Maintenance contracts are expiring, hardware is reaching end of life, and BaFin is demanding ever stricter IT security standards. For insurance companies, cloud migration is no longer an optional modernization project — it's a strategic necessity. But how do you plan a migration of 45 applications and 8 petabytes of data without disrupting ongoing operations?

In this case study, we show how an IT Director uses PathHub AI to plan Phase 1 of a cloud migration to AWS. From input to a complete project plan with phases, budget, risks, and KPIs — in less than 30 minutes.

The Starting Point: Expiring Maintenance Contracts and Rising Costs

SecureLife Insurance (name changed) is a mid-sized insurance company with 500 employees headquartered in Düsseldorf. The company has been running its own data center for 15 years, hosting 45 applications, 12 databases, and 8 petabytes of insurance data. Server hardware maintenance contracts expire in 18 months.

IT Director Michael faces a massive challenge: management expects Phase 1 — migrating the 15 most critical applications and 5 databases — to be completed in 20 weeks. At the same time, strict regulatory requirements from BaFin (VAIT) apply, and the core insurance system cannot have a single second of downtime during migration. The situation at a glance:

  • €45,000 monthly operating costs for the in-house data center (power, cooling, hardware maintenance, staff)
  • 15-year-old legacy systems — some still running on Windows Server 2012 and Oracle 11g
  • BaFin requirements (VAIT) mandate complete documentation, encryption, and audit trails
  • Zero-downtime requirement for the core insurance system (24/7 operation, claims processing)
  • 4 internal cloud engineers, but no AWS certifications in the team

Michael knows: planning a cloud migration of this scale manually takes weeks. Coordinating with compliance, security, and the business unit alone consumes enormous time. He decides to use PathHub AI to create a structured migration plan as a discussion basis.

The Input: What the IT Director Enters in PathHub AI

Michael's strength lies in precisely describing the technical constraints. The more detailed the input, the better the AI can account for regulatory requirements and technical dependencies.

Input in PathHub AI
Cloud migration for insurance company. 500 employees, regulated (BaFin/VAIT). 45 applications, 12 databases, 8 PB data. Currently: own data center, maintenance contracts expire in 18 months. Phase 1: migrate 15 critical applications + 5 databases. Target platform: AWS (Frankfurt Region, GDPR-compliant). Budget Phase 1: €280,000. Timeline: 20 weeks. Team: 4 internal cloud engineers, external AWS partner. Special requirements: BaFin requirements (VAIT), encryption for insurance data, zero-downtime migration for core insurance system, disaster recovery concept.

How to get the most out of PathHub AI:

Pro Tip

For cloud migrations in regulated environments, it's crucial to explicitly name compliance requirements in the input. Michael specified BaFin/VAIT, encryption, and zero-downtime as constraints — this allows the AI to align every phase step with compliance requirements. Without these details, the plan would not adequately address the regulatory requirements.

The AI-Generated Migration Plan in Detail

Within 30 seconds, PathHub AI generates a complete project plan with eight phases, a detailed budget, risk analysis, and stakeholder mapping. The plan automatically accounts for BaFin requirements and integrates compliance checks into every phase.

8 phases Over 22 Weeks

EXAMPLE · AI-GENERATED PROJECT PLAN
1

Assessment & Planning

3 weeks
  • Cloud readiness assessment for all 15 prioritized applications
  • 6R analysis per application (Rehost, Replatform, Refactor, Repurchase, Retire, Retain)
  • Compliance check: mapping BaFin/VAIT requirements to AWS services
  • Target architecture design (VPC layout, availability zones, DR concept)
  • TCO comparison and AWS cost model for the next 3 years
2

Network & Identity Setup

3 weeks
  • Set up hybrid connectivity (VPN, ExpressRoute, Direct Connect)
  • Identity provider federation (Active Directory ↔ Azure AD / AWS SSO)
  • Define network segmentation, VPCs/VNets and subnet topology
  • DNS strategy and routing tables for hybrid operation
  • Firewall rules, NSGs/security groups and WAF configuration
3

