Cloud Infrastructure
Platform decisions with deep integration complexity, organizational change, and long-term data stakes.
Inside this journey
-
Pre-Discovery
Align the room on outcomes, decision process, and constraints before deeper discovery.
-
Stakeholder Alignment
Confirm decision roles, timeline, compliance owners (CISO, compliance officer), and what ‘good’ looks like for security, finance, and procurement.
Alignment Questions
Start Here: A Quick Snapshot
- Which best describes your organization's primary industry and scale?
- Who will be the primary sponsor for this cloud initiative (title/function)?
- What is the main strategic reason you are evaluating a move to a compliance‑focused cloud platform today?
- How would you describe your current overall stance toward cloud adoption?
- If you had to name the single most important outcome for this engagement (in one line), what would it be?
Who Actually Signs Off — and Who Keeps You From Moving?
- If your CISO or compliance officer said 'not today' on this migration, who else would be directly impacted and why?
- Which roles will need formal approval for a procurement/committed‑spend decision?
- Who owns incident response, penetration testing approvals, and vendor security attestations in your organization—name titles if possible?
- What is the realistic decision timeline from initial SOW to signed committed spend?
- What procurement constraints or approval gates typically slow this kind of deal (e.g., legal review, budget cycles, regulatory signoff)?
What’s Living Under the Floorboards?
- How many 'unknown' or shadow systems do you think would surprise your team during a migration inventory?
- Can you describe your current architecture footprint—primary datacenters, clouds in use, and any co‑located sites?
- Which data classifications and sensitive data types run in the workloads you plan to move first?
- Which compliance frameworks must the migrated workloads satisfy?
- Do you have up‑to‑date architecture diagrams, data flow maps, and a list of third‑party integrations for the targeted workloads?
When Costs Go Off the Rails — Tell Me the Worst‑Case Month
- Imagine a production month where cloud spend is far higher than expected—what are the three most likely causes?
- Which cost drivers do you currently struggle to model or control?
- Who currently owns cloud cost forecasting and committed‑spend reconciliation in your organization?
- What visibility tools or reports do you have to reconcile committed spend vs actuals each month?
- How tolerant is your finance team of month‑to‑month variance (e.g., ±10%, ±25%, higher)?
If Compliance Could Speak, What Would It Ask?
- What single compliance requirement would immediately block deployment if not demonstrably satisfied?
- What evidence package does your audit team expect for a new cloud provider (e.g., SOC2 reports, FedRAMP package, configuration baselines)?
- How do you prefer contractual security guarantees to be structured: strict SLAs with penalties, shared responsibilities with defined handoffs, or a hybrid?
- What are your expectations around penetration testing—frequency, scope (internal/external), and DPA/GDPR‑related requirements?
- What residual risk thresholds are acceptable for your compliance officer (e.g., 0 critical findings, some low/medium findings allowed)?
What Would Make Everyone Celebrate Six Months From Now?
- If the migration succeeded perfectly, what measurable signals would your CTO, CISO, and Finance each point to as proof?
- Which KPIs would you track to determine whether the platform met expectations (pick top three)?
- How quickly do you expect to see ROI from the first migrated workload (choose target window)?
- What acceptance criteria will your compliance team require to sign off a workload as 'production ready'?
- What would be an unacceptable outcome even if other metrics were green (e.g., any data residency violation, a missed SLA causing revenue loss)?
What Could Make the Cutover Fail at T‑Minus 1?
- What single unresolved dependency would cause you to pause or cancel a go‑live in the final week?
- Who must be on call during migration waves and who is the ultimate owner for rollback decisions?
- Do you have preapproved migration windows and maintenance blackout dates that we must work around?
- Which runbook elements are missing or untested today (select all that apply)?
- What would be the acceptable maximum downtime or data loss for the initial workloads?
Tying the Deal to Reality — Commercial & Operational Red Lines
- What contractual terms would make you comfortable signing a committed‑spend agreement today?
- How important is month‑to‑month reconciliation and a monthly committed‑spend review with our account team?
- Would you require a pilot or proof‑of‑value before committing to annual spend? If yes, what should the pilot prove?
- What level of solutions‑architect engagement do you expect during onboarding (hours/week or named SA)?
- Are there any commercial non‑negotiables (e.g., egress caps, data residency guarantees, penalty clauses) we should be aware of now?
A Practical Roadmap — Next Steps That Make Sense
- Which of these immediate next steps would be most valuable to you right now?
- How soon can your team participate in a 2‑week discovery sprint to produce an actionable migration plan?
- What additional stakeholders should we include in the next meeting to accelerate decisions?
- What format of deliverable helps you get internal buy‑in (e.g., one‑page executive brief, technical runbook, financial model)?
