In 2021, more than a decade after the emergence of the commercial cloud market, you would think that most of the world’s large organisations have made significant progress on their journey to cloud, redeploying on-premises assets to capture IT benefits of cloud technology.
Our Corporate Development Office, Chris Porter, knows otherwise. If you think getting to cloud is a done deal for most organisations, “you’d be wrong, unfortunately,” said Porter, who recently moderated a masterclass webinar titled Regulatory Compliance in the Cloud, which looks at how the BBC overcame hurdles while they migrated to the cloud.
For public- and private-sector organisations that operate in heavily regulated environments, “the cloud business case can be undermined by the cost and the risk of regulatory compliance,” Porter said. “Even general regulations pose a significant challenge and a barrier to [cloud] entry.”
Help is on the way.
AWS, a major provider of cloud services, is rolling out a global program developed specifically to help organisations potential pitfalls of regulations in the cloud. We are in the process of becoming the program’s first European-based partner.
AWS created its Authority to Operate (ATO) Compliance Acceleration Framework by leveraging deep knowledge of regulatory challenges, including the Federal Risk and Authorization Management Program (FedRAMP). FedRAMP’s stringent requirements govern cloud security for the U.S. government and Defence Department.
Global expansion of AWS’s compliance program seeks to help a larger universe of public- and private-sector organisations who are fearful of incurring massive fines should they run afoul of regulatory requirements, such as those imposed by GDPR. The BBC, by comparison, having determined that cloud technology was critical to its continued success, essentially went at it alone, investing heavily in cloud solutions and advanced business capabilities.
“It seems like there’s a headline every other month about a new company that’s facing severe monetary damages associated with not complying with GDPR,” said Greg Herrmann, Senior Partner Security Strategist at AWS. “Customers are not moving to the cloud [because of] security obligations. They’re not taking advantage of all the benefits the cloud offers. We get rid of that confusion.”
In Europe, one of the biggest concerns is the EU’s General Data Protection Regulation (GDPR), especially given the potential for significant fines for non-compliance. But there are other concerns as well, according to a poll conducted prior to the webinar (see figure below).
As recently as 2018, many of AWS’s customers were struggling to navigate the compliance process and regulatory requirements in the cloud. At the time, cloud adoption in the public sector hadn’t taken off to the extent it has today. Building workloads to support government or regulated industry customers encountered a host of challenges, recalled Herrmann:
The ATO Compliance Acceleration Framework, developed to ease and speed certification, has two main parts.
The ATO on AWS program team comprises AWS security strategists — mostly ex-auditors and assessors who have experience reviewing workloads to ensure security requirements — as well as compliance and security-focused solutions architects. The team delivers no-cost workshops, performs high-level gap analyses, reviews organisations’ architectures, and searches for pain points that impede success.
“Everything we do for our customers is at no cost,” Herrmann said.
In addition, a vast ATO on AWS network of vetted partners draws expertise from three groups of experts. The team’s technology partners are independent vendors of software and security tools, often focused on specific security requirements.
Since its formation less than two years ago, AWS and its partners have assisted more than 1,000 customers to obtain approximately 200 different security and compliance authorisations and certifications.