1 Introduction

Cloud computing has created a strong buzz around, both in academia and in the industry. Many SMEs (Small and Medium Enterprises) and IT companies view this technology as an opportunity for considerable business growth thereby creating competitive advantage (Buyya et al. 2009; Andrikopoulos et al. 2013). For SMEs, the central attraction for adopting cloud technology is its pay-per-use model, which delivers flexible costing options, apart from the scalability and interoperability features, which cloud environments offer. Larger enterprises are attempting to leverage this technology by considering the business continuity strategies for their exponential growth (Buyya et al. 2009; Khajeh-Hosseini et al. 2012). The traditional legacy system, which supports the core IT processes at organizations, is fraught with maintainability and scalability issues, (Khadka et al. 2013). Given the multiple benefits of cloud computing, many organizations are keen to adapt to this innovative technology. However, tackling security issues regarding the cloud and the migration process has hampered the cloud adoption rate (Rosado et al. 2012; Mather et al. 2009).

This paper is directed towards finding a viable solution to facilitate secure migration of on-premises software application to the cloud environments. Given the inherent advantages of cloud computing and the desire to migrate to cloud, there has been noteworthy research in the area of cloud migration (Khadka et al. 2013; Andrikopoulos et al. 2013). Most of the approaches have proposed frameworks, techniques, processes and methods which help in the migration and assist in decision process for migrating to cloud. For most of these approaches, the software application is in nascent stage as they are hosted on a local server, before the migration.

During the limited study, it was found that a systematic literature review of research on secure cloud migration hasn’t been undertaken. Besides considering the growing demand for migration toward cloud, there is an equal need to investigate a research framework for secure cloud migration.

A SLR identifies, classifies, and synthesizes a comparative overview of the ongoing research and enables knowledge transfer within the research community (Brereton et al. 2007). Likewise, for this paper, a SLR was conducted, with the primary objective to identify, taxonomically classify, and systematically compare the existing research, focused on planning, executing, and validating migration of legacy systems toward cloud-based software. More specifically, to the paper endeavors to answer the following questions, through conducting a methodological review of existing research:

  1. i.

    What are the motivations behind migration to the cloud?

  2. ii.

    What are the existing tasks, methods, and techniques to support secure migration of legacy on-premises software to cloud? In addition, what all tool support is available to achieve the objectives?

  3. iii.

    What are the existing research themes? What should form future research dimensions in legacy to- cloud migration?

The objective is to systematically identify and taxonomically classify available evidence on secure cloud migration and provide a holistic comparison to analyze potential and limitations of the existing research work.

The remaining sections of this paper are structured as follows: Section 2 describes background and related research to position the contributions of this work. Section 3 explains the research methodology, research questions, and scope; Section 4 provides a reference model for state-of-the research and a characterization scheme for cloud migration; Section 5 presents the results of the systematic review; Section 6 discusses the main findings, implications, and trends followed by an analysis of its limitations in Section 7 and Section 8 concludes the paper.

2 Related work

The research on cloud migration is incomplete without talking about SOA (Service-Oriented Architecture. As both cloud migration and SOA exhibit numerous similarities as well as differences at the same time, it would not be appropriate to position the study on cloud migration without SOA migration. Recently, several studies have focused on migration to SOA, but not many are found for cloud migration. Both these technologies offer key benefits as reduced overall cost, business agility and easy provisioning of services to the organizations. Systematic review of 121 primary studies on SOA migration done by Khadka et al (Khadka et al. 2013) showed the use of software re-engineering reference framework for SOA migration, to give a significant view of legacy to SOA migration. This work is motivated by the research methodology used in the mentioned review work. The research agenda developed by the SEI (Software Engineering Institute) for SOA migration (Lewis et al. 2010) provides a taxonomy, which is used to classify topics into various aspects of SOA, along with cross-cutting concerns. Another survey done by Razavian & Lago (2011) with industry representatives as participants on SOA migration highlights the potential gap between the theory and practice of the SOA migration. The survey also identified future research directions in SOA migration. Work done by Pahl et al. (2013) is based on the three different case studies in industry, which proposed a common migration process, based on expert interviews. They identified a process framework for the three deployment models in cloud computing; however the work didn’t deliberate on post migration activities.

