Security in Legacy Systems Migration to the Cloud:
A Systematic Mapping Study
Luis Márquez Alcañiz
1
, David G. Rosado
2
, Daniel Mellado
3
and Eduardo Fernández-Medina
2
1
National Competition Commission, Madrid, Spain
2
GSyA Research Group, University of Castilla-La Mancha,
Dept. of Information Systems and Technologies, Ciudad Real, Spain
3
Spanish Tax Agency, Madrid, Spain
Abstract. While cloud computing emerges as a major trend in IT industry, ear-
ly providers and adopters are paving the path with concerns and solutions. One
of the most worrisome challenges that face the corporate clients of this new
form of IT provision is how to maintain the security of their most important
every day apps in the new environment, that is how to migrate securely their
legacy systems that run on data centres fully controlled by the organization's IT
department to a less clearly controlled infrastructure that is managed at least
partly outside the scope of the clients premises and even completely off-shore.
This paper presents a Systematic Mapping Study on the issue as the first step to
analyze the different existing approaches in the literature about migration pro-
cess to Cloud computing where taking into account the security aspects that
have to be also moved to Cloud. We propose four research questions dealing
with the existing strategies to migrate legacy, how they relate to common secu-
rity issues as well as security issues specific to the cloud environment, and how
the proposals are aligned with security standards.
1 Introduction
In early papers relating cloud computing (CC) we could find different definitions of
what CC is, likely referencing one in [1-4]. But, probably, the most widespread today
is the one given by Mell and Grance in [2]; CC is “a model for enabling convenient,
on-demand network access to a shared pool of configurable computing resources that
can be rapidly provisioned and released with minimal management effort or service
provider interaction”. The Gartner's special report by Smith in [5] says in its very
opening statement: “cloud computing is maturing, but it continues to be the latest,
most hyped concept in IT”. The Gartner’s report also shows how the general issue has
just gone over the top of the hype cycle, with general CC security and private CC at
the verge of the peak.
From the very beginning, IT executives have shown a top concern: security [6].
So it was in the first years after the concept emerged [7, 8] and so it is still today [9].
Márquez Alcañiz L., Rosado D., Mellado D. and Fernández-Medina E..
Security in Legacy Systems Migration to the Cloud: A Systematic Mapping Study.
DOI: 10.5220/0004979900260037
In Proceedings of the 11th International Workshop on Security in Information Systems (WOSIS-2014), pages 26-37
ISBN: 978-989-758-031-4
Copyright
c
2014 SCITEPRESS (Science and Technology Publications, Lda.)
For many experts CC poses new risks to the computing environment since it is “at
odds with traditional security models and controls” [10].
Other people, though, see in the CC paradigm a good chance to improve security
of legacy software. For instance, Winkler states in [11] that the migration from legacy
systems to the cloud “gives us hope that we can regain control […] from poorly inte-
grated or after-thought security.”
According to the survey carried out by MeriTalk [12] among 166 Federal IT lead-
ers “47% or IT applications are based on legacy technology in need of moderniza-
tion” and the Federal spending to support legacy apps can be estimated around $35B.
Given that the security is mostly questioned by very same practitioners that will
have to decide, the apparent absence of an acknowledged migration model for legacy
systems with specific security concerns could deter the widespread adoption of the
model. Thence, this seems to be a valuable opportunity for research. As a first step in
the research process we decided to perform a systematic mapping study (SMS) of the
existing CC migration models, with a focus on concrete references to either issue of
security, privacy or system information assurance. Also, to avoid the bias of our re-
search as much as possible we decided to follow a structured method as the ones
introduced in [13] and [14]. Systematic literature reviews and systematic mapping
studies in software engineering are meant to bring some of the better qualities and
sound practices in other research areas like social sciences to the first steps of any
research in the software engineering field. This paper is the result of this systematic
mapping study.
The rest of the paper is structured in 3 more sections. The next section, section 2,
defines with some detail the background, the research question and describes the
SMS process that we have followed. Section 3 presents a mapping study of the se-
lected pieces with links to the research question defined and shows the analysis re-
sults of the comparison performed. And, finally, we close in section 4 with our con-
clusions and agenda for future work.
