Cloud Migration
Advisory, implementation, and operational engagements where trust, alignment, and execution governance determine outcomes.
Inside this journey
-
Pre-Discovery
Align the room on outcomes, decision process, and constraints before deeper discovery.
-
Stakeholder Alignment
Confirm decision roles, deadlines (lease, vendor EOL, board mandates), success criteria, and key risks across IT, security, and finance.
Alignment Questions
Quick Intro: Who's in the Room?
- Who should we coordinate with day-to-day for scheduling, approvals, and clarifications?
- Which individual or role is the executive sponsor who will champion this migration?
- Which teams need direct involvement from day one (select all that apply)?
- Briefly describe any existing relationship, tension, or alignment between IT, Security, and Finance when it comes to cloud spend and risk.
- Who are the top three people we should meet during our first stakeholder alignment workshop (name + role)?
If One Thing Breaks, Who Gets Knocked Off-Balance?
- If a single critical application failed as a result of migration, who would face the highest immediate pressure and why?
- Which of the following failure scenarios concerns you most right now?
- Have you experienced a migration-related failure before? If yes, what happened and what did stakeholders most react to?
- When something goes wrong, what response or remediation do you expect from a migration partner within the first 24–72 hours?
- Describe the worst-case impact (operational, financial, reputational) you fear if a key workload migration fails.
Who's Holding the Keys?
- Which roles have final approval authority to move an application from 'ready' to 'migrate'?
- Are approval thresholds tied to budget, risk level, or technical complexity? Select all that apply.
- Who signs off on security and compliance acceptance for migrated workloads?
- Who owns the post-migration acceptance and operations handoff for applications (name and role)?
- Which internal or external stakeholders must be consulted before we run discovery tools in a production environment?
Deadlines That Keep You Up at Night
- Which immovable deadline is driving the migration timeline right now?
- Please provide the target date for that deadline (or range) and indicate how fixed it is.
- What happens if that deadline is missed? Select expected consequences.
- Are there interim milestones or blackout windows we need to know about (e.g., fiscal year close, audit periods)? Please list them.
- How much schedule flexibility can your leadership realistically grant to manage complex refactors or unexpected dependency discoveries?
What Would Make the Board Quiet?
- If you had to report a concise success statement to the board in 6 months, what single outcome would prove the migration is on track?
- Which of these measurable outcomes matter most for executive reporting? Choose up to three.
- Do you have baseline metrics (current costs, performance, incident rates) we can use to validate success? If yes, briefly describe availability.
- Who will own reporting and sign the acceptance of pilot success metrics?
- What acceptance criteria would make you comfortable to greenlight subsequent waves after a pilot (e.g., <X incidents, <Y% cost delta)?
Where the Risk Hides — IT, Security, Finance
- What single technical, security, or financial risk keeps you awake about this migration?
- Select the IT and technical risks you consider most likely to surface during migration.
- Select the security/compliance risks you are most concerned about.
- How do you prefer risk to be mitigated or accepted—prevention, staged mitigation (pilot), or rollback-first strategy?
- What financial guardrails should we adhere to during and after migration to avoid bill shock?
Unseen Dependencies & Knowledge Gaps
- How confident are you that your inventory captures all production dependencies for your top 20 business-critical apps?
- Which discovery artifacts and sources do you currently have available?
- How often do you find undocumented integrations or dependencies during assessments?
- Are there systems or teams that will resist discovery tool deployment (for security, policy, or vendor reasons)? If so, which ones and why?
- If we proposed automated dependency mapping, what concerns would you want addressed up front?
Decision Rhythm & Escalation: Who Calls the Shots?
- When an urgent migration issue arises, who has authority to reallocate budget or resources within 24 hours?
- What governance cadence do you expect for this program?
- What escalation path should we follow for security incidents during migration (who to notify and in what order)?
- Are there internal change control windows or CAB approval processes we must align to for cutovers?
- Which communication channels are mandatory for stakeholder updates (select all that apply)?
Comfort, Concerns & the Small Next Step
- If you could remove one concern about starting discovery and a pilot this month, what would it be?
