In 2021, more than a decade after the emergence of the commercial cloud market, you would think that most of the world’s large organizations have made significant progress on their journey to cloud, redeploying on-premises assets to capture IT benefits of cloud technology.
Chris Porter, Corporate Development Officer at 6point6, knows otherwise. If you think getting to cloud is a done deal for most organizations, “you’d be wrong, unfortunately,” said Porter, who recently moderated a masterclass webinar titled Regulatory Compliance in the Cloud, which looks at how the BBC overcame hurdles while it migrated to the cloud. 6point6 is an international consulting firm with a unique and differentiated customer-led offer. It has a diverse client base with strong cyber and defense credentials and products.
For public- and private-sector organizations that operate in heavily regulated environments, “the cloud business case can be undermined by the cost and the risk of regulatory compliance,” Porter said. “Even general regulations pose a significant challenge and a barrier to [cloud] entry.”
Help is on the way.
The Challenges of Compliance
Amazon Web Services (AWS), a major provider of cloud services, is rolling out a global program developed specifically to help organizations with potential pitfalls of regulations in the cloud. The U.K.-based 6point6 is in the process of becoming the program’s first European-based partner.
AWS created its Authority to Operate (ATO) Compliance Acceleration Framework by leveraging deep knowledge of regulatory challenges, including the Federal Risk and Authorization Management Program (FedRAMP). FedRAMP’s stringent requirements govern cloud security for the U.S. government and Defense Department.
Global expansion of AWS’s compliance program seeks to help a larger universe of public- and private-sector organizations that fear incurring massive fines should they run afoul of regulatory requirements, such as those imposed by GDPR. The BBC, by comparison, having determined that cloud technology was critical to its continued success, essentially went it alone, investing heavily in cloud solutions and advanced business capabilities.
“It seems like there’s a headline every other month about a new company that’s facing severe monetary damages associated with not complying with GDPR,” said Greg Herrmann, Senior Partner Security Strategist at AWS. “Customers are not moving to the cloud [because of] security obligations. They’re not taking advantage of all the benefits the cloud offers. We get rid of that confusion.”
In Europe, one of the biggest concerns is the EU’s General Data Protection Regulation (GDPR), especially given the potential for significant fines for non-compliance. But there are other concerns as well, according to a poll conducted prior to the webinar (see figure above right).
Navigating Cloud Requirements
As recently as 2018, many of AWS’s customers were struggling to navigate the compliance process and regulatory requirements in the cloud. At the time, cloud adoption in the public sector hadn’t taken off to the extent it has today. Building workloads to support government or regulated industry customers encountered a host of challenges, recalled Herrmann:
- Cost – In the U.S., the cost of FedRAMP designation often ran into millions of dollars, unintentionally barring companies from the federal government space – and depriving government agencies of access to effective IT solutions.
- Resources – Compliance also requires technical staff to build and configure cloud solutions to stringent security requirements. “You need that support if you want to get through the process in a timely manner,” Herrmann said.
- Documentation – It can take months to develop and address security requirements and document compliance. Most organizations lack the resources to fulfill this requirement.
- Long timeframes – In the time it takes to attain regulatory compliance — up to 24 months — a cloud product “can be born and become obsolete,” Herrmann said.
The Way Forward
The ATO Compliance Acceleration Framework, developed to ease and speed certification, has two main parts.
The ATO on AWS program team comprises AWS security strategists — mostly ex-auditors and assessors who have experience reviewing workloads to confirm that security requirements are met — as well as compliance- and security-focused solutions architects. The team delivers no-cost workshops, performs high-level gap analyses, reviews organizations’ architectures, and searches for pain points that impede success.
“Everything we do for our customers is at no cost,” Herrmann said.
In addition, a vast ATO on AWS network of vetted partners draws expertise from three groups of experts. The team’s technology partners are independent vendors of software and security tools, often focused on specific security requirements.
In the less than two years since the program was formed, AWS and its partners have helped more than 1,000 customers obtain approximately 200 different security and compliance authorizations and certifications.
Find out more about how 6point6 can help you on your cloud journey: 6point6 Cloud Services
Watch the full webinar on-demand here: Masterclass with the BBC: Regulatory Compliance in the Cloud