Skip to main content

NHS Cloud exit strategy

Page contents

Cloud Centre of Excellence - NHS Cloud strategy

Let us know what you think about the Cloud Centre of Excellence (CCOE) strategy.  

When working with partner organisations there is always a risk that changes in either organisations priorities or business model may adversely impact the services they provide. Equally where an organisation is running services on behalf of the NHS disruptions to the services, they provide can impact the NHS. While the geographically dispersed nature of hyperscale cloud providers services reduces the risk associated with service disruption.

The risk of building on proprietary services is harder to mitigate and while there is clear value in utilising the “heavy lifting” a vendor is performing in providing a platform or component as a service. An amount of care is needed to ensure that any migration can be done in a structured way which minimises the risks to the solution and its customers.

This is not to state that cloud computing is an unreliable outsourcing option. On the contrary, many cloud computing services are often more reliable, than alternative hosting options or on-premises systems. A cloud computing provider's business model depends on its ability to provide secure, reliable IT services. These Cloud service providers build a robust infrastructure and pay particular attention to security and reliability.

We believe there are a small number of issues that would create a need to exit a vendor's platform entirely.

Examples include:

  • a competitor's SaaS solution has grown beyond the capabilities of the one in use. In this case, an exit may be needed to acquire new features and capabilities needed to grow or keep the business competitive
  • a cloud vendor decides to exit a market completely
  • regulations introduced in one country might force the exit from cloud providers hosted in that country due to incompatibilities with such things as data privacy regulations
  • political actions were taken by the UK or international government

There would be substantial and immediate challenges in an occurrence of any of the above. NHS and healthcare organisations must make risk management and mitigation an essential part of their cloud adoption plan. For NHS and healthcare organisations that are just starting their cloud adoption, a cloud exit plan must be clearly defined before the first application or data is hosted in the cloud. For organisations that are already consuming cloud services without an exit plan, remedying that oversight is essential.

Creating a Cloud exit plan

Best practices to follow during the creation of the plan.

Plan for parallel hosting
Plan for parallel hosting

Expect both the current and new environment to run side by side. Running applications in parallel allows you the luxury of building and configuring the new environment, as well as migrating the data while the existing application continues to serve its purpose, even if it is in a degraded state. Running parallel environments is especially important when the application must be refactored significantly. For example, if the application is being pulled back in-house and being run on a different platform, extra time may be needed to get everything functioning smoothly.

Understand data migration options, especially for bulk datasets
Understand data migration options, especially for bulk datasets

Migrating large amounts of data to/from a cloud provider can be challenging, so keep the following in mind:

  • cost: Some providers charge per byte of data moving in or out of their network, so don't forget to factor these costs into the plan.
  • time: Assess the network connections and movement options between you and the provider or between the old and new provider and estimate the time needed to copy the data. If the dataset grows significantly over time, this should be factored into the estimate.

For large datasets, it may be quicker to look at drive shipping options where data is copied to a portable hard drive and shipped to the secondary site. This option becomes increasingly attractive once the time to complete the network-copy option exceeds the typical shipping time.

Estimate project costs and timeline
Estimate project costs and timeline

The exit plan will take both time and money to complete, so include estimates for both in the plan. These time and cost estimates are critical for the triage team to make an informed decision when determining exit viability.

Include the business continuity preparations in the plan
Include the business continuity preparations in the plan

Doing this properly will protect the application against the inability to exit if the primary provider is unavailable or the data has been lost.

Apply practical cutover methodology
Apply practical cutover methodology

At some point in the migration, a logical "switch" must occur from the old to the new provider. This may entail a series of user acceptance tests as well as data quality checks. As with any other life cycle management project, schedule the cutover and associated downtime, communicate to users and stakeholders, and plan a rollback option should the migration not go well.

Determine the testing methodology
Determine the testing methodology

All exit plans be put through at least an initial paper based dry run or test exercise to further vet the plan's accuracy and its steps.

The Cloud Centre of Excellence and Cloud Board should ask themselves questions like:

  • do we want or need to test the exit plan before a possible future forced exit
  • how often should the test be run — once, quarterly, annually
  • should a development or testing environment be maintained strictly for regular testing of the exit plan?

Keeping these best practices in mind, the next step is for the Programme and Project team to create plans for each application. Typically, organisations have processes in place for creating application design, installation, life cycle, and migration plans.

