Regulatory Considerations for use of Cloud Computing and SaaS Environments


In this presentation from IVT's Qualifying and Validating Cloud and Virtualized IT Infrastructures, Chris Wubbolt and John Patterson focus on current trends in cloud computing environments, including aspects of cloud computing and Software-as-a-Service (SaaS) providers that may be of interest to US Food and Drug Administration investigators during an FDA inspection. Important compliance related points to consider for software vendors as they shift to becoming SaaS providers are discussed. The presentation also reviews the pros and cons of cloud computing from a business and compliance perspective, including differences between traditional computing environments and private/public clouds. Examples of issues to consider when using cloud computing environments and SaaS providers are also discussed.

Published in: Health & Medicine

  1. Regulatory Considerations for Use of Cloud Computing and SaaS Environments. Institute of Validation Technology Conference: Qualifying and Validating Cloud and Virtualized IT Infrastructure, Philadelphia PA, 21-August-2012. Chris Wubbolt, BS, MS; John Patterson, MSE
  2. Challenges / Definitions; Historical Perspective; Regulatory Requirements for computing service providers; Paradigm Shift: Software Vendors to Software-as-a-Service Providers; Qualification / Validation of hosted applications; Key Risk Areas
  3. Challenges Faced by Consumers Contemplating Cloud Computing Adoption Include [1]: Policy, Technology, Guidance, Security, Standards
  4. Cloud computing is still in an early deployment stage, and standards are crucial to increased adoption. Urgency is driven by rapid deployment of cloud computing in response to financial incentives. Strategically, there is a need to augment standards and to establish additional security, interoperability, and portability standards: to ensure cost-effective and easy migration, to ensure that mission-critical requirements can be met, and to reduce the risk that sizable investments may become prematurely technologically obsolete.
  5. Cloud Computing [2]; Virtual Machines [3]; Infrastructure as a Service (IaaS) [2]; Platform as a Service (PaaS) [2]; Software as a Service (SaaS) [2]
  6. Public Cloud [2]: The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services. Private Cloud [2]: The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.
  7. A virtual machine is a tightly isolated software container that can run its own operating systems and applications as if it were a physical computer. A virtual machine behaves exactly like a physical computer and contains its own virtual (i.e., software-based) CPU, RAM, hard disk and network interface card (NIC).
  8. The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).
  9. The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.
  10. The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The apps are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
  13. GxP Electronic Recordkeeping Controls: Qualified Infrastructure; Standard Operating Procedures; Trained Personnel (including IT); Validated Applications. Record Integrity; Record Availability; Record Retention.
  14. Record Integrity: Electronic Recordkeeping Compliance Program; SOPs; Validation; Infrastructure Qualification; Security Program; Training. Record Availability: SOPs; Backup and Restore; Problem Reporting; Business Continuity Plan; Disaster Recovery Plan. Record Retention: SOPs; Backup and Restore; Business Continuity; Disaster Recovery; Record Retention Policy; Archival.
  15. Pharma A; Data Center Inc. GxP Electronic Recordkeeping Controls, STILL NEED: Trained Personnel (including IT); Qualified Infrastructure; Validated Applications; Standard Operating Procedures.
  16. A computerised system is a set of software and hardware components which together fulfill certain functionalities. Applications should be validated. IT infrastructure should be qualified: hardware and software such as networking software and operation systems which makes it possible for the application to function. Risk Management: extent of validation and data integrity controls (patient safety, data integrity, product quality).
  17. Suppliers and Service Providers: Formal Agreements required to include clear statements of responsibilities (Provide, Configure, Validate, Modify, Install, Integrate, Maintain, Retain). IT departments should be considered analogous.
  18. GxP Electronic Recordkeeping Controls: Trained Personnel (including IT); Qualified Infrastructure; Validated Applications; Standard Operating Procedures.
  19. Software Vendor: Quality System; SLC Processes; Customer Support. Typically not directly regulated or inspected by regulatory agencies. Audited by clients for adherence to standards. Quality of SLC Documentation, Testing, etc. varies considerably for each vendor. Sponsor responsible for installation, validation, and electronic recordkeeping controls at sponsor location.
