naas migration and business continuity
Getting your Trinity Audio player ready...

Don’t Lose Sight of Business Continuity While Migrating to a New NaaS Service

IT supports the bread and butter of any business. A new technology introduction should minimize or prevent any business disruption. To migrate to a new NaaS (Network as a Service), serious consideration should be given in evaluating, planning and executing the migration. In this short article, my goal would be to share some standard migration best practices followed by an example of security migration to a new NaaS offer as in the case of SASE (Secure Access Services Edge) or SSE (Secure Services Edge). I have kept my approach vendor-agnostic so that it can be applied across the board.

Importance of Business Continuity

Business demands that any changes in the IT landscape should either improve the service or have no degradation. Any degradation in business continuity will most likely result in a roll back to the older service followed by serious questioning of the quality of the new solution. Imagine a manufacturing plant, which loses its production capability even for the shortest amount of time on the new solution will ask for a roll back.

Best Practices in Migrating to a New NaaS Service

There are generally two camps when it comes to adopting a new service. The first group takes a more cautious waterfall approach where the other one takes an agile methodology. An agile group wants to experiment with the technology after some evaluation where waterfall group likes to evaluate in depth before experimenting. Both approaches have merit and should be used as appropriate.

agile approach
Regardless of the approach, any new solution should go through some rigor in the Proof of Concept (POC) phase where main capabilities were demonstrated by the vendor and tested by the IT team. The POC timeframe varies between solutions and approaches, but no shortcuts should be taken. Current vs committed roadmap features along with risks should be well documented. Pilot migration planning should be done on friendly users from the team who did the evaluation and/or offices locations which are least business critical (like labs and small branches). Enough soak and testing time is given during the pilot phase while full production planning is getting shape which includes change management requests, communication plan, schedules, automation, rollback procedures etc.

Post successful pilot comes a limited production rollout. The risks should be very carefully managed with all hands-on deck support and a clear rollback plan. A very thorough test plan should also be used to avoid any Monday morning blues.

Production rollout is ready when business has fully agreed and approved the new solution, a full communication plan along with schedules has been developed, and all support channels are ready. Timelines depends on the complexity and scale of the new solution. Once ready, teams generally move fast with batches of sites and users migrating at once. In many cases, migration automation helps tremendously. Careful observations should be made on the number of support tickets being generated due to the new solution. Similarly, constant improvements in migration windows should also be observed as teams are more comfortable and are using automation.

Then comes Sunsetting of the older solution which depends on many factors. Generally, it is contract dependent. If there is a contract term left on the solution, IT will consider keeping the old solution to go back to it in case disaster recovery when the new solution goes belly up. Eventually the older solution will be turned off with the return of equipment or reselling of the hardware.

old security vs new security

NaaS Example: Cloud Delivered Security Service

Traditional on-prem DMZ is slowly getting migrated or jointly served from a cloud-delivered security solution as in the case of SASE and SSE. However, for large IT shops, this isn’t that straightforward. For example, years and years of firewall rules, which BTW never gets cleaned up, must now be ported to the cloud solution.

Modern cloud security solutions are intent, and policy driven, therefore making a simple 1:1 copy of on-prem FW rules and pasting in the new cloud solution in not going to work. Serious upfront work is required in mapping the requirements to new rules and policy sets without compromising security. This requires mapping and transformation of the legacy policy to the cloud policy, add tagging, application recognition signatures (DPI), logging etc. As described in the best practices section above, pilot testing with knowledgeable friendly users is a must to clean up any mistakes and have practical learning. This will be followed by a controlled full production rollout with rollback plans in place. Care must be taken to reduce your blast radius such that in case of a major outage, the number affected users and applications are under control Types of issues to expect in such migrations are port exhaustion on the on-prem edge devices as more traffic is migrated to the cloud, Egress IPs and locations changing from customer-owned to cloud-provider which can have implications on geo-location services, IP filtering,and authentication issues. A new cloud security system may have different logging capabilities than on-prem service.  Integration with the existing SEIM (Security information and event management) systems must also be thoroughly tested.

Conclusion

NaaS promises many new agile capabilities with cloud and software-driven driven automation as its core components. Any new NaaS solution must go through a thorough evaluation, proof of concept testing, pilot rollout, and production deployment. Special care must be taken in evaluating any business disruption when deploying any new solution. Proper communication and a well-tested roll-back plan must be in place to bring the business running in case of a disruption caused by the new service.
Facebook
Twitter
LinkedIn
Pinterest
Reddit
WhatsApp