Refactor or lift-and-shift: How to prioritize modernization efforts

January 29, 2021 Derrick Harris

The hard part about application modernization isn’t determining whether or not it’s a good idea. It almost certainly is. Rather, the hard part is figuring out how to get started: Which applications you should focus on first, and what’s the best approach to modernizing them. Fully refactoring 1,000 applications from monolith into microservices, for example, might seem like the right goal, but it might also take the rest of this century.

In this episode of Cloud & Culture, Felicia Schwartz—director of modern application services at VMware Tanzu Labs—discusses how her team helps organizations find the right plan, whether that’s simply lifting-and-shifting an application onto Kubernetes or fully refactoring it, or whether to start with 1 application or 1,000 applications. As she explains, the best path is one that aligns with business goals, can produce results quickly, and is agile enough to evolve along with demands.

Below are some highlights from the episode. But if you’re staring down the barrel of an app modernization effort, it’s well worth listening to the whole episode to hear Schwartz’s advice and experiences on everything from hiring the right people to avoiding analysis paralysis.

Business goals should dictate the plan

“We've worked with clients who [we’re planning to] shut down a data center. And a data center is applications, it's also data. There's a lot to that. We've also had customers who had 10,000 applications that they wanted to move to the cloud. There's a lot of commonality in terms of what we were going to do, but the prioritization is very different. 

“I would target the data center that's shutting down. We have a date; we're restricted by a date. If that date is the top priority for them, I may not get to the final solution for an application, which [might be that] we need to re-architect this application because some of the business problems are so complex you can't just move it to the cloud and get the results you want. But if they are date-driven we may say, ‘Step one is just, let's move it. It may not improve the performance you want from this application, but if your goal is to get out of the data center, that's the solution for you.’”

Boiling the ocean is a bad strategy

“Oftentimes, we get clients who will say, ‘We need to assess those 10,000 applications that we know have to go to the cloud before we do anything on them.’ And we try to change that around and ask why: ‘Why do you have to look at all of them?’

“ . . . I haven't found a customer that doesn't know some of those critical applications that are very painful, that go down all the time or whatever the criteria is. They all have something that keeps them up at night, that they get the calls [about] at 3 a.m. They know they've got to think about those first.

"Let's start with that—that's going to give you great results. You'll learn so much about the possibilities and the options out there. And then you can take those and apply it to the 9,995 others.”

Refactoring to improve security

“We see a lot of secrets within [legacy] applications, things are not protected as well as they should be. Remember, a lot of the applications have been around for a long time, so the latest and greatest things that are in place are not necessarily in place. They weren't around when these applications were written. So, when we start scanning them—and these applications may not have been changed—some of the security scans that they go through, they haven't necessarily gone through all of these. So when we're trying to make changes, we're seeing these vulnerabilities in place. 

“One of the things that's come out of that is we’re helping clients get ahead of it. So, how do you detect things in advance that may cause a risk, from a security standpoint, to your applications? 

“Again, newer things are easier to protect because the technologies have improved. Older applications have a little bit more challenges to them because you don't necessarily have the time to rewrite something from scratch, but the security vulnerabilities that exist are intense. So, a workaround is: How do we get up front to see some things that are going on beforehand so that we could get ahead of it, if the application can support it?”

Get security stakeholders aligned before the work starts

“What we like to do is say, ‘Let's get security involved from the beginning. Let's identify the things that the organization feels are risks.’ We don't want to go down a path of making changes to be stopped at the eleventh hour to say, ‘No, no, sorry, this is a security risk. We can’t do it.’

“So getting everybody in the room who will have a say in what happens, especially when you're talking about public clouds, where there's still a lot of fear . . . Get the people in there—who have always had oversight from a risk compliance and security perspective—involved from the very beginning. Listen to their concerns, understand what the challenges they've seen and that they're afraid of are, so as we make the changes, we can implement the right things to address them.”

Learn more about application modernization

Application Modernization with Tanzu Labs

Three Transformations Powering App Modernization

App Modernization 101: An Executive’s Guide to Shipping Better Software

The 1-Factor App: Using Kubernetes to Get a Jumpstart on Modernization

About the Author

Derrick Harris

Derrick Harris is a product marketing manager at VMware.

More Content by Derrick Harris
Chaos Engineering, Explained
Chaos Engineering, Explained

Chaos engineering can save your organization millions by reducing outages. Here's advice on how to get star...

(Almost) Everything You Need to Know About SRE
(Almost) Everything You Need to Know About SRE