Regulatory Considerations for Use of Cloud Computing and SaaS Environments
Institute of Validation Technology Conference
Qualifying and Validating Cloud and Virtualized IT Infrastructure
Philadelphia PA
21‐August‐2012

Chris Wubbolt, BS, MS
John Patterson, MSE

   Challenges / Definitions
   Historical Perspective
   Regulatory Requirements for computing service providers
   Paradigm Shift: Software Vendors to Software‐as‐a‐Service Providers
   Qualification / Validation of hosted applications
   Key Risk Areas

Challenges Faced by Consumers Contemplating Cloud Computing Adoption Include: [1]
   Policy
   Technology
   Guidance
   Security
   Standards

Cloud computing is still in an early deployment stage, and standards are crucial to increased adoption. Urgency is driven by rapid deployment of cloud computing in response to financial incentives. Strategically, there is a need to augment standards and to establish additional security, interoperability, and portability standards:
   to ensure cost‐effective and easy migration,
   to ensure that mission‐critical requirements can be met,
   and to reduce the risk that sizable investments may become prematurely technologically obsolete.

Cloud Computing [2]
Virtual Machines [3]
Infrastructure as a Service (IaaS) [2]
Platform as a Service (PaaS) [2]
Software as a Service (SaaS) [2]

Public Cloud [2] ‐ The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.

Private Cloud [2] ‐ The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.

A virtual machine is a tightly isolated software container that can run its own operating systems and applications as if it were a physical computer. A virtual machine behaves exactly like a physical computer and contains its own virtual (i.e., software‐based) CPU, RAM, hard disk and network interface card (NIC).

The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run software, which can include operating systems and applications.

The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).

The capability provided to the consumer is to deploy onto the cloud infrastructure consumer‐created or acquired applications created using programming languages, libraries, services, and tools supported by the provider.

The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application‐hosting environment.

The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure.

The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web‐based email), or a program interface.

The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user‐specific application configuration settings.

GxP Electronic Recordkeeping Controls
   Qualified Infrastructure
   Standard Operating Procedures
   Trained Personnel (including IT)
   Validated Applications

   Record Integrity
   Record Availability
   Record Retention

Record Integrity
   Electronic Recordkeeping Compliance Program
   SOPs
   Validation
   Infrastructure Qualification
   Security Program
   Training

Record Availability
   SOPs
   Backup and Restore
   Problem Reporting
   Business Continuity
   Disaster Recovery Plan

Record Retention
   SOPs
   Backup and Restore
   Business Continuity
   Disaster Recovery Plan
   Record Retention Policy
   Archival

Pharma A                      Data Center Inc

STILL NEED
   GxP Electronic Recordkeeping Controls
      Qualified Infrastructure
      Standard Operating Procedures
      Trained Personnel (including IT)
      Validated Applications

A computerised system is a set of software and hardware components which together fulfill certain functionalities.
Applications should be validated.
IT infrastructure should be qualified.
   Hardware and software, such as networking software and operating systems, which make it possible for the application to function.
Risk Management
   Extent of validation and data integrity controls – patient safety, data integrity, product quality.

Suppliers and Service Providers
   Formal Agreements required to include clear statements of responsibilities:
      Provide   Configure   Validate   Modify
      Install   Integrate   Maintain   Retain

   IT departments should be considered analogous.

GxP Electronic Recordkeeping Controls
   Qualified Infrastructure
   Standard Operating Procedures
   Trained Personnel (including IT)
   Validated Applications

Software Vendor
   Quality System
   SLC Processes
   Customer Support

   Typically not directly regulated or inspected by regulatory agencies.
   Audited by clients for adherence to standards.
   Quality of SLC Documentation, Testing, etc. varies considerably for each vendor.
   Sponsor responsible for installation, validation, and electronic recordkeeping controls at sponsor location.

