November 2, 2025
Cloud migrations are complex enough without regulatory constraints. When one of our clients — a financial services firm regulated under NYS DFS Part 500 — decided to migrate from AWS to GCP, we had to ensure continuous compliance throughout the transition. Here's how we did it.
The firm held SOC 2 Type 2 certification and was subject to NYS DFS Part 500, which mandates specific controls around data encryption, access management, audit trails, and incident response. A migration that broke any of these controls — even temporarily — could result in regulatory findings.
We ran both AWS and GCP environments simultaneously for the duration of the migration. This meant maintaining compliance controls in both clouds, which doubled the operational burden but eliminated any gap in coverage.
Before moving a single workload, we mapped every existing AWS control to its GCP equivalent:
Each mapping was validated against both SOC 2 trust service criteria and DFS Part 500 requirements.
We migrated workloads in order of increasing sensitivity. Non-regulated internal tools moved first, giving us confidence in the GCP control environment before we touched any regulated data.
We kept our external auditors informed throughout the process. They reviewed our migration plan, validated our control mappings, and confirmed that the parallel-environment approach would satisfy continuous monitoring requirements.
The migration completed over five months with zero compliance gaps. The firm passed their next SOC 2 audit without any migration-related findings, and their DFS Part 500 examination showed no control deficiencies during the transition period.