Foundation & Landing Zone

4 weeks
  • Set up AWS Landing Zone (multi-account strategy, AWS Organizations)
  • VPC and network design (subnets, NAT gateways, Transit Gateway to on-premise)
  • IAM concept with least-privilege principle and MFA for all admin access
  • Encryption strategy with AWS KMS (at-rest and in-transit)
  • Set up monitoring and logging (CloudWatch, CloudTrail, AWS Config Rules as compliance-as-code)
4

Pilot Migration

3 weeks
  • Migrate 3 non-critical applications as proof of concept
  • Create migration playbook (documented, repeatable process)
  • Measure performance baseline (latency, throughput, response times)
  • Security scan of migrated environment (vulnerability assessment)
  • Document lessons learned and optimize playbook for main migration
5

Main Migration

5 weeks
  • Migrate remaining 12 critical applications in 3 waves
  • Database migration via AWS DMS (Database Migration Service) for 5 databases
  • Zero-downtime strategy for core insurance system (blue/green deployment)
  • Application-specific rollback plans with defined rollback criteria
  • Continuous data synchronization until final cutover
6

Testing & Compliance

4 weeks
  • End-to-end tests for all migrated applications and data flows
  • Penetration tests by external service provider (BaFin requirement)
  • BaFin compliance audit: VAIT conformity check of the cloud environment
  • Disaster recovery test (complete failover and recovery)
  • Performance validation and documentation for the supervisory authority
7

Disaster Recovery & Backup

2 weeks
  • Define backup strategy per workload class (3-2-1 rule)
  • Develop disaster recovery plans with RTO/RPO per service
  • Perform failover tests (region failover, AZ failover)
  • Configure cross-region replication for critical data
  • Document runbooks for DR scenarios and train the team
8

Go-Live & Optimization

3 weeks
  • Final cutover weekend with defined rollback window
  • DNS switch and traffic routing to AWS infrastructure
  • Create on-premise decommissioning plan (data carrier destruction, hardware disposal)
  • Cost optimization: configure Reserved Instances and Savings Plans
  • Operations runbook and handover to IT operations

Simplified example — the actual AI output is significantly more detailed, with specific dates, responsibilities, and data tailored to your project.

Eight phases, 22 weeks, 30 concrete tasks. The AI automatically extended the original 20-week timeline to 22 weeks — a more realistic timeframe that builds in buffer for the extensive compliance phase. What would have taken Michael weeks of manual planning is ready in 30 seconds. Particularly notable: the automatic integration of compliance-as-code in the landing zone phase and the separate testing phase with an explicit BaFin audit.

The Migration Timeline: 22 Weeks at a Glance

The timeline illustrates the four major blocks of the migration. Especially important: the pilot migration serves as proof of concept and delivers the playbook for the main migration. Without this intermediate step, the risk of migrating critical systems would be significantly higher.

Week 1–3
Assessment & Planning
Cloud readiness assessment, 6R analysis for all 15 applications, BaFin compliance mapping, target architecture and cost model. Result: an approval-ready migration plan with prioritization and dependencies.
Week 4–7
Foundation & Landing Zone
Build AWS infrastructure: multi-account setup, network, IAM, encryption, monitoring. Implement compliance-as-code. Result: production-ready, BaFin-compliant cloud environment.
Week 8–15
Migration (Pilot + Main)
First 3 non-critical apps as pilot, then 12 critical apps and 5 databases in waves. Zero-downtime for core insurance system via blue/green deployment. Rollback plans for each application.
Week 16–22
Testing, Go-Live & Optimization
End-to-end tests, penetration tests, BaFin compliance audit, disaster recovery test. Final cutover weekend, DNS switch and cost optimization. Handover to IT operations.
Pro Tip

The pilot migration is the most important step in the entire process. Many companies skip it under time pressure and migrate critical systems directly — that's a mistake. The 3-week pilot saves weeks of troubleshooting later. Michael accelerated the main migration by 40% using the pilot playbook, because the team already knew all the pitfalls.

Migration Strategy by Application Type

Not every application is migrated the same way. The AI recognizes the different requirements and suggests the appropriate strategy for each category:

Application Type Migration Strategy AWS Target Service
Core Insurance System Replatform (Blue/Green Deployment) EC2, RDS Multi-AZ, ALB
Oracle Databases Replatform via DMS RDS for Oracle / Aurora PostgreSQL
Document Management Rehost (Lift & Shift) EC2, S3, EFS
Web Portals Refactor (Containerization) ECS Fargate, CloudFront

Budget: €280,000 Strategically Allocated

PathHub AI automatically creates a detailed budget plan covering all cost items for an enterprise cloud migration. Michael specified €280,000 as the budget for Phase 1. The AI distributes this budget across eight line items:

EXAMPLE · AI-GENERATED BUDGET BREAKDOWN
Cost Item Amount Share Details
External AWS Partner 95.000 € 34% Architecture, migration, knowledge transfer
AWS Infrastructure (6 months) 56.000 € 20% EC2, RDS, S3, network, support
Internal Personnel Costs 45.000 € 16% 4 cloud engineers, proportional over 22 weeks
Security & Compliance €28,000 10% Penetration tests, compliance audit, certification
Migration Tool Licenses 19.000 € 7% AWS DMS, CloudEndure, migration software
Testing & QA €16,000 6% Test environments, load tests, DR tests
Risk Buffer 21.000 € 7% Reserve for unforeseen complexity
Total 280.000 € 100% 22 weeks project duration

Simplified example — the actual AI output is significantly more detailed, with specific dates, responsibilities, and data tailored to your project.

Particularly notable: the AI allocated the largest share (34%) to the external AWS partner — realistic, since the internal team has no AWS certifications. The partner handles not only the technical implementation but also the knowledge transfer, so the team can act more independently after Phase 1. The 7% risk buffer is tight for regulated migrations; Michael should consider whether 10% would be more realistic.

ROI Calculation: When the Investment Pays Off

The current on-premise infrastructure costs SecureLife €45,000 per month — for power, cooling, hardware maintenance, and proportional staff costs for data center operations. After migration to AWS, the AI forecasts monthly cloud costs of approximately €28,000 (including Reserved Instances after the first 6 months).

The monthly savings of €17,000 result in annual savings of €204,000. With an investment of €280,000 for Phase 1, the migration pays off in just under 17 months. Additional non-monetary benefits include: scalability during peak loads, increased reliability through multi-AZ deployment, and elimination of future hardware renewal cycles.

The numbers at a glance: €280,000 investment for Phase 1. Monthly savings: €17,000 (€45,000 on-premise minus €28,000 AWS). Break-even after 17 months. From month 18: €204,000 annual savings. Over 5 years: over €740,000 net savings. Plus: no more hardware renewal cycles needed (estimated €600,000 every 5 years).

Risks and Countermeasures

Cloud migrations in regulated environments carry an elevated risk profile. PathHub AI automatically identifies the five most critical risks and suggests concrete countermeasures:

EXAMPLE · AI-GENERATED RISK ANALYSIS
1. Data Loss During Migration KRITISCH

8 PB of insurance data must be migrated without any loss. Data loss would have legal and regulatory consequences.

Countermeasure: Full backups before each migration wave, test migration with checksum validation, verified rollback plan per application, 72-hour parallel operation after cutover.

2. BaFin Compliance Violation KRITISCH

The cloud environment does not meet all VAIT requirements. In the worst case, regulatory action is threatened.

Countermeasure: Compliance-as-code with AWS Config Rules from day 1, regular audits in every phase, document VAIT mapping to AWS services, early coordination with internal compliance department and external auditor.

