Compliance and the Cloud. Guiding principles and architecture for addressing Life Science compliance in the cloud




Compliance and the Cloud
Guiding principles and architecture for addressing Life Science compliance in the cloud

Life Sciences Industry Unit
Microsoft Corporation
June 2012


Legal Disclaimers

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2012 Microsoft Corporation. All rights reserved.

Microsoft, Microsoft Office 2010, Microsoft SharePoint 2010, Microsoft Word, Microsoft Excel, Microsoft PowerPoint, Microsoft Rights Management Services, Active Directory, Active Directory Federation Services, Windows Server 2008 R2, Windows 7, Windows Vista, Windows XP, Microsoft Windows, Microsoft Forefront Identity Manager, Microsoft Visual Studio are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Contents

Legal Disclaimers
Introduction
Introduction to the Cloud
Cloud Apps across the Value Chain
  Drug Discovery
  Clinical Trials and Regulatory Affairs
Can the Cloud be Qualified?
Qualification in the Cloud
Summary

Introduction

As cloud applications and platforms become increasingly prevalent, the areas in which they can be used become more widespread. This is no different in the Life Sciences industry, where cloud apps were originally focused on individual capabilities such as EDC (Electronic Data Capture) in the Clinical Trials space, High Performance Computing in the cloud for Drug Discovery, and others. For those applications where regulatory compliance (GxP or 21 CFR Part 11) was required, each app, each platform, and each data center was individually qualified and then individually validated to the appropriate regulation.

Now that the cloud is everywhere, is the industry going to individually qualify and validate each of the building blocks? Over time, wouldn't that make the cloud less compelling?

The approach for compliance in the cloud needs to be different. If done correctly, Compliance in the Cloud can be far more efficient than any other means of providing compliant apps. Instead of qualifying each building block, the cloud vendor qualifies the platform once, to many standards and many certifications. The cloud vendor then provides those qualifications to any customers who need to validate their applications on the cloud vendor's platform.

Qualify the platform once. The qualification documentation is provided to the customer and becomes part of the validation documentation for any customer who needs it. The implementing party, a customer or partner, validates the application to the appropriate regulations and uses the qualification documentation as input into that process.

That is the approach Microsoft is taking: Microsoft qualifies the platform, the customer (or partner) validates the app.

Regardless of whether you are considering Platform as a Service, Infrastructure as a Service, or Software as a Service, thinking of putting your application on Azure, or enabling your business with CRM Online or Office 365, Microsoft's approach is to provide documentation and certifications across a wide range of standards that may then serve to enable customers' and partners' validated applications.

Your mileage may vary. Each customer's QA department has a different view of the qualification documentation necessary to support validated apps. In addition, each application has different risks associated with it. For example, a cloud-based clinical trial portal carries a different level of risk than a back-office payroll application and is thus validated to a different level. In turn, Microsoft works with each case as necessary to provide what Microsoft feels is the appropriate level of documentation based on previous customer needs.

This whitepaper will consider various approaches to the cloud, how life science organizations are using the cloud across the value chain, and what levels of qualification documentation Microsoft provides to customers in regulatory environments.

Introduction to the Cloud

There are many different definitions of "The Cloud", as many different definitions as there are implementations. Rather than define what the cloud is, why not look at what the cloud does, the promise of the cloud, and allow any architecture that delivers that to fit under the cloud umbrella?

What the cloud delivers is information and communication technology as a service. Whether deployed using an entity's own resources (internally or externally hosted), or shared with other entities in a multi-tenant environment, the promise of the cloud is on-demand, scalable, flexible, self-service, pay-as-you-go access to data storage, processing and sharing.

In general, most people agree on three categories of cloud, depending on the service that is consumed and the level of control that an organization's IT wants:

- Infrastructure as a Service (IaaS)
- Platform as a Service (PaaS)
- Software as a Service (SaaS)

Software as a Service (SaaS)

In Life Sciences, the Software as a Service (SaaS) model has been around for quite a while. Examples of this model in Life Sciences include clinical trials EDC software. Examples in the consumer space are e-mail applications such as Hotmail. Both types of software are provided completely hosted and completely managed, so that the customer need not worry about servers, storage capacity or infrastructure management.

Examples of Software as a Service include software in such categories as:

- Business Productivity, Email, and Collaboration Services, such as Microsoft Office 365
- CRM and XRM services, such as those found in Microsoft Dynamics CRM Online
- Electronic Data Capture (EDC) in Clinical Trials, such as you can get from BioClinica
- Regulated Document Management services, such as you can get from NextDocs or Qumas
- Clinical Trial Portal, such as you can get from ilink, epharmasolutions or NextDocs
- Consumer-focused applications, such as Hotmail or Xbox Live.
  o Note that Xbox and Kinect with Xbox Live have already been used in clinical situations, from giving physicians access to X-rays without having to leave the OR, check the X-ray, and then scrub back into surgery, to clinical trials run by large academic research institutions that are measuring range of motion over time in Alzheimer's patients.

