Developing a Risk-Based Cloud Strategy

(1)

23rd April 2015, Chertsey 1

Developing a Risk-Based Cloud Strategy

Trevor Simmons, ZigZag Associates Ltd

(2)


Introductions

• Tell us briefly

– Who you are

– Who you work for

– What experience you and/or your organisation have had with Clouded data/applications

• Non-GxP?

• Low Risk?

• High Risk?

(3)


Background

• Cloud Computing is here to stay

– Recognised by the regulators

– Of some concern to the regulators

• The question is no longer whether to Cloud

• The questions are

– What to Cloud?

– Who to Cloud with?

• Organisations need to develop a Cloud Strategy

(4)


Discussion

• How has Cloud worked out for you?

– How much have you Clouded?

– What have you Clouded?

– What sort of Cloud models are you using?

– What problems have you encountered?

(5)

Exercise Overview

• Let’s review the capabilities of five different cloud services providers

– Look at the business requirements for deploying five new platforms / applications

• In five groups, each group will consider a different platform and will define

1. The service model you might look to utilise

2. How the cloud service providers would be assessed

• What questions would you ask / verify?

(6)

Cloud Infrastructure as a Service

• NIST definition

– The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).

(7)

Cloud Platform as a Service

• NIST definition

– The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.

(8)

Cloud Software as a Service

• NIST definition

– The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

(9)

Private Cloud

• NIST definition

– The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.

(10)

Community Cloud

• NIST definition

– The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.

(11)

Public Cloud

• NIST definition

– The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.

(12)

Hybrid Cloud

• NIST definition

– The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between

(13)

Risk Considerations

• GxP Significance

• Data Integrity / Protection

• Protection of Intellectual Property

• General Security / Access Controls

(14)

Platform A – Extranet

• Your regulated company is looking to deploy a new SharePoint platform (document libraries, lists, calendars, work sites etc.)

– Requirements are defined, including

• GxP significant functionality, including a repository for GMP electronic documents, CAPA lists etc.

• Collaborative working with Contract Manufacturers

– Future requirements are undefined, but manufacturing, QA and sales/marketing are all stakeholders in the project

(15)

Platform B – Adverse Events Signal Detection

• Following recent MHRA regulatory enforcement action your regulated company is looking to implement a new AE signal detection platform

– Needs to analyse data from multiple databases including manufacturing records, CAPA records, complaints, AERS and social networking sites

– You have a team of requirements analysts ready to start work with a technical development team and the project will be managed by your own IT department

– Requirements are defined but no COTS solution will

(16)

System C – Enterprise Resource Planning

• Your regulated company is soon to begin manufacturing your first parenteral product with very specific and complex QA release, identification and storage requirements

• As a small start-up you have limited funds to implement a new ERP system

• A number of commercial ERP systems can be configured to meet your requirements

– The traditional route of working with a system integrator and hosting internally looks expensive

(17)

System D – Clinical Data Warehouse

• Your regulated company is struggling to analyse data from across multiple clinical trials

• It has been decided to implement a new clinical trials data warehouse based on CDISC standards with a suite of analytical tools

• Your review of the market has identified two potential vendors with COTS products

– Vendor 1 has a very professional data centre and a SaaS solution, but will not modify their SaaS solution to meet your specific process workflow requirements

– Vendor 2 also cannot meet your specific workflow needs ‘out-of-the-box’ but has a suite of development tools and PaaS offering which you can use to extend their solution. However, they have no IaaS or SaaS offering.

(18)

System E – CRM System

• Your medical devices company sells diagnostic instruments and consumables aimed at the home care market and is starting to provide patient care services as part of a new revenue generation plan

• You need a new CRM system for the new patient care division to manage

– Traditional sales call management

– Sample management

– Call centre (including complaints management)

– Patient records

• You have identified three CRM systems that can be configured to meet your needs, but they are the most expensive on the market

(19)

Your Mission...

• Get into a like-minded group to discuss a system / challenge that interests you

• Discuss how Cloud can be leveraged as part of your solution

– Think about how you will assess potential Cloud service providers

– What you will ask / check

• Consider the following 5 Cloud Service Providers

(20)

Remember

• As the ‘consumer’ you can look to any Cloud service model you like

– On-Premise or Off-Premise

– IaaS, PaaS or SaaS

– Private, Community, Public or Hybrid

• Your model could leverage more than one Provider

• Cost savings are an objective

– Off-Premise generally has lower investment costs than On-Premise

– Private is more expensive than Community and both are more expensive than Public

(21)

Cloud Service Provider 1

• Internal IT department within the regulated company

• Fully compliant IT quality management system, with trained staff and all IT infrastructure is fully qualified

• Already managing a number of highly critical, validated GxP significant applications

• Limited experience with virtualised infrastructure and no formal experience with Cloud

(22)

Cloud Service Provider 2

• External Infrastructure-as-a-Service cloud services provider

• Specialise in providing services to the regulated industries

• Fully compliant IT quality management system, trained staff and all IT infrastructure is fully qualified

• Significant experience with virtualised infrastructure and a good track record in providing Infrastructure-as-a-Service to other life sciences companies

• Broad technical knowledge of most mainstream technologies and platforms

(23)

Cloud Service Provider 3

• External Infrastructure-as-a-Service and Platform-as-a-Service cloud services provider

– Provide a broad range of software development tools, utilities and libraries as PaaS

– Capable of supporting developed applications using their own Infrastructure-as-a-Service solutions

• Do not specialise in supporting life sciences customers

– Staff have no GxP training

– IT infrastructure is not formally qualified

• Their IT quality management system is not based on any defined standard

• Limited experience deploying technology other than their own

(24)

Cloud Service Provider 4

• External Infrastructure-as-a-Service and Software-as-a-Service cloud services provider

• Sell fully configurable versions of an ERP, CRM and EDMS application

• Also provision 3 applications as SaaS

– ERP with no configuration flexibility

– CRM with limited configuration flexibility

– EDMS with significant configuration flexibility

• Do not focus on Life Sciences industry

• Very professional, secure data centre with accredited IT QMS and security

– Staff have no GxP training

(25)

Cloud Service Provider 5

• External IaaS, PaaS and SaaS cloud services provider

– Provide a broad range of software development tools, utilities and libraries as PaaS

– Capable of supporting developed applications using their own Infrastructure-as-a-Service solutions

– Provision a range of SaaS, developed using their own tools, including

• CRM with no configuration flexibility

• EDMS with no configuration flexibility

• Do not focus on Life Sciences industry

– But can provision separate Test/QA instance at additional cost

• New data centre

– No IT QMS

– Staff have no documented training

(26)


Feedback

• Each group to provide feedback

– What working assumptions did you make?

– What Cloud model(s) did you go for?

• If any…

– What were the things you considered?

– What questions would you have asked?

(27)


Discussion

• What are the issues to consider when developing a Cloud Strategy?

• Where do the following fit in?

– Functional risk

– Data integrity

– Different Cloud models

– The ability to conduct assessments / audits

– The role of ‘preferred provider’

(28)


References
