Ippon Blog

Cloud Migration for Regulated Workloads

Written by Iryna Chmelyk | Dec 3, 2024 5:38:25 PM

As organizations increasingly move their regulated environments to the cloud, AWS has become a go-to platform because of its security features and compliance capabilities. 

One of my favorite sessions from “Day 1” of the re:Invent 2024 was on "Migrating regulated workloads onto AWS at scale." My favorite quote of the talk was, "It's better for the companies to strive for the culture of quality, and compliance will follow naturally.". It makes all the sense because, otherwise, compliance becomes the factor that slows the workflows and system down instead of being the driving factor for a quality environment. It should not be built around the system, but rather the system should be built with compliance at its core.

I'm excited to share key insights from the talk going over the best practices for successfully navigating the complex process of "compliant" migration to the cloud.

Regulatory Standards

So, what are the regulated workloads? They are workloads that must comply with specific industry standards or government regulations. These compliance standards can influence both the architecture of individual workloads and the overall AWS account structure. The table below shows the most common standards per domain.

Domain

Acronym

Standard

Purpose

Things to Consider

Healthcare data

HIPAA

GxP

Health Insurance Portability and Accountability Act

Good x Practices (where x depends on the industry)

 

Guidelines for the protection of PHI data

Ensuring quality  throughout the IT lifecycle of pharmaceuticals, biotechnology, medical devices, etc

  • Data Encryption
  • Audit Trails
  • Dedicated Environments
  • Data Deletion
  • Account Structure

Financial information

PCI DSS, SOX

Payment Card Industry Data Security Standard

Secure payment card transactions

  • Network Isolation
  • Access Controls
  • Real-Time Monitoring
  • Account Structure

Personal data

GDPR, CCPA

- General Data Protection Regulation

- California Consumer Privacy Act 

Protect the personal data of EU citizens.

The right to know about the personal information a business collects 

  • Data Residency
  • Data Deletion (to support the "right to be forgotten")
  • Encryption
  • Account Structure

Government systems 

FedRAMP

Federal Risk and Authorization Management Program

Ensure secure cloud usage for U.S. federal agencies

  • Authorized Services
  • Enhanced Security
  • Incident Response
  • Account Structure

Energy and utilities

CEII

Critical Energy/Electric Infrastructure Information

Protect information on critical infrastructure assets

  • Data Residency
  • Encryption
  • Private Connectivity
  • Monitoring and Logging
  • Network Isolation
  • Account Structure

 

GxP

This specific re:Invent talk concentrated on GxP. For those new to this topicGxP was established by the Food and Drug Administration (FDA) to ensure the minimum standards that pharmaceutical and food product manufacturers must adhere to so that their products are of high quality and safe for consumers and the public. This term refers to a wide spectrum of compliance activities, including Good Laboratory Practices (GLP), Good Clinical Practices (GCP), and Good Manufacturing Practices (GMP), among others. Each GxP standard carries specific requirements tailored to the type of product being produced and the country where it is marketed. When life sciences organizations utilize computerized systems for GxP-related activities, they must ensure these systems are properly developed, validated, and operated in alignment with their intended purpose.

MAP for the Regulated Workloads
The Migration Acceleration Program (MAP) is the program offered by AWS and their partners, like Ippon, that uses a proven methodology and AWS funding for qualified small and large-scale cloud migrations. MAP for GxP workloads is a little different from the other use cases, especially when it comes to the mobilize phase of the MAP. It is so because during this phase the landing zone is being prepared to host the workloads. It is either reviewed, validated, and extended or created from scratch. With regulated applications, this part of the migration journey is more complex as the organizations need to ensure the new environment would be compliant with all of the necessary standards, or as the speaker phrased it, "Compliance boundaries are set in Mobilize." Below is the slide of the MAP program showing where the regulated workloads' migration differs from the ordinary one.
 
 
Landing Zone Accelerator (LZA) for Healthcare

The difference between a regular vs. regulated migration has many implications, and cost is one of them for sure. It takes more time to assess, develop, and validate a compliance environment. In order to speed up this process, AWS has developed the LZA, which is the set of configuration files designed to address the specific requirements of healthcare-related organizations. It utilizes AWS best practices along with migration experience from regulated industries in mind. Here is what can be quickly created using this accelerator:

 
 
Activities for GxP migration
There are commonly a lot of things to do during the migration planning and the move, but the regulated workloads take these actions to the next level. The migration waves here depend not only on the interdependencies and communication between the applications but also on the "compliance boundaries." A little overwhelming, but a very informative slide below shows how the activities per workstream look like for the GxP use cases:
 
 

Conclusion

By discovering the regulated workload and understanding which best practices and standards apply to it, organizations will be able to tailor their unique approach to migration. For the GxP applications, using Landing Zone Accelerator (LZA) for Healthcare could speed up the migration process by months and ensure that the transition of the regulated workloads to AWS at scale is successful. This approach leverages the full power of AWS services to enhance security, scalability, and operational efficiency. This will produce a validated and verifiable environment of great quality. 

If you need help figuring out the regulated workload migration, contact us and we will be happy to assist.