- Finally, what would success look like for our first 30‑, 90‑, and 180‑day checkpoints? Please list concise objectives for each timebox.
-
Current State Mapping
Capture on‑prem and cloud architectures, compliance gaps (FedRAMP/HITRUST/PCI), cost drivers, and failure modes that block migration.
Current State
Tell Us About Today — quick orientation
- Which environments host your current production workloads?
- Approximately how many active compute nodes (VMs/instances/hosts) and containers are in scope for the first wave?
- How much primary data (TB) and monthly egress (TB/month) do you estimate leaving the origin systems today?
- Which three applications or systems are highest priority for migration and why?
- Who currently owns the migration decision and budget (pick all that influence sign‑off)?
- How confident are you that your existing architecture already satisfies your regulator’s expectations?
If Your Architecture Were a Story, Where Does It Stall?
- What single recurring architectural problem most frequently delays projects or triggers escalations?
- Which of these best describes your network topology constraints between on‑prem and cloud?
- Which backend integrations or third‑party systems (IDPs, payment gateways, lab systems, EHRs) create the tightest coupling to your current datacenter?
- How tightly bound is data residency to physical racks/regions — are there datasets that cannot leave a specific geography?
- Tell a story of the last time an architectural change failed in production—what happened, who noticed it first, and how long did recovery take?
What Compliance Audits Keep You Up at Night?
- Which compliance frameworks must be satisfied for any cloud environment you run in (select all that apply)?
- Which specific control gaps have auditors or internal assessments repeatedly flagged?
- If a cloud provider could guarantee a particular certification out of the box, which one would change your timeline or decision the most?
- Which security controls are currently manual or inconsistent in your estate (encryption key management, least‑privilege access, audit logging, pen‑test remediation)?
- When was your last external compliance audit or pen‑test, and what were the top three findings that still need work?
Where the Bills Surprise You — cost friction and unpredictability
- When was the last time your cloud or hosting bill created an unexpected finance escalation?
- Which cost drivers have historically been hardest to model or control?
- How do you currently forecast committed spend vs actual consumption (tools/process), and where does that process break down?
- Have you experienced a workload that behaved well in test but spiked costs in production? Tell us which workload and why you think costs spiked.
- Which billing transparency features would reduce your procurement team's objections (hourly cost of egress by service, storage tier breakdown, reserved capacity utilization dashboards)?
What Breaks When Things Go Wrong?
- Which failure mode would cause the most immediate business damage if it occurred in the cloud (data breach, extended outage, compliance audit failure, cost overrun)?
- How well defined are your current runbooks, rollback plans, and on‑call responsibilities for the systems we’d migrate first?
- Describe the last incident that exposed a gap in monitoring, alerting, or audit logging. What was missed, and what would you change?
- What recovery time and recovery point objectives (RTO / RPO) are non‑negotiable for your top workloads?
- Which diagnostic or observability tools are essential for you to trust a migration (APM, distributed tracing, centralized logging, SIEM), and which are missing today?
People, Policy, and the Hidden Hurdles
- Who on your team can unilaterally block a migration decision, and why would they do so?
- Which procurement or legal constraints are most likely to delay contracting (committed‑spend approval, DPA negotiation, egress/storage terms, SLAs)?
- How mature is your internal change management — approvals, CAB meetings, and security sign‑offs required per migration wave?
- Where does skill shortage show up most — platform automation, networking, security hardening, or migration orchestration?
- How does your team prefer to receive help — embedded solutions architect, runbook templates, hands‑on migration support, or train‑the‑trainer sessions?
If We Could Move One Thing First, What Would Change?
- What single outcome would make the first migration wave feel like an unequivocal success to execs and compliance?
- Which measurable success signals would you accept after wave one (latency reduction, cost predictability within X%, audit evidence delivered, successful DR run)?
- What residual risks are acceptable after the first wave, and which are absolute deal‑stoppers?
- Realistically, what is your desired timeline for the first cutover and what blockers must we clear to hit it?
- If we were to propose a migration playbook today, what level of vendor involvement would you expect during execution?
-
-
Outcome & Risk Discovery
Define target outcomes, measurable success signals, acceptable residual risk, and procurement constraints tied to committed spend.
Discovery Questions
Start with the Big Picture
- What's the single most important business outcome you need this cloud migration to deliver in the next 12 months?
- Who is the executive sponsor and who will be your day‑to‑day point of contact for technical decisions?
- How would you describe your current cloud posture today—pilot/POC, partial production, multi‑cloud, or mostly on‑prem?
- What is the timeline you're working toward for migrating the first regulated workload to production?
- When you think about this effort, what keeps you or your team up at night?
If Compliance Could Talk, What Would It Demand?
- What would it do to your migration plan if your CISO or a regulator said: 'We won't accept anything less than full FedRAMP/HITRUST/PCI controls as deployed—not just compliance‑eligible services'?
- Which specific certifications or attestations are mandatory for the workload(s) in scope?
- Who in your organization is the final approver for compliance acceptance (title/role)?
- What compliance evidence do you currently require to sign off on a new platform (examples: control mapping, audit reports, system security plan, pen‑test report)?
- Tell us about a past time compliance blocked or delayed a cloud project—what happened and how long did it take to resolve?
- Are there internal policies or external contracts that prevent you from using certain regions or vendors (e.g., data residency, vendor blacklist)?
Where Money Sneaks Out the Backdoor
- What would it mean for your team if a migrated workload produced a surprise six‑figure monthly bill—how would decisions change?
- Which of these cost factors have surprised you before or feel most risky for this migration?
- Do you currently model expected steady‑state monthly spend and peak month spend separately? If so, how confident are you in those models?
- What committed‑spend approach would your finance/procurement team consider acceptable (minimum term, payment cadence, true‑up options)?
- Have you experienced billing disputes or opaque egress/storage pricing with prior vendors? Describe one example and the impact.
- Which stakeholders must approve pricing tradeoffs (e.g., finance, procurement, legal, security)?
What Does Success Look Like in Real Numbers?
- If we measured success 90 days after go‑live, what 3 metrics would tell you this migration is working?
- Which of the following operational targets are non‑negotiable for you?
- What thresholds in those metrics would trigger escalation or rollbacks?
- How will you measure user/business impact (examples: transaction latency, support tickets, revenue at risk)?
- Who will own reporting and cadence for these metrics after go‑live (title/role)?
- Would you be open to a jointly defined success dashboard we review monthly with the account and engineering teams?
How Much Risk Are You Willing to Live With?
- If you had to pick one sentence that describes your organization's appetite for residual risk after migration, what would it be?
- Which residual risks would you consider acceptable to the business (select all that apply)?
- What incidents or findings in a pen‑test or audit would be automatic deal blockers for your compliance team?
- How do you currently handle risk exceptions—who signs them off and what documentation is required?
- What specific security or privacy controls do you expect to be enforced by default (examples: encryption at rest, access boundaries, centralized audit logging)?
- How quickly would you expect remediation for a high‑severity finding post‑deployment (SLAs for fixes)?
Deal Mechanics — Where the Rubber Meets Paper
- What are the non‑negotiable contract terms you must have before signing a committed‑spend agreement?
- Which procurement cycle best describes how your organization awards multi‑year platform agreements?
- Who needs to sign off on pricing and legal terms (roles)?
- What billing model do you prefer for committed spend?
- What exit/egress protections are essential to you (examples: data export tools, assistance, capped transfer rates)?
- Are there procurement policies (e.g., SOC 2 attestation required, DPA language) you can share so we can align contract language early?
Who's Playing Which Role — Team Rhythm and RACI
- Who will be the dedicated technical owner for the migration and ongoing ops (title/role)?
- Which internal teams must be actively involved during migration windows?
- Would you want a named solutions architect embedded with your team for the first 3–6 months?
- How do you prefer handoffs and decision‑making to work during migration (examples: weekly steering, daily standups, asynchronous tickets)?
- What internal communication channels and escalation paths already exist for cloud incidents?
- What would success look like for your team’s working relationship with our solutions architect in month 1 and month 3?
If This Worked, What Comes Next?
- Imagine we met your top success metrics—what would your next migration look like and how soon would you want to expand?
- Which parts of your estate are highest priority for follow‑on migrations (select up to three)?
- What organizational signals would tell you it’s time to expand (examples: compliance sign‑off, cost savings realized, SLA reliability)?
- What internal obstacles could derail expansion even if the initial migration succeeds?
- If you could ask our team for one guarantee to make you feel confident about expanding, what would it be?
- Realistically, when should we schedule a follow‑up to review success signals and discuss expansion plans?
-
Solution Experience
Ground the offering in the customer’s context by walking through a compliant architecture, migration path, and cost model that prove the outcomes.
Experience Meetings
- Solution Experience Kickoff — Current State Confirmation
- Consequence & Success Metrics Workshop
- Compliant Architecture Solution Experience
- Migration Path & Runbook — Pilot Proof
- Cost Model & Commercial Proof
- Lock in pilot schedule and required test data windows.
- Compliance owner lists mandatory compliance gates (e.g., FedRAMP baseline, pen-test timing) and signs off.
- One-sentence Future State
- Get customer agreement that the presented architecture will achieve the defined future state and success metrics.
- Map each compliance control to evidence and owner, closing any responsibility gaps.
- Establish concrete validation checkpoints to be executed during pilot and waves.
- Solutions architect to deliver an annotated architecture diagram with control-to-evidence mapping.
- Compliance owner to confirm the sufficiency of mapped evidence for audits and list any additional documentary needs.
- Operations owner to accept the validation checklist and assign test owners.
- Migration Waves & Pilot Selection
- Agree on a low-risk pilot that will prove the architecture and migration process against the success metrics.
- Confirm runbooks, rollback criteria, and operational owners for pilot execution.
- Introductions & Objectives
- Build and share pilot runbook with step owners, expected outcomes, and rollback triggers.
- Network/ops to provision transfer bandwidth reservation and confirm egress throttling parameters for the pilot window.
- Schedule pilot cutover date and invite all operational stakeholders and audit observers.
- Current Cost Baseline & Drivers
- Obtain customer validation that the cost model reliably projects outcomes and that key cost risks are mitigated.
- Select a pricing scenario for negotiation and identify legal/compliance items required to finalize terms.
- Establish a billing governance cadence and dashboard ownership for ongoing cost control.
- Deliver a detailed cost-model workbook with scenario tabs and assumptions annotated for customer review.
- Finance/legal to draft term sheet reflecting committed-spend band, egress/storage clauses, and SLA obligations.
- Set up monthly spend-review meeting and connect billing dashboards to designated finance owners.
- Achieve a single, agreed one-sentence current state describing who is affected and how it’s breaking.
- Surface initial quantified consequences (cost/risk/time) tied to the current state.
- List all missing evidence and assign owners to supply them before the architecture walkthrough.
- Customer provides finalized architecture diagram, workload inventory, and last 3 months of billing/cost drivers.
- Solutions architect drafts a one-sentence current-state proposal based on attachments for customer confirmation.
- Schedule the Consequence & Metrics Workshop and Architecture Walkthrough with required stakeholders.
- Reconfirm Current State & Stakes
- Agree on a small set of measurable success signals that will prove the future state.
- Quantify the business and compliance consequences that make the change urgent.
- Document acceptable residual risk and procurement constraints to constrain the solution design.
- Create a Success Metrics document mapping each metric to measurement source, owner, and target values.
- Finance provides committed-spend bounds and billing constraints to be used in cost modeling.
- Proposed Cost Model Aligned to Architecture
- Data Migration & Egress Strategy
- Quantify Consequence — Cost, Time, Risk
- Read & Validate Current State (one sentence)
- Architecture Walkthrough — Zones & Controls
- Runbooks & Rollback Procedures
- Evidence Review — What’s Real
- Control-to-Evidence Mapping
- Define Measurable Success Signals
- Scenario Modeling & Sensitivity Analysis
- Consequences Snapshot (preliminary)
- How Design Eliminates the Key Problems
- Operational Owners & Run Schedule
- Billing Governance & Reconciliation
- Acceptable Residual Risk & Compliance Gates
- Acceptance Criteria & Validation Points
- Data & Preconditions Missing
- Procurement & Spend Constraints
- Pilot Success Criteria & Measurement
- Decision & Contractual Next Steps
- Validation & Sign-off
- Alignment & Next Steps
-
Solution Scope
Define modules (compute, storage, networking, DB, containers, AI), compliance baselines, data residency, responsibilities, and acceptance criteria; assign the dedicated solutions architect.
Scope Configuration
- Provision FedRAMP-certified Compute Instances
- Deploy HITRUST-compliant Managed Database
- Create Isolated Compliance VPC with Network Controls
- Enable Default Encryption and Managed KMS
- Activate Audit Logging with Tamper-Evident Storage
- Provision PCI-DSS Hardened Payment Processing Environment
- Provision Managed Kubernetes Cluster with Compliance Defaults
- Configure Data Residency Controls and Regional Locking
- Provision Dedicated Hosts with FIPS 140-2 Modules
- Set Up Role-Based Access Boundaries with MFA
- Enable Transparent Egress Billing and Usage Alerts
- Provision Storage Tiering with Lifecycle Policies
- Deploy Managed AI Inference Service in Certified Region
- Provision Terraform Provider with Prebuilt Compliance Modules
Scope Questions
Provision FedRAMP-certified Compute Instances
- Which FedRAMP impact level do your workloads require?
- What types of workloads will run on these instances (e.g., web tier, application servers, analytics)? List primary workload types and any special requirements.
- Estimate the expected instance footprint at launch (CPU cores and RAM per node) and anticipated scale over 12 months.
- Do you require single-tenant / dedicated compute (hardware isolation) versus multi-tenant instances?
- What uptime or SLA targets must compute meet (percent uptime, RTO for critical services)?
- Are there specific OS images, hardening standards (CIS, STIG), or baseline configurations we should apply?
Deploy HITRUST-compliant Managed Database
- Which database engines do you plan to use?
- What is the expected database size and IOPS profile at go‑live and projected 12 months out?
- Does the data include PHI or other HITRUST-sensitive categories that require special handling?
- What RPO/RTO requirements do you have for the database (backup frequency, maximum acceptable data loss)?
- Do you require customer-managed keys (BYOK) for DB encryption or provider-managed keys?
- Are cross-region replication, read replicas, or analytics replicas required as part of the managed DB offering?
Create Isolated Compliance VPC with Network Controls
- What isolation model do you prefer for the VPC/network (per-application, per-environment, per-tenant)?
- Which inbound/outbound connectivity patterns are required (Internet only, VPN, Direct Connect/PrivateLink, partner peering)?
- Which network controls do you require by default (security groups, NACLs, stateful firewall, IDS/IPS, WAF)?
- Do you need explicit egress filtering or proxying for traffic leaving the VPC (e.g., approved outbound IPs, TLS inspection)?
- Are private DNS, internal load balancers, and service discovery required within the isolated network?
- Do you require network segmentation proof (diagrams, segmentation tests) for auditors/regulators?
Enable Default Encryption and Managed KMS
- Do you require provider-managed keys, customer-managed keys (BYOK), or HSM-backed keys for encryption at rest?
- Which assets must be encrypted by default (compute disks, databases, object storage, backup snapshots)?
- Do you require key rotation policies, dual-control for key deletion, or separation of duties for KMS admin roles?
- Are FIPS 140-2/140-3 validated cryptographic modules required for your environment?
- Will keys be used across multiple regions or must keys be region-locked?
- Do you require audit logging and exportable key usage reports for compliance reviews?
Activate Audit Logging with Tamper-Evident Storage
- Which sources should forward logs by default (compute, databases, network devices, containers, IAM events)?
- What retention period is required for audit logs for compliance (months/years)?
- Do you require tamper-evident/WORM storage and chain-of-custody evidence for stored logs?
- Do you need logs forwarded to an existing SIEM, or should we provide a hosted log analytics instance?
- What volume of logs (GB/day) do you estimate so we can size retention and storage tiers?
- Which personnel should have access to audit logs and what RBAC restrictions are required?
Provision PCI-DSS Hardened Payment Processing Environment
- Does your environment handle cardholder data directly, or will a tokenization/third-party gateway be used?
- What PCI level / SAQ type do you expect to demonstrate (e.g., SAQ A, SAQ D)?
- Are there required quarterly external vulnerability scans and annual penetration tests to include in scope?
- Which encryption and TLS requirements must be enforced for payment traffic?
- Do you require segmentation evidence demonstrating separation of cardholder environment from other systems?
- Are there preferred WAF rulesets, fraud detection integrations, or payment gateways we must support?
Provision Managed Kubernetes Cluster with Compliance Defaults
- What Kubernetes control plane model do you prefer (managed control plane, self-managed, or hybrid)?
- What compliance defaults are required (network policies, Pod Security Standards, admission controllers, image scanning)?
- Estimate cluster size (number of nodes) and expected pod density for initial migration.
- Do you require private container registries with signed images and SBOM support?
- What RBAC model and service account restrictions are required for operator/CI/CD access?
- Do you need built-in backup/restore for cluster state and persistent volumes?
Configure Data Residency Controls and Regional Locking
- Which regions or countries must data remain in for residency/compliance reasons?
- Which data classes are subject to residency controls (PII, PHI, payment data, logs, backups)?
- Is cross-region replication or disaster recovery permitted if the destination is the same jurisdiction?
- Do you require automated region-locking enforcement and drift detection for storage and databases?
- Are legal hold, e-discovery, or regulator access controls required for region-locked data?
- What latency or locality constraints exist for users or systems accessing region-locked data?
Provision Dedicated Hosts with FIPS 140-2 Modules
- How many dedicated hosts are required at launch and what growth do you expect in 12 months?
- Do hosts need FIPS 140-2 validated crypto modules for all cryptographic operations?
- Is single-tenant physical isolation mandatory for regulatory reasons, or is logical isolation sufficient?
- What hardware profiles (CPU, RAM, GPU) and OS families are required on the dedicated hosts?
- Do you require provable attestation, telemetry, or certificates for host integrity to present to auditors?
- Are maintenance windows and reboot policies constrained by regulatory commitments or business operations?
Set Up Role-Based Access Boundaries with MFA
- Which identity provider(s) will you integrate for SSO (Okta, Azure AD, ADFS, other)?
- Which MFA methods are acceptable for your organization (hardware token, TOTP, push, U2F/WebAuthn)?
- How many distinct roles or access boundaries are required (e.g., dev, ops, security, auditors)?
- Do you require just-in-time privileged access, approval workflows, or session recording for privileged sessions?
- Are break-glass procedures and emergency access controls required and who should own them?
- Do auditors or third parties need read-only access to specific logs or resources?
-
Mutual Commit
Finalize committed‑spend pricing, transparent egress/storage terms, SLAs, DPAs, pen‑test requirements, and mutual acceptance criteria.
Agreement Modules
- Statement of Work (SOW)
- Master Services Agreement (MSA)
- Committed Spend & Pricing Annex
- Billing, Invoicing & Payment Terms
- Egress & Data Transfer Addendum
- Storage Tiering & Retention Addendum
- Service Level Agreement (SLA)
- Data Processing Agreement (DPA)
- Security & Penetration Test Addendum
- Compliance Evidence & Certification Appendix
- Acceptance Criteria & Go‑Live Checklist
- Reserved Capacity & Allocation Schedule
- Implementation & Migration Plan
- Change Order & Scope Amendment Process
- Data Return, Deletion & Offboarding Agreement
- Governance, Escalation & QBR Cadence
- Legal & Regulatory Contact Annex
- Signature & E‑Sign Execution
-
Deployment
Operationalize rollout with readiness checks, enablement, and outcome validation.
-
Pre-Deployment Readiness
Confirm data classification, access controls, reserved capacity, migration windows, compliance evidence, and owners are ready for execution.
Readiness Questions
Quick Intro: Who Are We Talking With Today?
- Please introduce your organization (name, primary vertical) and the single strongest reason you're evaluating a regulated-cloud migration now.
- Which best describes your current infrastructure footprint?
- Who will be the core decision team for this migration (select all who apply)?
- What is your target timeline to have an initial production workload live on a compliant cloud?
- Roughly, what committed annual spend band would procurement consider (or has committed to discussing)?
- How would you describe current confidence that your compliance team will approve a cloud migration without major rework?
If Compliance Is the Gatekeeper, What’s Holding the Key?
- If your CISO or compliance officer could insist on one non‑negotiable artifact before approving migration, what would it be?
- Which compliance certifications or attestations must the platform demonstrate for your workloads?
- Which concrete pieces of evidence does your auditor expect (select all that apply)?
- Where does your organization draw the line on data residency and cross‑border transfer for regulated data?
- Tell us about the last time compliance blocked or delayed a cloud project—what specifically failed to satisfy them?
- What residual risk level would be acceptable to your security/compliance teams (e.g., documented compensating controls, SLA-backed remediation windows, or zero residual risk)?
Where Does Cost Surprise You Most?
- What single billing or cost issue has caused the largest operational upset in the past year?
- Which cost drivers worry you most during migration and in production (select all that apply)?
- Do you currently model egress, storage lifecycle, and reserved capacity for production workloads?
- Which procurement pricing protections would materially reduce your risk (pick up to two)?
- How would you prefer to receive cost transparency during migration (select all that apply)?
- Share an example of a surprise charge you faced previously and its operational impact.
Who Really Owns Risk — And What Will Make Them Say Yes?
- If one stakeholder could veto this project today, who is it and what evidence would flip them to 'go'?
- Which of these stakeholders need to sign off before cutover (select all that apply)?
- What are the top 3 acceptance criteria each of these groups will require (security, finance, procurement)?
- How does your organization quantify acceptable residual risk—by financial exposure, incident likelihood, regulatory penalty, or another metric?
- Who is authorized to approve emergency changes during migration and what governance is required afterwards?
What Would a Zero‑Surprise Migration Day Look Like?
- Imagine day‑one cutover with zero customer complaints—what three things went exactly right?
- Has data classification been completed for the workloads you plan to migrate?
- Which pre‑cutover controls must be validated before any traffic is shifted (select all that apply)?
- Do you have reserved capacity or committed instances planned for cutover to prevent throttling or runaway costs?
- What is your preferred migration window cadence (weekend, nights, phased waves) and why?
- Describe your rollback criteria—what exact symptoms or failures would trigger an immediate reversal?
Operational Readiness: Who Does What When?
- If something breaks within 60 minutes post‑cutover, who is the single point of contact and what is their first action?
- Which runbook and automation artifacts must exist before migration (select all that apply)?
- Do your engineers prefer Terraform, Pulumi, or another IaC for onboarding and ongoing ops?
- Who will be the dedicated solutions architect or AE counterpart on your side during the first 6 months?
- What level of runbook testing do you require prior to cutover (table‑top, dry‑run, live failover)?
- What monitoring, alert thresholds, and escalation SLAs must be in place day‑one?
Evidence & Audit: How Will We Prove It?
- If an auditor asked for proof of controls 24 hours after cutover, which artifacts would you need to hand them immediately?
- Which of the following audit outputs are mandatory for you (select all that apply)?
- Do you require third‑party pen tests and, if so, do you accept vendor‑led remediation windows or insist on independent verification?
- What data retention and logging retention durations are non‑negotiable for your compliance posture?
- Have you had any recent audits with findings relevant to cloud migration? If so, summarize the finding and remediation status.
Commitments, Pricing, and Procurement Red Lines
- What contractual term would most likely cause procurement to stop negotiations (the deal‑breaker)?
- Which commercial protections do you require before signing (select all that apply)?
- How long is your typical procurement cycle from RFP to signature for cloud infrastructure?
- Will your finance team treat this as OPEX consumption or require capital treatment for committed spend?
- Who in procurement/legal needs to be engaged early to avoid last‑minute redlines (name/role)?
- Are there any regulator‑mandated contract clauses (e.g., specific data handling language) we must include up front?
Next Steps & Red Flags: What Would Make You Pause?
- If we leave this conversation without a plan, what single signal would tell you this project is unlikely to proceed in the next quarter?
- List the top three unresolved risks today that, if mitigated, would unlock fast approval.
- On a 1–10 scale, how ready is your organization to begin a compliant migration program right now?
- How soon could you assign an internal owner and a small working team to begin runbook and IaC onboarding?
- Would you be open to a short technical spike (PoC) to validate cost models, compliance controls, and cutover playbooks? If yes, what success criteria would make it worthwhile?
- Preferred next contact method and timing to follow up on readiness artifacts (email, calendar invite, technical workshop)?
-
Deployment Enablement
Schedule waves, coordinate teams, onboard Terraform/Pulumi configurations, runbooks, and execute migrations with clear owners and rollback plans.
-
Validation Checklist
Run acceptance tests, audit logging validation, compliance checks, and cost verification to confirm go‑live criteria are met.
Validation Questions
Quick Pulse: Is Today a Good Day to Validate?
- How ready does your team feel to run validation activities right now?
- Who will be the primary owner coordinating validation activities for this workload?
- Which environments should we use for validation (select all that apply)?
- Are there any recent changes (config, network, third‑party) made in the last 30 days that might affect validation?
- Do you have a preferred go/no‑go meeting cadence and a hard deadline for the validation window?
If We Go Live, What Keeps You Up at Night?
- If we flipped the switch tomorrow, what single failure would you classify as a show‑stopper or regulatory incident?
- Which kinds of compliance violations would force you to pause or reverse go‑live immediately?
- Have you experienced a similar production incident in the past 24 months? If so, briefly what happened and what recovery looked like?
- When you imagine that incident, which impact concerns you most—regulatory fines, customer trust, outage duration, or financial loss?
- Which executives or external stakeholders must be notified within specific timeframes if a critical issue appears?
Where Do Our Tests Actually Prove Anything?
- Which acceptance test do you trust least to reflect real production behavior—and why?
- Which user journeys or system flows must pass validation to be confident (select all that apply)?
- Do you have automated test suites tied to CI/CD for these journeys, and what percentage of those critical paths are covered?
- What explicit pass/fail thresholds should we apply for latency, error rates, and throughput during validation?
- Who owns the test artifacts and long‑term maintenance of the validation suites?
Can You Trust the Audit Trail When It Matters?
- If an auditor demanded a tamper‑proof timeline of access to regulated data, could you produce it within 24 hours?
- Which logging sources are considered authoritative for your compliance posture (pick all that apply)?
- Where are logs stored and what is your minimum retention requirement for compliance evidence?
- How do you detect and respond to gaps or tampering in logs (e.g., integrity checks, write‑once storage, chain of custody)?
- What proof artifacts will auditors accept for encryption, access reviews, and privileged access events?
Who Will Raise the Red Flag and How?
- When the first sign of trouble appears, who must be in the room within the first hour, and who is hardest for you to call?
- Do you have runbooks and incident playbooks for Sev1/Sev2 events, and how recently were they exercised?
- What escalation SLAs do you expect from the vendor and from your internal teams for critical incidents?
- How do you want post‑incident accountability handled (immediate actions, blameless post‑mortem, external reporting)?
- Do you require the vendor to run tabletop or live incident drills before go‑live? If yes, what cadence?
Are Costs Going to Surprise Anyone?
- Which line item on the bill would cause the most executive friction if it doubled unexpectedly?
- Which cost drivers should we prioritize during validation modeling?
- How accurately have you modeled committed‑spend versus expected usage—what margin of error is acceptable?
- Do you want cost‑governance gates during validation (alerts, auto‑throttles, budget caps)? If so, which?
- Who in your organization will own cost reconciliation against committed spend after go‑live?
Acceptance Criteria: Are We Signing for the Right Thing?
- If you had to sign off today, what single unmet acceptance criterion would force you to delay go‑live?
- Which modules must meet acceptance before sign‑off (choose all required)?
