Application assessment is a crucial element of IT migration, modernization, cloud transition, and broad-scale security projects. A thorough evaluation of your application portfolio helps you ensure that your project is efficient and cost-effective, and that the “after” environment will enable secure and efficient operations.
This article explores what an application assessment is, the key use cases for it, what the process involves, and the best practices for success.
What is an application assessment?
An application assessment is a thorough inventory of all applications in an organization’s IT estate, along with a careful analysis of how those applications relate to each other, the infrastructure, and business requirements.
An effective assessment must cover all relevant applications, whether licensed from third-party vendors or developed internally. Examples include:
- Enterprise applications such as email and collaboration platforms
- Web applications like employee portals and customer service dashboards
- Line-of-business applications like ERP systems, CRM platforms and HR systems
- Database applications
- Infrastructure and support applications, such as backup & recovery tools, antivirus software, and auditing solutions
In addition to providing a clear understanding of infrastructure relationships, an application assessment needs to deliver a set of recommendations for how best to handle each application in the context of a modern IT estate or upcoming migration. This process often relies on “the 5 Rs” of modernization: categorizing applications into those that should be retained (no action), re-homed (also called lift and shift), replatformed (optimized for cloud), replaced, or retired.
Additional assessment can be done within each application by examining its source code to identify security flaws, potential vulnerabilities, and areas for improvement. This detailed review helps application teams improve code quality, enhance security, and enforce coding standards, or determine how to replace an application.
What are the main use cases for an application assessment?
There are many scenarios in which an organization needs an application assessment, but here are the top three:
- Cloud adoption — Many organizations today are making a strategic decision to move more of their data and workloads to the cloud, or even to adopt a cloud-only infrastructure. To achieve this objective, they need a thorough understanding of their current application portfolio and a clear roadmap to ensure they have all the capabilities they need after the migration.
- Merger and acquisition (M&A) deals — Another key driver of application assessment is an IT migration associated with a merger or acquisition. Integrating the two (or more) IT ecosystems involved in M&A deals is a complex undertaking, and often the migration team is handed a tight deadline for completing the project. Gaining clear visibility into all applications is essential to effective planning. In particular, it can help identify overlapping or redundant applications, uncover integration challenges and opportunities, and pinpoint and mitigate migration risks.
- Loss of institutional knowledge — When key individuals retire or move on to other jobs, leadership may realize that they lack the level of insight they need into the application portfolio to ensure effective management and governance. With increasing turnover of senior subject matter expertise in legacy platforms, many organizations are challenged to understand their existing portfolio. In that case, an assessment initiative can help leadership understand the IT estate and develop plans to move ahead quickly.
How does an application assessment work?
Before beginning an application assessment, organizations need to understand their goals, identify stakeholders, define the scope, select a partner, and organize existing data. The actual assessment project then proceeds in the following three phases.
Application discovery
The first phase involves identifying all applications in the environment — both sanctioned applications and shadow IT applications. It’s important to locate everything in the scope of the project, which means assessing all the servers.
Data collection
Next comes the collection of detailed information about each application. Relevant attributes can include the following:
- Technology stack, including hosting infrastructure
- Performance metrics
- Dependencies (databases, other applications, other servers)
- User base and usage patterns
- Known security and compliance concerns
- Business criticality
Analysis and recommendations
The final step is to analyze the collected data and develop recommendations for how best to handle each application moving forward.
What are the steps involved in the application assessment process?
In practice, the assessment process usually needs to involve more than one pass at each phase, which gives stakeholders the opportunity to provide input and offer reality checks. Here is an overview of the steps:
- Perform an initial application inventory.
- Have stakeholders review the inventory to identify gaps. For example, issues like insufficient permissions or incorrect settings can cause applications to be missed.
- Correct any issues and run the discovery again to flesh out the inventory.
- Collect data about the discovered applications.
- Work with stakeholders to supply any missing information, such as details about custom applications.
- Analyze the applications and develop a game plan for how best to handle them. There are five key options:
  - Re-home on prem — Some applications can be migrated to the on-premises target environment via lift-and-shift processes.
  - Re-home on Azure — Some applications can be migrated to the target Azure environment via lift-and-shift processes.
  - Re-platform — This option involves modifying an application to optimize for a new environment. Many application vendors provide a standard path for their portfolio, which greatly reduces risk and provides rapid return on investment.
  - Replace — Some applications can be replaced by a more modern or otherwise better alternative. For example, there are many firms with custom applications that could be replaced with a more secure SaaS offering or a lower cost ‘low code’ alternative like Microsoft Power Platform.
  - Retire — Organizations often find that a significant number of the applications in their portfolio are not actually being used. In fact, some Microsoft estimates suggest that up to a third of enterprise applications don’t have enough usage to justify their continuing operational costs. Retiring these applications will simplify the modernization effort, reduce security risks, and minimize management complexity and overhead.
