The Cloud in Regulatory Affairs - Validation, Risk Management and Chances -


www.cunesoft.com

© 2014 Cunesoft GmbH

Rainer Schwarz – Cunesoft

Holger Spalt – iVigilance

45 min Webinar:

November 14th, 2014

The Cloud in Regulatory Affairs

- Validation, Risk Management and Chances -


Rainer Schwarz – Cunesoft

PART I - INTRODUCTIONS

PART II - Cloud Computing Case Study

Risk Classification, Validation, Quality Checklist


Confidential Information – Do not Distribute


Which of you are already using cloud-based solutions?


You are probably joining this webinar because…

You have heard about cloud benefits

• Economies of scale of a cloud
• Increased operational effectiveness
• Reduced IT maintenance costs / reduced hardware costs
• Immediate availability
• ...

But how can life sciences regulations be achieved in the cloud?

• Are all cloud environments the same?
• Do FDA validation requirements apply to the cloud?
• Can a cloud be maintained in a validated state?
• Can I apply a risk-based validation approach?
• What are the critical risks?
• Can data center certificates substitute for an onsite audit?


Holger Spalt – iVigilance

PART I - INTRODUCTIONS

PART II - Cloud Computing Case Study

Risk Classification, Validation, Quality Checklist


Cloud Terminology Definitions

Risk Assessment and Validation Approach


What is Cloud Computing (CC) ?

• “Hosted / managed IT services” - “Software as a Service” - …

• Definitions developed by the US National Institute of Standards and Technology (NIST), known as NIST SP 800-145 “The NIST Definition of Cloud Computing”

• NIST Cloud Computing Definition: “… a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

• => 5 essential characteristics which should be fulfilled if a service is

5 essential Aspects of CC

Characteristics and descriptions:

• On-Demand Self-Service: A consumer can unilaterally provision computing capabilities, such as computing power or storage, as needed automatically without requiring human interaction with each service provider.

• Broad Network Access: Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, PCs).

• Resource Pooling (Resource Sharing) => Pricing Model (PPU): The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources: storage, processing, and network bandwidth.

• Rapid Elasticity (Scale up & down) => Pricing Model: Capabilities can be elastically provisioned and released, in some cases, automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.

• Measured Service => Pricing Model: Cloud systems automatically control and optimize resource use by leveraging a metering capability, at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts).

Cloud Computing vs. Hosting/ASP

| Characteristics | Cloud Computing | Hosting or ASP |
|---|---|---|
| On-Demand Self-Service | Yes | No |
| Broad Network Access | Yes | Yes |
| Resource Pooling | Yes | No |
| Rapid Elasticity | Yes | No |
| Measured Service | Yes | Yes |

Static

Dyn.

Cloud Categories

• IaaS
• PaaS (Platform as a Svc) = build your own SW
• SaaS (Software as a Svc) = OOTB-SW

Cloud Operator Responsibility (= Value)

Cloud Terminology Definitions

Risk Assessment and Validation Approach

Risk Management using a Risk Management Framework (used for Risk Assessment, Evaluation/Selection, Validation)

Level 1: Control Domains

Level 2: Controls

Level 3: Control Details

Control Domains (17)

| Class | Domain | Acronym |
|---|---|---|
| Management | Risk Assessment | RA |
| Management | Planning | PL |
| Management | System and Services Acquisition | SA |
| Management | Certification, Accreditation, Security Assessments | CA |
| Operational | Personnel Security | PS |
| Operational | Physical and Environmental Protection | PE |
| Operational | Contingency Planning | CP |
| Operational | Configuration Management | CM |
| Operational | Maintenance | MA |
| Operational | System and Information Integrity | SI |
| Operational | Media Protection | MP |
| Operational | Incident Response | IR |
| Operational | Awareness and Training | AT |
| Technical | Identification and Authentication | IA |
| Technical | Access Control | AC |
| Technical | Audit and Accountability | AU |
| Technical | System and Communications Protection | SC |

Control Domains Details

• Access Control (AC): Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise.

• Awareness and Training (AT): Organizations must: (i) ensure that managers and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures related to the security of organizational information systems; and (ii) ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.

• Audit and Accountability (AU): Organizations must: (i) create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and (ii) ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.

• Certification, Accreditation, and Security Assessments (CA): Organizations must: (i) periodically assess the security controls in organizational information systems to determine if the controls are effective in their application; (ii) develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems; (iii) authorize the operation of organizational information systems and any associated information system connections; and (iv) monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.

• Configuration Management (CM): Organizations must: (i) establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles; and (ii) establish and enforce security configuration settings for information technology products employed in organizational information systems.

• Contingency Planning (CP): Organizations must establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for organizational information systems to ensure the availability of critical information resources and ops-continuity in emergency situations.

