White Paper
by David Stephenson CTG
Regulatory Compliance Subject Matter Expert February 2014
CTG (UK) Limited, 11 Beacontree Plaza, Gillette Way, Reading, Berkshire RG2 0BS. Phone: +44 (0) 118 975 0877; Fax: +44 (0) 118 931 0249; Mobile: +44 (0) 7891 343814. Registered in England and Wales as Computer Task Group (UK) Limited. Registered Address: 11 Beacontree Plaza, Gillette Way, Reading, Berkshire RG2 0BS. Registration No: 1262284. www.ctg.eu
As enterprises look for innovative ways to save money and increase the trust and value in their information systems, cloud computing has emerged as a potential panacea for meeting computing needs, achieving both cost savings and business objectives. However, as cloud computing continues to grow in importance and gradually evolve, we must understand how best to handle this new era of computing and how to control it in a compliant manner, from a business perspective as well as in terms of compliance and security.
In order to understand better what cloud computing is, we should first look at its definition:
Cloud computing can be defined as: A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
U.S. National Institute of Standards and Technology (NIST)
Cloud computing itself can almost be categorised as a “utility”, where users pay for the service for as long as needed. This model has been adopted by the cloud service providers, and as a result, cloud users pay by CPU cycles measured and by the amount of storage required over time, thus providing major cost savings in the enterprise. However, in order to better manage the cloud, we must understand how it is constructed.
In a nutshell, the cloud is made up of five basic characteristics, offering three service models, and is available in four distinct deployment models. These are illustrated in the diagram below (reproduced here as text):

Cloud Characteristics: On Demand, Measured Service, Resource Pooling, Rapid Elasticity, Broad Network Access
Cloud Service Models: Software as a Service, Platform as a Service, Infrastructure as a Service
Cloud Deployment Models: Private Cloud, Community Cloud, Public Cloud, Hybrid Cloud

Following is a more detailed discussion of the above diagram:
The cloud has much to offer to entice prospective clients. However, we must be cognisant that there will be a corresponding increase in compliance and security risk, depending on the cloud service and deployment model selected.
Cloud Service Models
• Infrastructure-as-a-Service (IaaS)—In the most basic cloud service model, cloud providers offer computers as physical—or more often as virtual—machines and networks. IaaS providers supply these resources on demand from their large pools installed in data centres, with local area networks as part of the offer. For the wide area connectivity, the Internet can be used or, in carrier clouds, dedicated virtual private networks can be configured. To deploy their applications, cloud users then install operating system images on the machines, as well as their application software. In this model, it is the cloud user who is responsible for patching and maintaining the operating systems and application software. (Cloud providers typically bill IaaS services on a utility computing basis, that is, cost will reflect the amount of resources allocated and consumed.)
• Platform-as-a-Service (PaaS)—In the PaaS model, cloud providers deliver a computing platform and/or solution stack typically including operating system, programming language execution environment, database, and web server. Application developers can develop and run their software solutions on a cloud platform without the cost and complexity of buying and managing the underlying hardware and software layers.
• Software-as-a-Service (SaaS)—In this model, cloud providers install and operate application software in the cloud and cloud users access the software from cloud clients. The cloud users do not manage the cloud infrastructure and platform on which the application is running. This aspect eliminates the need to install and run the application on the cloud user’s own computers, simplifying maintenance and support. What makes a cloud application different from other applications is its elasticity. This can be achieved by cloning tasks onto multiple virtual machines at run-time to meet the changing work demand. Load balancers distribute the work over the set of virtual machines. This process is transparent to the cloud user, who sees only a single access point. To accommodate a large number of cloud users, cloud applications can be multi-tenant, that is, any machine serves more than one cloud user organisation.
These Cloud Service Models are presented in four Deployment Models:
• Public Cloud—Applications, storage, and other resources are made available to the general public by a service provider. Public cloud services may be free or offered on a pay-per-usage model. There are limited service providers who own all of the infrastructure at their data centre, and the only access will be through the internet. No direct connectivity is proposed in public cloud architecture.
• Community Cloud—Community cloud shares infrastructure between several organisations from a specific community with common concerns (security, compliance, etc.), whether managed internally or by a third party and hosted internally or externally.
• Hybrid Cloud—Hybrid cloud is a composition of two or more clouds (private, community or public) that remain unique entities but are bound together, offering the benefits of multiple deployment models.
Cloud Compliance Cube
These risks can be described as:
• Data location—Regardless of the deployment model selected, customers may not know the physical location of the server used to store and process their data and applications. The data may reside anywhere.
• Co-mingled data—Many clients will use the same application on the same server concurrently, which may result in the clients’ data being stored in the same data files.
• Cloud security policy/procedure transparency—Some Cloud Service Providers (CSPs) may have less transparency than others when it comes to their current information security policies.
• Cloud data ownership—The CSP may believe they own the data placed in the cloud computing environment that it maintains, and may also require significant service fees for data to be returned to clients if and when a cloud computing services agreement terminates.
• CSP business viability—As cloud computing continues to mature, there will be CSPs going out of business. Clients need to consider the risk and how data and applications can be easily transferred back to the traditional enterprise or to another CSP.
• Record protection for audits—Clients must also consider the availability of data and records if required for audits. Since data may have been co-mingled and migrated among multiple servers located widely apart, it may be possible that the data for a specific point in time cannot be identified.
• Identity and access management (IAM)—Current CSPs may not develop and implement adequate user access privilege controls.
• Penetration detection—Consideration should be given to whether the CSP has a penetration detection system in use. If such a system is in use, it is important to ensure that it has the required sophistication to monitor all cloud computing activities adequately.
• Public cloud server owners’ due diligence—When contemplating transferring critical organisational data to the cloud computing platform, it is important to understand who and where all of the companies are that may touch the enterprise data. This includes not only the CSP, but all vendors that are in the critical
• Disaster recovery—In traditional hosting or co-location sites, customers know exactly where their data is in the event that they need to quickly retrieve them; this is not necessarily the case in the cloud.
In order to address these issues, an understanding of the regulators’ viewpoint is required. We must therefore consider a quote from Robert Tollefsen of the FDA, who said: “regulators are interested in the following when they discover that IT is outsourced”:
• Risks are clearly identified and mitigated
• Data integrity is assured
• Data backup/recovery is in place and tested
• Cybersecurity exists for networked systems
• Contracts exist between clients and providers
• The provider has a quality system
• The provider and client have SOPs: validation, change control, training, etc.
• An audit of the provider has been carried out by the client
In order to comply with these requirements and address the issues above in a highly regulated industry like pharmaceuticals, we need to have a coherent cloud assessment strategy and an ongoing cloud management framework. This can best be achieved by applying the following three steps:
Step 1—Due Diligence
In this step, we need to initially look at the cloud provider’s background, length of time in service, and general approach to security and data, etc. This can best be achieved by following the process flow outlined in the diagram below:
Figure 1—Due Diligence Workflow (reproduced here as text). The flow runs through the following checks in order, each leading to the next when satisfied:
Cloud Provider Track Record → Is the provider aware of the life sciences environment? → Has the provider filled in the Cloud Security Alliance questionnaire? → Does the provider have ISO 27001 certification? → Does the provider use a framework to manage their processes (COBIT, ITIL, etc.)? → Audit Provider → OK? → Risk Assess Capability.
If any check is not satisfied: Consider another provider.
• How long has the provider been supplying IT services?
— New to market
— Long standing provision
• Has the provider worked in the life sciences industry previously?
• Have they worked in both European and U.S. arenas?
• Is the provider aware of the Cloud Security Alliance?
• Have they checked themselves against the questions in the Consensus Assessment Initiative questionnaire?
• Has the provider taken the time to ensure that their security initiatives and processes are of a recognised standard?
• Has the provider taken the time to ensure that their processes follow a proven methodology?
• Audit the provider, using a tool designed for regulatory outsourcing (“GAMP 5”) and for the Cloud, i.e., the CSA Cloud Controls Matrix.
• If the audit of the provider is not acceptable, we may need to look for another provider.
Step 1—Due Diligence; Step 2—Cloud Provider Risk Assessment; Step 3—Ongoing Cloud Compliance Framework
Step 2—Risk Assessment
• Once we have gone through the initial “Due Diligence”, we are faced with a provider that appears to comply with the necessary requirements, and is aware of the intricacies of working in the pharmaceutical arena. We can then move forward and perform a risk assessment, in order to mitigate the issues/risks that we have previously identified.
• If we apply a risk management process similar to that of GAMP 5, we can address the risks in the following manner. We can now move forward, putting our present cloud scenario into these 5 process blocks:
• Stage 1—Initial risk assessment and system impact
— What are the regulatory/business/security risks if data security or data retrieval is compromised?
• Stage 2—Identification of the functions which may impact on patient safety, product quality and data integrity
— What could go wrong (who controls what, is our data safe)?
— Where is our data?
— Who controls the data?
— Who can access our data?
— Can we retrieve our data?
• Stage 3—Perform a functional risk assessment and identify controls
— What controls does the provider have in place?
— Are they adequate?
— Will they put additional controls in place?
— What controls do we put in place?
• Stage 4—Implement and verify appropriate controls
Step 3—Ongoing Cloud Compliance Framework
The strategy above should be carried out with the involvement of all relevant stakeholders within the business, and should be led by someone with knowledge of both the cloud and regulatory expectations.
Once the service has been implemented, we need to ensure that business as usual processes are robust and reporting is adequate, as we may be operating in a scenario where the responsibility and control of the IT processes is in the hands of a third party. Therefore it is imperative to have a coherent and robust framework in place that provides processes within the regulated business aligned to those of the service providers, e.g., change control, configuration management, validation and qualification, etc.
Regular monitoring of the service should be set up, with a focus on the quality of the service and adherence to procedure/process. This monitoring should be backed up by a set of robust operational or service level agreements, with roles and responsibilities, expectations and penalties singled out and understood.
This then provides us with a model for ongoing compliance of our cloud service provision, including monitoring and feedback, but we must also be prepared to rescind our agreement if the cloud service does not meet the agreement, or proves to be too costly. We therefore need to be aware of:
• Contractual penalties
• Management of the cloud provider during the withdrawal period
• Return of data and deletion within the cloud
• How the service required will be managed in-house, or once more outsourced to another provider.
Conclusion
From the above methodology, it can be seen that selection, control and management of cloud provision can be brought into a compliant state, as long as we follow a defined framework or lifecycle. The onus is on the company who is contemplating using cloud services to carry out the due diligence required, to assess the risk and potential impact of using the service (in terms of regulatory, security and business risk), and finally to set up a mutually managed interface with the supplier. The relationship should be backed up by clearly defined contractual clauses that can then be used to ensure service performance and compliance with regulatory requirements.
An important closing thought: A supplier of cloud services may create competitive advantage in a regulatory compliant industry, if they adopt these compliance approaches and demands in the set-up of their facilities and services.
David Stephenson is a highly experienced Computer Systems Validation Consultant, with detailed knowledge of Computer System Validation and particular expertise in IT Infrastructure. He was a member of the GAMP Special Interest Group that was responsible for authoring the Good Practice Guide for Infrastructure Compliance. David is presently the Regulatory Compliance Subject Matter Expert for CTG.
Currently in his role, David is looking into cloud solutions and the synergy between data management/protection standards and the requirements of the regulated industries.