
(1)

Regulatory Considerations for Use of Cloud Computing and SaaS Environments

Institute of Validation Technology Conference: Qualifying and Validating Cloud and Virtualized IT Infrastructure

Philadelphia, PA, 21-August-2012

Chris Wubbolt, BS, MS

John Patterson, MSE

(2)

Challenges / Definitions

Historical Perspective

Regulatory Requirements for computing service providers

Paradigm Shift: Software Vendors to Software-as-a-Service Providers

Qualification / Validation of hosted applications

Key Risk Areas

(3)

Challenges Faced by Consumers Contemplating Cloud Computing Adoption Include [1]:

Policy

Technology

Guidance

Security

Standards

(4)

Cloud computing is still in an early deployment stage, and standards are crucial to increased adoption.

Urgency is driven by rapid deployment of cloud computing in response to financial incentives.

Strategically, there is a need to augment standards and to establish additional security, interoperability, and portability standards:

to ensure cost-effective and easy migration,

to ensure that mission-critical requirements can be met, and

to reduce the risk that sizable investments may become prematurely technologically obsolete.

(5)

Cloud Computing [2]

Virtual Machines [3]

Infrastructure as a Service (IaaS) [2]

Platform as a Service (PaaS) [2]

Software as a Service (

(6)

Public Cloud [2] - The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.

Private Cloud [2] - The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.

(7)

A virtual machine is a tightly isolated software container that can run its own operating systems and applications as if it were a physical computer. A virtual machine behaves exactly like a physical computer and contains its own virtual (i.e., software-based) CPU, RAM, hard disk and network interface card (NIC).

(8)

The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run software, which can include operating systems and applications.

The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).

(9)

The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider.

The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.

(10)

The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure.

The apps are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or program interface.

The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

(11)
(12)
(13)

GxP Electronic Recordkeeping Controls

Qualified Infrastructure

Standard Operating Procedures

Trained Personnel (including IT)

Validated Applications

Record Integrity

Record Availability

Record Retention

(14)

Electronic Recordkeeping

Record Integrity

Record Availability

Record Retention

Recordkeeping Compliance Program

Backup and Restore

SOPs

Validation

Problem Reporting

Business Continuity

Disaster Recovery Plan

Infrastructure Qualification

Record Retention Policy

Security Program

Training

Archival

(15)

Pharma A

Data Center Inc

GxP Electronic Recordkeeping Controls

Qualified Infrastructure

Trained Personnel (including IT)

STILL NEED

Qualified Infrastructure

Validated Applications

STILL NEED

(16)

A computerised system is a set of software and hardware components which together fulfill certain functionalities

Applications should be validated

IT infrastructure should be qualified

Hardware and software such as networking software and operation systems which makes it possible for the application to function

Risk Management

Extent of validation and data integrity controls - patient safety, data integrity, product quality

(17)

Suppliers and Service Providers

Formal Agreements required to include clear statements of responsibilities

Provide, Configure, Modify, Validate

Install, Integrate, Maintain, Retain

IT departments should be considered analogous

(18)

GxP Electronic Recordkeeping Controls

Qualified Infrastructure

Standard Operating Procedures

Trained Personnel (including IT)

Validated Applications

(19)

Software Vendor

Quality System

SLC Processes

Customer Support

Typically not directly regulated or inspected by regulatory agencies.

Audited by clients for adherence to standards.

Quality of SLC Documentation, Testing, etc. varies considerably for each vendor.

Sponsor responsible for installation, validation, and electronic recordkeeping controls at sponsor location.