   Electronic Recordkeeping Compliance Program
   SOPs
   Validation
   Infrastructure Qualification
   Security Program
   Training
   Backup and Restore
   Problem Reporting
   Business Continuity
   Disaster Recovery Plan
   Record Retention Policy
   Archival

   Electronic Recordkeeping Compliance Program     Electronic Recordkeeping Compliance Program
   SOPs                                            SOPs
   Validation                                      Validation / SDLC
   Infrastructure Qualification                    Infrastructure Program
   Security Program                                Security Program
   Training                                        Training
   Problem Reporting                               Backup and Restore
   Business Continuity Plan                        Problem Reporting
   Record Retention Policy                         Business Continuity
                                                   Disaster Recovery Plan
                                                   Record Retention Policy
                                                   Archival

   Validation                                      Validation
      SOPs                                            SOPs
      User Requirements Specification                 SDLC Methodology
      User Acceptance Testing                         Functional Specification
         (Performance Qualification)                  Configuration
      Traceability                                    Installation (IQ)
      System Acceptance                               System Testing (Operational Qualification)
                                                      System Release to Customer
                                                      Traceability

Specifications
   Not complete
   Not updated periodically after changes
Test Records
   Not pre‐approved
   Results not reviewed by second person
   Integrity of test results
   No approved summary reports
Release Management

Test Record Integrity
   Results typed into Word document or Excel spreadsheet
   No failures documented
   Test dates and times do not correlate

Software Vendor / SaaS Provider
   Quality System
   SLC Processes
   Customer Support
   Hosted Environment
      Validation
      Record Keeping Controls

   Software vendor: typically not directly regulated or inspected by regulatory agencies.
   SaaS provider: Hosted Environment is used for a direct GxP function (record keeping) and is more likely to be inspected by regulatory agencies.
   Audited by clients for adherence to standards (GxP, Part 11).
   Quality of SLC Documentation, Testing, etc. varies considerably for each vendor.
   Software vendor: Sponsor responsible for installation, validation, and electronic recordkeeping controls at sponsor location.
   SaaS provider: responsible for some aspects of installation, validation, and electronic recordkeeping controls.

This could now be the documentation used to support your validation effort!

Make sure you understand (and audit) your SaaS Service Provider's Validation/Qualification Procedures and Documentation.

SAS 70 / SSAE‐16
   Internationally recognized financial auditing standard developed by the AICPA
   SAS 70 was replaced by SSAE‐16 in June 2011
   There is no SAS 70 / SSAE‐16 certification
   There is no list of published SAS 70 / SSAE‐16 standards

SAS 70 / SSAE‐16
   Requires a description of controls and attestation of controls by management
   CPA firms issue Type I (design) and Type II (design and effectiveness) reports
   Neither SAS 70 nor SSAE‐16 discusses qualification or validation of network infrastructure

A SAS 70 Report by itself may not be sufficient to assure regulatory requirements are being met.

System Unavailable
   System Down
   Connection Problems
   Data Center Disaster
   Legal / Contractual Disputes

   Make sure your Business Continuity Plans are established.

   Be sure your legal contracts are carefully constructed and reviewed.

Change Control
   In a shared environment with multiple customers, how are hardware or software platform changes communicated or approved?
   How are application upgrades handled?
Backups
   What is the frequency of the backup?
   What happens if a backup fails?
Security
   Who has access to the computing environment (logically or physically)?

Disaster Recovery
   Where are the backup locations in the event of a disaster?
   How is the disaster recovery program tested?
Environmental Controls
   What are the requirements for monitoring of environmental controls?

   A Service Level Agreement is a KEY document to maintain compliance with a SaaS provider.

Formal Agreements (e.g. SLAs) in Place with Cloud Providers to include:
   Security/Incident/Problem/Change Mgt.
   Back‐up Recovery/Business Continuity
   Periodic Review/Monitoring
Interface Management
   Ensuring alignment of Cloud Providers/Consumers control processes

1. NIST Special Publication 500‐293, US Government Cloud Computing Technology Roadmap, Volume I, Release 1.0 (draft), High‐Priority Requirements to Further USG Agency Cloud Computing Adoption, November 2011
2. NIST Special Publication 800‐145, The NIST Definition of Cloud Computing, September 2011
3. VMWare (http://www.vmware.com/virtualization/virtual‐machine.html)
4. Federal Cloud Computing Strategy, The White House, February 8, 2011

Chris Wubbolt, BS, MS
Principal Consultant
QACV Consulting, LLC
www.QACVConsulting.com
3242 Regal Road
Bethlehem, PA 18020 USA
Telephone: 610‐442‐2250
E‐mail: chris.wubbolt@QACVConsulting.com

John Patterson, MSE
Executive Director – Compliance; Manufacturing, Supply Chain IT; Merck & Co.
1 Merck Drive
Whitehouse Station NJ 08889
Telephone: 908‐423‐5675
E‐mail: john.patterson@merck.com

