APM Best Practices Can Help Organizations Plan and Manage Cloud Migration

Another IT initiative is in the news.  What does it really mean for you?  Is it an opportunity?  Or is it a distraction?  Whatever your perspective, it seems clear that internet computing standards have reached another plateau of standardization and capability, such that vendors see an opportunity to pursue new models of computing.

Looking at the cloud opportunity, there is not anything that can be viewed as  new, in terms application functionality.  The formerly proprietary standards for sharing data and services; private networks, electronic data interchange, credit card authorizations, etc. - are now supplanted by internet standards for achieving those same capabilities, and more.  That standardization is important because it improves access to the technology through uniform interfaces and vastly reduced cost.  Likewise, there is nothing new about evaluating if you are in a position to exploit the cloud.  You need to select appropriate applications, have supporting process capabilities and also some framework for evaluating your partners.  It can be a challenge today for many organizations to carry out these planning and assessment activities.  There simply have not been many opportunities for an IT group to refresh and hone these skill sets because the last 5 years have seen more focus on operating and cost reduction, rather than improving IT capabilities.

Organizations can restore these process capabilities for APM (application performance management) initiatives, with what is called the APM Best Practices.  What is surprising is how many of these practices (strategies, exercises and techniques) are exactly what you need to undertake when you are considering the cloud and what it may do for you. 

What's Really New about the Cloud

Much of the cloud discussion focuses on the solution architecture: SaaS, IaaS, PaaS and hybrid.  What is novel about the cloud is the distribution of responsibility for a portion of the application lifecycle.  Much the same as the revolution in software that moving from mainframe to distributed computing enabled, this decentralization of responsibility for a portion of your IT landscape has tremendous potential to change how we think about software systems.  Today, the majority of cloud solutions are focused on the operational or production phase of the lifecycle.  But there is growing activity to use the cloud for development, testing and monitoring.

Before you can consider any of these cloud models, you need to successfully address three themes on which cloud computing rests: deployment or workload automation, security, and shared management.  Whether or not you see any cloud initiates in your immediate future, you really don't have an opportunity to use the cloud, at any level, unless these three themes have already been addressed.

Three Themes Before You Start

You would have had to been stuck on a remote island to have missed all the discussion about virtualization the last few years, but this is what a major portion of your potential for cloud depends on.  Your candidate applications need to be virtualization-certified or you are limited to the SaaS model and replacing an in-house application with a cloud-based service.  This first process can be called Rapid Deployment and shows that you have identified all the steps to deploy your application such that any qualified system administrator can complete the deployment. If you were to pursue PaaS, for example, this is exactly what you provide to your cloud partner so that they can complete the deployment on their servers.  Virtualization simply extends this process by standardizing the packaging of an application and then automating the creation and deletion of additional instances of that application in order to meet varying transaction loads.  This elastic feature is an important benefit of the cloud as an efficient compute utility but what really matters to the cloud provider is that your deployment package follows a virtualization standard.

Data security is the next major question.  Your internal standards are the major blocker in terms of what you can do with the cloud.  Security issues are divided among data, authentication and process protections and you need to understand what each candidate application requires and what may be distributed to your cloud partner.  For example, if you keep all your data, you still need to provide an authentication service to allow remote access.  Those authentication servers are usually something you will look to have hosted, with that security responsibility owned by the cloud provider.  It's not much but, depending on the number of users, it is something that can generate some savings overall.

The next level up would be to transfer the data to the cloud provider, who would then encrypt all of that data while you retain the encryption keys.  This neatly addresses security concerns but has the potential to slow down access to the data.  Encryption and decryption takes time, which can be significant for your overall end-user experience.  A focus on data security also addresses concerns when you are hosted in a shared environment, where you have to evaluate the protections available at the virtual machine level.

Whatever distributed architecture your security team allows, you really need to understand the performance characteristics, before and after your move to the cloud.  That visibility is what APM techniques provide and why it is helpful in establishing and monitoring your SLA for cloud performance.

You Manage What You Measure

Sharing management of the application, in terms of availability, performance, capacity and end-user experience is critical to the definition of your SLA (service-level agreement) - which will be the basis for your contract with the cloud provider.  You will only get what you negotiate and this highlights a major gap in many organizations - that they really don't understand the performance capability of their candidate applications.  An easy criteria to assess if a candidate application is suitable for cloud operation is "how well do you manage and understand the end-user experience?"  This is today one of the major benefits of moving to the cloud - using the elastic compute capability to ensure good response time, no matter the user load.  If this is something you don't really care about or that you don't have visibility into - cloud is likely not an interesting option.

Getting that visibility is what an APM initiative provides and it might be something that your cloud provider can help you with.  From the cloud provider perspective, you want applications that are well managed and have well-known performance characteristics.  When the client doesn't know their application's performance characteristics - this raises a big red flag, so having some facility to evaluate performance is really going to be critical for the cloud provider, as many clients will simply not be at that level.  This brings us to a second critical APM process called the Application Audit.  This is where the performance characteristics of the candidate application are investigated and results in the validation of thresholds, alerts, and reporting, which the cloud provider needs to work with.