Application exit plan

Individual exit plans will be shaped by the cloud provider, cloud layer, alternative provider, type of application, amount of data, interdependencies, integration points, user base and much more. In most cases, the plan will vary based on whether the application will move to another cloud provider, hybrid hosting or back on-premise. Recommended areas to consider in the application exit plan is the following components, which are common to all exit-planning scenarios

  • application movement plan
  • data movement plan
  • security and identity and access management (IAM) plan
  • management plan
  • personnel plan
  • business continuity plan

Application movement plan

The difficulty in moving an application from one public cloud provider to another provider depends on the cloud layer used to host the application. In short, the challenges in moving an application increase as we move from IaaS to PaaS to SaaS, because of the increasing reliance on proprietary features in the platform. The table below outlines the challenges for each scenario.

Application movement challenges

By different scenarios: 

Moving from one SaaS application to a different SaaS application

Challenges

  • data migration
  • user training
  • changes in functionality
  • establishing business relationship with new SaaS provider
  • downstream impacts to other applications caused by API and data format changes
Staying with the same SaaS application but changing hosting provider

Challenges

  • establishing business relationship with new provider
  • data transfer to new provider
Moving application based on one Cloud Service Providers (CSP) PaaS to a different CSP

Challenges:

  • really an application-porting exercise because the application may need significant rework to function on top of a different PaaS
  • may require additional work to create PaaS services missing at the target site
  • data stored within PaaS services will have to be exported from the current provider and imported to the new provider; this may require reformatting of the data
Moving application based on third-party or open-source PaaS to a different CSP

Challenges:

  • assuming the same PaaS framework is available on the other cloud provider, or can be installed on top of IaaS, this type of move is relatively straightforward
  • if your organisation must install and maintain the PaaS, the expertise gained on the current provider may need updating.
  • fata will have to be moved, but data translation/reformatting will be minimal
  • provisioning scripts and other application management artefacts will need to be updated to match the provider
Moving from an IaaS implementation that uses proprietary cloud services to another IaaS cloud

Challenges

  • any proprietary services from the current CSP will have to be replaced with comparable services at the new CSP; for example, if the application uses the provider's databases as a service or load balancer, these services will have to be replaced
  • if no matching service exists or the service on the new CSP lacks critical features, it may be necessary to look for third-party solutions to enhance or replace the service on the new CSP
  • provisioning scripts, VM sizing and other application management artefacts will need to be updated to match the provider
  • data may have to be reformatted to load into services at the new provider
Moving "lift-n-shift" applications between providers

Challenges

  • in this case, the application just consists of virtual machines and data, no proprietary elements of the IaaS providers service are used
  • the application can be re-created on another provider with relative ease
  • provisioning scripts, VM sizing and other application management artefacts will need to be updated to match the provider
  • data will have to migrated but will not need to be translated to a new format
Moving application between service types (i.e., IaaS to PaaS,)

Challenges

  • significantly more challenging than moving between the same service type on different providers
  • like to require significant development resources
  • only really possible for applications the organisation controls (i.e. in-house developed), or for off-the-shelf applications where a SaaS option becomes available

Regardless of which scenario applies from the table above, extensive testing will be required after the application migration, and this must be included in any migration plan.

Moving any public cloud application back on-premise presents different challenges. In most cases, on-premise hosting capabilities fall short of the capabilities offered by the public cloud provider in terms of feature set. However, as time passes, an organisation may find that its on-premises services have matured to the point where it can now offer competitive application hosting to the public cloud provider. Here are some important aspects to keep in mind based on the cloud layer.

SaaS

The biggest challenge may be persuading the provider to support the application outside of its own SaaS offering, in which case, a new application will have to be selected. Assuming that moving the SaaS application in-house is an option, the organisation must assess its ability to host an entire stack (i.e., infrastructure, platform, and application). In many cases, SaaS solutions fulfil a niche need in the market and are something that is not a core skill set within the organisation. Organisations must consider the time, effort, and long-term desire to build an entire application stack and support it over the long run.

PaaS

Moving an application from public PaaS to in-house must focus on an assessment of the specific platform capabilities offered by the public provider. Key questions to ask in this scenario are

  • does the organisation have the skills and experience to deploy the PaaS layer in-house?
  • is a PaaS layer available that is API-compliant with the offering currently in use?
  • how much of the application will have to be modified/rewritten to conform to the new PaaS layer?
  • does the level of integration between development tools and application deployment infrastructure match development velocity requirements?

