This document debunks 7 common myths about validating software-as-a-service (SaaS) applications in a regulated environment. It explains that cloud providers can securely store data in specific geographic locations and use encryption. It also argues that virtual servers can be validated through traceable IDs and documented system development processes. Further, pre-validated multi-tenant systems and vendor-managed updates may not require revalidation if changes are properly tested and controlled. The document aims to demonstrate that SaaS applications can meet regulatory requirements if the appropriate security, documentation and change controls are implemented and audited.

1. GxP Validation In The
Cloud
Debunking The Most Popular Myths To Validating
SaaS Apps In A GxP Environment
By: Ed Morris, The Morris Group, LLC

2. Ed Morris, Managing Member
The Morris Group, LLC
2
• Twenty plus years consulting to Life Sciences clients related to regulatory compliance (21 CFR Part 210/211,
820, PDMA, GAMP, 21 CFR Part 11) Core expertise in system implementation and validation as well as data
management and analytics. Hands-on experience with validation strategy and IT governance related to new
architectures including Cloud, SaaS and SOA based systems. IT Quality Assurance related to Software
Development Lifecycle (SDLC) and change control
• Consulting Services
• Systems Implementation / Validation
• Audits and Assessments
• Remediation
• Technology Evaluation & Selection
• Performance Optimization
• Project Management
• Operational Domains
• Quality Assurance
• Pharmacovigilance
• Clinical Development
• Regulatory Affairs
• Manufacturing / Shop Floor
• Commercial Operations
• Current Projects
• IT Governance / Validation Strategy For Cloud
Based Clinical Data Management Platform
• Network security breach investigation /
remediation
• Clinical Vendor Qualification Audits
• For Cause audits / Root Cause Analysis

3. ZenQMS
3
• Jeff Thomas, Vice President email: jeff@zenqms.com
• ZenQMS offers a robust, affordable cloud-based QMS
• No Seat Licenses, Full access, Straightforward pricing
www.zenqms.com

4. • Software as a Service (SaaS)
Applications Allow For Easier & More
Affordable Implementations.
• Getting to SaaS requires an
understanding of the facts and the myths.
SaaS / Cloud Based Solutions

5. Myth 1:
My data is ‘floating’ around the Internet
5
• High availability gives the illusion that data
is “everywhere”
• Most Tier 1 cloud providers support the
ability to specify a geographic location or
region e.g. by country, state or city.

6. Myth 2:
My Data is Not Secure
6
• Often, cloud providers have multiple layers of security
including network and server based intrusion detection,
antivirus and malware systems.
• Data can be encrypted in-transit and at rest. The
majority of Tier 1 Cloud providers operate HIPAA
specific environments that are separate from the
general public cloud infrastructures

7. Myth 3: Without A Serial Number, a
Server Can’t Be Validated
7
● Traceability
● Virtual Machines should have a traceable
Instance ID
● Focus should be on the Systems Development
LifeCycle (SDLC)
● If SDLC follows GAMP V with a traceable ID, the
system can be considered compliant

8. Myth 4: There’s No Such Thing As A
“Pre-validated” System
• A validated system is less about the infrastructure or where it resides
and more about when it was installed and/or customized
• For instance, if a basic Customer Relationship Management (CRM)
system is installed and configured according to a set of base
requirements, it can be validated in that state.
• Theoretically, an organization can begin using the system provided
no changes are made to the configuration e.g. data fields, screens,
reports.
8

9. Myth 4: There’s No Such Thing As A
“Pre-validated” System (continued)
• Multi-tenant Systems. Execute a full validation of the “core system”
which is available for immediate use by new clients.
• Becomes the Gold Copy
• Any proposed configurations must be assessed for regulatory risk to
determine if additional validation is necessary.
• If so, the client specific user requirements are documented and a UAT
protocol is written and executed. Most user specific validations are
very brief and can be fully executed in just a few weeks.
9

10. Myth 5:
Cloud Providers Cannot Be Audited
• Physical audits of cloud data centers are typically not possible due to
strict premises security controls.
• TMG performs multiple IT QA audits per year. Rarely do they include
a detailed tour of the data center.
• Occasionally, we do make a brief visit to the data center to verify
certain controls such as physical access and fire suppression.
• Maintenance logs including backups, outages, patches and updates
are accessed outside of the data center itself.
1
0

11. Myth 5:
Cloud Providers Cannot Be Audited (cont’d)
• Twenty years ago, data centers were busy places with lots of
activity by operators running printers, loading tapes and launching
jobs. Today, all of those functions have been eliminated or
automated leaving data centers dark with no human presence
whatsoever
• If you were to audit a data center today what would you examine?
There’s just not much to see anymore
• The real audit is done through interviews with key personnel and
documentation reviews.
1
1

12. Myth 6:
I Am Not In Control Of My Data
● Control Vs. Possession?
○ Clients always own their data. It is their intellectual property.
○ The best way to control data is to manage its flow from entry, through
processing, storing, integration and archiving.
● All of this is defined in the SDLC of the given system by
documenting and testing integrations including:
○ Subscribers and Publishers – Unique Identification
○ Data Fields – Transport Mechanism - Encryption
○ Authentication - Boundaries
1
2

13. Myth 7: Automatic Software
Updates Require Re-validation
• Built-in maintenance and updates that come as part
of the subscription are one of the major values of a
SaaS or cloud based system.
• Your Vendor is responsible for change control and
re-validation if necessary
• Check with your vendor to understand frequency of
updates as well as the testing period available.
1
3

14. Review and Discussion
• Myth 1: My Data is ‘floating’ around the Internet
• Myth 2: My Data is Not Secure
• Myth 3: Without A Serial Number, a Server Can’t Be Validated
• Myth 4: There’s No Such Thing as A “Pre-validated” System
• Myth 5: Cloud Providers Cannot Be Audited
• Myth 6: I Am Not In Control Of My Data
• Myth 7: Automatic Software Updates Require Re-validation

15. Contact Information
• Ed Morris
• The Morris Group
• Ed.morris@themorrisgrp.com
• 973 713 2211
• www.themorrisgrp.com
• Jeff Thomas
• ZenQms
• jeff@zenqms.com
• 267 672 8999
• www.zenqms.com