- Which compliance baselines must be demonstrably met with artifacts (select all that apply)?
- What concrete artifacts do you require for acceptance (e.g., test reports, immutable logs, pen‑test results, SLA statements)?
- Who are the required signatories for final acceptance and what authority level must they hold?
- Describe the rollback criteria that would trigger an immediate revert during the validation window.
Final Checklist — Can We Prove it in 48 Hours?
- If we gave you 48 hours of focused validation support, what three outcomes would convince you to greenlight go‑live?
- Can you run a dry‑run or smoke migration during that 48‑hour window?
- Which stakeholders must be available during the 48‑hour validation window (select all who must be on call)?
- Which dashboards, metrics, or success signals will you monitor in real time to declare the window successful?
- After go‑live, how long should we keep heightened monitoring and rapid rollback capability before transitioning to steady state?
- What immediate post‑go‑live optimizations or compliance follow‑ups should we prioritize in the first 30 days?
-
-
Success
Review outcomes against success signals, plan estate consolidation and next migrations, and maintain a shared channel for issues and enhancements.
Success Reviews
- Success Review & Validation
- Estate Consolidation & Next-Migration Planning
- Committed Spend & Cost Optimization Review
- Operational Rhythm: Issues, Enhancements & Shared Channel Governance
- Quarterly Success Steering (Executive Review)
Issues & Enhancements
- Provision the shared channels, add initial members and post the triage matrix and runbook links.
- Ensure capacity and cost implications are modeled for committed-spend planning.
- Surface high-risk migrations requiring additional validation or pilot activity.
- Publish the wave plan as a living artifact with owners, dates, acceptance criteria, and runbook links.
- Perform PoC/pilot for any top-risk workload identified before scheduling full migration.
- Update committed-spend forecast to reflect reserved capacity or tier changes required by planned waves.
- Spend vs Commitment Summary
- Reconcile committed spend and confirm any required adjustments or additional purchases.
- Identify immediate cost-reduction actions that do not compromise compliance or availability.
- Agree on financial owner actions and timeline for implementing optimizations.
- Deliver a detailed cost report with recommendations and estimated savings for each optimization.
- Execute agreed reserved capacity purchases or contract amendments via procurement.
- Track and report savings in the next success review cycle.
- Shared Channel Purpose & Access
- Create a single source-of-truth shared channel with clear access, triage, and escalation rules.
- Define SLAs and owners to reduce time-to-resolution for incidents.
- Establish a repeatable enhancement intake and prioritization process tied to business and compliance value.
- Introductions & Purpose
- Populate the enhancement backlog with initial candidate items and score them for prioritization.
- Schedule recurring triage and grooming meetings and publish the cadence to stakeholders.
- One-sentence Current State
- Secure executive approval for the next migration waves and any committed-spend changes.
- Align senior stakeholders on strategic priorities, risk acceptances, and reporting expectations.
- Ensure funding and procurement path is clear for proposed expansions.
- Produce an executive one-pager summarizing KPIs, risks, proposed waves, and decision requests.
- Obtain formal sign-off on budget/commit changes and document procurement actions.
- Schedule the next quarterly steering meeting and assign a dashboard owner for monthly updates.
- Demonstrate evidence that each agreed success signal has been met or document precise remediation required.
- Obtain customer validation and formal acceptance (or a documented remediation plan with owners and deadlines).
- Identify and prioritize any critical residual risks that block broader estate migration.
- Deliver a packaged acceptance artifact set (metrics, logs, compliance evidence) for archiving and audit.
- Create remediation tickets with owners, SLAs, and verification steps for unmet success signals.
- Schedule follow-up validation meeting aligned to remediation completion dates.
- Inventory Snapshot & Dependencies
- Produce an agreed prioritized migration backlog (waves) with owners and acceptance criteria for each wave.
- Egress, Storage & Tiering Analysis
- Prioritization Criteria
- KPIs & Success Signals Review
- Triage Workflow & Severity Matrix
- Current State (one-sentence)
- Strategic Opportunities & Risks
- Outcome Metrics & Evidence
- Wave Definition & Templates
- Reserved Capacity & Discount Opportunities
- Response & Resolution SLAs
- Cost & Capacity Modelling per Wave
- Recommended Next-Wave Investments
- Enhancement Backlog Process
- Consequence Assessment
- Quick Wins & Optimization Roadmap
- Gaps, Remediations & Timeline
- Decisions & Approvals
- Forecast & Contract Implications
- Timeline, Windows & Owners
- Meeting Cadence & Reporting
- Acceptance Decision & Sign-off Criteria
- Finance & Procurement Next Steps
- Runbooks, Playbooks & Tooling Links
- Risk Register & Mitigation
- Governance & Reporting Cadence