Regulated Applications in the Cloud
Aspects of Security and Validation
Keith Williams
CEO
Statement on the Cloud and Pharma’s added Complexity
• “Clouds already make sense for many small and medium-size businesses, but technical, operational and financial hurdles will need to be overcome before clouds will be used extensively by large public and private enterprises. Rather than create unrealizable expectations for “internal clouds”, CIOs should focus now on the immediate benefits of virtualizing server storage, network operations, and other critical building blocks”.
• For Pharma and Life Sciences you can add ‘Quality, Compliance, Validation, Security and Regulatory Hurdles’ to that list…
Identifying, assessing and mitigating the risks of hosting GxP-Regulated applications in the cloud
Risks
• Data/Information Security (VPN and Encryption)
• Platform and application architecture (e.g. Multi-tenancy)
• Providers don’t understand Pharma security and regulatory requirements
• Providers will have an emphasis that suits them as a business
• Private vs Public clouds (different levels of security)
• Continuity of service (especially internet access at customer end)
• Data migration problems when changing the cloud provider (security validation etc.)
• Performance (bandwidth) - what happens at client side?
• User’s privacy leading to breaches of Identity Management - who is accessing
• Data Privacy Legislation
• You can’t always audit the specific ‘physical’ site where your data is being kept
Qualification and Validation can help to mitigate these risks, and provide auditable evidence of how this has been done.
Security - Differing levels of importance, Public vs Private Cloud providers
These questions answered by 127 Cloud offering providers
Differing levels of risk mitigation and emphasis surveyed from Public Cloud Providers
Some elements of Best Practice to consider for security risk mitigation
• VM-level security
• Multi-layered defence
• Patch management
• Data protection and encryption
• Regulatory compliance
“Qualifying” a cloud-based environment versus “Validating” an application in a regulatory framework.
• “The application should be validated; IT infrastructure should be qualified.” (EU GMP Annex 11, 2011)
• GAMP© (Good Automated Manufacturing Practice) provides guidance on Infrastructure Qualification, as well as validation of applications
• Typical Qualification documents include Specifications, IQ documentation scripts, plans and reports, agreements with service providers, operational procedures, etc.
• Infrastructure Qualification documents are still needed when a regulated / validated application is hosted in a cloud environment
• The need for Validation of the application does not change, wherever the application may be installed
Some component and provider examples in the Software Platform Infrastructure Model
Who should do what for a GxP Hosted Application?
Service | Components | GAMP© Category | What to do? | Who?
IaaS | Hardware, Internet Connectivity, Power, Servers, Storage and RAM, VMWare, Hyper-V | 1 | Qualify and manage infrastructure. Audit procedures. | Infrastructure Vendor (IV); Platform Vendor (PV); Application Vendor (AV) or Sponsor
PaaS | O/S, Windows Server, SharePoint and SQL | 1 | Qualify the stack. Manage / control ongoing changes. Audit procedures. | PV; AV or Sponsor
SaaS | e.g. x-docs™ | 3/4 | “Validate” the hosted application. URS and UAT | AV
A QA Perspective on ‘Pharma Cloud’ Validation
• GxP applications will still need to be validated if/when hosted in cloud environments
• If you have data privacy needs, these should be tested as part of the validation testing and formally documented
• Enhanced validation processes (because the application is in the cloud) should ensure that risks are managed
• IaaS currently offers opportunities for easy scale-up of ‘Development and Test Environments’
• The more the IaaS vendors (IV) understand Pharma requirements, the more their infrastructure can be qualified for ‘Production’ uses as well
• PaaS offers the opportunity to have ‘qualified’ stacks consisting of O/S, middleware and Base Software Platform, ready for applications to be loaded on and configured, from a Platform Vendor (PV)
• There are already SaaS examples where Pharma is using private cloud arrangements and
Practical Experience of Validation in the Pharma Cloud
Use Case 1
(Courtesy of PRISM forum) ‘Cloud computing is exploited as public/private-hybrid, utility-based computing and storage that is ‘scalable on-demand’ and is ‘pay for what you use’.
This pharmaceutical company has many current cloud activities and use cases including: high-performance computing (HPC), external collaboration, scratch storage, back-up and archiving, development/test environments and capital expenditure (CapEx) to operating expenditure (OpEx) transfer.
Project areas include advanced modelling and simulation, image processing and translational medicine. Some specific examples include:
• ascertain final drug clinical dosing models in days rather than months;
• drug clinical dosing models calculated in-house – saves US$350,000 per study by not outsourcing; shorten response time for US Food and Drug Administration (FDA)
• reconstruct a 100 computed tomography (CT)-scan image study in two days rather than 92 days;
• 100,000 molecule file processed in 45 minutes compared with seven hours on a scientist’s local machine;
• in only four months, implement an informatics data warehouse enabling scientists and investigators to research drug and clinical trial information in one location. (Would have taken nine to 12 months internally); and
• reliable storage and rapid retrieval times (currently storing ~20 TB).’
Validation activities as required depending on the stage of the R&D process the cloud activity is addressing and risk
Practical Experience of Validation in the Pharma Cloud
Use Case 2
(Courtesy of PRISM forum) If cloud computing is to be successfully exploited in the regulated domains of the pharmaceutical industry, the pharmaceutical industry and the cloud vendors must work together on a methodology to provide a unified common validation scheme.
Current concepts of computer system validation (CSV) do not work well, e.g., how does one perform an installation qualification (IQ) in the cloud when one does not know the serial number of the machine on which the software will be installed, nor indeed its location?
So we must pay attention to the purpose of the IQ, not to the implementation of the IQ and, by extension, we must consider the purpose of CSV, not just its current practice.
Any task carried out in the regulated domain should have at least the following attributes, whether paper-based or computer-based, in house or in the cloud:
1. non-repudiation;
2. repeatability;
3. audit trail.
The real point here is control of your data, specifically who can access it and what they can do with it (and did to it!) once accessed.
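Added example (not part of the original presentation or the PRISM forum text): one way to serve the purpose of an IQ without a machine serial number is to check the installed artefacts against an approved manifest, which gives the same result on any host (repeatability), and to record who ran the check in a hash-chained audit trail. The manifest, artefact names and actor below are constructed; non-repudiation would additionally need each entry signed with the actor's private key, which is outside this example.

```python
import hashlib
import json

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def run_iq(manifest: dict, installed: dict) -> dict:
    """Check installed artefacts (name -> bytes) against the approved
    manifest (name -> SHA-256). No hardware identifier is consulted."""
    items = {}
    for name, expected in manifest.items():
        if name not in installed:
            items[name] = "MISSING"
        else:
            items[name] = "OK" if sha256(installed[name]) == expected else "MISMATCH"
    for name in set(installed) - set(manifest):
        items[name] = "UNEXPECTED"
    return {"passed": all(v == "OK" for v in items.values()), "items": items}

def _digest(entry: dict) -> str:
    body = {k: v for k, v in entry.items() if k != "hash"}
    return sha256(json.dumps(body, sort_keys=True).encode())

def append_entry(trail: list, actor: str, action: str, detail: dict) -> dict:
    """Append who/what to the trail; each entry commits to the previous one."""
    entry = {"seq": len(trail), "actor": actor, "action": action,
             "detail": detail, "prev": trail[-1]["hash"] if trail else "0" * 64}
    entry["hash"] = _digest(entry)
    trail.append(entry)
    return entry

def verify_trail(trail: list) -> bool:
    """True only if no entry was altered, removed from the middle or reordered."""
    prev = "0" * 64
    for seq, entry in enumerate(trail):
        if entry["seq"] != seq or entry["prev"] != prev or entry["hash"] != _digest(entry):
            return False
        prev = entry["hash"]
    return True

# Constructed sample data: artefact names and contents are placeholders.
APPROVED = {"app.war": sha256(b"approved build"), "schema.sql": sha256(b"approved schema")}
QUALIFIED = {"app.war": b"approved build", "schema.sql": b"approved schema"}
DRIFTED = {"app.war": b"approved build + hotfix", "schema.sql": b"approved schema"}

if __name__ == "__main__":
    trail = []
    for label, instance in (("instance-a", QUALIFIED), ("instance-b", DRIFTED)):
        append_entry(trail, "qa.engineer", "IQ " + label, run_iq(APPROVED, instance))
    print(json.dumps(trail, indent=2), verify_trail(trail))
```

The chain detects edits to recorded entries only if the latest hash is also held somewhere the cloud provider and the application cannot rewrite, such as the sponsor's own quality system.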
Conclusions (Security)
• Risks around security need to be identified, managed and documented
• There is little to differentiate the regulatory and security requirements to manage financial, legal and IP data from what the regulators require of GxP data
• To maximise effectiveness and minimise risk (and ultimately cost), security and privacy must be considered from the outset of any cloud implementation, not after implementation and deployment
• Cloud computing should be approached carefully, with due consideration to the sensitivity of data being managed and its security