Founded in 2009, UnifyCloud is a company focused on Cloud, Cybersecurity and Compliance for Enterprise IT. UnifyCloud developed the CloudAtlas integrated suite of Cloud Migration Tools to provide automated support to DevOps through the entire application lifecycle of migrating to the cloud, and for cloud-born applications. Below is our interview with Marc Pinotti from UnifyCloud:
Q: Marc, could you tell us something more about the company and your core competence?
A: Traditionally, on-premise Enterprise IT departments have had separate roles and responsibilities for Development, Test, Operations, and Security. Today these roles are compressed into one: DevOps. Historically, major platform migrations came along every 3-5 years, allowing plenty of time for migrating from, say, Windows Server 2003 (WS03) to Windows Server 2008 (WS08). Now, Cloud Service Providers (CSPs) such as Amazon Web Services (AWS) and Azure releasing new services at an hourly rate.
Enterprise IT are asking DevOps to assume the expertise of four roles, with hours instead of years between CSP platform changes. It is not reasonable to expect a DevOps resource to exhibit deep expertise across all domains: Development, Test, Operations, and Security. This is compounded by the acceleration of changes in underlying platforms from 3-5 years to CSPs releasing at cloud speed, which means, on average, hourly changes.
UnifyCloud developed the CloudAtlas® integrated suite of Cloud Migration Tools to provide automated support to DevOps thru the entire application lifecycle of migrating to the cloud, and for cloud-born applications. Our leadership is focused on Cloud, Cybersecurity and Compliance for Enterprise IT.
Migrating to the cloud is a journey, not a destination. There is no “once and done” with cloud migration. Applications change, threats change, and CSP platforms change hourly. Integrated automated tools are the only way for enterprises to manage the complexity of application lifecycles in the cloud. This is true whether the application is ‘cloud born’ or a Line of Business (LoB) application being migrated to the cloud. CloudAtlas developed a suite of tools to help enterprises along the journey, some used at beginning, some along the way, some used on an ongoing way. CloudAtlas looks at migration process and challenges holistically and in a fundamentally different way to support cloud migration and applications.
Enterprises have developed millions of LoB applications that need to be securely migrated to the cloud. An integrated, automated cloud migration suite is the only viable solution. Effectively migrating from a traditional, on-premises IT environment to a Hybrid IT environment that may include elements of Software as a Service (SaaS), Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) requires a logical, integrated suite of tools-based approach.
Organizations cannot simply jump to the Cloud. There needs to be a phased evaluation and plan to move to the Cloud, we use a three step migration process. For DevOps to succeed at cloud speed, integrated, automated tools are necessary to support DevOps at every phase of the migration lifecycle:
• Discover & Assess – Assesses your infrastructure to create an inventory of IT assets, applications and workloads that are candidates for the Cloud: SaaS (replace), IaaS (relocate), and/or PaaS (refactor/rebuild). It uses criteria such as data compliance requirements, architecture, hardware dependency, software end-of-service, ROI, security, and criticality.
• Target & Migrate – Once you have identified applications that are candidates for IaaS or PaaS, our products determine the specific services required (e.g., Compute, Storage, Network), validate at the line of code level what refactoring is necessary, remediate, and test against PaaS standards you develop. This same process is used for new “Cloud-born” applications as well as for LoB applications.
• Monitor & Report – Using a baseline of enterprise standards for Cloud IT controls, best practices and GRC, our products monitor and report on application compliance as PaaS environments evolve, applications are changed, and enterprise standards are updated to address changing threat environments relative to the baseline(s).
Recommended: CloudCodes SSO1 Brings Anti-Phishing Control, Biometric Authentication And Quick Onboarding
Q: You’ve recently announced the release of CloudAtlas; tell us something more?
A: CloudAtlas provides an Enterprise IT organization with:
• Cost-effective ways to quickly assess the various Cloud migration options they have along with associated costs of those options compared to today’s standard on-premises cost model;
• Detailed estimates on what it will cost to remediate critical line of business applications generated in a fraction of the time and cost often quoted by large application migration firms;
• Technical, code-block level roadmaps on each recommended change that will reduce the cost of migration, promote standardized Cloud development practices, and leverage scarce Cloud skills; and
• Monitoring tools, at both subscription and enterprise levels that alert application owners when any standard settings or controls have drifted from compliance and support fast remediation.
Moving to the Cloud is not a “once and done” process. Cloud solutions offered through SaaS, IaaS and PaaS continue to evolve with feature-level updates hourly by major Cloud vendors. Effective monitoring of applications in the cloud is a key component of staying secure and compliant. A challenge of this is that a DevOps resource is asked to be knowledgeable on Development, Test, Operations, Security, the CSP Platform, and application code. CloudAtlas integrated tools ensure the success of DevOps.
Q: Could you explain the most prominent advantages of your CloudAtlas?
A: CloudOrigin® is the underlying knowledgebase that supports CloudRecon®, CloudPilot® and CloudSupervisor®. CloudOrigin serves as a single authoritative resource for DevOps, across Development, Test, Operations, and Security.
We keep the CloudOrigin knowledgebase current as new services, settings, guidance, and compliance are released on Azure. Typically, we update the knowledgebase within two weeks of services going public. This serves as the authoritative resource for DevOps as they proceed thru the application lifecycle.
Our knowledgebase can be further customized by Enterprise IT to suit their particular needs, for example Financial Services, or Healthcare. The ability to customize means Enterprise IT Departments can produce authoritative guidance and drive best practices in terms of security and compliance; it also drives best practices in terms of providing sample code for developers to use in particular scenarios.
Recommended: Talari Networks Changes The Way Companies Think About, Create And Manage Their WAN
Q: UnifyCloud has also developed the Cybersecurity Threat Intelligence solutions; What’s the difference between your solution (CloudSupervisor) and your competition?
A: We haven’t developed Cybersecurity Threat Intelligence per se. We do enable Enterprises to understand what changes need to be made to applications in the cloud based on new threats, down to the line of code for a particular application.
Through the application lifecycle, applications experience “drift”, as applications change, threat environments change, and CSP platforms change. Effective monitoring of applications in the cloud is a key component of staying secure and compliant. For example, an Enterprise decides to change the identify and access requirements from 1FA (single factor authentication) to 2FA (two factor authentication) for a particular category of applications. This could be due to changes in threat environment, changes in government regulations, or changes in the Enterprises security policies. How does a CIO know that the affected applications in the cloud are compliant with this new 2FA policy?
CloudSupervisor provides the CIO with the visibility into the applications down to the application code level to protect against drift, ensuring that applications remain visible and compliant with the Enterprise’s security policy. The CloudAtlas suite can be used in conjunction with an existing threat intelligence solution to ensure Azure applications remain configured correctly for optimal security.
As changes occur to the standards published by CloudOrigin, applications are monitored to ensure compliance. For customers, managing drift is critical due to the afore mentioned feature updates in Azure. This is due to application enhancements or consumption of new Azure Services, regulatory changes that guide IT Risk Management, or changes in the threat environment.
CloudOrigin is a customizable knowledgebase of all Azure services settings and configurations, recommended code changes, guidance, etc., for Enterprises to define to meet their application standards. It is the knowledge repository that informs the other CloudAtlas tools. With feature level changes happening at an hourly rate in Azure to enhance capabilities and performance, CloudOrigin ensures that at the point of deployment, as well as during ongoing operations, Cloud-based applications remain in compliance with company standards.
CloudSupervisor is not threat intelligence, but allows an organization to respond to changes in a threat environment by changing the configuration settings for applications. Application and Cloud subscription owners need a way to monitor and control applications running in the Cloud. Given the continuous challenges in the Cybersecurity threat landscape, the evolution of Cloud platforms by CSPs, and changes to regulatory requirements, CloudSupervisor, integrated with CloudOrigin can provide real-time monitoring and alerts, pinpoint areas in the provisioned Cloud Services where settings have changed, and recommend any code level changes required. Code changes can be implemented by CloudPilot, using the latest enterprise guidance, and following best practices and security guidance.
Q: What’s the difference between your solution (CloudAtlas) and your competition?
A: To our knowledge, there currently is no other integrated suite of tools that takes an integrated, application lifecycle view of cloud migration process. CloudAtlas provides automation to support the scale and speed required for enterprise scale cloud migration. Any potential competitors we are currently aware of are ‘point’ solutions, vs our approach of an integrated suite.
We have not been able to find ‘point’ competitors to CloudRecon, CloudPilot or CloudOrigin. Evident.io is a ‘point’ competitor to CloudSupervisor.
CloudRecon assesses your IT infrastructure to create a cloud migration strategy, recommending which applications should migrate to the Cloud (SaaS, IaaS, or PaaS), as well as providing a Cybersecurity assessment using a maturity model.
CloudPilot performs static code analysis of application code, database scripts, and application configuration data, to provide detailed recommendations down to the actual line of code to migrate applications to Azure. CloudPilot is being used by Enterprises as a planning tool, for Azure migration sprints, and to help internal development teams ensure that all Enterprise Security and Operational technical policies for Cloud-based applications are complied with prior to final deployment into Azure PaaS.
CloudSupervisor runs in an Azure subscription to provide subscription owners with compliance monitoring with regulatory requirements (e.g. SOX, HIPAA, etc.) at the application level across all their Azure subscriptions. As changes occur to the standards published by CloudOrigin, applications are monitored to ensure compliance. CloudSupervisor goes one step further and monitors compliance with internal security standards or recommended industry best practices.
CloudOrigin is a customizable knowledgebase of all Azure services settings and configurations, recommended code changes, guidance, etc., for Enterprises to define to meet their application standards. It is the knowledge repository that informs the other CloudAtlas tools. Feature level changes happen hourly in Azure to enhance capabilities, performance, pricing, and regulatory compliance. CloudOrigin ensures that all CloudAtlas tools stay current at the point of deployment, and that Cloud-based applications remain in compliance with company standards.
Recommended: “Engagement” The Most Important Metric For Any Software Company
Looking at potential competitors by migration phase:
Discover and Assess:
• Discovery. There are some discovery tools that provide an inventory of assets on premise, however, these would not really be considered a competitor. These tools include products like Microsoft® MAP Tool (free), SNOW, Dell® Kace, LanSweeper®, Alteris®, IT Asset management systems, Configuration Database Management (CMDB) systems, Microsoft System Center®.
• Assess: There are not really any direct competitors in this area for cloud assessments to develop cloud migration strategies, but there are solutions in the licensing and audit space. SAM Live! is a very strong solution for License Management and Compliance. SAM Live! recognizes and evaluates installed, used and licensed software providing an analysis of existing licensing models and metrics, SAM Live! also provides forensic software usage/consumption analysis for all kinds of software applications. CloudRecon has a “better together” partnership with SAM Live! that enables the two solutions to provide one source of detailed IT from virtually any source of infrastructure data.
CloudRecon does not collect infrastructure data, therefore it is not competitive with the above mentioned Discovery tools. Instead, it uses the data from Discovery tools as inputs to provide a cloud-ready strategy, cybersecurity maturity model, and recommendations on how to migrate to the cloud, along with detailed ROI calculations. This product also identifies risks for your future hybrid IT environment (on premise and cloud) along with cost estimates and ROI for Cloud Migration. The output is a Cloud Strategy and Security Strategy.
Target & Migrate:
• CloudPilot is the only tool that supports migration to Azure PaaS or IaaS. There are some “lift and shift” tools such as AppZero for migration to IaaS, only. However, there are many challenges with these tools. We were told by one large Enterprise company that AppZero failed on 50% of the migrations.
Gartner does not recommend ‘lift and shift’ as it does not enable the application to take full advantage of cloud characteristics:
“Myth 9: Migrating to the Cloud Means You Automatically Get All Cloud Characteristics
Cloud computing has unique attributes and characteristics. Gartner’s cloud attributes include scalability and elasticity; they use service based (and self-service) Internet technologies; they are shared (and uniform) and metered by use. Many migrations to the cloud are “lift and shift” rehosting, or other movements that do not exhibit these characteristics at higher levels. Being “hosted in the cloud” (even if on cloud IaaS) does not mean that what is hosted is also a cloud service. There are other types of cloud migration (refactoring and rewriting, for example) that typically do offer more of these characteristics. The most common use case for the cloud, however, is new applications.”1 ( 1 Gartner: The Top 10 Cloud Myths, October, 2014 G00270265)
• CloudPilot® in planning mode enables Development managers, developers, and Program Managers to have a detailed report, down to line of code, of the changes that need to be made to the application for it to run in Azure and to be secure and compliant This includes estimates of the amount of time it will take to migrate the application to Azure, skills needed by the developers (database, security, network, etc.)
• CloudPilot in remediation mode provides sample code that a developer can use to ensure the application runs in Azure, as well as links to authoritative guidance, and recommended best practices. CloudPilot ensures that the application is using the correct configurations settings for the Azure services (over 60 in total) being used by the application. It then provides the developer with guidance on what services are being used, and whether those services meet the compliance requirements of the application
• CloudPilot® in test mode with Azure Config files serves as a final checkpoint to ensure the application will migrate to the cloud following best practices including coding, security, and compliance. It does not compete with the Qualys or Fortify class of tools, but rather complements them. Qualys and Fortify look at the quality of the code, and for application level vulnerabilities such as cross-site scripting vulnerabilities.
Monitor and Report:
• Evident.io is a tool comparable to CloudSupervisor. However, it is a point solution, not part of an integrated suite focused on accelerating migration to the cloud.
Q: What can we expect from UnifyCloud in next six months?
A: Over the course of the next six months, we are expanding our channel, including System Integrators, Microsoft Partners, Managed Service Providers, Hosters, and Software Asset Management Partners.Activate Social Media: