Regulatory Considerations for Use of Cloud Computing and SaaS Environments Institute of Validation Technology Conference Qualifying and Validating Cloud and Virtualized IT Infrastructure Philadelphia PA 21 August 2012 Chris Wubbolt, BS, MS John Patterson, MSE
Challenges / Definitions; Historical Perspective; Regulatory Requirements for computing service providers; Paradigm Shift: Software Vendors to Software as a Service Providers; Qualification / Validation of hosted applications; Key Risk Areas
Challenges Faced by Consumers Contemplating Cloud Computing Adoption Include [1]: Policy Technology Guidance Security Standards
Cloud computing is still in an early deployment stage, and standards are crucial to increased adoption. Urgency is driven by rapid deployment of cloud computing in response to financial incentives. Strategically, there is a need to augment standards and to establish additional security, interoperability, and portability standards: to ensure cost-effective and easy migration, to ensure that mission-critical requirements can be met, and to reduce the risk that sizable investments may become prematurely technologically obsolete.
Cloud Computing [2]; Virtual Machines [3]; Infrastructure as a Service (IaaS) [2]; Platform as a Service (PaaS) [2]; Software as a Service (SaaS) [2]
Public Cloud [2]: The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services. Private Cloud [2]: The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.
A virtual machine is a tightly isolated software container that can run its own operating systems and applications as if it were a physical computer. A virtual machine behaves exactly like a physical computer and contains its own virtual (i.e., software-based) CPU, RAM, hard disk and network interface card (NIC).
The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).
The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application hosting environment.
The capability provided to the consumer is to use the provider's apps running on a cloud infrastructure. The apps are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
GxP Electronic Recordkeeping Controls; Qualified Infrastructure; Standard Operating Procedures; Trained Personnel (including IT); Validated Applications; Record Integrity; Record Availability; Record Retention
[Diagram: Record Integrity, Record Availability and Record Retention, shown with the Electronic Recordkeeping Compliance Program elements: SOPs, Validation, Infrastructure Qualification, Security Program, Training, Backup and Restore, Problem Reporting, Business Continuity, Disaster Recovery Plan, Record Retention Policy, Archival]
Pharma A Data Center Inc STILL NEED: GxP Electronic Recordkeeping Controls; Qualified Infrastructure; Standard Operating Procedures; Trained Personnel (including IT); Validated Applications
A computerised system is a set of software and hardware components which together fulfill certain functionalities. Applications should be validated. IT infrastructure should be qualified. Hardware and software such as networking software and operation systems which makes it possible for the application to function. Risk Management: Extent of validation and data integrity controls; patient safety, data integrity, product quality.
Suppliers and Service Providers: Formal Agreements required to include clear statements of responsibilities. Provide; Configure; Validate; Modify; Install; Integrate; Maintain; Retain. IT departments should be considered analogous.
GxP Electronic Recordkeeping Controls; Qualified Infrastructure; Standard Operating Procedures; Trained Personnel (including IT); Validated Applications
Software Vendor: Quality System; SLC Processes; Customer Support. Typically not directly regulated or inspected by regulatory agencies. Audited by clients for adherence to standards. Quality of SLC Documentation, Testing, etc. varies considerably for each vendor. Sponsor responsible for installation, validation, and electronic recordkeeping controls at sponsor location.
Electronic Recordkeeping Compliance Program; SOPs; Validation; Infrastructure Qualification; Security Program; Training; Backup and Restore; Problem Reporting; Business Continuity Disaster Recovery Plan; Record Retention Policy; Archival
Electronic Recordkeeping Compliance Program; SOPs; Validation; Infrastructure Qualification; Security Program; Training; Problem Reporting; Business Continuity Plan; Record Retention Policy
Electronic Recordkeeping Compliance Program; SOPs; Validation / SDLC; Infrastructure Program; Security Program; Training; Backup and Restore; Problem Reporting; Business Continuity Disaster Recovery Plan; Record Retention Policy; Archival
Validation SOPs; User Requirements Specification; User Acceptance Testing (Performance Qualification); Traceability; System Acceptance
Validation SOPs; SDLC Methodology; Functional Specification; Configuration; Installation (IQ); System Testing (Operational Qualification); System Release to Customer; Traceability
Specifications: Not complete; Not updated periodically after changes. Test Records: Not pre-approved; Results not reviewed by second person; Integrity of test results. No approved summary reports. Release Management.
