In 2021, more than a decade after the emergence of the commercial cloud market, you would think that most of the world’s large organisations have made significant progress on their journey to cloud, redeploying on-premises assets to capture IT benefits of cloud technology.

Our Corporate Development Office, Chris Porter, knows otherwise. If you think getting to cloud is a done deal for most organisations, “you’d be wrong, unfortunately,” said Porter, who recently moderated a masterclass webinar titled Regulatory Compliance in the Cloud, which looks at how the BBC overcame hurdles while they migrated to the cloud.

For public- and private-sector organisations that operate in heavily regulated environments, “the cloud business case can be undermined by the cost and the risk of regulatory compliance,” Porter said. “Even general regulations pose a significant challenge and a barrier to [cloud] entry.”

Help is on the way.

The challenges of compliance

AWS, a major provider of cloud services, is rolling out a global programme developed specifically to help organisations potential pitfalls of regulations in the cloud. We are the programme’s first European-based partner.

AWS created its Authority to Operate (ATO) Compliance Acceleration Framework by leveraging deep knowledge of regulatory challenges, including the Federal Risk and Authorization Management Programme (FedRAMP). FedRAMP’s stringent requirements govern cloud security for the U.S. government and Defence Department.

Global expansion of AWS’s compliance programme seeks to help a larger universe of public- and private-sector organisations who are fearful of incurring massive fines should they run afoul of regulatory requirements, such as those imposed by GDPR. The BBC, by comparison, having determined that cloud technology was critical to its continued success, essentially went at it alone, investing heavily in cloud solutions and advanced business capabilities.

“It seems like there’s a headline every other month about a new company that’s facing severe monetary damages associated with not complying with GDPR,” said Greg Herrmann, Senior Partner Security Strategist at AWS. “Customers are not moving to the cloud [because of] security obligations. They’re not taking advantage of all the benefits the cloud offers. We get rid of that confusion.”

In Europe, one of the biggest concerns is the EU’s General Data Protection Regulation (GDPR), especially given the potential for significant fines for non-compliance. But there are other concerns as well, according to a poll conducted prior to the webinar (see figure below).

Navigating cloud requirements

As recently as 2018, many of AWS’s customers were struggling to navigate the compliance process and regulatory requirements in the cloud.  At the time, cloud adoption in the public sector hadn’t taken off to the extent it has today. Building workloads to support government or regulated industry customers encountered a host of challenges, recalled Herrmann:

• Cost – In the U.S., the cost of FedRAMP designation often ran into millions of dollars, unintentionally barring companies from the federal government space – and depriving government agencies of access to effective IT solutions.
• Resources – Compliance also requires technical staff to build and configure cloud solutions to stringent security requirements. “You need that support if you want to get through the process in a timely manner,” Hermann said.
• Documentation – It can take months to develop and address security requirements and document compliance. Most organisations lack the resources to fulfil this requirement.
• Long timeframes – In the time it takes to attain regulatory compliance — up to 24 months — a cloud product “can be born and become obsolete,” Herrmann said.

The way forward

The ATO Compliance Acceleration Framework, developed to ease and speed certification, has two main parts.

The ATO on AWS programme team comprises AWS security strategists — mostly ex-auditors and assessors who have experience reviewing workloads to ensure security requirements — as well as compliance and security-focused solutions architects. The team delivers no-cost workshops, performs high-level gap analyses, reviews organisations’ architectures, and searches for pain points that impede success.

“Everything we do for our customers is at no cost,” Herrmann said.

In addition, a vast ATO on AWS network of vetted partners draws expertise from three groups of experts. The team’s technology partners are independent vendors of software and security tools, often focused on specific security requirements.

Since its formation less than two years ago, AWS and its partners have assisted more than 1,000 customers to obtain approximately 200 different security and compliance authorisations and certifications.

We’re here to help.