2 Background and Method
To carry on our SMS we decided to follow the method presented in [13]. The goal of
a SMS is to collect and evaluate as much research as possible related to a given ques-
tion so that the result is as repeatable, auditable and unbiased as possible. We adapted
slightly the method presented in [13] to our specific needs.
It might look that the process is linear in nature. Actually, the results are produced
through some iterations of the main cycle. Each cycle allows us to refine the process
until we get the appropriate results.
2.1 Background: Legacy Systems Migration
The problem of software with poor quality from the perspective of its maintainability
and adaptability and how it can evolve along its lifetime is not new. But the problem
changes along with new technologies. When a new technology emerges, the products
27
that were developed or deployed with the preceding technologies can become legacy.
Legacy is an ambiguous adjective: for the business management it means a valuable
asset, for the IT department it means risk.
There are many definitions for what a legacy system is, but probably the most
acknowledged is the one shared in [15] and [16]: systems become legacy systems
when they begin to resist modification and evolution. Some authors like Somerville
point out that legacy systems are somehow socio-technical systems that include not
only software and hardware, but business processes and people.
The frame for legacy evolution is presented in [17], where Bisbal et al. classify
the evolutionary solutions when dealing with legacy from mild wrapping to redevel-
opment, being the final result of the evolutionary process a mix of different compo-
nents each one with a particular solution. Migration happens to be in between the
extremes and, actually, takes techniques from both of them. In [16], Seacord et al also
give an approach for a risk driven modernization as part of a spiral development pro-
cess and delivers a model that depicts a horseshoe and that is in use at the Carnegie
Mellon SEI. This horse model is applicable also to the cloud. There is little work on
migration from legacy to service oriented architectures (SOA). In [18], Heckel et al
justify this little work in the fact that the SOA reengineering area is quite new. But,
when focused on the more specific world of CC, the alternatives are even less.
2.2 Research Questions
Before carrying out the actual mapping study, we performed a preliminary analysis to
search for existing cloud migration methods for legacy systems that take into account
security in their proposals. This analysis showed a lack of publications dealing with
these issues. Some proposals for cloud migration migrations have been made in [19-
21], but few of them deal with “security” or “privacy” or any other related. Further-
more, current migration proposals seldom deal with CC security particularities.
A critical step in a SMS process is to specify the research questions. In our case,
the research questions will focus on identifying existing proposals for migrate legacy
systems to different CC schemes that deal with the security explicitly and thoroughly.
Thence, the scope defined is twofold.
The review is aimed at comprehensive proposals, that is, that deal with all the
security aspects that may arise during the migration, from adapting the security
requirements already present in the target legacy system to improving the security
properties of the target.
The approaches must consider the particular characteristics of CC. Only those
studies that deal specifically with the CC model have been taken into account. To
attain the scope we have devised four research questions given in table 1.
Table 1. The research questions.
ID Question
RQ1
What types of CC migration strategies are proposed for legacy systems?
RQ2
How CC migration strategies deal with the security issues raised from legacy?
RQ3
How CC migration processes deal with the security issues raised from the CC model?
RQ4
How CC migration processes are aligned with security standards?
28
2.3 Review Protocol
From [12] we know that we had to define in advance a detailed review protocol. This
is both to allow us to plan the activities and to avoid biased results in the SMS. In this
section we present the protocol that we defined and followed in the SMS.
Once the research questions were settled, a set of search terms was extracted from
them. These terms, aka keywords, were used in the review to identify all the relevant
approaches that were related to the research questions and to attempt to answer them.
A precise definition of the keywords is vital if comprehensive results are to be
retrieved without neglecting important approaches.
Considering that the proposed research questions include characteristics from
different research areas, it was necessary to define the keywords in such a way that
none of them was excluded. We also joined some synonyms of the keywords to
prevent a proposal being ignored because of alternate vocabulary use. In the end, the
proposed keywords that were used combined in different ways in our SMS were the
following: Migration/reengineering; Strategy/process; Combined in expressions such
as “migration strategy” and “migration process”; Legacy system/software; Cloud
Computing; and Security/Privacy Standard/ISO/COBIT.
We tried to keep this set of keywords a bit fuzzy and generic in an attempt to
compile all the proposals related to include security requirements in the migration of
legacy systems to the CC. Thence, it was expected that the search for these terms
should return some additional results that were not strictly related to the review’s goal
(for instance, “migration process” may. Selection filters were subsequently applied in
order to frame the relevant studies.
Another crucial point when doing a SMS is the selection of the sources. We used
search engines from the following sites: Google Scholar, Elsevier, IEEE Xplore,
ACM Digital Library and Science Direct.
Because of language limitations, only studies written in English were to be
considered in this review. And, because we are dealing with a very recent and rapidly
changing research area we also decided to restrict the time scope to those items
published from 2008, year in which the term “cloud computing” became widely used
within the academia.
From [12] we also know that it's advised to include in the SMS protocol a
preliminary search in seek of already published reviews on the subject. This was done
by querying for the more general “cloud computing” filtered with the term “literary
review” and “mapping study”. In our case, and probably because of the lack of
maturity of the research topic, we promptly realised that our available resources did
not contain any publications dealing with the proposed research questions. The SMS
process consequently should continue with the search for primary studies which
contained the aforementioned keywords.
A combination of the previous search terms was filled to the forms of the
aforementioned engines. So we got a first approximation to our research question that
allowed us to get a list of probably relevant primary studies. Complementary to the
results obtained from the search engines, we got some material from experts in the
field and other colleagues who had been working in related fields to whom we
consulted.
Then, we had to filter the results to extract those pieces of literature that better
29
satisfied the SMS conditions. We did this through a first scan of the title of the article
and the keywords, and later a second pass by browsing the abstracts. These proposals
were further narrowed through the definition of a set of inclusion and exclusion
criteria, which had to be objective in order to reduce the bias of the results and to ease
the repeatability of the SMS process.
One of the objectives pinpointed in this SMS was that of compiling a
comprehensive catalogue of migration frameworks from legacy applications to the
cloud. Another inclusion criterion was to ensure that we selected proposals dealt with
SOA and or cloud migration with some mention to security aspects. An objective
criterion was established by relying on an accepted and widespread security standard:
the ISO/IEC 27000 standard family.
This group of criteria was used to narrow down the initiatives obtained by the first
search. In most cases, it was sufficient to contrast the title and abstract or executive
summary with the proposed criteria to decide whether to include or exclude the
proposal. Nevertheless, when in doubt it was, in some cases, necessary to analyze the
whole text in order to make the appropriate decision.
The quality assessment of the selection of publications performed was conducted
in the aforementioned multistage process. As previously stated, the SMS was
executed iteratively, signifying that the results were analyzed after each cycle to
confirm whether we were heading in the right direction. The final list of papers
obtained is given in Table 2.
Table 2. Selected papers.
ID Paper Reference
[RR1]
An Analysis of Security and Privacy Issues in Smart Grid Software
Architectures on Clouds
[22]
[RR2]
Digital Stakes at Risk! Modernizing Legacy Systems
[19]
[RR3]
The CloudMIG Approach: Model-Based Migration of Software Systems to
Cloud-Optimized Applications
[20]
[RR4]
Migrating Legacy Applications to the Service Cloud
[21]
[RR5]
Cloudward Bound: Planning for Beneficial Migration of Enterprise Applications
to the Cloud
[23]
[RR6]
REMICS-REuse and Migration of Legacy Applications to Interoperable Cloud
Services
[24]
[RR7]
Decision Support Tools for Cloud Migration in the Enterprise
[25]
[RR8]
Service Migration in a Cloud Architecture
[26]
[RR9]
Dynamic Service and Data Migration in the Clouds
[27]
[RR10]
Automatic conformance checking for migrating software systems to cloud infra-
structures and platforms
[28]
3 Data Extraction and Comparison
This section contains the summary of the information extracted from each of the
pieces of literature found by our SMS process. A brief description of each is provided
30
along with the most relevant aspects related to the comparative criteria previously
defined.
3.1 An Analysis of Security and Privacy Issues in Smart Grid Software
Architectures on Clouds [RR1]
This paper presents some security issues arisen when dealing with a cloud implemen-
tation for managing a grid of devices connected to meters (smart grid) that includes
some legacy applications and hardware in their edge devices.
The paper is mainly a taxonomical analysis, and does not propose a detailed
method or procedure for integrating or migrating legacy apps and or data on the edge,
though it gives a possible approach that consist in virtualization. Otherwise the paper
only points out the compatibility issue with both existing and new apps. Mostly, the
proposal for dealing with legacy applications and or hardware is the coexistence of
legacy platforms with the parts of the system that has been migrated to the cloud, as
well as virtualization of legacy applications into environments “with identical
configuration as the legacy” and running all the software stack on cloud
infrastructure.
This paper also points out the necessity of negotiating and monitoring the
enforcement of SLA with some security standards related to web services like WS-
Policy, WS-Security and XACML.
3.2 Digital Stakes at Risk! Modernizing Legacy Systems [RR2]
The report presents quite a lot of information about studies done on legacy systems in
the public sector in USA, their characterization and drivers to its moderniza-
tion/migration. It also presents seven surveys on modernization/migration of legacy
systems. The 4th survey is specific on security and enterprise risks.
The report does not presents in detail any specific method or procedure for
migrate and or integrate legacy applications, but it points out to the main different
approaches that the interviewees have applied: wrapping, automated migration, data
conversion, extension, rehosting/replatforming, reengineering and replacing with
commercial-of-the-self, re-architecting/renovation, SOA integration, Enterprise
Application Integration (EAI), virtualization/emulation (VM) and others.
Some of the strategies presented cannot be regarded as migrations dealing with
software engineering (e.g. virtualization), but give us an idea about the trends and
options when modernizing legacy systems and the success rate that can be expected
with each strategy.
Though the report deals specifically with security and risks, there is no link
between the methods pointed out and the risks associated to each method. Actually,
most of the risk that are mentioned in the report are not related to information
security, but to enterprise risks.
31
3.3 The CloudMIG Approach: Model-based Migration of Software Systems to
Cloud-optimized Applications [RR3]
This presents a specific model for migrating legacy systems into the cloud called
CloudMIG. The model presents six activities that aim to transform the legacy system
into a cloud ready one; namely: extraction, selection, generation, adaptation, evalua-
tion and transformation.
The work does not deal with security issues, though the 3rd activity (Generation)
provides a model with the target architecture violations of the cloud environment
constraints (CEC). But they are generic constraints, the paper is not specific about
security constraints neither of the legacy nor the target, and though we assume that
security constraints could be modelled as CEC there is no clue about how to do it.
It does not relate the model to any security standard nor any process aimed to
ensure the security requirements of the target or the artefacts produced, though the
Kwoledge Discovery Metamodel (KDM) is proposed in the first activity as a suitable
model for building the original legacy software architecture.
3.4 Migrating Legacy Applications to the Service Cloud [RR4]
This paper presents a process for migrating legacy software into software-as-a-service
architecture in seven steps. It relies on model driven architecture (MDA) transfor-
mations and the Software Engineering Institute horse model [16]. The seven steps are
the following: architectural representation of the legacy, redesign of the architecture,
MDA transformation, web service generation, web service based invocation of legacy
functionalities, selection of the CC platform and web service deployment. They apply
the model to a case of study for migrating a legacy application in the area of oil risk
analysis.
The paper does not deal with security issues but in the last step (migration to the
cloud). And there only mention security in a general non specific way along with
scalability and networking. Nor it seems to make detailed questioning about security
constraints of the legacy. The paper does not mention any security standard nor any
activity nor task nor process related to integration or review of the security constraints
of the target.
3.5 Cloudward Bound: Planning for Beneficial Migration of Enterprise
Applications to the Cloud [RR5]
This paper presents a model to deploy enterprise applications in a hybrid cloud envi-
ronment; where applications are partly hosted within the organization premises. It
gives an in detail model to evaluate which components of a legacy application can be
migrated to the cloud, and which components must stay. The authors illustrate the
model with a real case use at a large university involving the migration of their Enter-
prise Resource Planning (ERP) system.
The paper deals specifically with the migration of access control lists and their
definition in the firewalls of the organization. Nevertheless, it does not deal with
32
security requirements of the application, but the security requirements of the commu-
nications (firewall contexts and ACL rules).
The model is not a software engineering one, but a systems oriented one. Thence,
the requirements of security or the migration from the application perspective is not
addressed. The paper does not mention any security standard.
3.6 REMICS-reuse and Migration of Legacy Applications to Interoperable
Cloud Services [RR6]
This report presents a tool-supported MDA methodology for migrating legacy appli-
cations to cloud. The model presents four activities: recover, migrate, model driven
interoperability, validate control and supervise and forward MDA through cloud.
The paper does not deal specifically with security, nor risks, nor any standard of
security. They refer to the REMICS project web page for further publications and the
state of the art, but we have not been able to trace any further progress.
3.7 Decision Support Tools for Cloud Migration in the Enterprise [RR7]
This paper presents in further detail the decision support system mentioned in the
previous paper. It proposes a model for risks assessment when migrating legacy ap-
plications to the cloud and tries to identify a template for risk evaluation and mitiga-
tion approaches.
The paper does not propose a detailed legacy application migration process, nor
deals with security constraints of the legacy apps, nor mention any standard of securi-
ty. Nevertheless, they give five risks associated with security according to a survey
that the authors have made within 50 academic papers.
3.8 Service Migration in a Cloud Architecture [RR8]
This paper present several security and integration issues related to the migration of
existing applications within three support areas: acquisition, implementation and
security. In section 4.3 presents several concerns on security that organizations that
plan to migrate must take into account.
It states that, “presently, cloud computing cannot support users who cannot switch
from legacy applications because equivalent cloud applications do not exist”.
In the security section it gives questions that the practitioner should ask himself or
herself like the fact that “data must often be retained locally to satisfy regulatory
requirements” or regulatory and legal issues related to the security of data and /or its
availability. It does not present a technical process for migration nor align any activity
with the security process or with any security standard.
3.9 Dynamic Service and Data Migration in the Clouds [RR9]
This paper presents a framework to ease the migration of services to the cloud and
33
gives a a decision model to select the services that can be moved. It does so from the
point of view of the supporting SOA services, where the general computing platform
(GCP) is also regarded as a service that uses VM technologies.
The paper states that a GCP that uses VM solves some of the security problems
but that there still remain some that must be specifically address through an authenti-
cation framework and the use of certificates and certificate authorities (CA). All the
security model proposed relies on this issue. It does not align the use of the frame-
work with any security requirement specific to the legacy application migrated, nor
gives any process to integrate security into the target. It does not link security with
any security standard or model.
3.10 An Extensible Architecture for Detecting Violations of a Cloud
Environment's Constraints during Legacy Software System Migration
[RR10]
This paper presents a detailed description of CloudMIG and explains more thorough-
ly than the one in [RR3] the mechanisms to deal with the target architecture violations
of the cloud environment constraints. It also gives a metamodel that should help to
semiautomatically migrate legacy systems to the cloud.
The process deals with risks related to the migration process, namely: the runtime
constraints, but not specifically to the security constraints of the legacy or the target
platform. It does not relate the model to any security standard nor any process aimed
to ensure the security requirements of the target or the artefacts produced.
3.11 Literature Comparison
In the paper reviewed we can largely find two main groups of research interest. One
of the groups deals with the research question about specific strategies to migrate to
cloud computing (RQ1) and the other group deals with issues on security general
(RQ2), security specific to cloud (RQ3) and linked to standards (RQ4). Table 3
shows the mapping of the papers reviewed and how they relate to the research ques-
tions.
As we can see, most of the proposals only deal with the general strategies, and the
ones that deal with the security issues don't propose any strategy; perhaps with the
exception of RR5 which is focused only on hybrid CC proposals. The only one that
names (though does not develop) some security standards does not give any strategy
to migrate legacy, but deals with security from a descriptive perspective.
Although there are seven publications that mention security aspects to take into
account in the migration (RQ2), none of them presents an approach indicating which
are the most important issues to consider, how to perform the migration of these as-
pects of security, what set of security requirements have to consider, which are the
most appropriate mechanisms used to implement certain security services for the
Cloud, what security standards are more appropriate taking into account different
standards for areas such as healthcare (e.g., Health Insurance Portability and Ac-
countability Act (HIPAA)), finance (e.g., Payment Card Industry Data Security
34
Standard (PCI DSS)), security (e.g., ISO 27001, ITIL, COBIT), and audit (e.g.,
Standards for Attestation Engagements (SSAE) No. 16), and so on. That is, a migra-
tion process to guide and indicate to us the steps, tasks, recommendations, mecha-
nisms, standards, and decisions to follow with the main objective of migrating securi-
ty aspects and services to the Cloud.
Table 3. Literature mapped to research questions
ID RQ1 RQ2 RQ3 RQ4
RR1
Smart Grids Smart Grids
Only names (WS
oriended)
RR2
Non CC specific
Partly
RR3
RR4
SOA
RR5
Hybrid CC
ACL Only hybrid CC
RR6
RR7
Only DSS List risk List risk
RR8
No Only questions Only questions
RR9
GCP via VM
VM & CA VM & CA
RR10
Runtime violation detection
RQ1: What types of CC migration strategies are proposed for legacy systems?
RQ2: How CC migration strategies deal with the security issues raised from legacy?
RQ3: How CC migration processes deal with the security issues raised from the CC model?
RQ4: How CC migration processes are aligned with security standards?
Legend: ACL: access control lists, VM: virtual machine, CA: certificate authority, GCP: general
computing platform; WS: web services.
4 Conclusions and Further Research
In the previous sections we have seen, the results of following a structured process to
try to answer a set of research questions relating security in the migration of legacy
systems to the cloud computing paradigm.
As we said in section 1 and 2, we decided to follow a systematic approach to
avoid biases and to make the mapping study as repeatable as possible. That is the
purpose of using a process as the ones proposed by Petersen et al in [13] and Kitch-
enham in [14].
From our systematic approach we can state that there is a lack of research in the
field and that this lack of research points out to a gap that should be filled if cloud
computing services are meant to be incorporated into the large corporate businesses.
As we have justified, to replace the legacy cloud proposals must address the issue of
security in a structured way and, up to date, there is no overall approximation strategy
to the cloud migration that deals with security in a straightforward manner.
Given that there are no initiatives where a migration process is proposed for secu-
rity aspects, something that, as we have seen, managers regard as one of the most
important issues for a core application that has to be migrated to the Cloud, we feel
35
that there is an urgent need to provide methodologies, techniques and tools not only
for giving access to the cloud for the data and services which are locked in these
closed legacy parts of the core information system, while maintaining the security
standards, but also to provide a strategy that ease the certification of this security and
process.
Our next step will be identifying existing migration processes that, though focused
on other technologies, would address the security of legacy integrated into the process
so that we could develop from there a common strategy and adapt it to the cloud spec-
ificities. Other point of interest of our research will be making up a catalogue of secu-
rity standards related to web services and IT in general so that we take them into
account when developing our strategy. And a final issue that will concern us is how
to adapt the certification processes for software engineering with the details of the
cloud computing delivering model.
Acknowledgements
This research is part of the following projects: GEODAS (TIN2012-37493-C03-01)
and SIGMA-CC (TIN2012-36904) financed by the “Ministerio de Economía y Com-
petitividad and Fondo Europeo de Desarrollo Regional FEDER” (Spain).
References
1. Buyya, R., et al., Cloud computing and emerging IT platforms: Vision, hype,and reality for
delivering computing as the 5th utility. Future Generation Comp. Syst., 2009. 25(6): p.
599-616.
2. NIST, The NIST Definition of Cloud Computing, P. Mell and T. Grance, Editors. 2009,
National Institute of Standards and Technology.
3. Vaquero, L.M., et al., A break in the clouds: towards a cloud definition. SIGCOMM Com-
put. Commun. Rev., 2008. 39: p. 50-55.
4. Wang, L., et al., Scientific Cloud Computing: Early Definition and Experience. High Per-
formance Computing and Communications, 2008: p. 825-830.
5. Smith, D.M., Hype Cycle for Cloud Computing, in Gartner Research Report. 2011. p. 9-11.
6. KPMG, From Hype to Future. KPMG's 2010 Cloud Computing Survey. 2010.
7. Christiansen, C.A., et al., Identity and Access Management for Approaching Clouds, in
IDC White Paper. 2010.
8. Gens, F., IT Cloud Services User Survey, pt.2: Top Benefits & Challenges, in IDC Ex-
change. 2008.
9. The Open Group, The Open Group Cloud Computing Survey. 2011.
10. Jansen, W. and T. Grance, Guidelines on Security and Privacy in Public Cloud Computing,
NIST Special Publication 800-144, Editor. 2011.