Finding Applications That Matter

So far we have touched on a sprinkling of criteria that can help you assess if you have an application suitable for the cloud.  We can formalize this a bit by looking at a third APM process called the assessment - specifically the Application Survey.  This is a form-based interview, usually filled out by the business stakeholder for the candidate application that provides a summary of the information you need to evaluate what type of monitoring visibility you might provide, as part of an APM initiative.  The advantage of this survey is that you can get a lot of stakeholders to contribute in a standardized fashion, and so make it possible to identify if you have some real opportunities for the cloud, virtualization, and monitoring.  This is something that IT shops should always be doing so that they have real data on hand when opportunities for investment or new initiatives pop up.

Another dimension of the assessment practice is called Incident Analysis.  This is where you evaluate the potential of APM to improve the overall quality of the application, provided that you can correct the configuration and code defects that can occur.  You make a direct analysis of the available incidents, reducing that large collection of data down to a few charts.  While you are focused on improving software quality, for the APM initiative, you also make a nice presentation of the proportion of incidents attributed to platform and network issues.  When these incidents dominate, you have the data to justify a migration to IaaS or PaaS cloud architectures as a means to alleviate those volumes of incidents.

Yet another assessment dimension is the Skills Assessment, which is used to evaluate what gaps exist for an APM team, in terms of skills, processes and  competencies so that they can be remediated and get them back on track.  With critical competencies for APM that track the progress and maturity of the organization identified - why not extend these to the cloud as well?  Moreover, why not assess your cloud provider, using these same assessment techniques?  Let's look a little deeper at the audit and assessment processes.

Auditing an Application for Manageability

An Application Audit is an exercise of the application under simulated load and with APM deployed.  This is used primarily to confirm that I have the correct monitoring configuration and visibility.  When the load is accurate, you can also determine the performance baseline for the application.  This identifies the key software and interface components, memory profile and other characteristics and allows you validate thresholds for alerting.  When you can audit an application, you eliminate many of the surprises that a new application brings to your environment.  It's a feature of APM technology that you do not need a full production load in order to detect potential problems, but improving your load generation capability will enhance your forecast of performance and capacity for the application.

If you are unable to generate load and obtain detailed performance measurements, then you have little choice than to collect those measurements after deploying to production.  That path is simply full of risk and you can expect that cloud providers will audit your application, even when you do not, so that they can avoid bringing a troubled application into their environment; using your APM technology or providing their own.  At the very least, charging a price that will balance the trouble they are about to incur.

When your cloud vendor is providing a test environment, with load generation and APM visibility, this is an "on-boarding service."  They will also have a Rapid Deployment competency, a virtualization practice, and likely an assessment and planning service.  If you don't have those capabilities already then that is what you really need from a partner.  Otherwise, you are both going to suffer while the inevitable kinks of an unmanaged application are worked out.

Assessing cloud vendor skills and processes

The relationship with your cloud provider is defined by security, virtualization and monitoring, or SVM.  This is summarized by an SLA which determines the fees, goals and penalties, but before you spend time there, assessing the vendor SVM will help you understand if you have the right partner for the project.

The CSA (Cloud Security Alliance) has already defined the security attributes that your vendor should provide.  This breaks down to building security, operating system security and network security.  The details are in the Skills Assessment worksheet.  There is also a section for the Client Security processes that should be established.  Who owns these processes can vary but you have to make sure someone has each responsibility - and that's what the worksheet allows.

The next section is for Compliance Considerations.  This is obviously dependent on the business vertical you are operating in and I've only indicated an example list but professional in the banking and insurance industries should know what the rules are.

The final section is for Performance Management.  What is getting measured and the frequency that it is reported.  How are incidents going to be handled and what is the minimum criteria for acceptable operation?  There are lots of measurement strategies that can be used but you want to use a measurement that you already have some experience and history.  Otherwise, you may be disappointed in the results.

Assessment tools are two-edged swords.  They evaluate the preparation of both your vendor and your own organization.  Your ability to complete the client-side of the assessment is just as important as what your vendor completes on their side.


Cloud computing is a technology plateau.  Getting to that plateau requires addressing the technical foundation enough of a benefit for now; automation, security and management, as well as cataloging potential candidates for a migration to the cloud.  The cloud may not fit your application landscape but getting your technology foundation established is something you can do immediately to reap those benefits now.  Companies that do will be in a much better position to answer the question about moving to the cloud - when those opportunities present themselves.

Additional Material

The documents mentioned in this article can be found at:

You can also participate in the conversation at  A full discussion of the APM processes mentioned here can be had in Michael Sydor's recent book APM Best Practices - Realizing Application Performance Management and is available today on and