- How ready are you to grant the access needed for automated discovery tools (logs, network flow, agents) on a pilot workload?
- What would make you feel confident to greenlight a one-workload pilot (select up to three)?
- What practical blocker, if unresolved, would prevent you from proceeding to a pilot in the next 30 days?
- Who should we schedule a 60–90 minute stakeholder alignment workshop with to finalize roles, deadlines, and pilot acceptance criteria?
-
Current State Mapping
Capture application inventory, undocumented dependencies, compliance constraints, and migration blockers using discovery artifacts and timelines.
Current State
Opening the Map: Who's in the Room and Why
- Which people or teams will actively participate in discovery sessions (select all that apply)?
- What is the single most important outcome you need from this migration (briefly)?
- Which hard deadlines are driving this program (pick any that apply)?
- How confident are you in the completeness of your current application inventory?
- How do you currently capture application dependencies and topology (describe tools and frequency)?
Hidden Webs: The Dependencies That Break Assumptions
- What if several systems you consider 'standalone' actually share critical hidden dependencies — how would that change your migration plan?
- How often have undocumented dependencies caused outages, delays, or rework during past changes?
- Which kinds of dependencies are you most worried about (select up to three)?
- Tell us about one example where a missed dependency created real impact — what happened and who was affected?
- Which discovery approaches have you tried and with what results (agent scanning, network tracing, manual interviews, CMDB reconciliation)?
Deadlines and Pressure Points: Which Ones Will Break You?
- Which single deadline would create a crisis for the business if we missed it?
- If that deadline slips by one month, what are the likely business impacts (cost, revenue, legal, customer trust)?
- How are migration timelines governed and who has final sign-off on schedule changes?
- Which internal approval gates typically slow you down (security review, finance sign-off, application owner consent, vendor approvals)?
- Are there windows where we cannot execute migrations (business blackout dates, seasonal peaks, regulatory reporting)?
Rules You Can't Bend: Compliance, Security and Non-Negotiables
- Which compliance or security requirement would stop a migration in its tracks if not met?
- Describe any data residency, encryption, or logging controls that are mandatory for workloads in scope.
- Do any applications rely on certifications, vendor audits, or attestation documents that must be preserved through migration?
- How mature are your identity, access, and network segmentation controls today?
- Please list any active or impending compliance audits, penalties, or contractual deadlines we should plan around.
Inventory Reality Check: What Your CMDB Isn't Telling You
- If an on-call engineer had to name every app that would cause a critical outage if moved, could they do it confidently?
- When was the last comprehensive scan or reconciliation of your application inventory and CMDB?
- Which sources currently feed your inventory (select all that apply)?
- Where do you suspect the biggest blind spots exist (shadow IT, third-party SaaS, legacy middleware, batch jobs)?
- How do you prefer to reconcile differences we uncover — automated sync, joint workshops, or directed owners' updates?
Migration Blockers & Technical Debt: What's Under the Hood?
- Which legacy constraint do you fear will derail a wave: old database versions, licensing, unsupported OS, or something else?
- How many applications would you estimate require code changes or refactoring versus lift-and-shift?
- List any third-party vendors or ISVs that restrict cloud moves or require special approval.
- Do you have license or maintenance contracts tied to physical hardware that could block migration?
- What internal resources do you currently lack that would speed refactor or remediation work (skills, automation, test environments)?
Pilot and Wave: What Will Make Us Succeed or Fail?
- What outcome would cause you to label the pilot a failure (performance regression, cost overshoot, broken integrations, missed cutover)?
- Which measurable pilot metrics matter most (select up to three)?
- Who will be the final authorizer to move from pilot to wider waves?
- Describe your rollback and remediation expectations — how quickly must we be able to restore production if a migration fails?
- How do you want migration responsibilities split between your team and ours during pilot and waves?
Discovery Artifacts: What We'll Need to Prove the Map
- If we delivered an interactive dependency map tomorrow, which immediate decision would it unlock for you?
- Which artifacts can you provide within two weeks to accelerate discovery (select all that apply)?
