As organizations move their regulated environments to the cloud, AWS has become a go-to platform because of its security features and compliance capabilities.
One of my favorite sessions from Day 1 of re:Invent 2024 was "Migrating regulated workloads onto AWS at scale." My favorite quote of the talk was, "It's better for the companies to strive for the culture of quality, and compliance will follow naturally." This makes sense: otherwise compliance becomes the factor that slows workflows and systems down instead of the driver of a quality environment. Compliance should not be bolted on around the system; the system should be built with compliance at its core.
I'm excited to share the key insights from the talk, covering the best practices for navigating the complex process of a compliant migration to the cloud.
So, what are regulated workloads? They are workloads that must comply with specific industry standards or government regulations. These compliance standards can influence both the architecture of individual workloads and the overall AWS account structure. The table below shows the most common standards per domain.

| Domain | Acronym | Standard | Purpose |
|---|---|---|---|
| Healthcare data | HIPAA | Health Insurance Portability and Accountability Act | Guidelines for the protection of PHI (protected health information) |
| Healthcare data | GxP | Good x Practices (where x depends on the industry) | Ensuring quality throughout the IT lifecycle of pharmaceuticals, biotechnology, medical devices, etc. |
| Financial information | PCI DSS, SOX | Payment Card Industry Data Security Standard; Sarbanes-Oxley Act | Secure payment card transactions; integrity of financial reporting |
| Personal data | GDPR, CCPA | General Data Protection Regulation; California Consumer Privacy Act | Protect the personal data of individuals in the EU; give California consumers the right to know what personal information a business collects about them |
| Government systems | FedRAMP | Federal Risk and Authorization Management Program | Ensure secure cloud usage for U.S. federal agencies |
| Energy and utilities | CEII | Critical Energy/Electric Infrastructure Information | Protect information about critical infrastructure assets |
This specific re:Invent talk concentrated on GxP. For those new to the topic, GxP is the set of minimum standards, enforced in the U.S. by the Food and Drug Administration (FDA), that pharmaceutical and food product manufacturers must adhere to so that their products are of high quality and safe for consumers and the public. The term covers a wide spectrum of compliance activities, including Good Laboratory Practices (GLP), Good Clinical Practices (GCP), and Good Manufacturing Practices (GMP), among others. Each GxP standard carries specific requirements tailored to the type of product being produced and the country where it is marketed. When life sciences organizations use computerized systems for GxP-related activities, they must ensure these systems are properly developed, validated, and operated in alignment with their intended purpose.
A regulated migration differs from a regular one in many ways, and cost is certainly one of them: it takes more time to assess, develop, and validate a compliant environment. To speed this up, AWS has developed the Landing Zone Accelerator on AWS (LZA), whose Healthcare configuration is a set of configuration files designed to address the specific requirements of healthcare-related organizations. It encodes AWS best practices together with migration experience from regulated industries. Here is what can be quickly created using this accelerator:
By discovering the regulated workload and understanding which best practices and standards apply to it, organizations can tailor their own approach to migration. For GxP applications, using LZA for Healthcare can speed up the migration process by months and help ensure that the transition of regulated workloads to AWS at scale is successful. This approach leverages AWS services to improve security, scalability, and operational efficiency, and produces a validated and verifiable environment. One caveat worth keeping in mind: the accelerator builds the account and security baseline, but qualifying that platform and validating each GxP application running on it remain the organization's responsibility.
If you need help figuring out the regulated workload migration, contact us and we will be happy to assist.