• Identification and Authentication (IA): Organizations must identify information system users, processes acting on behalf of users, or devices and authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

• Incident Response (IR): Organizations must: (i) establish an operational incident handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities; and (ii) track, document, and report incidents to appropriate organizational officials and/or authorities.

• Maintenance (MA): Organizations must: (i) perform periodic and timely maintenance on organizational information systems; and (ii) provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.

• Media Protection (MP): Organizations must: (i) protect information system media, both paper and digital; (ii) limit access to information on information system media to authorized users; and (iii) sanitize or destroy information system media before disposal or release for reuse.

• Physical and Environmental Protection (PE): Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; (v) provide appropriate environmental controls in facilities containing information systems.

• Planning (PL): Organizations must develop, document, periodically update, and implement security plans for organizational information systems that describe the security controls in place or planned for the information systems and the rules of behavior for individuals accessing the information systems.

• Personnel Security (PS): Organizations must: (i) ensure that individuals occupying positions of responsibility within organizations (including third-party service providers) are trustworthy and meet established security criteria for those positions; (ii) ensure that organizational information and information systems are protected during and after personnel actions such as terminations and transfers; and (iii) employ formal sanctions for personnel failing to comply with organizational security policies and procedures.

• Risk Assessment (RA): Organizations must periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of organizational information.

• System and Services Acquisition (SA): Organizations must: (i) allocate sufficient resources to adequately protect organizational information systems; (ii) employ system development life cycle processes that incorporate information security considerations; (iii) employ software usage and installation restrictions; and (iv) ensure that third-party providers employ adequate security measures to protect information, applications, and/or services outsourced from the organization.

• System and Communications Protection (SC): Organizations must: (i) monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems; and (ii) employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems.

• System and Information Integrity (SI): Organizations must: (i) identify, report, and correct information and information system flaws in a timely manner; (ii) provide protection from malicious code at appropriate locations within organizational information systems; (iii) monitor information system security alerts and advisories and take appropriate actions in response.


Control Details


300+ Controls => Questions => Answers

Cloud Terminology Definitions

Risk Assessment and Validation Approach

Summary

Q: Can a cloud-based regulatory environment be validated (according to FDA standards)?

A: Yes

Q: How?

A: By establishing appropriate Quality Criteria

Benefits of cloud based eCTD system

1. Commercial

• On Demand Subscription – Save (IT) Preparation, Pay Per Use – Pricing Model, No upfront investment – CAPEX free

2. Time to Use

• Available within very short setup period, Pre-configured acc. Best-Practice-Guidelines, Location independence (Anywhere – Anytime)

3. Performance & Software Management

• Automatic Software Updates, Optimized Performance (due to Platform), Metered/Monitored Performance, Constant Backup, Guaranteed Uptime

4. Collaboration

Costs: On-Premises vs. Cloud Computing

Customization & Implementation, Hardware, IT Personnel, Maintenance, Training

On-Premises

Ongoing Costs

- Annual Support & Maintenance Fee
- Training
- Configuration
- Apply Fixes, Patches, Upgrade
- Downtime
- Performance tuning
- Upgrade dependent applications
- Ongoing burden on IT
- Maintain & upgrade network / security / database


Risks for a cloud-based eCTD system

1. Compliance

2. Data Security

3. Service Reliability

Mitigation of Risks

1. Compliance

Without full control over the infrastructure, how can IQ, OQ, PQ validation be completed?

Cloud Provider Responsibilities:

1) Infrastructure provided with full IQ validation
2) Provide OQ, PQ validation scripts and support
3) Support Datacenter Audits
4) Functional compliance such as electronic

Mitigation of Risks

2. Data Security

Limited transparency/control into security elements used by the cloud provider. Risk of possible data breach/theft.

Cloud Provider Responsibilities:

1) Secure connection to the cloud (VPN)
2) System access protection & user management
3) Separate, secure data storage including encryption
4) Data center location (EU data protection act)

Mitigation of Risks

2. Data Security

Limited transparency/control into security elements used by the cloud provider. Risk of possible data breach/theft.

Cloud Provider technical Architecture:

[Figure; recoverable labels: Encrypted customer storage (shown twice)]

Mitigation of Risks

3. Service Reliability

Cloud provider subject to data center outages.

Cloud Provider Responsibilities:

1) Local Data Synchronization (i.e. dropbox concept)
2) Backup Strategy (redundant data center)
3) Detailed Service Level Agreement (SLA)
4) Service Monitoring and Reporting
5) Scalable server sizing & load balancing

Mitigation of Risks

4. Software Management

Without control over the software, the software update process is not transparent/cannot be validated

Cloud Provider Responsibilities:

1) Each customer/tenant has its own Database


Rainer Schwarz - Cunesoft

Holger Spalt – iVigilance

PART I - INTRODUCTIONS

PART II - Cloud Computing Case Study

Risk Classification, Validation, Quality Checklist