- Are you willing to permit agent-based discovery and network flow capture in your environment for 30–90 days?
- Who are the two primary contacts (name, role, email) who will own artifact delivery and access approvals?
- What timeline would you like for receiving a first-pass dependency map and gap analysis from us?
-
-
Solution Experience
Use the customer’s inventory and risk scenarios to show how automated dependency mapping, pilot outcomes, and cost modeling prevent failures and bill shock.
Experience Meetings
- Solution Experience Kickoff — Current State & Consequence Alignment
- Automated Dependency Mapping — Live Proof with Customer Inventory
- Pilot Outcomes & Runbook Validation — Proof of Safe Cutover
- Cost Modeling & Bill-Shock Prevention Workshop
- Solution Experience Validation & Go/No-Go Confirmation
- Produce a set of accepted cost assumptions and a monitoring cadence for wave execution.
- Pilot Summary & Metrics
- Demonstrate that the pilot validated the migration approach and runbook sufficiently to prevent the top failure modes.
- Obtain customer agreement on which pilot findings are acceptable and which require remediation before waves.
- Confirm explicit pass/fail decision for advancing to wave execution or define remediation backlog.
- Seller: Produce a pilot lessons-learned report with prioritized remediation items and estimated effort.
- Customer: Approve or reject pilot acceptance and sign off on any required remediation priorities.
- Seller: Update runbooks and automated checks based on pilot learnings and recirculate to SMEs.
- Recap: Cost-related Consequences to Prevent
- Validate that the modeled cloud costs align to customer expectations or surface precise delta with data-center baseline.
- Agree on specific cost guardrails and governance processes that will prevent bill shock during and after migration.
- Introductions & Purpose
- Seller: Deliver the detailed cost model workbook with scenario tabs and a one-page delta summary vs baseline.
- Customer: Confirm budget thresholds, approval channel, and escalation path for cost variances.
- Seller: Configure cost-alerting dashboards and schedule a short training for the customer's finance and cloud ops teams.
- Synthesis: Problem -> Proof -> Validation
- Obtain explicit customer validation that the solution experience proved the future state or capture conditional requirements to reach validation.
- Agree a clear set of remediation actions (if any) with owners and deadlines before wave execution.
- Document the go/no-go decision and the agreed next steps for Solution Scope and Pilot Authorization.
- Customer: Provide formal go/no-go decision or sign-off on conditional remediation items with deadlines.
- Seller: Publish a Solution Experience report summarizing proofs, validation results, and required remediation; include acceptance artifacts for the record.
- Seller & Customer: Schedule Solution Scope kickoff and assign governance leads.
- Produce a single, agreed one-sentence current state describing where migration is breaking today.
- Surface and quantify the top 3 consequences (cost, downtime, compliance exposure) to create urgency.
- Agree a one-sentence future state outcome that all demonstrations must prove.
- Confirm required datasets and access for the automated mapping and cost modeling sessions.
- Customer: Provide final sanitized inventory, top risk scenarios, and any existing dependency outputs (deadline: 48 hours).
- Seller: Validate access to discovery artifacts and prepare mapping tool configuration for the customer's environment.
- Seller: Draft the one-sentence current-state and future-state statements from the session and circulate for confirmation.
- Recap of Agreed Current State & Validation Rules
- Prove that automated mapping uncovers hidden dependencies that would cause migration failures if missed.
- Receive live validation from at least one app owner on correctness of critical dependency mappings.
- Produce a short list of candidate pilot workloads informed by mapping and risk prioritization.
- Agree on follow-up actions to reconcile any mapping gaps identified by owners.
- Seller: Deliver an annotated dependency map PDF marked with high/medium/low risk nodes within 48 hours.
- Customer: Assign 2-3 additional app owners to validate mappings for the pilot workload (names & contact info).
- Seller: Update pilot candidate list and rationale based on mapping validation.
- Forward-looking Cost Model Walkthrough
- Gap Review
- One-sentence Current State
- Mapping Tool Live Walkthrough
- Incident Review — What Would Have Failed
- Acceptance Criteria Check
- Consequence Quantification
- Runbook & Cutover Checklist Live Validation
- Problem-to-Proof Tieback
- Sensitivity & Worst-case Scenarios
- Controls to Prevent Bill Shock
- Acceptance Criteria vs Results
- Owner Validation Exercise
- One-sentence Future State
- Decision & Next Steps
- Communications & Governance
- Remediation & Pilot Targeting
- Next-wave Readiness Decisions
- Data & Tooling Check
- Decision Points & Cost Acceptance
- Agenda & Validation Rules
-
Solution Scope
Define assessment deliverables, landing zone architecture, pilot workload, wave sequencing, responsibilities, and measurable acceptance criteria.
Scope Configuration
- Run automated dependency discovery and generate dependency maps
- Provision secure cloud landing zone
- Establish hybrid connectivity (VPN/Direct Connect)
- Rehost VMs with automated replication and cutover
- Migrate databases to managed cloud database services
- Refactor applications into containers and deploy to Kubernetes
- Replatform applications to cloud-managed platform services
- Implement CI/CD pipelines and automated release workflows
- Apply cloud-native monitoring, logging, and APM
- Perform cloud cost optimization and rightsizing during migration
- Implement cloud security controls, IAM, and encryption
- Execute cutover runbooks and rollback during migration waves
- Decommission on-premises assets and validate resource teardown
Scope Questions
Run automated dependency discovery and generate dependency maps
- Do you want automated dependency discovery across the entire portfolio or limited to selected applications?
- Approximately how many application components, hosts, or services should be discovered?
- Which existing artifacts should we ingest to enrich discovery (select all that apply)?
- Which environments must be discovered?
- Are there systems that cannot accept discovery agents or have restricted network access (air-gapped, regulated)?
- If yes or partially, list systems or constraints (hostnames, datacenters, regulatory limits, maintenance windows)
Provision secure cloud landing zone
- Which cloud provider(s) and account model do you require for the landing zone?
- Which compliance or regulatory frameworks must the landing zone meet?
- Approximately how many accounts/subscriptions/projects and organizational units will be needed?
- What network segmentation model is required (e.g., prod/non-prod, business-unit, flat)?
- Who will own ongoing landing zone operations after handoff?
- List acceptance criteria for the landing zone (examples: IAM baseline, centralized logging, guardrails, encryption at rest)
Establish hybrid connectivity (VPN/Direct Connect)
- Do you need persistent dedicated connections (Direct Connect/ExpressRoute), VPNs, or a combination?
- What is the expected bandwidth requirement for hybrid connectivity?
- Are low-latency or high-throughput SLAs required for specific applications?
- Do you require high-availability connectivity (active-active or redundant circuits)?
- Are there preferred carriers, colocation sites, or datacenter locations that must be used?
- What is the target timeline for connectivity to be operational before migration cutovers?
Rehost VMs with automated replication and cutover
- How many VMs or physical servers are expected to be rehosted in the project scope?
- Provide the typical VM footprint or a sample distribution (vCPU / RAM / Storage) if available
- What hypervisors and operating systems are in use (VMware, Hyper-V, KVM, Windows, Linux, legacy)?
- What are the recovery/availability targets for rehosted workloads (pick the closest)
- Which replication approach is preferred or required (agent-based, agentless, snapshot-based)?
- List any licensing, storage, or network constraints that will affect replication and cutover
Migrate databases to managed cloud database services
- Which database engines are in scope for migration?
- Estimate total database size and number of instances to migrate
- Will migrations be homogeneous (same engine) or require heterogeneous conversions (e.g., Oracle -> Postgres)?
- Are there strict RPO / RTO targets for database migration or synchronization requirements?
- Are there regulatory or data residency requirements that affect database placement or encryption?
- List critical upstream/downstream integrations, maintenance windows, and any blackout periods that will affect DB migration planning
Refactor applications into containers and deploy to Kubernetes
- How many applications or services are candidates for containerization in this engagement?
- Are target applications mostly monoliths, microservices, or a mix?