This application category is quite mature in Life Sciences, with many companies having adopted SaaS platforms, in effect outsourcing those applications to third-party vendors.

Platform as a Service (PaaS)

Platform as a Service (PaaS), compared to SaaS, is relatively new to the industry and is best represented by the Windows Azure platform. With Platform as a Service, the vendor is essentially providing an operating system and database services in the cloud, on which customers can deploy applications they've written or can use applications that a partner has written and to which they can subscribe.

Examples of applications using PaaS include:

- NCBI Blast, which has been ported by Microsoft and NIH to the Windows Azure platform
- Other discovery-focused applications, such as those available from TeraDiscoveries, which takes an Inverse Design methodology that uses high performance computing in addition to its unique algorithms
- Umthunzi, which provides a Safety Surveillance application that runs on Windows Azure
- Numira BioSciences, which provides imaging study software that also runs on Windows Azure

This PaaS segment is quickly growing as well. The interesting part of PaaS is that we're seeing a number of PaaS vendors who are using the new Metro User Interface, even going so far as to have Windows 8 interfaces to their back-end applications and data storage. While none of the vendors listed above fall into that category, it is interesting to note that this movement exists.

Many companies consider PaaS when they think about the HPC and scalability components that are provided in PaaS architectures, especially as they develop applications, and even more so for applications focused on the drug discovery phase of the value chain.

Infrastructure as a Service

Infrastructure as a Service (IaaS) in most implementations enables companies to load virtual machines onto cloud infrastructure and was perhaps the first category of cloud computing to be widely accepted by Life Science companies.

Public, Private and Hybrid Cloud

Whether it's IaaS, PaaS or SaaS, there are also choices to be made regarding the mode of deployment of cloud services. Depending on their comfort level with cloud vendors, security and compliance risks, concerns over sovereignty over data, or even a desire to build on investments already made, organizations can choose to deploy in one of the following ways:

- Private cloud, where you or a partner controls your own separate infrastructure using cloud-enabled products (on-premises or hosted by a third party).
- Public cloud, where the platform is managed for you in Microsoft's data centers.
- Hybrid cloud, where you have a mix of the two.

Microsoft is investing heavily in the concept of the hybrid cloud. In this case, it is not just about having capabilities in public or private, but about bridging the two together and taking advantage of the commonalities between the public and private approaches to the cloud. These commonalities include identity, virtualization, management and application development, and are what make the Microsoft platform unique.

The Microsoft public cloud is characterized by platforms and applications such as Office 365, Dynamics CRM Online, Windows Intune and Windows Azure.

The Microsoft private cloud is characterized by Microsoft Office, Microsoft Dynamics, SQL Server, System Center, Windows Server, and Hyper-V.

As Life Science companies move from solely IaaS and SaaS implementations, the trend for many of our largest Pharmaceutical, Biotechnology and Medical Device customers appears to be moving toward the Hybrid Cloud of both public and private cloud technologies.

Cloud Apps across the Value Chain

When one considers the value chain of a typical life science company, one tends to think of Drug and Device Discovery, Clinical Trials and Regulatory Affairs, Sales and Marketing, and Manufacturing and Supply Chain. And when you consider each segment, you think of the focus areas that characterize it. Those focus areas, those challenges, provide opportunity for cloud-based applications.

As mentioned before, the clinical trials and regulatory affairs area represented one of the largest implementation areas for cloud technology. But now, with the advent of Platform as a Service, we're seeing a greater amount of uptake in the drug discovery segment than in the other areas.

Drug Discovery

Applications that rely on High Performance Computing are rapidly being moved into the Public Cloud. As mentioned previously, we have seen applications varying from algorithms available from the National Institutes for Health (NIH) in the US to apps like that available from TeraDiscoveries that enables novel methods for drug discovery. What both of these examples have in common is the need for a rapid scale-up in the number of nodes used, as well as the ability to run parallel algorithms across those nodes.

A PaaS infrastructure in a Public Cloud is especially suited to these types of applications. The infrastructure enables customers to configure many nodes for their computations, without needing to build out huge HPC clusters in their own data centers.

Clinical Trials and Regulatory Affairs

While SaaS applications in clinical trials have been around quite a while, as discussed earlier, there is a nascent move towards PaaS applications also residing in the public cloud. Examples of PaaS applications in the public cloud include apps aimed at Safety Surveillance and similar workloads.

Umthunzi is a company that is providing just such services and has seen interest in the applications they offer that reside in the Windows Azure platform.

Sales and Marketing

Another segment of the value chain where companies are using SaaS and PaaS apps is Sales and Marketing. There are a number of vendors that are using the SaaS approach to sales and marketing, but there are an increasing number of vendors and customers who are matching their SaaS platforms that run the traditional CRM with PaaS platforms that run deep analytics and business intelligence. The results are then delivered to the consumer either through web browsers or other PaaS-specific front-end services, or through a hybrid model that crunches the numbers in a PaaS service and then delivers the data into the traditional SaaS front end.