3. Zero-Downtime Not Achievable HIGH

The core insurance system must be available 24/7. Every minute of downtime affects claims processing and customer portals.

Countermeasure: Blue/green deployment with immediate rollback, feature flags for gradual switching, weekend cutover with 4-hour rollback window, load-balancer-based traffic shifting.

4. Costs Higher Than Planned MEDIUM

AWS costs can quickly escalate if instances are not properly sized or forgotten services keep running.

Countermeasure: Set up AWS Cost Explorer and budget alerts from day 1, book Reserved Instances after the stabilization phase, establish FinOps process, weekly cost review in the project team.

5. Team Skill Gap MEDIUM

The 4 internal cloud engineers have no AWS certifications. This increases dependency on the external partner and slows decision-making.

Countermeasure: Start AWS training (Solutions Architect Associate) in parallel with Phase 1, pair programming with the external partner in every phase, complete documentation of all architectural decisions and runbooks.

Simplified example — the actual AI output is significantly more detailed, with specific dates, responsibilities, and data tailored to your project.

Stakeholder Mapping

A cloud migration in the insurance environment touches almost every part of the organization. The AI identifies eight key stakeholders and assigns them by role:

EXAMPLE · AI-GENERATED STAKEHOLDER MAPPING
IT Director (Michael)
Project lead, overall technical responsibility
CTO
Architecture decisions, technology strategy
Compliance Officer
BaFin/VAIT compliance, audit support
External AWS Partner
Technical implementation, knowledge transfer
CISO
IT security, encryption, penetration tests
Insurance Business Unit
Business testing, acceptance of core insurance system
Geschäftsführung
Budget approval, strategic decisions
Works Council
Data protection, employee concerns

Simplified example — the actual AI output is significantly more detailed, with specific dates, responsibilities, and data tailored to your project.

Particularly notable: the AI automatically recognizes the works council as a stakeholder — an aspect often overlooked in technically driven migrations. In regulated companies, the works council has a say in topics like data protection and workplace changes. The AI also identifies the CISO as a separate stakeholder alongside the compliance officer, since security and compliance are related but distinct areas of responsibility.

KPIs: Making Migration Success Measurable

A cloud migration without clear KPIs is like flying blind. PathHub AI suggests four key metrics that Michael should track from day one.

Current: 0/15
Target: 15/15
Applications Migrated
Current: 99.5%
Target: 99.9%+
System Availability
Current: €45,000/month
Target: under €30,000/month
Infrastructure Costs
Current: Under Review
Target: 100% VAIT-compliant
Compliance Score

Measurement happens through various channels: AWS CloudWatch for availability and performance, AWS Cost Explorer for infrastructure costs, an internal migration tracking board for progress, and regular compliance audits for the VAIT score. Michael sets up a weekly status dashboard showing all four KPIs at a glance.

Why these four KPIs? They cover all dimensions of a cloud migration: progress (applications migrated), quality (availability), cost efficiency (infrastructure costs), and compliance (VAIT score). Missing any dimension creates a blind spot. A migration can be technically complete but still miss compliance targets or blow the budget.

Comparison: Manual Planning vs. PathHub AI

What would Michael have done without AI support? A realistic comparison:

Criterion Manual IT Planning PathHub AI
Time for initial plan 3–4 weeks 30 minutes
Budget planning Rough estimate, often without risk buffer 8 line items with percentages and details
Risk analysis Focus on technical risks 5 risks incl. compliance and skill gaps
Stakeholder mapping IT team and management 8 stakeholders incl. works council and CISO
Compliance integration Separate workstream, often added later Integrated into every phase
Migration strategy Often blanket lift & shift Differentiated 6R analysis per application
ROI calculation Simplified estimate Detailed TCO analysis with break-even
KPI definition Technical metrics only 4 KPIs across all dimensions
Total planning costs Approx. €15,000–25,000 (consulting + internal) Under €100 (tool usage)

The biggest advantage is completeness and speed. The AI thinks of the works council, of compliance-as-code in the landing zone, of knowledge transfer through the external partner, and of cost optimization after go-live. Of course, Michael must review every point and adapt it to SecureLife's specific situation — but he starts from a professional, well-thought-out foundation.

