Operating in the Cloud Compliance Challenges

Transcription

1 Operating in the Cloud Compliance Challenges Chris Reid, Integrity Solutions Ltd GAMP Global Steering Committee ISPE International Board of Directors

2 Topics GAMP Special Interest Group Cloud Service Models Regulated Company / Regulatory Concern Benefits and Risks Considerations for Cloud Management

3 Cloud SIG Cloud SIG was established early 2013 Small team representing cross section of large / small Pharma and cloud service providers Goals: Ongoing dialogue between GAMP / IPSE and regulators to understand challenges of operating in the cloud Provide guidance on usage of cloud technologies in the GxP environment in order to facilitate controlled adoption by industry

4 The Problem Trends over recent years are challenging us to think of systems differently Business Driven IT Driven Workplace independent working (anytime, anywhere, any place, any device.) Outsourcing of IT services Virtualisation of systems and applications Bring your own device (BYOD) Always and anywhere connected Pharma companies are in a pressed financial situation

5 The Problem The amount of information we handle is exploding data volume continues to grow Need for computing power continues to grow consequently the need for IT to continually manage grows Industry is always looking for better, cheaper, and faster solutions Outsourcing to specialised firms who can provide IT solutions more efficiently Leveraging technology to improve information handling

6 The Benefits Cloud providers offer: Extremely fast and flexible solution delivery On-demand scalability Business continuity solutions Easy solutions for backup and archive All for a considerably lower cost than traditional in-house computing solutions

7 The Cloud Models Type Description Risks Public Cloud Private Cloud Service provider offers services to all Cloud Structure with own data centre or dedicated to client Management controls more difficult to assess and enforce Management controls more easily assessed Hybrid Cloud Uses both public or Depends on scope of public cloud

8 Cloud variants

9 Increasing Scope and Risk

10 Other Cloud Considerations Term Description Considerations Multi Tenancy Virtualisation Multiple customers share a single application, even though they only have access to their own data Emulation of computer hardware and software so that one or more emulated computers can run in a single physical environment How is application and data access controlled? Are there any further risks from the virtual infrastructure layer? Is performance impacted?

11 Regulatory Consideration Global regulators are interested in the growing utilisation of cloud environments Regulators are not averse to cloud computing, like all new hot topics they need to understand the risks and required controls FDA working group on Cloud computing. FDA wants to better understand: What systems are currently outsourced? What issues or concerns have come up? What resolutions/mitigations were employed? Common terminology and definitions for outsourcing IT systems What type of systems will be outsourced in the future?

12 FDA viewpoint What are regulators interested in when they discover IT is outsourced? Integrity of the Data is assured Risks clearly identified & mitigated Client/Provider Contracts Provider Quality Systems SOP s, validation, change control, training Cybersecurity for Networked Systems Data Backup/Recovery Audits of Providers by FDA/Clients Bob Tollefsen, FDA

13 What are the regulatory expectations for Infrastructure, Applications and Data? Global regulations expect: Applications should be validated IT infrastructure should be qualified Data integrity and security must be maintained When outsourcing to 3rd parties, accountability for compliance remains with the regulated company, but compliance controls may be delegated to others with appropriate management control GAMP and cross industry guides such as ITIL, ISO 27001, IEEE, ASTM, TickIT, CMMi provide guidance on Application and Infrastructure Development, Validation / Qualification, Operation, Support and Retirement These basic premises do not change in an outsourced environment, including cloud, what changes is the chain of command and trust

14 Risk Considerations Examples: Outsourcing Surrendered control: Risk Outsource company has better processes: Risk Virtualisation If a physical machine fails, VM moves: Risk Data in the cloud Better disaster recovery protection: Risk Data is not on the regulated company s asset: Risk

15 Risk Considerations Service Provider: Responsibility for application management and performance with the service provider Responsibility for security with service provider Management of service change or contract exit One sided Service Level Agreements Service provider business failure Choose carefully

16 The Basic Issue Business Need Solution

17 Cloud is here to stay.. The EFPIA has selected software firm Solidsoft for its anti-counterfeit European Medicines Verification System (EMVS) powered by Microsoft's cloud-based platform Windows Azure

18 60% 50% Security Differing levels of importance Public vs. Private Cloud Providers 43% 51% 40% 30% 20% 10% 29% 35% 0% Private Public How confident are you that cloud applications and resources supplied by your organisation are secure? How important is security for meeting your organization s IT and data processing objectives? These questions answered by 127 Cloud offering providers

