An increasing number of organizations are moving their resources to the cloud. This migration, however, is accompanied by concerns about how to handle the migration process itself and the configuration of the new environment. The answer is the landing zone, which facilitates secure migration of resources to the cloud and simplifies provisioning them in the future.
What is a landing zone?
A landing zone, also called a “cloud foundation,” is the initial configuration of the cloud environment, which enables everyone to efficiently migrate and run applications in the cloud in an ongoing and scalable manner. A landing zone ensures that existing applications are moved to the new environment without interrupting the organization’s operations.
What is a landing zone and why you should have one
When building your space in the cloud, it is a good idea to start by laying a stable foundation for current and future systems that will fully use the advantages of cloud computing. “Landing zone” is the name we give to this stable foundation.
If you have a well-implemented landing zone, launching or migrating additional systems is faster and does not require you to decide each time how to manage identities or how your network should be configured. All these elements should be defined when building the landing zone.
The effort invested at this stage significantly accelerates the further stages of the organization’s digital transformation. With the landing zone in place, putting more applications in the cloud will be much smoother. The practical importance of the landing zone becomes apparent during the client’s deployments.
Landing zone in regulated sectors
For companies and institutions operating in regulated sectors (e.g., finance, healthcare) or public administration, there are many guidelines, regulations and recommendations on how they should take care of the architecture and configuration of their IT services. It is a priority for them to ensure a sufficiently high level of security of the data processed. Building a landing zone is a good time to technically prepare the IT environment for legal compliance with all types of regulations applicable to the specific organization. A well-configured landing zone allows you to launch further services in line with these requirements, allowing you to focus on business growth without generating additional legal risks.
What are the key aspects and issues in building a landing zone?
The needs related to the required resources may vary between organizations but also within a single organization. For example, critical systems may have higher security or backup-related requirements. Therefore, the structure of every landing zone should be approached individually. There are, however, some areas that any well-prepared landing zone should include:
1. Identity and privilege management
Security in the cloud environment is founded on identity and privilege management. On the one hand, public clouds have built-in security features to manage this area. If properly configured, they can effectively secure a cloud environment. On the other hand, identity credentials in a cloud environment allow access to various services. Therefore, any errors in this area are very dangerous for the entire organization. Identity and privilege management in a cloud environment are the primary things to be considered when building a landing zone.
The landing zone determines how new accounts that can authenticate in the cloud environment will be created. To ensure the highest possible level of data security in an organization, identity and privilege management services must be properly designed and implemented.
2. Encryption and key management
When laying cloud foundations, one should not overlook issues related to cryptography, which is responsible for environment security. The landing zone allows you to take account of the requirements (strategy, procedures) of both the internal Compliance Department and the external regulator.
As a rule, the cloud provides encryption with a platform-managed key. It is also possible to provide your own key and encrypt data in line with the organization’s internal security regulations. For some organizations, regulatory bodies require them to encrypt data with their own key. Defining processes for the storage and management of keys, certificates and passwords at the landing zone design stage ensures efficient and secure deployment of new applications and systems.
3. Organizational structure
This topic refers to the division of the cloud environment in order to separate production environments from test or development environments, and to the allocation of projects and resource groups to different layers or business workflows. Creating an organizational structure makes it possible to reflect the specific nature of the business or institution in the cloud and simplifies management.
A properly designed resource structure, a naming convention for provisioned resources and a method of assigning permissions will greatly facilitate future work as the organization grows. The more employees and projects underway, and the richer the archive, the more complicated the process of granting and revoking privileges, setting up new resources, etc.
4. Cost management
The public cloud has budget control tools available that can also be configured as part of your landing zone. The tools allow you to oversee fees and allocate costs to individual projects and business initiatives.
The sooner cloud cost management methods are developed and implemented in an organization, the lower the risk of losing control over this important aspect of the business. Configuration of budgets and alerts ensures transparency of the costs of provisioned resources. This makes controlling changes in the cost of cloud environments more efficient and predictable. Understanding and structuring budget issues will also make it easier to prepare business cases for migrating further solutions.
5. Mechanisms for resource provisioning and management
Running a single virtual machine or setting up a VPN connection to your own infrastructure is a relatively simple task. However, the scale of the challenge increases with the size of the organization. Migrating hundreds of applications or running the same number of virtual machines is time-consuming and carries the risk of configuration errors that could, for example, compromise the security level of the entire environment.
The solution is IaC (Infrastructure as Code), or the automation of the process of provisioning and modifying environments. This makes it possible to use best practices known from software development to manage the infrastructure, including full control and the ability to undo changes if anything is misconfigured.
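As an added example (not code from this article or from any cloud provider), here is the kind of pre-deployment check that managing infrastructure as code makes possible: a small Python guardrail run over a declared resource plan. The field names, the naming pattern and the sample plan are assumptions constructed for illustration.

```python
import re

# Hypothetical landing-zone rules; the field names and naming pattern are
# assumptions for this example, not a cloud provider's schema.
NAME_RE = re.compile(r"^(prod|test|dev)-[a-z0-9]+-[a-z0-9-]+$")
REQUIRED_TAGS = {"cost_center", "owner"}

def check_resource(res):
    """Return a list of guardrail violations for one declared resource."""
    problems = []
    name, env = res.get("name", ""), res.get("environment")
    m = NAME_RE.match(name)
    if not m:
        problems.append("name does not follow <env>-<project>-<purpose>")
    elif m.group(1) != env:
        problems.append(f"name prefix '{m.group(1)}' contradicts environment '{env}'")
    missing = REQUIRED_TAGS - set(res.get("tags", {}))
    if missing:
        problems.append("missing tags: " + ", ".join(sorted(missing)))
    # Regulated data must use a customer-managed key, not the platform key.
    if res.get("data_class") == "regulated" and res.get("encryption_key") != "customer-managed":
        problems.append("regulated data requires a customer-managed key")
    # Environment separation: a resource may only attach to a network that
    # carries its own environment prefix (assumed naming: '<env>-...').
    net = res.get("network", "")
    if net and not net.startswith(f"{env}-"):
        problems.append(f"network '{net}' belongs to another environment")
    return problems

def check_plan(plan):
    """Map resource name -> violations, omitting compliant resources."""
    checked = ((r.get("name", "<unnamed>"), check_resource(r)) for r in plan)
    return {name: problems for name, problems in checked if problems}

# Constructed sample plan, as an IaC tool might export it before deployment.
SAMPLE_PLAN = [
    {"name": "prod-payments-db", "environment": "prod", "network": "prod-core",
     "data_class": "regulated", "encryption_key": "customer-managed",
     "tags": {"cost_center": "cc-100", "owner": "payments"}},
    {"name": "prod-payments-archive", "environment": "prod", "network": "test-core",
     "data_class": "regulated", "encryption_key": "platform-managed",
     "tags": {"owner": "payments"}},
    {"name": "ReportingVM", "environment": "dev", "network": "dev-core",
     "data_class": "internal", "tags": {"cost_center": "cc-200", "owner": "bi"}},
]

if __name__ == "__main__":
    for name, problems in check_plan(SAMPLE_PLAN).items():
        print(name, "->", "; ".join(problems))
```

Run in a review pipeline, a non-empty report blocks the change before anything is deployed, which is where the undo and review practices borrowed from software development pay off.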
6. Network and internet access
A well-designed landing zone covers both the current needs of the organization and the future target architecture of the network and connections.
Which addressing should be used in a cloud environment? How can internet access to services be provided optimally and, most of all, securely, and how should network traffic be controlled? The landing zone answers these questions. Decisions made at this stage will allow the cloud environment to grow without you having to worry about future scaling or the ability to communicate with local infrastructure.
7. Monitoring and event logging
One of the biggest risks in the infrastructure is a lack of awareness of the events and incidents that occur in it. In the cloud, too, it is extremely important to properly log events and metrics on running services and their resource usage.
Properly configured monitoring and event logging make it possible to scale resources and track their performance, but also to respond to potential downtime or attempts at unauthorized access to the infrastructure.
This stage of building your landing zone is also the right time to decide on the tools to support the process. Is it better to use native cloud services, or would a local SIEM work much better?
Can you build a landing zone on your own?
Of course you can, but it is not always cost-effective. The less experience an organization has with cloud environments and the more extensive its IT resources (number of applications, amount of data, regulated market), the more cost-effective it is to work with an external partner.
OChK has people experienced in cloud environments, as well as in implementations in regulated markets, which translates into both a shorter landing zone preparation time and a lower risk of error. Having your landing zone built by an external partner also means offloading your internal IT department in the migration process. Provided with support in setting up the environment, your administrators can focus on migrating applications and providing ongoing user support. We look forward to cooperating with you!