with several cloud-based applications already in operation, a nascent set of environments at two cloud service providers, a high degree of virtualization and growing familiarity with how to operate in the cloud. A rapid and large-scale migration still seemed daunting. Here is how we approached the task and what we learned:

Money isn’t everything. Incrementally reducing hosting costs at our on-premise center while turning up services in the cloud helped reduce transition costs. Cloud hosting doesn’t require the hardware investments that a traditional data center move does.

Change needs champions. Find champions that are respected by those that will most resist the change. This could be a Chief Technology Officer or co-opted members of the groups most vested in the status quo. Constantly demonstrate executive sponsorship for the change. Recognize the early adopters.

Hug your Cloud Service Provider (CSP), not your server. Your CSP is a mission-critical supplier. The business relationship should account for appropriate duration, growth and flexibility. More than one CSP helps mitigate risk and can allow workloads to be targeted to the best-suited environment. Learning and managing multiple CSPs will consume time and effort, so team capacity is a consideration. If time permits, sequentially building familiarity with first one CSP and then additional providers will be less stressful. Schedule permitting, a generous, but active, learning period can better foster adoption. Short-term consulting services from your chosen CSP can help jump-start your team.

Get every discipline involved. Operations, development, security, contracting and budget all need to engage. All these disciplines are part of current hosting arrangements and all will need to be engaged in creating the to-be. There is a cloud analog for most of what these disciplines undertake in a traditional on-premise environment. Identifying these analogous functions helps demystify the change.

Make fundamental decisions early: 

Will you use fully commercial cloud, government community cloud or a combination? Fully commercial services will be more feature rich and lead CSP innovation, whereas government community cloud can address data sovereignty and higher security.

Hybrid or complete cloud adoption? Hybrid operations will be inevitable in the short term as business systems are rehosted, but long-term hybrid operations may also be necessary in cases where systems will have to be substantially refactored to operate in a virtual environment.

Refactor or lift & shift? Rehosting is an opportunity for system enhancements, replacement of commercial software products with open source products or addressing a backlog of functional improvements. Weighing the benefits of application software changes against an increased timeline for rehosting is the decision calculus. Refactoring and functional enhancements may well be less challenging once at a CSP. Make decisions for every system. At this point, begin selection of migration support tools such as heterogeneous database replication software or virtual server replication software.

Will regular system enhancements be deferred? The regular pace of application system changes and a migration to the cloud are unlikely to be accommodated simultaneously. A moratorium on system enhancements may be necessary. Gain cooperation from business units that expect regular product releases and who may not appreciate the benefits of moving to the cloud. Selling the disruption to customers is critical.

Build and secure your dream house:

A logical view of a cloud environment will not be radically different from a traditional on-premise physical environment. Virtual Private Clouds (VPC) will exist for development, test, pre-production and production. VPCs may need to be created for different business units for charge back and data isolation. Software routers will connect environments. The picture below is one example.

Using a CSP with Federal Risk and Authorization Management Program (FedRAMP) certification provides inheritance of many security controls, but an accreditation process is still required. Addressing cybersecurity early and often, and engaging the Chief Information Security Officer whenever cloud environment architecture is being determined, is essential.

Network architecture requires significant thought and planning. Provisioning of network services is typically a long-lead effort. Look to capacity at the current on-premise data center as a starting point. Distance to CSP facilities may introduce latency that applications might not tolerate. Enterprise or department-level security, such as a Trusted Internet Connection, will introduce complications that must be addressed as early as possible.

Fail and learn. Pick early adopter application systems and make the move. Fail early with lower risk systems and use retrospective-style sessions to make lessons widely known. Finalize any migration tool choices and methods.

Manage, but don’t micromanage. The Kanban method, tracking software such as Jira and frequent kanban board review sessions are effective tools. An executive-level dashboard, like that illustrated below, is helpful for external reporting. Progress reviews need to be held at multiple levels. A traditional project plan with work packages and milestones can be overly granular and prescriptive. Each system migration team will need flexibility to adapt to the new and the unexpected. Continuous executive sponsorship and assistance with blockers is key. Celebrate successes often. Don’t let blockers fester.

Topple silos. Use the cloud migration as an opportunity to break down silos of excellence where possible. The instant provisioning of infrastructure that cloud hosting allows is an opportunity to create more effective multidisciplinary product teams. Devolve control of environment provisioning where practical. 
