Regulated Applications in the Cloud: Aspects of Security and Validation
Keith Williams, CEO
Statement on the Cloud and Pharma's added complexity

Clouds already make sense for many small and medium-size businesses, but technical, operational and financial hurdles will need to be overcome before clouds are used extensively by large public and private enterprises. Rather than create unrealizable expectations for internal clouds, CIOs should focus now on the immediate benefits of virtualizing server storage, network operations and other critical building blocks.

For Pharma and Life Sciences you can add Quality, Compliance, Validation, Security and Regulatory hurdles to that list.
Identifying, assessing and mitigating the risks of hosting GxP-regulated applications in the cloud

Risks:
- Data/information security (VPN and encryption)
- Platform and application architecture (e.g. multi-tenancy)
- Providers don't understand Pharma security and regulatory requirements
- Providers will have an emphasis that suits them as a business
- Private vs public clouds (different levels of security)
- Continuity of service (especially internet access at the customer end)
- Data migration problems when changing the cloud provider (security, validation etc.)
- Performance (bandwidth): what happens at the client side?
- User privacy leading to breaches of identity management: who is accessing the data?
- Data privacy legislation
- You can't always audit the specific physical site where your data is being kept

Qualification and Validation can help to mitigate these risks, and provide auditable evidence of how this has been done.
Security aspects
The Types of Cloud and Security implications
Security: differing levels of importance, public vs private cloud providers (these questions were answered by 127 cloud offering providers)
Differing levels of risk mitigation and emphasis surveyed from public cloud providers (questions answered by 127 cloud offering providers)
Options on Platform set up in Pharma Cloud (SP Example)
Some elements of best practice to consider for security risk mitigation:
- VM-level security
- Multi-layered defence
- Patch management
- Data protection and encryption
- Regulatory compliance
Validation aspects
Qualifying a cloud-based environment versus validating an application in a regulatory framework

- The application should be validated; IT infrastructure should be qualified. (EU GMP Annex 11, 2011)
- GAMP (Good Automated Manufacturing Practice) provides guidance on infrastructure qualification, as well as validation of applications.
- Typical qualification documents include specifications, IQ documentation (scripts, plans and reports), agreements with service providers, operational procedures, etc.
- Infrastructure qualification documents are still needed when a regulated / validated application is hosted in a cloud environment.
- The need for validation of the application does not change, wherever the application may be installed.
Some component and provider examples in the Software Platform Infrastructure Model
Who should do what for a GxP hosted application?

| Service | Components | GAMP category | What to do? | Who? |
| IaaS | Hardware, internet connectivity, power, servers, storage and RAM, VMware, Hyper-V | 1 | Qualify and manage infrastructure. Audit procedures. | Infrastructure Vendor (IV), Platform Vendor (PV), Application Vendor (AV) or Sponsor |
| PaaS | O/S, Windows Server, SharePoint and SQL | 1 | Qualify the stack. Manage / control ongoing changes. Audit procedures. | PV, AV or Sponsor |
| SaaS | e.g. x-docs | 3/4 | Validate the hosted application. URS and UAT. | AV, Sponsor |
A QA perspective on Pharma cloud validation

- GxP applications will still need to be validated if/when hosted in cloud environments.
- If you have data privacy needs, these should be tested as part of the validation testing and formally documented.
- Enhanced validation processes (because the application is in the cloud) should ensure that risks are managed.
- IaaS currently offers opportunities for easy scale-up of development and test environments. The more the IaaS vendors (IV) understand Pharma requirements, the more their infrastructure can be qualified for production use as well.
- PaaS offers the opportunity to have qualified stacks consisting of O/S, middleware and base software platform ready for applications to be loaded on and configured, from a Platform Vendor (PV).
- There are already SaaS examples where Pharma is using private cloud arrangements, and the software applications should be validated.
Practical experience of validation in the Pharma cloud: Use Case 1 (courtesy of PRISM forum)

Cloud computing is exploited as public/private-hybrid, utility-based computing and storage that is scalable on demand and pay-for-what-you-use. This pharmaceutical company has many current cloud activities and use cases, including: high-performance computing (HPC), external collaboration, scratch storage, back-up and archiving, development/test environments, and capital expenditure (CapEx) to operating expenditure (OpEx) transfer. Project areas include advanced modelling and simulation, image processing and translational medicine. Some specific examples include:
- ascertain final drug clinical dosing models in days rather than months;
- drug clinical dosing models calculated in-house save US$350,000 per study by not outsourcing;
- shorten response time for the US Food and Drug Administration (FDA): reconstruct a 100 computed tomography (CT)-scan image study in two days rather than 92 days;
- a 100,000-molecule file processed in 45 minutes compared with seven hours on a scientist's local machine;
- in only four months, implement an informatics data warehouse enabling scientists and investigators to research drug and clinical trial information in one location (would have taken nine to 12 months internally); and
- reliable storage and rapid retrieval times (currently storing ~20 TB).

Validation activities are carried out as required, depending on the stage of the R&D process the cloud activity is addressing and on risk.
Practical experience of validation in the Pharma cloud: Use Case 2 (courtesy of PRISM forum)

If cloud computing is to be successfully exploited in the regulated domains of the pharmaceutical industry, the pharmaceutical industry and the cloud vendors must work together on a methodology to provide a unified common validation scheme. Current concepts of computer system validation (CSV) do not work well; e.g., how does one perform an installation qualification (IQ) in the cloud when one does not know the serial number of the machine on which the software will be installed, nor indeed its location? So we must pay attention to the purpose of the IQ, not to the implementation of the IQ, and, by extension, we must consider the purpose of CSV, not just its current practice.

Any task carried out in the regulated domain should have at least the following attributes, whether paper-based or computer-based, in house or in the cloud:
1. non-repudiation;
2. repeatability;
3. audit trail.

The real point here is control of your data: specifically, who can access it, and what they can do (and did!) with it once accessed.
Conclusions (Security)

- Risks around security need to be identified, managed and documented.
- There is little to differentiate the regulatory and security requirements for managing financial, legal and IP data from what the regulators require of GxP data.
- To maximise effectiveness and minimise risk (and ultimately cost), security and privacy must be considered from the outset of any cloud implementation, not after implementation and deployment.
- Cloud computing should be approached carefully, with due consideration to the sensitivity of the data being managed and its security.
- Cloud providers (IaaS and PaaS) are generally not aware of the specific security, privacy and regulatory needs of our sector.
- Cloud computing encompasses both a server and a client side; make sure you don't neglect the security of the client side by focussing only on the server side.
Conclusions 2

- Don't lose the focus that anything is validatable. There will be more validated applications in qualified cloud-based environments, both private (as now) and public (in the future), with hybrid also based on risk.
- Generally you should have security and validation elements in place for cloud-based applications that are commensurate with, or surpass, those used if the applications were deployed in-house.
- Advice and guidance is already available; see the links and references.
Links and references

- EU Annex 11: http://ec.europa.eu/health/files/eudralex/vol-4/annex11_01-2011_en.pdf
- Security of Cloud Computing Providers Study: http://www.ca.com/~/media/files/industryresearch/security-ofcloud-computing-providers-final-april-2011.pdf
- GAMP 5: http://www.ispe.org/gamp-5
- PRISM Forum: http://www.prismforum.org/
- Cloud Security Alliance: https://cloudsecurityalliance.org/research/initiatives/securityguidance/