19 Differing levels of risk mitigation and emphasis surveyed from Public Cloud Providers 19

20 Availability Highly Publicised Outages Event Date Lighting strike AWS Dublin 08 Aug 2011 Azure Leap year issue 29 Feb 2012 Netflix streaming down (AWS) 24 Dec 2012 Azure SSL Certificate issue 22 Feb 2013 Crawley, 25th April

21 Security Main concern with cloud solutions, especially multi-tenant Security can be established at many levels Physical O/S / Network / Virtualisation Application D/B Depending on the selected model, your organisation may be still be in control of several layers

22 Due-Diligence Certification obtained by Amazon/Azure AWS Azure SOC1/SSAE 16/ISAE 3402 SOC2 ISO/IEC 27001:2005 PCI DSS Level 1 FISMA, DIACAP and FedRAMP ITAR FIPS EU Model Clause/Safe Harbor HIPAA via BAA MPAA 22

23 SLA and Contracts Azure Tier Enterprise Support 23

24 Industry Standards - Security in the Compliance Cloud Audit Planning, Independent Audits, Third Party Audits Contact / Authority Maintenance Information System Regulatory Mapping Intellectual Property c/o Cloud Security Alliance

25 Industry Standards - Security in the Cloud Data Governance Ownership / Stewardship Classification Handling / Labelling / Security Policy Retention Policy, Secure Disposal Information Leakage, Risk Assessments c/o Cloud Security Alliance

26 Industry Standards - Security in the Cloud Facility Security Policy, User Access, Controlled Access Points Secure Area Authorization, Unauthorized Persons Entry Off-Site Authorization, Off-Site Equipment Asset Management Human Resources Security Background Screening, Employment Agreements & Termination c/o Cloud Security Alliance

27 Industry Standards - Security in the Cloud Information Security Management Program, Management Support / Involvement Policy, Baseline Requirements User Access Policy, User Access Restriction / Authorization User Access Revocation, User Access Reviews Training / Awareness, Industry Knowledge / Benchmarking Roles / Responsibilities, Management Oversight Segregation of Duties, User Responsibility Workspace, Encryption, Encryption Key Management Vulnerability / Patch Management, Anti-Virus / Malicious Software Incident Management, Incident Reporting Incident Response Legal Preparation, Incident Response Metrics Acceptable Use, Asset Returns, ecommerce Transactions Audit Tools Access, Diagnostic / Configuration Ports Access Network / Infrastructure Services, Portable / Mobile Devices Source Code Access Restriction, Utility Programs Access c/o Cloud Security Alliance

28 Industry Standards - Security in the Cloud Legal Non-Disclosure Agreements Third Party Agreements Operations Management Policy, Documentation, Capacity / Resource Planning Equipment Maintenance Risk Management Program, Assessments, Mitigation / Acceptance Business / Policy Change Impacts, Third Party Access Release Management New Development / Acquisition, Production Changes Quality Testing, Outsourced Development Unauthorized Software Installations c/o Cloud Security Alliance

29 Industry Standards - Security in the Cloud Resiliency Business Continuity Planning, Business Continuity Testing Environmental Risks, Equipment Location Equipment Power Failures, Power / Telecommunications Security Architecture Customer Access Requirements User ID Credentials, Data Security / Integrity Application Security, Data Integrity Production / Non-Production Environments Remote User Multi-Factor Authentication c/o Cloud Security Alliance

30 Outsourcing Lifecycle Phase 1: Phase 2: Phase 3: Phase 4: Phase 5: Business Case Specification & Selection Implementation Monitor Change Benefits and Risk Analysis Specification Planning Service & Contract Management Change Management Selection Implementation Exit Management Contract Transition

31 Supporting Regulatory Inspection Information required during an inspection will be held by service provider Design documentation Configuration information Standards, Processes Records Client company still accountable not outsource company How will outsource organisation be engaged during an inspection? FDA may inspect outsourced service providers in the future???

32 Conclusions (1) Cloud computing is here to stay and brings clear benefits to industry The main issue around cloud is delegation of responsibilities and the need to ensure that service providers have appropriate controls in place Application validation and infrastructure qualification requirements remain in principle but we may need to be more innovative in the way we assure controls Industry already working towards Cloud Computing standards, there is no business sense in cloud failures As with all industry innovation, there will be regulatory interest until maturity is demonstrated

33 Conclusions (2) The ability to influence, evaluate and monitor the performance of the service provided is important GAMP promotes leveraging of supplier effort to reduce the compliance burden on industry, with appropriate controls in place there is no reason why Cloud service providers cannot support this

34 Acknowledgements Some slides have been leveraged from QUMAS Ireland following their presentation to GAMP UK. Some slides have been taken from ISPE GAMP Cloud SIG