IaaS

The most straightforward internal exit is at the IaaS layer, but the same precautions apply as moving between two public IaaS providers (listed previously) in terms of hypervisors, features, provisioning models, and APIs. It's also important to consider such issues as data centre capacity, ability to meet availability requirements.

Data movement plan

Several potential data challenges exist when moving applications.

Quantity of data
Quantity of data

Sheer volume of data can be a challenge. At the very least, it may be expensive and time-consuming to move the data.

Data format
Data format

The data may not be in a format that can be directly read at the new location. It may need to be exported to some common denominator format such as XML or comma-separated values (CSV) and imported to the application.

Other users of the data
Other users of the data

In some cases, a dataset may be used by more than one application. Relocating the data may require relocation of other applications if the organisation doesn't want to suffer lower performance or higher costs for the other applications.

Missing functionality
Missing functionality

While it may be possible to dump the data into a format that can be read by the new application, there may be elements of the data that simply don't translate. For example, access control metadata, such as who can read/write the information, may not be translatable in any meaningful way.

Reports and dashboards
Reports and dashboards

All the reporting systems built around the existing dataset may have to be re-created as part of the move and depending on the functionality of the target system this may not be possible.

Costs
Costs

In most cases, the old provider will charge an egress data rate, while the new provider will not charge an ingress data rate.

Security
Security

Security is the responsibility of the organisation moving the data. This means that, if the IT organisation decides to write a script or application to move the data, it is the IT organisation's responsibility — not that of the providers — to secure and verify the data transfer.

The hardest problem to solve relates to the use of proprietary services from your current cloud provider. The problem is that while other providers may offer functionally similar services, the APIs and low-level capabilities, and data formats may be different, so a simple one-to-one mapping of services between providers isn't good enough. As a result, applications that make use of proprietary services at the current provider will require changes when moving them to a different provider.

Moving the application back in-house is no easier than moving to another provider, where all the issues outlined in this section still apply, as well as

Lack of functionality
Lack of functionality

The cloud application may be using services that are not typically found in the enterprise, such as object storage and NoSQL databases. Organisations will have to either implement these services in-house or modify the application to remove the dependency. 

Data storage requirements
Data storage requirements

One of the benefits of public cloud is the near-limitless capacity, so long as customers don't mind paying, Cloud companies will expand their infrastructure to meet the demand. Traditional data centres cannot match this elasticity due to constraints on floor space, power, cooling, and budget. So moving an application with hundreds of terabytes or even petabytes of data out of the public cloud may not be feasible.

Security and identity access management plan

Although all public providers have good options for security and Identity Access Management (IAM), they vary widely in implementation. As a result, every provider is different, and there is little or no portability of IAM and security policy metadata between providers.

NHS and healthcare organisations considering moving an application from one provider to another should start by identifying each feature or control (for example security monitoring, intrusion detection, and firewalls) in use at the existing provider. The next step is to map those capabilities onto the new provider and plan how to create similar functionality. For example, if the primary cloud provider handles server-side encryption and key management as a service, but the alternate provider does not, the application team must build a key management capability and encryption service implementation at the new provider. Alternatively, the organisation can buy something comparable from a third party.

Because IAM is handled very differently among leading providers, it's important to consider all the administrative and user accounts, policies, and controls that must be migrated and define processes to

  • export all existing IAM accounts, roles, delegated access, and policies assigned at the primary provider
  • re-create a comparable structure at the alternate provider and
  • define the process to force users to create new passwords

Many of these problems with IAM can be avoided by implementing identity brokers that centralise IAM access across multiple providers. Additionally, the use of federated directory services can greatly reduce the complexity of application integration middleware (AIM), especially across multiple providers.

Management plan

Enterprise management is the core of IT operations and is critical to ensuring compliance with regulations. Unfortunately, large public cloud providers represent islands of management, largely relying on the cloud service provider's own tooling to monitor the infrastructure and applications, and with little or no ability to work with other cloud services. As a result, moving to an alternate cloud provider inevitably disrupts enterprise management processes built around the current provider. Processes like asset, change,  configuration, incident, problem and financial management are all sure to change, and the exit plan must take this into account.