- Which languages, runtimes, and framework versions are in use that will affect containerization?
- Do you require container image registry, vulnerability scanning, and image promotion workflows?
- What availability, scaling, and stateful requirements must Kubernetes deployments meet?
- List any third-party libraries, vendor-supported components, or licensing constraints that may block refactoring
Replatform applications to cloud-managed platform services
- Which managed platform services are you targeting (select all that apply)?
- Are the applications compatible with PaaS constraints (e.g., statelessness, session handling)?
- Do you require zero code changes, minor modifications, or full refactor for replatforming?
- Are there runtime, OS, or library version limitations that would prevent migration to managed services?
- What cost or performance targets must replatformed apps meet compared to on-premises?
- Define acceptance criteria for a successful replatform (examples: functional parity, performance within X%, no increased operational overhead)
Implement CI/CD pipelines and automated release workflows
- Do you have an existing CI/CD toolchain to integrate or should we provision a new one?
- Which pipelines are required: infrastructure (IaC), application builds, deployments, or all?
- Which deployment strategies are required or preferred?
- What is the target deployment frequency (how often will you deploy changes)?
- List required quality gates, security scans, or approvals that must be part of pipeline workflows
- Who will own and operate the pipelines after transition?
Apply cloud-native monitoring, logging, and APM
- What monitoring scope do you require: infrastructure, application, user experience, security, or all?
- Do you have an existing monitoring/APM/logging solution to integrate with?
- What retention period is required for logs and metrics?
- Are there defined SLIs/SLOs or alerts that must be implemented during migration?
- Do you require synthetic monitoring and/or real user monitoring (RUM)?
- Describe current alerting pain points or escalation workflows that must be addressed
Perform cloud cost optimization and rightsizing during migration
- When do you want cost optimization efforts executed: before migration, during migration, or after?
- Do you have cost reduction or budget targets (percent or absolute) to measure success?
- Are long-term commitments (Reserved Instances / Savings Plans / Committed Use) acceptable?
- Do you require tagging, chargeback/showback, and department-level cost allocation?
- Who approves cost optimization recommendations and potential changes to instance types or commitments?
- List any fixed licensing or contractual costs that limit rightsizing decisions
-
Mutual Commit
Agree commercial terms, pilot success metrics, SLAs, governance cadence, and escalation paths tied to migration milestones.
Agreement Modules
- Statement of Work (SOW)
- Master Services Agreement (MSA)
- Commercial Terms & Pricing Schedule
- Pilot Acceptance Criteria & Success Metrics
- Service Level Agreement (SLA)
- Governance & Cadence Agreement
- Escalation & Issue Resolution Matrix
- Change Control & Change Order Process
- Security & Compliance Addendum (DPA)
- Shared Responsibility & Access Matrix
- Migration Acceptance & Cutover Criteria
- Termination, Exit & Repatriation Plan
- Insurance & Liability Confirmation
- Performance Remedies & Service Credits
- Execution & Signature Checklist
-
Deployment
Operationalize rollout with readiness checks, enablement, and outcome validation.
-
Pre-Deployment Readiness
Confirm access, discovery tool deployment, security/compliance controls, rollback plans, and owner signoffs before execution.
Readiness Questions
Quick Snapshot: Who’s in the Room?
- Which people or roles should we treat as primary contacts for decisions, day-to-day access, and emergency escalation?
- Which single migration deadline is non-negotiable for your organization (lease expiry, vendor EOL, board target)? Please give the date if available.
- What is the principal business objective driving this migration right now?
- If you had to name one worry keeping you up at night about this program, what would it be?
- How confident are you that the people named above have the authority to approve access and signoffs during deployment?
What If Access Breaks the Whole Plan?
- What would you estimate is the single biggest access-related blocker that has derailed past IT projects here?
- Which environments do we need discovery or agent access to (select all that apply)?
- Are privileged credentials available for temporary use, or do we need to request elevated sessions each time?
- Describe any internal approval process or committee that typically reviews access requests and how long approval usually takes.
