Cloud Computing in a Regulated Environment

White Paper by David Stephenson, CTG Regulatory Compliance Subject Matter Expert
February 2014

CTG (UK) Limited, 11 Beacontree Plaza, Gillette Way, READING, Berks RG2 0BS
Phone: +44 (0) 118 975 0877
Fax: +44 (0) 118 931 0249
Mobile: +44 (0) 7891 343814
Registered in England and Wales as Computer Task Group (UK) Limited
Registered Address: 11 Beacontree Plaza, Gillette Way, Reading, Berkshire RG2 0BS
Registration No: 1262284
www.ctg.eu
As enterprises look for innovative ways to save money and increase the trust and value in their information systems, cloud computing has emerged as a potential panacea for meeting computing needs, achieving both cost savings and business objectives. However, as cloud computing continues to grow in importance and gradually evolve, we must understand how best to handle this new era of computing and how to control it in a compliant manner, both from a business perspective and in terms of compliance and security.

In order to better understand what cloud computing is, we should first look at its definition. Cloud computing can be defined as:

"A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."
U.S. National Institute of Standards and Technology (NIST)

Cloud computing itself can almost be categorised as a utility, where users pay for the service for as long as needed. This model has been adopted by the cloud service providers, and as a result cloud users pay by CPU cycles measured and by the amount of storage required over time, thus providing major cost savings in the enterprise.

However, in order to better manage the cloud, we must understand how it is constructed. In a nutshell, the cloud is made up of five basic characteristics, offering three service models, and is available in four distinct deployment models.
These are illustrated below:

[Diagram: Inside the Cloud. Characteristics: On Demand, Resource Pooling, Measured Service, Broad Network Access, Rapid Elasticity. Service Models: Software as a Service, Platform as a Service, Infrastructure as a Service. Deployment Models: Private, Community, Public, Hybrid.]

Following is a more detailed discussion of the above diagram.

Characteristics
- On-demand self-service
- Broad network access
- Resource pooling
- Rapid elasticity
- Measured service
Service Models

The cloud has much to offer to entice prospective clients. However, we must be cognisant that there will be a corresponding increase in compliance and security risk, depending on the cloud service and deployment model selected.

Infrastructure-as-a-Service (IaaS)
In the most basic cloud service model, cloud providers offer computers, as physical or more often as virtual machines, and networks. IaaS providers supply these resources on demand from their large pools installed in data centres, with local area networks as part of the offer. For wide area connectivity, the Internet can be used or, in carrier clouds, dedicated virtual private networks can be configured. To deploy their applications, cloud users then install operating system images on the machines, as well as their application software. In this model, it is the cloud user who is responsible for patching and maintaining the operating systems and application software. (Cloud providers typically bill IaaS services on a utility computing basis, that is, cost will reflect the amount of resources allocated and consumed.)

Platform-as-a-Service (PaaS)
In the PaaS model, cloud providers deliver a computing platform and/or solution stack, typically including operating system, programming language execution environment, database, and web server. Application developers can develop and run their software solutions on a cloud platform without the cost and complexity of buying and managing the underlying hardware and software layers.

Software-as-a-Service (SaaS)
In this model, cloud providers install and operate application software in the cloud, and cloud users access the software from cloud clients. The cloud users do not manage the cloud infrastructure and platform on which the application is running. This aspect eliminates the need to install and run the application on the cloud user's own computers, simplifying maintenance and support.
What makes a cloud application different from other applications is its elasticity. This can be achieved by cloning tasks onto multiple virtual machines at run-time to meet the changing work demand. Load balancers distribute the work over the set of virtual machines. This process is transparent to the cloud user, who sees only a single access point. To accommodate a large number of cloud users, cloud applications can be multi-tenant, that is, any machine serves more than one cloud user organisation.

These Service Models are presented in four Deployment Models:

Public
Applications, storage, and other resources are made available to the general public by a service provider. Public cloud services may be free or offered on a pay-per-usage model. There are a limited number of service providers who own all of the infrastructure at their data centre, and the only access will be through the Internet. No direct connectivity is proposed in public cloud architecture.