3 Research methodology

This research effort will thus aim to address the following Research Questions (Table 1):

Table 1 Research questions and their motivation


Systematic Literature Review (SLR) and the related guidelines (Kitchenham 2004) have been used, to answer the stated research questions. Select survey with optimal mix of participants and interactive conversation has been used to arrive at answers to some of the questions. Primary objective of systematic literature review is to provide a comprehensive summery of literature related to a research question. “A systematic literature review is a means of identifying, evaluating and interpreting all available research relevant to a particular research question, or topic area, or phenomena of interest”(Kitchenham 2004). This kind of review involves several discrete activities. Refer to Figure 1 for the Systematic Review Process. They have been divided into three main phases, as follows:

  1. i.

    Planning the review

  2. ii.

    Conducting review

  3. iii.

    Reporting review

Figure 1
figure 1

Systematic Review Process.

Planning the review

Stages involved in planning review

The following Table 2 shows the stages involved in planning the review work and the criteria chosen for the review planning.

Table 2 Stages and their criteria involved in planning the review

Development of review protocol

After identifying the need of research, research questions were prepared and the review protocol was designed. Review protocol defines specific procedures for conducting the systematic review process. This procedure helps in gathering fair and unbiased information. This protocol development has different stages, such as search strategy, selection criteria, quality assessment criteria, data extraction form and data synthesis strategy.

Search strategy

This strategy helps in answering key research questions effectively. By using keywords search strings were developed. Search strings are constructed by identifying synonyms and alternative spellings for each of the question elements and link them by using the Boolean OR and Boolean AND. Keywords in Table 3 are defined by using PICO (Population Intervention Comparison Outcomes) method (Kitchenham 2004); and are used to construct search strings. The elements of PICO is indicated below-

  1. i.

    Population: The population might be any of the specific role, application and area.

    • Population- Cloud Computing

  2. ii.

    Intervention: The intervention is the tool or technology or procedure that addresses a specific issue.

    • Intervention-Cloud Migration

  3. iii.

    Comparison: This is a tool or technology or procedure with which intervention is being compared.

    • Comparison- Legacy on premises application

  4. iv.

    Outcomes: Outcomes should relate to factors of importance to practitioners such as improved security, reliability and cost benefits. All outcomes should be specified.

    • Outcomes - Secure framework for migration, improved security aspects, performance, cost benefits, applications, tools and techniques.

Table 3 Research questions and keywords

Search string

Following search strings in Table 4 are appropriately designed by using keywords, which are derived from research questions through PICO method. These search strings are constructed by using Boolean ANDs and ORs.

Table 4 Research questions and search strings


Search strings are used in digital libraries for getting related research content. The articles, journals, conference papers, and workshop papers have been identified from the most authentic digital databases, that are scientifically and technically peer reviewed. Some of the databases are as follows -

  1. i.

    ACM Digital Library

  2. ii.

    Springer Link

  3. iii.

    Science Direct

  4. iv.

    IEEE Xplore

  5. v.

    Google Scholar

  6. vi.


  7. vii.


  8. viii.

    Reports and white papers published by groups and organizations working on cloud computing (e.g. CSA, NIST, ENISA etc.)

Inclusion criteria

The following inclusion criteria (Table 5) were used to include the selected papers.

Table 5 Inclusion criteria

Exclusion criteria

The research articles were excluded that didn’t meet the criteria mentioned as indicated above in Table 5 and the following parameters:

  1. i.

    Articles shorter than 6 pages

  2. ii.

    Editorials and Abstracts

  3. iii.

    No-peer reviewed studies

Survey on secure migration process

Survey on the secure migration process was done, to identify key concerns related to the secure adoption of cloud by both industry and academia and also to seek their expert opinion on the proposed framework. All the participants had considerable understanding of cloud computing, its multiple offerings, related technologies, and many hands-on expertise to Cloud environment. As part of their work, the participants were part of the team, which migrated different types of applications to Cloud (including Amazon EC2, Amazon RDS, S3, Simple DB, Windows Azure etc.). With their exposure to the cloud computing environment, they were reliable and valuable participants for the discussion.


The discussion and the survey were carried out with 9 participants from industry and academia individually. Refer Table 6 for the survey participants. The sample characteristics are shown in Figure 2.

Table 6 Survey participants
Figure 2
figure 2

Sample Characteristics (Total = 9).

Discussion protocol

Each participant was asked similar questions in three steps:

  1. i.

    Firstly, each participant was asked for his opinions on the state of art of cloud computing, existing security concerns and the taxonomy of migration tasks. The participants were encouraged to suggest adding more tasks, removing some, or re-categorizing a task.

  2. ii.

    Secondly, the framework for secure cloud migration was presented to the participants, and they were asked for their expert opinion and advice on the model.

  3. iii.

    Thirdly, each participant was asked to describe a cloud migration project, which they worked on, together with the time spent on each migration task in that project.

The discussion was completed with each participant individually, without knowledge of other participants’ answers in the first round. Second round of discussions was conducted with each participant again, but this time with knowledge of other participants’ replies, to decrease the range of answers. This is known as Delphi technique and its helps combine experts’ opinion for a better judgment (Shepperd & Schofield 1997). Interactive conversation survey method was used for conducting fair survey. Here in this method, professional websites as m LinkedIn, different blogs related to Cloud and Cloud Migration was leveraged for conducting the survey. Questionnaires were posted into those sites to have an interactive conversation with the participants, regarding cloud. Author also had few conversations with select organizations using live chat who are working in the field of Cloud.

4 A 5-phase model for classification and comparison of cloud migration research

In this section, a conceptual model called as ‘5-Phased Cloud Migration Model’ has been introduced, to classify and categorize cloud migration research, in terms of distinct phases or processes involved in the cloud migration. While developing this reference model, situational method engineering has been adopted to consolidate the existing frameworks (e.g.P3, P4, P9, P23 etc.) in cloud migration. Method engineering follows a bottom-up approach by identifying low level activities and techniques. These low level activities are then categorized to form generalized processes and phases. Alternatively, a top-down approach forms a framework or a conceptual model consisting of phases, processes and activities. Based on these existing frameworks and guidelines, we have identified the key phases in cloud migration. By reviewing the primary studies and exploring the defined migration tasks, migration process has been categorized in five phases. Figure 3 below represents the ‘5-phased cloud migration model’ which is also inspired by the well-known ‘Water Fall model from the Software Development Life Cycle (SDLC). The proposed conceptual model consists of five phases. Figure 4 shows the distribution of studies according to 5-Phase Cloud Migration Model

Figure 3
figure 3

5-Phase Cloud Migration Model.

Figure 4
figure 4

Distribution of studies according to 5-Phase Cloud Migration Model.

Phase-1: Feasibility study [5 studies]

In the first phase the goal is to identify or determine whether the cloud migration is financially/ technically feasible or not [P2] [P6] [P8] [P13] [P14].

Phase-2: Requirement analysis & migration planning [18 Studies]

In this phase, a detailed assessment of the existing IT environment is done. The objective is to understand the applications that are appropriate for moving into the Cloud [P2] [P15] [P16] [P18], decision making regarding which cloud provider to choose [P3] [P5] [P6] [P9] [P13] [P16], which part of the application to be migrated [P3] [P6] [P13] [P15] and which services to use [P4] [P6] [P11] [P12] are conducted. The output of this phase is a detailed migration plan document.

Phase-3: Migration execution [15 Studies]

In the migration execution phase, the actual migration of data and application is carried out. The process like data extraction [P2] [P11] [P22], code modification [P15] [P17] [P20], architecture recovery [P9] [P11] [P2] [P22] [P18] [P20], cloud migration [P9] [P22] [P17] etc. are actually implemented.

Phase-4: Testing & migration validation [6 Studies]

In the fourth phase, testing and evaluation is done to validate the migrated system [P9] [P11] [P15] [P22] [P17] [P18].

Phase-5: Monitoring & maintenance [4 Studies]

The last and fifth phase is required to maintain and monitor the migrated systems. Not much evidence could be found for this activity in the selected study except for some related activities, as governance [P2] and training [P11] [P21] [P17].

5 Results

In this section we have discussed the results of the SLR process based on the research questions that were defined in Section 1.

Key factors for migration

Based on the existing literature, the research question (RQ1) has been answered and the key reasons for adoption of clouds have been identified. Some of the key drivers for the adoption of clouds are:

  1. i.

    Cost saving

  2. ii.

    Optimum resource utilization

  3. iii.

    Unlimited scalability of resources

  4. iv.

    Less maintainability

These key drivers for cloud adoption have been identified from the selected primary studies and have been presented in a tabular form along with the author’s name and title. For instance the cost saving has been the major driver for cloud adoption as mentioned and discussed about in several studies, also indicated in the Table 7 below.

Table 7 Key factors for migration

Challenges in cloud migration process

In our previous work (Rashmi et al. 2013) we have identified (refer Table 8) various challenges in the cloud migration process and have attempted to answer the RQ2 by listing out various challenges which organizations face, while adopting the cloud.