Test Record Integrity: Results typed into Word document or Excel spreadsheet; No failures documented; Test dates and times do not correlate
Software Vendor: Quality System; SLC Processes; Customer Support. Typically not directly regulated or inspected by regulatory agencies. Audited by clients for adherence to standards. Quality of SLC Documentation, Testing, etc. varies considerably for each vendor. Sponsor responsible for installation, validation, and electronic recordkeeping controls at sponsor location.
Quality System; SLC Processes; Customer Support; Validation; Record Keeping Controls; Hosted Environment. Hosted Environment is used for a direct GxP function (record keeping) and is more likely to be inspected by regulatory agencies. Audited by clients for adherence to standards (GxP, Part 11). Quality of SLC Documentation, Testing, etc. varies considerably for each vendor. SaaS provider responsible for some aspects of installation, validation, and electronic recordkeeping controls.
This could now be the documentation used to support your validation effort! Make sure you understand (and audit) your SaaS Service Provider's Validation/Qualification Procedures and Documentation.
SAS 70 / SSAE 16: Internationally recognized financial auditing standard developed by the AICPA. SAS 70 was replaced by SSAE 16 in June 2011. There is no SAS 70 / SSAE 16 certification. There is no list of published SAS 70 / SSAE 16 standards.
SAS 70 / SSAE 16: Requires a description of controls and attestation of controls by management. CPA firms issue Type I (design) and Type II (design and effectiveness) reports. Neither SAS 70 nor SSAE 16 discusses qualification or validation of network infrastructure.
A SAS 70 Report by itself may not be sufficient to assure regulatory requirements are being met.
System Unavailable; System Down; Connection Problems; Data Center Disaster; Legal / Contractual Disputes. Make sure your Business Continuity Plans are established. Be sure your legal contracts are carefully constructed and reviewed.
Change Control: In a shared environment with multiple customers, how are hardware or software platform changes communicated or approved? How are application upgrades handled? Backups: What is the frequency of the backup? What happens if a backup fails? Security: Who has access to the computing environment (logically or physically)?
Disaster Recovery: Where are the backup locations in the event of a disaster? How is the disaster recovery program tested? Environmental Controls: What are the requirements for monitoring of environmental controls? A Service Level Agreement is a key document to maintain compliance with a SaaS provider.
Formal Agreements (e.g. SLAs) in Place with Cloud Providers to include: Security/Incident/Problem/Change Mgt.; Back up Recovery/Business Continuity; Periodic Review/Monitoring; Interface Management; Ensuring alignment of Cloud Providers/Consumers control processes
1. NIST Special Publication 500-293, US Government Cloud Computing Technology Roadmap, Volume I, Release 1.0 (draft), High Priority Requirements to Further USG Agency Cloud Computing Adoption, November 2011
2. NIST Special Publication 800-145, The NIST Definition of Cloud Computing, September 2011
3. VMware (http://www.vmware.com/virtualization/virtual-machine.html)
4. Federal Cloud Computing Strategy, The White House, February 8, 2011
Chris Wubbolt, BS, MS, Principal Consultant, QACV Consulting, LLC, www.qacvconsulting.com, 3242 Regal Road, Bethlehem, PA 18020 USA. Telephone: 610 442 2250. E-mail: chris.wubbolt@qacvconsulting.com
John Patterson, MSE, Executive Director Compliance; Manufacturing, Supply Chain IT; Merck & Co., 1 Merck Drive, Whitehouse Station NJ 08889. Telephone: 908 423 5675. E-mail: john.patterson@merck.com