Some examples: Microsoft Dynamics CRM Online is both a Platform as a Service (PaaS) application and a Software as a Service (SaaS) application. In this instance, customers are using the SaaS capabilities for tracking visits to individual doctors, for tracking the interaction with the doctor, and so on: pretty straightforward SaaS capabilities that rival those of any cloud CRM vendor. What is new, though, is the XRM capabilities that now make Dynamics CRM Online extensible, doing extensive workflow, integrating with other applications, and so on. These make Dynamics CRM Online a good choice for applications that need to integrate with CTMS, Investigator Recruitment, or prescribing history data.

All of this integration and number crunching is due to the Extended, Configurable and Programmable capabilities in Microsoft Dynamics CRM Online. This makes it both a SaaS offering and a PaaS offering that can solve many needs in the Sales & Marketing space.

Manufacturing and Supply Chain

One would think that since the manufacturing plant's devices are so local, the computing power must be local as well. Nothing is further from the truth.

As with all the segments so far, the Manufacturing & Supply Chain segment started out by heavily virtualizing its servers to gain significant economies of scale, then moved forward by implementing hybrid clouds with some parts local and some services in the cloud. But now, as the various platforms have become more mature, so have the implementations, even within Manufacturing and Supply Chain. Consider the following:

- Microsoft has announced that our Dynamics AX product, aimed at large pharma subsidiaries as well as Tier 2 and Tier 3 Life Science companies, will soon be available as a Cloud Service.
- Customers like Eli Lilly have gone on record stating their movement towards IaaS, PaaS and SaaS across their value chain, including manufacturing.
- Vendors are jumping on the bandwagon as well, with a number of Manufacturing and Supply Chain vendors having proofs of concept underway that will demonstrate the viability of their applications running in the Microsoft Cloud.

Qualification, Validation, Certification: which is right?

A frequently asked question is "Has your cloud offering been certified by the FDA?" The answer, of course, is that the FDA doesn't certify cloud applications. What the FDA does do is look at implementations of hardware and software by regulated companies to determine if they are compliant with the necessary regulations. The application vendors themselves are not responsible for compliance, but simply for providing documentation to the customer.

Another question that is frequently encountered is "Is the cloud validated?" Again, the answer is that cloud vendors do not provide validated applications, but rather provide applications that are qualified through standard IQ and OQ approaches that are well documented. Of course, the implementing company is responsible for validating their application against the guiding regulations and standards. In the Life Science industry, those include GxP and 21 CFR Part 11.

And so the question remains: can the cloud be qualified? Can applications in the cloud demonstrate a Software Quality Assurance (SQA) approach? Can applications or platforms in the cloud provide documentation against such standards as SAS 70 Type II, ISO 27001 or even FISMA? The answer to those questions is a resounding "Yes!"

Qualification in the Cloud

Microsoft provides documentation for these standards in a number of ways. The first method is through documentation of development practices. There are any number of books on the market that detail Microsoft's software development practices that are adopted across the company. A good example of these books is the Security Development Lifecycle by Michael Howard and Steve Lipner, two engineers in Microsoft's Trustworthy Computing team.

This approach also includes whitepapers on the topic of Microsoft and the V-Model. This whitepaper takes Microsoft's standard development methodology and translates it into Life Sciences terminology by mapping it to the industry-accepted V-Model.
Another whitepaper along these lines is a document that discusses how to configure SharePoint 2010 for 21 CFR Part 11 and compliance with those regulations pertaining to the FDA, and goes step by step through how companies can use the SharePoint platform to manage regulated content.

Microsoft also provides direct documentation and certifications across a number of standards and for a variety of regulations. These include, but are not limited to (as of this writing):

- SAS 70 Type II
- ISO 27001, ISO 27002
- FISMA
- HIPAA w/ BAA

For each of these, Microsoft will provide proof of qualification as required by each customer.

It is important to restate: Microsoft's approach is to qualify the platform and to provide those certificates or pieces of documentation to each customer as needed. The customer then validates their application or use of the service against the regulations for which they are responsible.

The vendor qualifies (SQA) and the customer validates (against regulations): a guiding principle that can help drive the behavior of cloud vendors and customers alike.

Summary

And so you can see from Microsoft's point of view on the cloud that there are three components:

- Infrastructure as a Service
- Platform as a Service
- Software as a Service

And each of these, and combinations of them, can be implemented in three ways:

- Public Cloud
- Private Cloud
- Hybrid Cloud

More importantly, we've demonstrated examples where this approach can be used across the value chain, with demonstrated case studies in each segment:

We hope that by taking this approach, you've been able to see the expansiveness of our implementation and vision while also seeing the relevance of the approach to the business problems you need to solve.