11. Winkler, V., Securing the Cloud. Cloud Computer Security Techniques and Tactics. 2011:
Elsevier Inc.
12. Tobin, M. and B. Bass, Federal Application Modernization Road Trip: Express Lane or
Detour Ahead? 2011, Meritalk.
13. Petersen, K., et al., Systematic mapping studies in software engineering, in Proceedings of
the 12th international conference on Evaluation and Assessment in Software Engineering.
36
2008, British Computer Society: Italy. p. 68-77.
14. Kitchenham, B. and S. Charters, Guidelines for performing Systematic Literature Reviews
in Software Engineering. Version 2.3. 2007, University of Keele (Software Engineering
Group, School of Computer Science and Mathematics) and Durham (Department of Con-
puter Science).
15. Brodie, M.L. and M. Stonebraker, eds. Migrating Legacy Systems: Gateways, Interfaces &
the Incremental Approach. ed. M.K.S.i.D.M. Systems. Vol. 1st Ed. 1996, Morgan Kauf-
mann Pub.
16. Seacord, R., D. Plakosh, and G. Lewis, Modernizing Legacy Systems: Software Technolo-
gies, Engineering Processes, and Business Practices. 1st ed. 2003: Addison Wesley.
17. Bisbal, J., et al., Legacy Information Systems: Issues and Directions. IEEE Softw., 1999.
16(5): p. 103-111.
18. Heckel, R., et al., Architectural Transformations: From Legacy to Three-Tier and Services.
Software Evolution, 2008: p. 139-170.
19. NASCIO, Digital Stakes at Risk! Modernizing Legacy Systems. 2008.
20. Frey, S. and W. Hasselbring, The CloudMIG Approach: Model-Based Migration of Soft-
ware Systems to Cloud-Optimized Applications, . International Journal on Advances in
Software, 2011. 4(3 & 4): p. 342-353.
21. Zhang, W., et al., Migrating Legacy Applications to the Service Cloud, in 14th Conference
companion on Object Oriented Programming Systems Languages and Applications
(OOPSLA 2009). 2009: Orlando, Florida, USA. p. 59-68.
22. Simmhan, Y., et al., An Analysis of Security and Privacy Issues in Smart Grid Software
Architectures on Clouds, in IEEE International Conference on Cloud Computing, CLOUD
2011. 2011: Washington, DC, USA.
23. Hajjat, M.Y., et al., Cloudward bound: planning for beneficial migration of enterprise
applications to the cloud, in Proceedings of the ACM SIGCOMM 2010 Conference on Ap-
plications, Technologies, Architectures, and Protocols for Computer Communications, New
Delhi, India, August 30 -September 3, 2010. 2010, The Association for Computing Ma-
chinery, Inc.: New York, USA. p. 243-254.
24. Parastoo, M., et al., Reuse and Migration of Legacy Systems to Interoperable Cloud Ser-
vices- The REMICS project. 4th Workshop on Modeling, Design, and Analysis for the Ser-
vice Cloud (Mda4ServiceCloud'10), 2010.
25. Khajeh-Hosseini, A., et al., Decision Support Tools for Cloud Migration in the Enterprise,
in IEEE 4th International Conference on Cloud Computing. 2011: Washinton DC, USA.
26. Kaisler, S. and W.H. Money, Service Migration in a Cloud Architecture, in 44th Hawaii
International International Conference on Systems Science (HICSS-44 2011), Proceedings,
4-7 January 2011, Koloa, Kauai, HI, USA. 2011, IEEE Computer Society: Washington,
DC, USA. p. 1-10.
27. Hao, W., I.-L. Yen, and B. Thuraisingham, Dynamic Service and Data Migration in the
Clouds, in Proceedings of the 33rd Annual IEEE International Computer Software and Ap-
plications Conference, COMPSAC 2009, Seattle, Washington, USA, 20-24 July 2009.
2009, IEEE Computer Society: Washington, DC, USA. p. 134-139.
28. Frey, S., W. Hasselbring, and B. Schnoor, Automatic conformance checking for migrating
software systems to cloud infrastructures and platforms. Journal of Software Maintenance
and Evolution Research and Practice, 2012.
37