Community
Community cloud shares infrastructure between several organisations from a specific community with common concerns (security, compliance, etc.), whether managed internally or by a third party and hosted internally or externally.

Hybrid
Hybrid cloud is a composition of two or more clouds (private, community or public) that remain unique entities but are bound together, offering the benefits of multiple deployment models.

Private
Private cloud is infrastructure operated solely for a single organisation, whether managed internally or by a third party and hosted internally or externally.

The Compliance Cube illustration below shows how this compliance and security risk rises with the cloud service and deployment model selected.
[Figure: Compliance Cube]

These risks can be described as:

Data location
Regardless of the deployment model selected, customers may not know the physical location of the server used to store and process their data and applications. The data may reside anywhere.

Co-mingled data
Many clients will use the same application on the same server concurrently, which may result in the clients' data being stored in the same data files.

Cloud security policy/procedure transparency
Some Cloud Service Providers (CSPs) may have less transparency than others when it comes to their current information security policies.

Cloud data ownership
The CSP may believe they own the data placed in the cloud computing environment that it maintains, and may also require significant service fees for data to be returned to clients if and when a cloud computing services agreement terminates.

CSP business viability
As cloud computing continues to mature, there will be CSPs going out of business. Clients need to consider the risk and how data and applications can be easily transferred back to the traditional enterprise or to another CSP.

Record protection for audits
Clients must also consider the availability of data and records if required for audits. Since data may have been co-mingled and migrated among multiple servers located widely apart, it may be possible that the data for a specific point in time cannot be identified.

Identity and access management (IAM)
Current CSPs may not develop and implement adequate user access privilege controls.

Penetration detection
Consideration should be given to whether the CSP has a penetration detection system in use.
If such a system is in use, it is important to ensure that it has the required sophistication to monitor all cloud computing activities adequately.

Public cloud server owners' due diligence
When contemplating transferring critical organisational data to the cloud computing platform, it is important to understand who and where all of the companies are that may touch the enterprise data. This includes not only the CSP, but all vendors that are in the critical path of the CSP.

Data erasure for current SaaS or PaaS applications
When an application and data are transferred from one server to another, the earlier application and data files may remain and may not be erased. Their space on the original hard drives is now available for overwrites. The original data files may still be available for copying up to the third rewrite of the original disk space.
Disaster recovery
In traditional hosting or co-location sites, customers know exactly where their data is in the event that they need to retrieve it quickly; this is not necessarily the case in the cloud.

We consider the three critical steps to take in evaluating the cloud as a platform in a highly regulated industry like pharmaceuticals. In order to address these issues, an understanding of the regulators' viewpoint is required. We must therefore consider a quote from Robert Tollefsen of the FDA, who said that regulators are interested in the following when they discover that IT is outsourced:
- Risks are clearly identified and mitigated
- Data integrity is assured
- Data backup/recovery is in place and tested
- Cybersecurity exists for networked systems
- Contracts exist between clients and providers
- The provider has a quality system
- The provider and client have SOPs (validation, change control, training, etc.)
- An audit of the provider has been carried out by the client

In order to comply with these requirements and address the issues above in a highly regulated industry like pharmaceuticals, we need to have a coherent cloud assessment strategy and an ongoing cloud management framework. This can best be achieved by applying the following three steps:
- Step 1: Due Diligence
- Step 2: Provider Risk Assessment
- Step 3: Ongoing Compliance Framework

Step 1 Due Diligence

In this step, we need to initially look at the cloud provider's background, length of time in service, and general approach to security and data, etc. This can best be achieved by following the process flow outlined in the diagram below.

Figure 1 Due Diligence Workflow

Provider Track Record
- How long has the provider been supplying IT services? (New to market, or long-standing provision?)
- Is the provider aware of the life sciences environment? Has the provider worked in the life sciences industry previously? Have they worked in both the European and U.S. arenas?

Has the provider filled in the Cloud Security Alliance questionnaire?
- Does the provider have ISO 27001 certification?
- Is the provider aware of the Cloud Security Alliance? Have they checked themselves against the questions in the Consensus Assessment Initiative questionnaire?
- Has the provider taken the time to ensure that their security initiatives and processes are of a recognised standard?

Does the provider use a framework to manage their processes (COBIT, ITIL, etc.)?
- Has the provider taken the time to ensure that their processes follow a proven methodology?

Audit Provider
- Audit the provider, using a tool designed for regulatory outsourcing (GAMP 5) and for the cloud (i.e., the DSA Controls Matrix).

Provider OK?
- If so, proceed to Risk Assess Capability (Step 2).
- If the audit of the provider is not acceptable, we may need to consider another provider.
Step 2 Provider Risk Assessment

Once we have gone through the initial Due Diligence, we are faced with a provider that appears to comply with the necessary requirements, and is aware of the intricacies of working in the pharmaceutical arena. We can then move forward and perform a risk assessment, in order to mitigate the issues/risks that we have previously identified. If we apply a risk management process similar to that of GAMP 5, we can address the risks in the following manner, putting our present cloud scenario into these five process blocks:

Stage 1 Initial risk assessment and system impact
- What are the regulatory/business/security risks if data security or data retrieval is compromised?

Stage 2 Identification of the functions which may impact on patient safety, product quality and data integrity
- What could go wrong (who controls what; is our data safe)?
- Where is our data?
- Who controls the data?
- Who can access our data?
- Can we retrieve our data?

Stage 3 Perform a functional risk assessment and identify controls
- What controls does the provider have in place? Are they adequate?
- Will they put additional controls in place?
- What controls do we put in place?

Stage 4 Implement and verify appropriate controls
- Implement the control measures from the previous step.
- Are they adequate? Are they acceptable to the business?

Stage 5 Review risks and monitor controls
- Carry out a periodic assessment to ensure controls are still valid and appropriate.
Step 3 Ongoing Compliance Framework

The strategy above should be carried out with the involvement of all relevant stakeholders within the business, and should be led by someone with knowledge of both the cloud and regulatory expectations. Once the service has been implemented, we need to ensure that business-as-usual processes are robust and reporting is adequate, as we may be operating in a scenario where the responsibility for and control of the IT processes is in the hands of a third party. Therefore it is imperative to have a coherent and robust framework in place that provides processes within the regulated business aligned to those of the service provider, e.g., change control, configuration management, validation and qualification, etc.

Regular monitoring of the service should be set up, with a focus on the quality of the service and adherence to procedure/process. This monitoring should be backed up by a set of robust operational or service level agreements, with roles and responsibilities, expectations and penalties singled out and understood.

This then provides us with a model for ongoing compliance of our cloud service provision, including monitoring and feedback, but we must also be prepared to rescind our agreement if the cloud service does not meet the agreement, or proves to be too costly. We therefore need to be aware of:
- Contractual penalties
- Management of the cloud provider during the withdrawal period
- Return of data and deletion within the cloud
- How the service required will be managed in-house, or once more outsourced to another provider

Conclusion

From the above methodology, it can be seen that selection, control and management of cloud provision can be brought into a compliant state, as long as we follow a defined framework or lifecycle. The onus is on the company who is contemplating using cloud services to carry out the due diligence required, to assess the risk and potential impact of using the service (in terms of regulatory, security and business risk), and finally to set up a mutually managed interface with the supplier. The relationship should be backed up by clearly defined contractual clauses that can then be used to ensure service performance and compliance with regulatory requirements.

An important closing thought: a supplier of cloud services may create competitive advantage in a regulatory compliant industry if they adopt these compliance approaches and demands in the set-up of their facilities and services.

David Stephenson is a highly experienced Computer Systems Validation Consultant, with detailed knowledge of Computer System Validation and particular expertise in IT Infrastructure. He was a member of the GAMP Special Interest Group that was responsible for authoring the Good Practice Guide for Infrastructure Compliance. David is presently the Regulatory Compliance Subject Matter Expert for CTG. Currently in his role, David is looking into cloud solutions and the synergy between data management/protection standards and the requirements of the regulated industries.
For more information, contact: David Stephenson at david.stephenson@ctg.com, Mob 07891 343814