(20)

Electronic Recordkeeping Compliance Program

Backup and Restore

SOPs

Problem Reporting

Business Continuity

Validation

Infrastructure Qualification

Disaster Recovery Plan

Record Retention Policy

Security Program

Training

Archival

(21)

Electronic Recordkeeping Compliance Program SOP: SOPs; Validation; Infrastructure Qualification; Security Program; Training; Problem Reporting; Business Continuity Plan; Record Retention Policy

Electronic Recordkeeping Compliance Program SOP: SOPs; Validation / SDLC; Infrastructure Program; Security Program; Training; Backup and Restore; Problem Reporting; Business Continuity; Disaster Recovery Plan; Record Retention Policy; Archival

(22)

Validation

SOPs

SDLC Methodology

User Requirements Specification

Functional Specification

Configuration

User Acceptance Testing (Performance Qualification)

Installation (IQ)

System Testing (Operational Qualification)

Traceability

System Release to Customer

System Acceptance

(23)

Specifications

Not complete

Not updated periodically after changes

Test Records

Not pre-approved

Results not reviewed by second person

Integrity of test results

No approved summary reports

Release Management

(24)

Test Record Integrity

Results typed into Word document or Excel spreadsheet

No failures documented

Test dates and times do not correlate

(25)

Software Vendor

Quality System

SLC Processes

Customer Support

Validation

Hosted Environment

Record Keeping Controls

Typically not directly regulated or inspected by regulatory agencies.

Audited by clients for adherence to standards.

Quality of SLC Documentation, Testing, etc. varies considerably for each vendor.

Sponsor responsible for installation, validation, and electronic recordkeeping controls at sponsor location.

Hosted Environment is used for a direct GxP function (record keeping) and is more likely to be inspected by regulatory agencies.

Audited by clients for adherence to standards (GxP, Part 11).

Quality of SLC Documentation, Testing, etc. varies considerably for each vendor.

SaaS provider responsible for some aspects of installation, validation, and electronic recordkeeping

(26)

This could now be the documentation used to support your validation effort!

Make sure you understand (and audit) your SaaS Service Provider's Validation/Qualification Procedures and Documentation

(27)

SAS 70 / SSAE-16

Internationally recognized financial auditing standard developed by the AICPA

SAS 70 was replaced by SSAE-16 in June 2011

There is no SAS 70 / SSAE-16 certification

There is no list of published SAS 70 / SSAE-16 standards

(28)

SAS 70 / SSAE-16

Requires a description of controls and attestation of controls by management

CPA firms issue Type I (design) and Type II (design and effectiveness) reports

Neither SAS 70 nor SSAE-16 discusses qualification or validation of network infrastructure

(29)

A SAS 70 Report by itself may not be sufficient to assure regulatory requirements are being met.

(30)

System Unavailable

System Down

Connection Problems

Data Center Disaster

Legal / Contractual Disputes

Make sure your Business Continuity Plans are established.

Be sure your legal contracts are carefully constructed and reviewed.

(31)

Change Control

In a shared environment with multiple customers, how are hardware or software platform changes communicated or approved?

How are application upgrades handled?

Backups

What is the frequency of the backup?

What happens if a backup fails?

Security

Who has access to the computing environment (logically or physically)?

(32)

Disaster Recovery

Where are the backup locations in the event of a disaster?

How is the disaster recovery program tested?

Environmental Controls

What are the requirements for monitoring of environmental controls?

A Service Level Agreement is a KEY document to maintain compliance with a SaaS provider.

(33)

Formal Agreements (e.g. SLAs) in Place with Cloud Providers to include:

Security/Incident/Problem/Change Mgt.

Back-up Recovery/Business Continuity

Periodic Review/Monitoring

Interface Management

Ensuring alignment of Cloud Providers/Consumers control processes

(34)
(35)

1. NIST Special Publication 500-293, US Government Cloud Computing Technology Roadmap, Volume I, Release 1.0 (draft), High-Priority Requirements to Further USG Agency Cloud Computing Adoption, November 2011

2. NIST Special Publication 800-145, The NIST Definition of Cloud Computing, September 2011

3. VMWare (http://www.vmware.com/virtualization/virtual-machine.html)

4. Federal Cloud Computing Strategy, The White House, February 8, 2011

(36)

Chris Wubbolt, BS, MS

Principal Consultant

QACV Consulting, LLC

3242 Regal Road

Bethlehem, PA 18020 USA

Telephone: 610-442-2250

E-mail: [email protected]

www.QACVConsulting.com

John Patterson, MSE

Executive Director - Compliance; Manufacturing, Supply Chain IT; Merck & Co.

1 Merck Drive

Whitehouse Station NJ 08889

Telephone: 908-423-5675

E-mail: [email protected]
