Developing a Risk-Based Cloud Strategy


Trevor Simmons, ZigZag Associates Ltd
David Stokes, Venostic Consulting
23rd April 2015, Chertsey

Introductions
Tell us briefly:
- Who you are
- Who you work for
- What experience you and/or your organization have had with Clouded data/applications
  - Non-GxP?
  - Low Risk?
  - High Risk?

Background
- Cloud Computing is here to stay
  - Recognised by the regulators
  - Of some concern to the regulators
- The question is no longer whether to Cloud
- The questions are
  - What to Cloud?
  - Who to Cloud with?
- Organisations need to develop a Cloud Strategy

Discussion
- How has Cloud worked out for you?
- How much have you Clouded?
- What have you Clouded?
- What sort of Cloud models are you using?
- What problems have you encountered?
- Have the promised cost savings emerged?

Exercise Overview
- Let's review the capabilities of five different cloud services providers
- Look at the business requirements for deploying five new platforms / applications
- In five groups we'll consider a different platform and will define
  1. The service model you might look to utilise
  2. How the cloud service providers would be assessed (What questions would you ask / verify?)
  3. What your final cloud services model looks like

Cloud Infrastructure as a Service
NIST definition: The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).

Cloud Platform as a Service
NIST definition: The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.

Cloud Software as a Service
NIST definition: The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

Private Cloud
NIST definition: The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.

Community Cloud
NIST definition: The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.

Public Cloud
NIST definition: The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.

Hybrid Cloud
NIST definition: The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).

Risk Considerations
- GxP Significance
- Data Integrity / Protection
- Protection of Intellectual Property
- General Security / Access Controls

Platform A - Extranet
- Your regulated company is looking to deploy a new SharePoint platform (document libraries, lists, calendars, work sites etc.)
- Requirements are defined including GxP significant functionality, including a repository for GMP electronic documents, CAPA lists etc.
- Collaborative working with Contract Manufacturers
- Future requirements are undefined, but manufacturing, QA and sales/marketing are all stakeholders in the project

Platform B - Adverse Events Signal Detection
- Following recent MHRA regulatory enforcement action your regulated company is looking to implement a new AE signal detection platform
- Needs to analyse data from multiple databases including manufacturing records, CAPA records, complaints, AERS and social networking sites
- You have a team of requirements analysts ready to start work with a technical development team and the project will be managed by your own IT department
- Requirements are defined but no COTS solution will fulfil the requirements (even with customisation)

System C - Enterprise Resource Planning
- Your regulated company is soon to begin manufacturing your first parenteral product with very specific and complex QA release, identification and storage requirements
- As a small start-up you have limited funds to implement a new ERP system
- A number of commercial ERP systems can be configured to meet your requirements
- The traditional route of working with a system integrator and hosting internally looks expensive
- Time is of the essence: the patent clock is ticking

System D - Clinical Data Warehouse
- Your regulated company is struggling to analyse data from across multiple clinical trials
- It has been decided to implement a new clinical trials data warehouse based on CDISC standards with a suite of analytical tools
- Your review of the market has identified two potential vendors with COTS products
  - Vendor 1 has a very professional data centre and a SaaS solution, but will not modify their SaaS solution to meet your specific process workflow requirements
  - Vendor 2 also cannot meet your specific workflow needs out-of-the-box but has a suite of development tools and PaaS offering which you can use to extend their solution. However, they have no IaaS or SaaS offering.

System E - CRM System
- Your medical devices company sells diagnostic instruments and consumables aimed at the home care market and is starting to provide patient care services as part of a new revenue generation plan
- You need a new CRM system for the new patient care division to manage
  - Traditional sales call management
  - Sample management
  - Call centre (including complaints management)
  - Patient records
- You have identified three CRM systems that can be configured to meet your needs, but they are the most expensive on the market
- Investment funds are limited

Your Mission...
- Get into a like-minded group to discuss a system / challenge that interests you
- Discuss how Cloud can be leveraged as part of your solution
- Think about how you will assess potential Cloud service providers
  - What will you ask / check?
- Consider the following 5 Cloud Service Providers

Remember
- As the consumer you can look to any Cloud service model you like
  - On-Premise or Off-Premise
  - IaaS, PaaS or SaaS
  - Private, Community, Public or Hybrid
- Your model could leverage more than one Provider
- Cost savings are an objective
  - Off-Premise generally has lower investment costs than On-Premise
  - Private is more expensive than Community and both are more expensive than Public

Cloud Service Provider 1
- Internal IT department within the regulated company
- Fully compliant IT quality management system, with trained staff and all IT infrastructure is fully qualified
- Already managing a number of highly critical, validated GxP significant applications
- Limited experience with virtualised infrastructure and no formal experience with Cloud

Cloud Service Provider 2
- External Infrastructure-as-a-Service cloud services provider
- Specialise in providing services to the regulated industries
- Fully compliant IT quality management system, trained staff and all IT infrastructure is fully qualified
- Significant experience with virtualised infrastructure and good track record in providing Infrastructure-as-a-Service to other life sciences companies
- Broad technical knowledge of most mainstream technologies and platforms

Cloud Service Provider 3
- External Infrastructure-as-a-Service and Platform-as-a-Service cloud services provider
- Provide a broad range of software development tools, utilities and libraries as PaaS
- Capable of supporting developed applications using their own Infrastructure-as-a-Service solutions
- Do not specialise in supporting life sciences customers
- Staff have no GxP training
- IT infrastructure is not formally qualified
- Their IT quality management system is not based on any defined standard
- Limited experience deploying technology other than their own

Cloud Service Provider 4
- External Infrastructure-as-a-Service and Software-as-a-Service cloud services provider
- Sell fully configurable versions of an ERP, CRM and EDMS application
- Also provision 3 applications as SaaS
  - ERP with no configuration flexibility
  - CRM with limited configuration flexibility
  - EDMS with significant configuration flexibility
- Do not focus on Life Sciences industry
- Very professional, secure data centre with accredited IT QMS and security
- Staff have no GxP training
- IT infrastructure is not formally qualified

Cloud Service Provider 5
- External IaaS, PaaS and SaaS cloud services provider
- Provide a broad range of software development tools, utilities and libraries as PaaS
- Capable of supporting developed applications using their own Infrastructure-as-a-Service solutions
- Provision a range of SaaS, developed using their own tools, including
  - CRM with no configuration flexibility
  - EDMS with no configuration flexibility
- Do not focus on Life Sciences industry
- But can provision separate Test/QA instance at additional cost
- New data centre
- No IT QMS
- Staff have no documented training
- IT infrastructure is not formally qualified

Feedback
Each group to provide feedback:
- What working assumptions did you make?
- What Cloud model(s) did you go for? If any
- What were the things you considered?
- What questions would you have asked?

Discussion
- What are the issues to consider when developing a Cloud Strategy?
- Where do the following fit in?
  - Functional risk
  - Data integrity
  - Different Cloud models
  - The ability to conduct assessments / audits
  - The role of preferred provider

Thank You!