  20. Electronic Recordkeeping Compliance Program; SOPs; Validation; Infrastructure Qualification; Security Program; Training; Backup and Restore; Problem Reporting; Business Continuity; Disaster Recovery Plan; Record Retention Policy; Archival.
  21. Left column: Electronic Recordkeeping Compliance Program; SOPs; Validation; Infrastructure Qualification; Security Program; Training; Problem Reporting; Business Continuity Plan; Record Retention Policy. Right column: Electronic Recordkeeping Compliance Program; SOPs; Validation / SDLC; Infrastructure Program; Security Program; Training; Backup and Restore; Problem Reporting; Business Continuity; Disaster Recovery Plan; Record Retention Policy; Archival.
  22. Validation: SOPs; SDLC Methodology; User Requirements Specification; Functional Specification; Configuration; Installation (IQ); System Testing (Operational Qualification); User Acceptance Testing (Performance Qualification); Traceability; System Release to Customer; System Acceptance.
  23. Specifications: Not complete; Not updated periodically after changes. Test Records: Not pre-approved; Results not reviewed by second person; Integrity of test results; No approved summary reports. Release Management.
  24. Test Record Integrity: Results typed into Word document or Excel spreadsheet; No failures documented; Test dates and times do not correlate.
  25. Software Vendor: Quality System; SLC Processes; Customer Support. Typically not directly regulated or inspected by regulatory agencies. Audited by clients for adherence to standards. Quality of SLC Documentation, Testing, etc. varies considerably for each vendor. Sponsor responsible for installation, validation, and electronic recordkeeping controls at sponsor location. Hosted Environment: Quality System; SLC Processes; Customer Support; Validation; Record Keeping Controls. Hosted Environment is used for a direct GxP function (record keeping) and is more likely to be inspected by regulatory agencies. Audited by clients for adherence to standards (GxP, Part 11). Quality of SLC Documentation, Testing, etc. varies considerably for each vendor. SaaS provider responsible for some aspects of installation, validation, and electronic recordkeeping controls.
  26. This could now be the documentation used to support your validation effort! Make sure you understand (and audit) your SaaS Service Provider's Validation/Qualification Procedures and Documentation.
  27. SAS 70 / SSAE-16: Internationally recognized financial auditing standard developed by the AICPA. SAS 70 was replaced by SSAE-16 in June 2011. There is no SAS 70 / SSAE-16 certification. There is no list of published SAS 70 / SSAE-16 standards.
  28. SAS 70 / SSAE-16: Requires a description of controls and attestation of controls by management. CPA firms issue Type I (design) and Type II (design and effectiveness) reports. Neither SAS 70 nor SSAE-16 discusses qualification or validation of network infrastructure.
  29. A SAS 70 Report by itself may not be sufficient to assure regulatory requirements are being met.
  30. System Unavailable; System Down; Connection Problems; Data Center Disaster; Legal / Contractual Disputes. Make sure your Business Continuity Plans are established. Be sure your legal contracts are carefully constructed and reviewed.
  31. Change Control: In a shared environment with multiple customers, how are hardware or software platform changes communicated or approved? How are application upgrades handled? Backups: What is the frequency of the backup? What happens if a backup fails? Security: Who has access to the computing environment (logically or physically)?
  32. Disaster Recovery: Where are the backup locations in the event of a disaster? How is the disaster recovery program tested? Environmental Controls: What are the requirements for monitoring of environmental controls? A Service Level Agreement is a KEY document to maintain compliance with a SaaS provider.
  33. Formal Agreements (e.g. SLAs) in Place with Cloud Providers to include: Security/Incident/Problem/Change Mgt.; Back-up Recovery/Business Continuity; Periodic Review/Monitoring. Interface Management: Ensuring alignment of Cloud Providers/Consumers control processes.
  35. References: 1. NIST Special Publication 500-293, US Government Cloud Computing Technology Roadmap, Volume I, Release 1.0 (draft), High-Priority Requirements to Further USG Agency Cloud Computing Adoption, November 2011. 2. NIST Special Publication 800-145, The NIST Definition of Cloud Computing, September 2011. 3. VMWare (‐machine.html). 4. Federal Cloud Computing Strategy, The White House, February 8, 2011.
  36. Chris Wubbolt, BS, MS, Principal Consultant, QACV Consulting, LLC, 3242 Regal Road, Bethlehem, PA 18020 USA. www.QACVConsulting.com. Telephone: 610-442-2250. E-mail: chris.wubbolt@QACVConsulting.com. John Patterson, MSE, Executive Director – Compliance; Manufacturing, Supply Chain IT; Merck & Co., 1 Merck Drive, Whitehouse Station NJ 08889. Telephone: 908-423-5675. E-mail: