Operating in the Cloud – Compliance Challenges
Chris Reid, Integrity Solutions Ltd
GAMP Global Steering Committee
ISPE International Board of Directors
Topics
• GAMP Special Interest Group
• Cloud Service Models
• Regulated Company / Regulatory Concern
• Benefits and Risks
• Considerations for Cloud “Management”
Cloud SIG
• Cloud SIG was established early 2013
• Small team representing cross section of large /
small Pharma and cloud service providers
• Goals:
– Ongoing dialogue between GAMP / ISPE and regulators to
understand the challenges of operating in the cloud
– Provide guidance on usage of cloud technologies in
the GxP environment in order to facilitate controlled
adoption by industry
The Problem
• Trends over recent years are challenging us to think of
systems differently (some business driven, some IT driven):
– Outsourcing of IT services
– Virtualisation of systems and applications
– Workplace independent working (anytime, anywhere, any
place, any device ….)
– Bring your own device (BYOD)
– Always and anywhere connected
• Pharma companies are in a pressed financial situation
The Problem
• The amount of information we handle is
exploding – data volume continues to grow
• Need for computing power continues to grow –
consequently the need for IT to continually
manage grows
• Industry is always looking for better, cheaper, and
faster solutions
– Outsourcing to specialised firms who can provide IT
solutions more efficiently
– Leveraging technology to improve information
handling
The Benefits
• Cloud providers offer:
– Extremely fast and flexible solution delivery
– On-demand scalability
– Business continuity solutions
– Easy solutions for backup and archive
• All for a considerably lower cost than
traditional in-house computing solutions
The Cloud Models
• Public Cloud
– Description: Service provider offers services to all
– Risks: Management controls more difficult to assess and
enforce
• Private Cloud
– Description: Cloud structure with own data centre or
dedicated to client
– Risks: Management controls more easily assessed
• Hybrid Cloud
– Description: Uses both public or
– Risks: Depends on scope of public cloud
[Diagram: cloud variants, with increasing scope and risk from
private through hybrid to public]
Other Cloud Considerations
• Multi Tenancy
– Description: Multiple customers share a single application,
even though they only have access to their own data
– Considerations: How is application and data access
controlled?
• Virtualisation
– Description: Emulation of computer hardware and software so
that one or more emulated computers can run in a single
physical environment
– Considerations: Are there any further risks from the virtual
infrastructure layer? Is performance impacted?
Regulatory Consideration
• Global regulators are interested in the growing utilisation of
cloud environments
• Regulators are not averse to cloud computing; like all new “hot
topics”, they need to understand the risks and required controls
• FDA working group on Cloud computing. FDA wants to better
understand:
– What systems are currently outsourced?
– What issues or concerns have come up?
– What resolutions/mitigations were employed?
– Common terminology and definitions for outsourcing IT systems
– What type of systems will be outsourced in the future?
FDA viewpoint
• What are regulators interested in when they discover IT is
outsourced?
– Integrity of the Data is assured
– Risks clearly identified & mitigated
– Client/Provider Contracts
– Provider Quality Systems
– SOPs, validation, change control, training
– Cybersecurity for Networked Systems
– Data Backup/Recovery
– Audits of Providers by FDA/Clients
Bob Tollefsen, FDA
What are the regulatory expectations for Infrastructure,
Applications and Data?
• Global regulations expect:
– Applications should be validated
– IT infrastructure should be qualified
– Data integrity and security must be maintained
• When outsourcing to third parties, accountability for compliance
remains with the regulated company, but compliance controls may be
delegated to others with appropriate management control
• GAMP® and cross industry guides such as ITIL, ISO 27001, IEEE,
ASTM, TickIT and CMMi provide guidance on Application and
Infrastructure Development, Validation / Qualification, Operation,
Support and Retirement
• These basic premises do not change in an outsourced environment,
including cloud; what changes is the chain of command and trust
Risk Considerations
• Examples:
– Outsourcing
• Surrendered control: Risk
• Outsource company has better processes: Risk
– Virtualisation
• If a physical machine fails, VM moves: Risk
– Data in the cloud
• Better disaster recovery protection: Risk
• Data is not on the regulated company’s asset: Risk
Risk Considerations
• Service Provider:
– Responsibility for application management and
performance with the service provider
– Responsibility for security with service provider
– Management of service change or contract exit
– One sided Service Level Agreements
– Service provider business failure
• Choose carefully
The Basic Issue
[Diagram: Business Need -> Solution]
Cloud is here to stay …..
The EFPIA has selected software firm Solidsoft for its
anti-counterfeit European Medicines Verification System (EMVS),
powered by Microsoft's cloud-based platform Windows Azure.
Security – Differing levels of importance: Public vs. Private Cloud
Providers
[Bar chart comparing Private and Public providers on two questions
(bar values 51%, 43%, 35%, 29%):]
• How confident are you that cloud applications and resources
supplied by your organisation are secure?
• How important is security for meeting your organization’s IT and
data processing objectives?
These questions were answered by 127 cloud offering providers.
Differing levels of risk mitigation and emphasis were surveyed from
Public Cloud Providers.
Availability
Highly Publicised Outages
• Lightning strike AWS Dublin – 08 Aug 2011
• Azure Leap year issue – 29 Feb 2012
• Netflix streaming down (AWS) – 24 Dec 2012
• Azure SSL Certificate issue – 22 Feb 2013
Crawley, 25th April 2013
Security
• Main concern with cloud solutions, especially multi-tenant
• Security can be established at many levels:
– Physical
– O/S / Network / Virtualisation
– Application
– D/B
• Depending on the selected model, your organisation may still be
in control of several layers
Due-Diligence
Certifications obtained by Amazon (AWS) / Microsoft (Azure),
per-provider marks as shown on the slide:
• SOC1/SSAE 16/ISAE 3402
• SOC2
• ISO/IEC 27001:2005
• PCI DSS Level 1
• FISMA, DIACAP and FedRAMP
• ITAR
• FIPS 140-2
• EU Model Clause/Safe Harbor
• HIPAA
• MPAA
(one entry is marked “✔ via BAA”)
SLA and Contracts
Azure Tier Enterprise Support
Industry Standards - Security in the Cloud
• Compliance
– Audit Planning, Independent Audits, Third Party
Audits
– Contact / Authority Maintenance
– Information System Regulatory Mapping
– Intellectual Property
c/o Cloud Security Alliance
Industry Standards - Security in the Cloud
• Data Governance
– Ownership / Stewardship
– Classification
– Handling / Labelling / Security Policy
– Retention Policy, Secure Disposal
– Information Leakage, Risk Assessments
c/o Cloud Security Alliance
Industry Standards - Security in the Cloud
• Facility Security
– Policy, User Access, Controlled Access Points
– Secure Area Authorization, Unauthorized Persons
Entry
– Off-Site Authorization, Off-Site Equipment
– Asset Management
• Human Resources Security
– Background Screening, Employment Agreements
& Termination
c/o Cloud Security Alliance
Industry Standards - Security in the Cloud
• Information Security
– Management Program, Management Support / Involvement
– Policy, Baseline Requirements
– User Access Policy, User Access Restriction / Authorization
– User Access Revocation, User Access Reviews
– Training / Awareness, Industry Knowledge / Benchmarking
– Roles / Responsibilities, Management Oversight
– Segregation of Duties, User Responsibility
– Workspace, Encryption, Encryption Key Management
– Vulnerability / Patch Management, Anti-Virus / Malicious Software
– Incident Management, Incident Reporting
– Incident Response Legal Preparation, Incident Response Metrics
– Acceptable Use, Asset Returns, eCommerce Transactions
– Audit Tools Access, Diagnostic / Configuration Ports Access
– Network / Infrastructure Services, Portable / Mobile Devices
– Source Code Access Restriction, Utility Programs Access
c/o Cloud Security Alliance
Industry Standards - Security in the Cloud
• Legal
– Non-Disclosure Agreements
– Third Party Agreements
• Operations Management
– Policy, Documentation,
– Capacity / Resource Planning
– Equipment Maintenance
• Risk Management
– Program, Assessments, Mitigation / Acceptance
– Business / Policy Change Impacts, Third Party Access
• Release Management
– New Development / Acquisition, Production Changes
– Quality Testing, Outsourced Development
– Unauthorized Software Installations
c/o Cloud Security Alliance
Industry Standards - Security in the Cloud
• Resiliency
– Business Continuity Planning, Business Continuity Testing
– Environmental Risks, Equipment Location
– Equipment Power Failures, Power / Telecommunications
• Security Architecture
– Customer Access Requirements
– User ID Credentials, Data Security / Integrity
– Application Security, Data Integrity
– Production / Non-Production Environments
– Remote User Multi-Factor Authentication
c/o Cloud Security Alliance
Outsourcing Lifecycle
• Phase 1: Business Case
– Benefits and Risk Analysis
• Phase 2: Specification & Selection
– Specification
– Planning
– Selection
• Phase 3: Implementation
– Implementation
– Contract
– Transition
• Phase 4: Monitor
– Service & Contract Management
• Phase 5: Change
– Change Management
– Exit Management
Supporting Regulatory Inspection
• Information required during an inspection will be held by the
service provider:
– Design documentation
– Configuration information
– Standards, Processes
– Records
• Client company is still “accountable”, not the outsource company
• How will the outsource organisation be engaged during an
inspection?
• FDA may inspect outsourced service providers in the future???
Conclusions (1)
• Cloud computing is here to stay and brings clear
benefits to industry
• The main issue around cloud is delegation of
responsibilities and the need to ensure that service
providers have appropriate controls in place
• Application validation and infrastructure qualification
requirements remain in principle but we may need to
be more innovative in the way we assure controls
• Industry already working towards Cloud Computing
standards, there is no business sense in cloud failures
• As with all industry innovation, there will be regulatory
interest until maturity is demonstrated
Conclusions (2)
• The ability to influence, evaluate and monitor
the performance of the service provided is
important
• GAMP promotes leveraging of supplier effort to
reduce the compliance burden on industry,
with appropriate controls in place there is no
reason why Cloud service providers cannot
support this
Acknowledgements
• Some slides have been leveraged from
QUMAS Ireland following their presentation to
GAMP UK.
• Some slides have been taken from ISPE GAMP
Cloud SIG