There are many reasons organisations may want to move all of their applications to the cloud, from avoiding the need to replace internal IT infrastructure yet again when it reaches end of life to, particularly for public sector organisations, moving away from expensive prime contractor or managed service contracts.

Moving applications such as your corporate email service to a public cloud SaaS service is straightforward. There are several high-quality services available plus tools to simplify migration, and prices are acceptable compared to on-premise service provision. The challenge comes in moving applications which may have been originally developed ten or more years ago and on which the business relies. These could be bespoke applications developed in-house, or specialist packaged applications which have been customised to organisational needs and where the software provider’s SaaS offering, if available, cannot accept the customisations. Few of the cloud services currently available offer the ability to easily transfer legacy applications and all the associated data onto them.

For example, Autodesk has a Software as a Service (SaaS) offer, but at present this only runs one version of the software and cannot accept customised applications or third-party developed add-ins. Similarly, organisations which have tailored their ERP applications to suit their needs and processes may be unable to find an appropriate cloud solution, and the same holds true for local authorities who have highly customised applications for services such as parking management and waste collection. Some application providers are developing their own SaaS strategy, but in many cases we have seen, it amounts to “We’ll park and maintain a dedicated version of your software on a public cloud service”, and they will charge you a considerable premium for the privilege of doing so.


For organisations that find themselves in this situation, there are some options available. One solution is cloud re-platforming onto Infrastructure as a Service (IaaS), where an organisation moves its application, as is or with minor enhancements, to operate from another provider’s infrastructure. This enables organisations to free themselves from having to own, operate and manage the infrastructure on which the application is hosted and the associated day-to-day responsibilities and costs of running it, while still maintaining the existing licence and support with the application provider.

However, with the public cloud, all that the cloud provider offers is the hosted VM (virtual machine); you will still be responsible for providing patching, resilience, back-up, security and application support and maintenance inside the instance (see Table 1). The service will also still need monitoring and management.  In my view, the best answer is Managed IaaS, offered by Fordway and a wide range of other suppliers through G-Cloud and commercial routes.

A second option is Platform as a Service (PaaS), where the cloud provider provides a secured and patched base application, such as a database or development environment, onto which the organisation installs and manages its own tailored application or code. Again, the organisation has to retain responsibility for maintaining the application itself, and most legacy applications will need redeveloping to work on publicly available PaaS services as these are based on the current versions; there are not many SQL Server 2008, Informix or Progress DB PaaS services. If redevelopment or migration to new platforms does not make business sense, moving to a suitable IaaS is pretty much the only option.

Table 1: what is provided with different cloud options


| | Service provider security responsibilities | Customer security responsibilities |
|---|---|---|
| IaaS | Control access to the hosted instance, good general security up to and including host and hypervisor patching and proactive infrastructure security monitoring | Securing access to the instance(s) and everything inside them plus security of integration between instances or contracting the provider or another third party to do it for you |
| PaaS | All the above plus OS and platform patching | Access and authentication to the service plus application and code patching for any service running on the platform |
| SaaS | Overall security of the service including responsibility for securing any client data hosted within the service | Authentication to the service and data transfer between service providers |


A third option is managed cloud SaaS, in which responsibility for all aspects of the application is transferred to a third-party provider or partner. The provider customises the service to the exact characteristics required, providing a tailored service while enabling the organisation to take advantage of cloud’s low costs, scalability and flexibility. The outcome is predictable costs, flexible billing, internally managed service delivery and clear, internally developed, robust SLAs, but this normally requires either significant customisation of the SaaS offering or acceptance by the organisation that it can work without the customisations and enhancements it has previously developed.

For organisations running legacy applications, a cloud solution is achievable.  They are likely to find themselves using the private cloud or managed IaaS as a staging point until more appropriate public cloud services become available. Whichever combination of cloud services is chosen, the organisation still needs to retain responsibility for ensuring that their chosen cloud provider offers and can meet the required SLAs and is suitably financially secure to continue to deliver the required service for many years to come.