- Tell us about one past project where access delays impacted timeline—what happened and how did you respond?
Are We Really Ready to Run Discovery?
- If our discovery tool was run tomorrow, what single technical constraint would most likely prevent it from completing successfully?
- Which discovery approach do you prefer for your estate?
- List the key systems, platforms, or silos that are often excluded from discovery or require special handling (e.g., mainframe, OT, SaaS, vendor-hosted).
- Are there blackout windows, maintenance cycles, or business events that constrain when we can run discovery? Please provide typical days/times or blackout periods.
- Do you have any data classification or privacy rules that would prevent us from collecting certain metadata or logs? If so, please describe.
What Could Make a Pilot Fail Before It Starts?
- What single assumption about your environment, if proven wrong during the pilot, would cause you to pause or stop the pilot?
- Do you have an existing rollback or backout playbook for migrations, and how often has it been exercised in the last 24 months?
- What are your RTO and RPO expectations for pilot workloads and how strict are they?
- If a rollback is required, who must approve it and what information do they need to decide?
- Describe a past rollback or failed cutover—what were the root causes and the recovery steps taken?
Who Holds the Red Card?
- Who is authorized to give the official 'go/no-go' for a pilot cutover and for subsequent waves?
- What signoff artifacts do approvers expect before authorizing a migration wave (runbooks, test results, cost estimate, security checklist)?
- How quickly do your approvers typically respond to signoff requests during a migration cadence?
- Who are the escalation contacts for unresolved issues, and what is their expected response time?
- What would cause an approver to require additional evidence before signing off (examples: third-party validation, performance test results, security scans)?
Show Me Your Security Guardrails
- Which regulatory or compliance frameworks must the migration and deployed workloads adhere to?
- Which security controls are mandatory to validate before we move any workload (examples: vulnerability scan, config benchmark, encryption at rest/in transit)?
- Are there any contractually required audit artifacts or evidence packages we must produce during or after migration?
- Who manages key material and KMS/HSM access and what is the process to request temporary usage for the migration?
- Have you defined acceptable vulnerability severity thresholds (e.g., block migration if critical vulnerabilities present)? If so, please describe.
If Something Breaks, Will Anyone Notice?
- What monitoring and alerting systems will we rely on to detect issues during the pilot and waves?
- What are the key operational metrics we must validate post-cutover to consider the migration successful (latency, error rate, throughput, cost per transaction)?
- Where are your runbooks and run-time playbooks stored, and can we access them for onboarding?
- Who is on-call during cutover windows and what is the expected on-call response time for critical alerts?
- Describe a time when monitoring caught a migration-related issue early—what alerted you and how was it resolved?
What Would Zero-Surprise Pre-Deployment Look Like?
- Imagine we have zero surprises on go-day—what three things had to be true the week before to make that happen?
- Which measurable readiness gates should we use to automatically green-light a wave (select all that apply)?
- What risk threshold would you accept to proceed without resolving a non-critical item (e.g., accept with mitigation, delay wave)?
- If you could guarantee one thing about the pilot outcome, what would it be and why?
Next Steps: Who Does What, When?
- What is the ideal date by which you can provide full access and necessary approvals so we can start discovery?
- Which communication channel keeps your stakeholders most comfortable during execution (email, Slack/MS Teams, weekly sync, escalation-only)?
- Who should receive daily readiness updates during pilot execution, and who is optional?
- What remaining blockers would stop you from committing to the pilot dates right now?
- Which artifacts can you provide immediately to accelerate readiness (access lists, network diagrams, runbooks, inventory), and which will require time to assemble?
-
Migration Wave Execution
Schedule and run pilot and subsequent waves with migration-factory cadence, cutover windows, and daily checkpoints.
-
Validation Checklist
Verify connectivity, performance, security/compliance, and cloud cost baselines; document results and authorize next waves.
Validation Questions
Quick Check-In: Who's In the Room?
- Who will be our primary contact for validation checks and final approvals for this wave?
- Which hard deadline or milestone are we validating this wave against (pick the closest)?
- List any blackout windows, business events, or maintenance freezes in the next 30–90 days that will constrain cutover timing.
- Which stakeholder groups must sign off before the next wave can start?
- How would you describe leadership’s current confidence in moving from validation to authorization for this wave?
What if Connectivity Fails at Cutover?
- If network connectivity hiccups during cutover, which single business capability would be most critically impacted?
- Which applications in this wave have dependencies on on-prem systems that cannot tolerate more than 5 minutes of outage? Please name them.
- How complete is our documentation for IPs, routing, VPN/ExpressRoute, and peering configurations for the workloads in scope?
- Have we executed end-to-end connectivity tests (from users and external partners to cloud workloads) under both typical and peak loads?
- Please paste or summarize the most recent connectivity test results and the timestamp of that test.
- Who is the designated on-call owner for immediate network troubleshooting during cutover (role/name)?
Are We Measuring What Matters?
- Are our performance targets realistic, or are we at risk of declaring 'success' on metrics that don't reflect real user experience?
- List the top 3 SLA or observable metrics that define success for this wave (for example: p95 latency, error rate, transactions/sec).
- Do we have on-prem baselines for those metrics and the monitoring queries/dashboards prepared to compare pre- and post-migration?
- Have we performed capacity or load testing in the landing zone for the pilot workload? If yes, what was the outcome?
- What specific acceptance thresholds will trigger an automated rollback versus a continued remediation path?
- Would synthetic transactions, real-user monitoring (RUM), or both be required to demonstrate parity for authorization?
Are We Missing Security Alarms?
- If the first critical security alert arrives after cutover, what single omission would we most regret not addressing beforehand?
- Has a cloud security gap assessment for this landing zone and these workloads been completed and signed off?
- Which regulatory or compliance frameworks apply to these workloads (select all that apply)?
- Are IAM roles, least-privilege policies, and secret management for migration and post-migration accounts validated?
- Have we run vulnerability scans and DAST/SAST against the pilot workload and resolved all high/critical findings?
- Who formally signs security acceptance (role/title) and what evidence will they require to sign off?
Can We Trust the Cost Numbers?
- If cloud bills arrive 30% higher than projected in month one, what immediate action would leadership take?
- Do we have a verified cost baseline comparing current data center spend to projected cloud spend for the workloads in this wave?
- Which cost components worry you most for this migration? (select all that apply)
- Has FinOps validated and approved the tagging strategy, cost allocation, and forecast model for this wave?
- Would temporary guardrails (budget alerts, auto-scaling limits, spend caps) be acceptable to proceed while we monitor costs?
- What threshold of cost variance would require a pause and re-evaluation?
Who Will Take Responsibility If Things Go Wrong?
- Who will be accountable in the first 24 hours of a failed cutover—who is the single point of accountability?
- Please confirm or paste the RACI summary for migration day (who is Responsible, Accountable, Consulted, Informed).
- Who is authorized to approve an immediate rollback and what exact conditions must be met for that approval?
- Are escalation paths, 24/7 contact details, and vendor support contracts in place and tested for incidents during cutover?
- Are runbooks, playbooks, and on-call rosters accessible to all responders and ownership confirmed?
- What is the expected internal communication cadence and audience for incident updates during the first 24 hours?
How Will We Capture and Share What We Find?
- If validation uncovers hidden dependencies or config drift, where will we record and track those items so they’re resolved before the next wave?
- Do we have templates for validation evidence (metrics exports, packet captures, screenshots) and a post-validation report?
- Who will own creation and distribution of the post-validation report and the remediation backlog?
- How quickly must issues discovered in validation be logged and assigned in the tracking tool?
- Would automating evidence collection (scripts to collect logs/metrics) materially reduce manual effort and increase accuracy?
Green Light or Pause: Making the Call
- What exact, non-negotiable criteria across connectivity, performance, security, and cost must be met to authorize the next wave?
- Who is the formal authorizer for proceeding to the next wave (role/title) and how will they sign off?
- Is a mandatory post-validation review meeting required before authorization (and who must attend)?