Table 8 Migration challenges

Existing processes or frameworks for secure cloud migration

To answer RQ3, classification of different migration types given in (Khajeh-Hosseini et al. 2012) has been referred to. This work considers different application layers and different degree of adaptation required to enable migration. It classifies the migration process into following types:

  1. Type 1:


    This type of migration replaces one or more legacy component with cloud services. This is least invasive of all types and requires data or business tiers to be migrated to the cloud stack. This type of migration is done by reconfiguring the components and is done to adjust incompatibilities, to use functionalities of the migrating layer. Replace type of migration couldn’t be identified in the selected studies. This particular type is not very popular as much as pure cloud enabler and hence the evidence in probably not available.

  2. Type 2:

    Partially Migrate

    This one partially migrates some of the systems components to the cloud. There are quite few papers on the partial migration where the organizations have migrated one or more application layer implementing a particular functionality in the cloud.

  3. Type 3:

    Migrate the whole application

    This is a perfect example of migration where the whole application is encapsulated in one or more virtual machines, which are already running into the clouds. This one also doesn’t need many changes to the application, assuming the application can be ported ‘as is’ into a virtual machine.

  4. Type 4:


    Cloudify is an example of full migration, where an application is converted to a fully-fledged cloud enabled system by composing cloud services.

Table 9 below categorizes all the four types of migration along with the Cloud Deployment models, which were used in the migration process. The table also identifies various tools/frameworks which are used in the selected studies.

Table 9 Categorization of primary studies based on migration type, deployment model and tool support

Current state and ongoing research issues in secure cloud migration

In this section, we have attempted to answer RQ 4 by carrying out a systematic review of the existing approaches for legacy to cloud migration. This review is done to summarize the existing approaches, models, tools and techniques and also to identify and analyze the security issues considered in these migration approaches. The focal objective is to identify the possible solutions offered to address the security concerns or needs in the cloud migration process. In this regard, a set of approaches have been collated which is pertinent for this analysis. The details are as summarized in the Table 10.

Table 10 Primary studies on secure cloud migration and key findings


The central objective of this review paper was to consolidate the existing research on cloud migration and identify the security concerns reflected in these selected review papers. The foremost contribution of this systematic review is the proposition of conceptual model for cloud migration for the characterization of the studies and a comparative analysis of the existing literature through the model, to indicate the tools and techniques used in the various studies. Authors have also tried to identify the security concerns in the existing literature studies on cloud migration. Authors have defined the cloud migration process in a 5-Phased model. The five phases are as follows-

  1. i.

    Feasibility study

  2. ii.

    Requirement analysis & migration planning

  3. iii.

    Migration execution

  4. iv.

    Testing & migration validation

  5. v.

    Monitoring & maintenance

After analyzing the studies collected through this Systematic Review Process, a number of research challenges were observed and which indicated future directions of this research.

  1. i.

    Growing maturity of cloud migration – Even though it has been acknowledged that the maturity of the cloud migration is in its pivotal stage, one can observe a clear sign of growth by observing various types of cloud migration being reported in the literature (already discussed in Section 2.3). Proper validation across all these types of migration is an area that needs immediate attention by the cloud researchers.

  2. ii.

    Need for more results on cloud migration evaluation - By observing the results on cloud migration in the selected studies one can clearly identify the need for more and more results and real-time case studies from industries on cloud migration. More evaluation, survey and experience reports on legacy-to-cloud migration will be needed, which will result in more trust and confidence of researchers regarding the validity of cloud migration research.

  3. iii.

    Need of a comprehensive migration framework – Although, the Authors have presented a 5-Phase model for cloud migration in Section 4, the cloud researchers needs to propose a more comprehensive framework such as the ones proposed for SOA migration (Discussed in Section 2) with tangible evidence of solutions in terms of methods and techniques.

  4. iv.

    Solutions to address Security Concerns – As per the distribution of studies based on the 5-Phase model for cloud migration (Figure 4), the main focus of the research is on the requirement analysis and cloud migration planning (approx. 38%), however very few of them address the security concerns hovering over the cloud migration (discussed in Section 5.4).

To summarize, one can conclude that cloud migration is still in its nascent stage, but is maturing at a fast pace. The Authors have acknowledged the call for a tangible secure migration framework, to facilitate systematic and trustworthy migration to the cloud.