In addition to changes to system management and monitoring, application teams must plan for changes to the processes that result from moving to a new provider. For example, the application team may rely on standard logging of all cloud events, such as create and terminate, at the primary cloud provider. Moving to a new provider without a similar logging service could mean the application team must establish its own audit logging system for these same cloud events.

In some cases, leveraging a third-party cloud management broker might facilitate or abstract underlying provider changes and allow organisations to change providers without as much disruption.

People plan

Systems are defined as a combination of people, processes, and technology, so it's unwise to move an application without thinking about the impact on the skills of your people within your organisation. A people plan must be structured to account for:

  • administrators: Staff responsible for managing the application will have to become familiar with the management capabilities of the new platform
  • support staff: Staff responsible for end-user support on the application must be familiar with the new platform and make changes to support documentation where necessary
  • end-users: At the end of the day, end-user familiarity with the new application is critical to a successful migration. It doesn't matter if the new application works perfectly if the users can't work out how to use it

Business continuity plan

The Business Continuity Plan (BCP) typically encompasses such things as backup and recovery, as well as Disaster Recovery. It can impact the exit plan at two levels:

  • aid to exit planning
  • exit plan invalidates the business continuity plan

Aid to exit planning

One of the key concepts in Disaster Recovery (DR) is the recovery time objective (RTO), which defines how long any failover to the DR site should take, with more critical applications having RTOs measured in seconds. The cost of meeting the RTO is inversely proportional to the length of the RTO, i.e., the smaller the RTO the higher the cost.

The concept of an RTO can be extended to exit planning, where it's critical to determine how quickly an application must be able to exit the current provider. For example, if the application owners are happy to wait for months while the exit plan is implemented, costs will be low. An application that must be prepared to exit in days will have a much higher cost.

In some cases, it may be possible to combine the DR implementation with that required for the exit plan. In effect, the same procedures are followed in both cases and the alternate site for the exit plan and the DR site is the same. This is particularly attractive in situations where the RTO and the "time to exit" are similar

  • there's no need to run a DR site and a hot exit plan site, which significantly reduces cost
  • the same procedures can be used for a DR failover and the exit plan
  • testing of DR and exit plan operations can be carried out as a single exercise

The challenge is that typically, the DR implementation does not involve changing providers. That is, in a typical DR scenario, the primary and secondary sites would be in different data centres run by the same provider.

Setting up a remote DR site at an alternate provider requires addressing multiple challenges, such as:

  • dross-provider data replication
  • IAM across providers
  • building the application in a way that can work across providers
  • re-routing incoming connections when one provider fails

However, many of these problems will have to be solved as part of the exit plan, so the additional work is not as great as it appears at first glance. Building a DR configuration across providers is not something that makes sense for many applications, but in cases where RTO and engineer to order (ETO) are similar, the extra expense and complexity may be worth considering.

Exit plan invalidates the BCP

Changing providers will have a significant impact on standard BCP, such as backup and recovery, site-to-site replication, and disaster recovery. Key issues to address are

  • impact on backup and recovery operations, such as where and how data is backed up when the provider changes
  • any DR plan that involves a secondary site for hot/warm/cold standby must be modified to reflect the new provider
  • data copies resulting from backup or DR operations held at secondary sites belonging to the current provider must be erased once the exit process is complete

Further information

internal NHS Cloud strategy primer

This primer provides an overview of public clouds and focuses on specific areas of importance for public NHS and healthcare organisations.

internal NHS Cloud policies and guidance

Share our Cloud policies to establish a baseline understanding and adopt best practices of cloud and internet first across your organisation.

internal NHS Cloud Strategy adoption plan

To help NHS and healthcare organisations get started with understanding how to adopt cloud and what the impact will be on their server, infrastructure, and applications we have provided information on public cloud adoption best practice. 

internal Benefits of Cloud

This guidance is designed to highlight the many benefits cloud services can bring to the NHS or healthcare provider, and how using the cloud can support your digital transformation.

internal Choosing a Cloud migration strategy for applications

A workload assessment is an essential tool to structure and communicate your application transformation roadmap. It allows informed decisions on how each application in the scope of a transformation will eventually touch the cloud.

internal Role guidance on Cloud

To provide guidance in your organisations cloud adoption when you have created 6 guides focusing on key areas of your organisations and the NHS Cloud Strategy, principles, policies and guidance is relevant to your role.

Last edited: 5 July 2023 5:02 pm