30 Challenges and Risks in Cloud Migration (IaaS and PaaS)

May 12, 2021

The promise of improved agility and lower costs is leading organizations to consider broad adoption of cloud computing. But, a majority of CIO & CISOs see significant risk in the deployment of the different cloud computing services. The security for mission critical applications like Oracle EBS, JD Edwards, SAP or any custom built onprem application, too becomes paramount. IT Decision makers will not want to take any risks in migration, which might hamper critical business running on these applications.

The below migration risks checklist, can be used to evaluate whether a project is suitable for a cloud computing environment and understand vendor capabilities and security provisions

Cloud Migration Risks Categories

  • Data Evaluation Risks
  • Data Protection Risks
  • Vendor Assessment Risks

Data Evaluation Risks

1. The loss of or temporary unavailability of data / application (data classification)

2. We will not be adversely impacted if:

  • The data became public and distributed
  • The process or function were manipulated by an outsider
  • An employee of the cloud provider accessed the data
  • The data suddenly changes

eBook on Accelerating EBS to OCI Migration

Data Protection Risks

3. The vendor does not have

  • Comprehensive policies and procedures for data backup
  • Documented procedures for exporting data from the cloud
  • Interoperable export formats for data stored in the cloud

4. We have a challenge:

  • With the compartmentalization technique not used by the vendor
  • More than one data owner who decides access controls
  • More than one data owner who decides data retention and destruction schedules

5. Data is not commingled with other customers’ data while in use or storage

6. We will always know the geographical location of data storage, and will be consulted before the vendor decides to move our data outside national borders

7. The vendors’ data retention and destruction policy match with the organizational policy

8. Data encryption process (storage and transit) is satisfactory – what is the key system? (individual keys for individual members)?

9. Does the vendor have a response system in place if customers lose their passwords or are unable to keep their passwords secure?

10. The vendor meets all the regulatory requirements associated with the data we will process or store in the cloud

11. The vendor has certified host and network controls to protect the systems hosting our applications and information (ISO 27001)

Vendor Assessment Risks

12. The cloud vendor’s SLAs do not match our internal SLAs & does not have either a track record of performance against SLAs, or provides resources for performance monitoring

13. The vendor does not have clear, available channels for communication regarding service and performance issues

14. The vendor does not provide migration support or have enough trained partners for migration.

15. The vendor’s security governance processes and capabilities are not sufficient, mature and consistent with our information security management process

16. Vendor is likely unstable in a highly competitive and recessionary market

17. The vendor will not be able to compensate our organization appropriately for performance shortfalls

18. The vendor has not clearly defined the security related services that are outsourced or subcontracted

19. The vendor does not audits any outsourcers and sub-contracts periodically

20. The SLA provisions guaranteed by outsourcers are not at par than those of the primary vendor

21. Measures taken by the vendor to ensure third party service levels are not satisfactory

22. The vendor does not have a sound change control procedure and policy

23. The vendor does not have a process used to re-assess risks as a result of changes

24. No effective controls to protect against malicious code available with vendor

25. No security configurations that only allow the execution of authorized code and functionality

26. Does not provide details on audit logs (Integrity, data-retention time-period, confidentiality etc.)

27. Vendor does not give an estimate of space availability to avoid issues with resource exhaustion

28. The vendor does not offer periodic disaster recovery and business continuity plans

29. Vendor does not have a long-term business plan and the commitment of their financial backers

30. The cloud vendor does not have either a track record of performance against SLAs, or provides resources for performance monitoring


There are really no cloud migration risks/challenges that can’t be prevented. For that, you’ll certainly need some professional help. IT Convergence certified experts have been focusing on delivering first time right Cloud migration for all Oracle solutions and ensure you overcome any roadblocks on this migration journey. We are an Oracle certified cloud MSE with 20 years expertise in Oracle solutions. Contact us and we’ll handle any cloud migration issues you’re struggling with, no matter the level of complexity.

Talk to Our Migration Experts

Subscribe to our blog

Related Posts