Why is application assessment important?
Performing a thorough application assessment as an early part of modernization or security projects is essential. Not having insight into your application estate and a clear plan for how each application should be handled can lead to serious consequences, both technical and business-related. They include:
- Project delays or failure — A clear understanding of application dependencies, architecture, and readiness is necessary for effective planning and execution of many projects. Without it, projects may take significantly longer than planned and go over budget due to emergency fixes, or simply fail outright. This is especially true in AD migrations and cloud transition initiatives.
- Increased costs — Maintaining applications that are no longer needed obviously wastes time and money, including unnecessary cloud hosting expenses. But migrating applications that should be re-platformed or replaced is also wasteful since the work will need to be done later and the organization will suffer productivity losses in the interim from suboptimal tools.
- Business disruption or downtime — An unclear or incomplete picture of an application portfolio increases the probability of disruption and downtime because key elements of the estate are unmonitored or unmanaged. Missing critical dependencies, such as which databases, infrastructure, and authentication systems an application relies upon, can break functionality. As a result, the organization can suffer application crashes or performance degradation, expensive rework, lost productivity, increased helpdesk tickets, and loss of revenue from customer-facing apps.
- Security vulnerabilities — Without an assessment, old or misconfigured apps with known vulnerabilities may be migrated as-is. This larger attack surface increases the risk of costly data breaches and other security incidents. In addition, many organizations have applications in their environment that are not included in the application inventory, thus making them unmonitored or unmanaged risk vectors.
- Technical debt — Most organizations operate with a certain degree of technical debt. However, without an understanding of the application portfolio, the technical debt becomes unmanaged. In order to manage this debt, the estate must be understood so the business can begin to reduce complexity and cost.
- Compliance penalties — Improper handling or loss of regulated data can result in violations of strict mandates like GDPR, PCI DSS, and HIPAA. A proper application assessment enables the firm to manage these requirements and ensure compliance.
What are the best practices for application assessment?
The following best practices can help ensure that your application assessment delivers maximum value:
Automate application and data discovery.
Legacy methods of application discovery, such as interviews and manual data entry, have left many organizations with an understanding of the application portfolio that is stale or incomplete. Leverage modern tools to reduce manual errors, ensure completeness, and accelerate the assessment. However, as noted earlier, be sure to build in steps for human review and amendment.
Leverage advanced tools for application analysis.
Determining the best path forward for each application requires careful consideration of a wide range of data, from details about the application itself to considerations about its interactions and dependencies in the broader IT ecosystem. Modern AI tools can be immensely useful for tackling this data efficiently, consistently, and accurately. Still, it’s smart to have IT professionals review the resulting recommendations based on their experience and expertise.
Engage the right stakeholders.
Ensuring that you locate all applications in scope, collect all relevant data about them, and produce an accurate game plan for migrating them is a team effort. Stakeholders can include:
- Application owners
- Business users
- Business leaders
- IT operations
- Security and compliance teams
- Finance
- IT support staff
Don’t underestimate application complexity.
Be sure to allow sufficient time for deep-dive technical reviews. In particular, legacy applications often have undocumented dependencies and customizations, and bespoke applications can require significant analysis work. A proper assessment will identify all of the inbound and outbound traffic and thus address some of the technical complexity, but understanding business processes takes time.
Visualize information.
Visualizations are invaluable for facilitating understanding and decision-making. For example, you can use dashboards and other visual tools to effectively illustrate the application landscape, highlight dependencies, and communicate migration readiness.
Work with an experienced partner.
All the steps in the application assessment process will benefit from an experienced hand. For instance, discovering all the applications in an Active Directory (AD) environment and mapping out their dependencies requires a deep understanding of how AD works; otherwise, important information is likely to be misconstrued or missed altogether. As Gartner states:
“A successful AD migration requires management support, a clear communications plan, project management support, planning, training, testing and provisions for rollback. A key challenge often cited by Gartner clients is the necessity to properly inventory all applications and services integrated with AD, and to understand their AD integration patterns.”
Gartner, Inc., “A Well-Run Active Directory Requires Strong Identity Controls” (ID G00830063), Paul Rabinovich, 8 May 2025.
Top-notch tools are also required to analyze all the data and deliver sound recommendations, so you want to make sure to choose a vendor with a track record of building quality solutions in your particular type of IT environment.
Final thoughts
Application assessment is not just a housekeeping exercise; it delivers significant value by providing deep insight into your application estate. Indeed, organizations often reap benefits almost immediately by identifying applications that can be retired, which simplifies their migration project, eliminates licensing costs, and reduces administrative overhead.
Beyond that initial win, the assessment provides a clear game plan for your other applications. As a result, you can take an iterative approach to application migration, starting with the easy applications and then moving on to the ones that are more difficult to migrate. Each step will enable you to further reduce your attack surface, improve the user experience, lower infrastructure costs, and enable more agile access management.