Cloud Migration Project Risk Assessment Considerations

The importance of risk identification and management cannot be overstated in a cloud data migration project. The challenge is in understanding how the various types of risk are inter-related. A cloud migration project, for example, spans all levels of an organization, from the underlying business processes to the staff responsible for setting and enforcing policy, to the very technology and physical facility which will be directly impacted by a cloud migration. Risks will also vary depending on the type of cloud deployment planned.

How do we plan for and mitigate risk given these variables? To begin, we need to establish a foundation for the project and fully understand

• what is the business trying to accomplish in moving to a cloud environment? Compliance? Cost? Efficiency? Privacy? Reliability? How are the objectives of various business units related?
• who are the stakeholders and what is their role in the project?
• what are the dependencies between processes, systems and data?
• what are the physical requirements of the data? Consider jurisdiction, disaster recovery, for example.
• how can we integrate intrinsic cloud risk into our everyday business decision making processes?
• How does moving to the cloud impact existing business processes and staff roles? What roles and processes are changing?

When assessing risk in a cloud migration project, one of the most important questions that the project manager can ask is “what will change?” In a SaaS (Software as a Service) model, for example, the IT business model fundamentally changes. All aspects of the service are under the control of the provider, from the physical facility to the data to the application itself. This model impacts not only the IT staff, but potentially the end user as well. For example, how will disaster recovery be managed? Will additional training be required of the end user? Will the interface change?

In a PaaS (Platform as a Service) model, the organization maintains some control over the application. In an IaaS (Infrastructure as a Service) model, the organization maintains complete control over the application, middle ware and data since only the Infrastructure is being purchased. Each cloud computing model thus has both a shared set of risk and unique risk depending on the model implemented.

Change impacts the stability of both the application and the organization itself, and is a significant source of project risk. By asking “what will change?” and addressing each aspect of the anticipated change, the project manager can begin to set the framework for identifying and managing risk.

Example Risks in an IaaS environment
Given the fundamental infrastructure changes in an IaaS environment, possible risks include:

• disaster in physical facility
• breach of facilities security
• network unavailability
• hardware failure
• hardware performance issues
• OS failure
• OS security breach
• provider business continuity
• integration issues with legacy applications
• regulatory compliance issues

Example Risks in an SaaS environment
Given the changes in an SaaS environment, additional possible risks include:

• stakeholder resistance due to radical changes in business processes
• data privacy and security concerns
• middle ware compatibility issues
• costs of end user training

Cloud computing is an emerging field and the technologies in use will evolve. By focusing on the impacts of change faced by the organization undertaking a cloud computing migration project, the project manager can effectively identify and prioritize risk and align risk response with core business objectives.