Pro Tip

Use AI as an accelerator, not an autopilot. The best workflow for cloud migrations: AI generates the initial plan, your team and the external partner review it for technical feasibility, the compliance officer validates the regulatory aspects. Then use the AI again to integrate the changes into the overall plan. This combines speed with expertise.

Michael's Verdict After 10 Weeks

Ten weeks into the project, SecureLife has its landing zone in production and the pilot migration successfully completed. Three non-critical applications are running stably on AWS Frankfurt. The migration playbook is in place, and the team approaches the main migration with significantly more confidence.

"The AI-generated plan didn't just save us 3 weeks of planning time — it massively improved the quality of our planning. The automatic integration of VAIT requirements into every phase immediately convinced our compliance officer. And the stakeholder mapping alerted us to involve the works council early — otherwise we would only have realized that when it was too late."

How to Start Your Own Cloud Migration

If you are planning a similar cloud migration, here are the three most important steps:

  1. Document the current state: Record all applications, databases, and their dependencies. Measure current operating costs and availability. Without a baseline, you cannot calculate ROI.
  2. Clarify regulatory requirements: Talk to your compliance officer early. BaFin, VAIT, GDPR — every requirement affects the architecture and migration strategy.
  3. Use AI as a starting point: Describe your project in PathHub AI in as much detail as possible. The AI knows cloud migration best practices, but not your specific legacy dependencies.

Frequently Asked Questions

How long does a cloud migration take?

The duration of a cloud migration depends heavily on complexity. For a mid-sized company with 15–20 applications, Phase 1 typically takes 16–24 weeks. A complete migration of all systems can take 12–18 months. AI-assisted planning can reduce the planning phase from weeks to hours, but the actual migration remains a technically demanding project requiring careful execution.

What does a cloud migration cost for mid-sized companies?

For a Phase 1 migration with 15–20 applications and 5 databases, mid-sized companies should budget €200,000–400,000. This includes external consulting (the largest item), infrastructure costs, security measures, migration tools, and internal personnel costs. ROI comes from saved data center costs and typically takes 12–20 months. Long-term savings clearly outweigh the investment.

How do you ensure BaFin compliance in the cloud?

BaFin compliance in the cloud requires adherence to VAIT (Insurance Supervisory Requirements for IT). In practice: data must remain in the EU (e.g., AWS Frankfurt Region), all data encrypted at-rest and in-transit with AWS KMS, complete audit trails via CloudTrail, documented exit strategy, regular penetration tests, and compliance-as-code implementation with AWS Config Rules for continuous monitoring.

What is an AWS Landing Zone?

An AWS Landing Zone is the secure, scalable foundation infrastructure for the cloud environment. It includes the account structure (multi-account setup with AWS Organizations), network design (VPCs, subnets, Transit Gateway), IAM concept (roles and policies), logging and monitoring (CloudWatch, CloudTrail), and encryption strategy. The landing zone is the foundation of every enterprise cloud migration and should be established before the actual data migration.

Kann KI bei der Cloud-Migrations-Planung helfen?

Ja, AI-Tools wie PathHub AI können die Planungsphase einer Cloud-Migration erheblich beschleunigen. Die KI generiert automatisch Phasen, Aufgaben, Budget, Risikoanalyse und Stakeholder-Mapping basierend auf den Projektparametern. Besonders wertvoll ist die vollständige Berücksichtigung aller Aspekte: Compliance, Rollback-Strategien, Skill-Gaps und Cost-Optimization. Die KI ersetzt nicht die technische Expertise, liefert aber ein professionelles Fundament für die weitere Planung.