- If remediation is required, what is the maximum acceptable delay before reattempting validation?
- If criteria are met, would you prefer a cautious partial rollout or a full wave cutover?
What's Still Keeping You Up at Night?
- If you woke up tomorrow and this wave had failed, what single omission or assumption would you blame most?
- Please rank your top three remaining concerns for this wave.
- What immediate support from our team would reduce your risk perception the most (select all that apply)?
- After this validation completes, how confident are you that you can authorize subsequent waves?
- Any final notes, constraints, or success signals you want included in the handover packet?
-
-
Success
Review outcomes against success signals, capture lessons learned, and maintain a shared channel for issues and continuous optimization.
Success Reviews
- Success Review — Outcomes vs Success Signals
- Lessons Learned & Continuous Improvement Workshop
- Cost & Performance Optimization Review
- Operational Handover & Shared Channel Setup
- Executive Review & Strategic Next Wave Planning
Issues & Enhancements
- Agree on escalation paths, SLAs, and the operational cadence for continuous improvement.
- Capture repeatable practices and update runbooks/processes accordingly.
- Create and publish the prioritized improvement backlog in the project tracker with owners and dates.
- Update migration runbooks and playbooks to include agreed improvements.
- Schedule follow-up checkpoint to validate completion of high-priority backlog items.
- One-sentence Current Cost/Performance State
- Establish accepted cost and performance baselines for the migrated environment.
- Agree a prioritized optimization plan with owners and expected savings.
- Define measurement criteria and schedule for validating realized savings and performance improvements.
- Implement top-priority optimizations (e.g., rightsizing pilot, enable autoscaling policies) and report results after agreed window.
- Enable and share cost/perf dashboards with stakeholders and set alert thresholds.
- Prepare a short ROI summary for executive review showing realized vs projected savings.
- One-sentence Current Operations State
- Create and populate the shared channel with correct membership and governance rules.
- Confirm runbooks, playbooks, and access are in the operations team's possession.
- Welcome & Objectives
- Create the shared channel, add members, and publish the channel charter and message taxonomy.
- Deliver final runbook pack and verify ops team acknowledgement.
- Schedule the recurring ops cadence meetings and invite required participants.
- Secure executive acceptance of outcomes and signoff on closure or continuation.
- Executive Summary (One-sentence Current & Future State)
- Obtain budgetary and prioritization commitments for next waves or modernization investments.
- Align executives on residual risks and required governance.
- Publish a one-page executive brief summarizing outcomes, ROI, recommended next steps, and approval requests.
- If approved, finalize budget allocation and confirm wave sequencing and sponsors.
- If additional analysis requested, scope and assign responsible parties with delivery dates.
- Confirm which success signals were met, partially met, or missed.
- Secure customer acceptance for closure or an agreed remediation path with owners and timelines.
- Produce a short list of prioritized remediation items if any signal failed.
- Publish the Success Signals Report comparing targets vs measured results and circulate to stakeholders.
- Create remediation tickets for any failed signals with owners and target dates.
- Schedule follow-up validation checkpoint if remediation is required.
- Pre-work Review & Framing
- Produce a prioritized improvement backlog tied to specific root causes.
- Assign owners and realistic timelines for each improvement item.
- Migration Timeline & Event Walkthrough
- Baseline Metrics Presentation
- One-sentence Current State
- Runbook & Playbook Handover
- KPI & ROI Highlights
- Shared Channel Protocol
- Consequence Quantification
- Root Causes for Cost Variance
- Structured Root Cause Analysis
- Risk & Compliance Posture
- Success Signals Walkthrough
- Recommended Next-wave Priorities
- Optimization Opportunities & Proofs
- Wins, Workflows to Preserve
- Escalation Paths & RTO/RPO
- Ongoing Cadence & Checkpoints
- Prioritized Improvement Backlog
- Decision & Commitments
- Prioritized Optimization Roadmap
- Evidence & Proof Points
- Validation & Commitment
- Measurement & Validation Plan
- Knowledge Transfer & Access Completion
- Customer Validation & Acceptance
- Decision & Next Steps