Regulatory Considerations for Use of Cloud Computing and SaaS Environments
DESCRIPTION
In this presentation from IVT's Qualifying and Validating Cloud and Virtualized IT Infrastructures, Chris Wubbolt and John Patterson focus on current trends in cloud computing environments, including aspects of cloud computing and Software-as-a-Service (SaaS) providers that may be of interest to US Food and Drug Administration investigators during an FDA inspection. Important compliance related points to consider for software vendors as they shift to becoming SaaS providers are discussed. The presentation also reviews the pros and cons of cloud computing from a business and compliance perspective, including differences between traditional computing environments and private/public clouds. Examples of issues to consider when using cloud computing environments and SaaS providers are also discussed.
TRANSCRIPT
Regulatory Considerations for Use of Cloud Computing and SaaS Environments
Institute of Validation Technology Conference
Qualifying and Validating Cloud and Virtualized IT Infrastructure
Philadelphia, PA, 21-August-2012
Chris Wubbolt, BS, MS
John Patterson, MSE

Challenges / Definitions
Historical Perspective
Regulatory Requirements for computing service providers
Paradigm Shift: Software Vendors to Software-as-a-Service Providers
Qualification / Validation of hosted applications
Key Risk Areas

Challenges Faced by Consumers Contemplating Cloud Computing Adoption Include: [1]
Policy
Technology
Guidance
Security
Standards

Cloud computing is still in an early deployment stage, and standards are crucial to increased adoption. Urgency is driven by rapid deployment of cloud computing in response to financial incentives. Strategically, there is a need to augment standards and to establish additional security, interoperability, and portability standards:
to ensure cost-effective and easy migration,
to ensure that mission-critical requirements can be met, and
to reduce the risk that sizable investments may become prematurely technologically obsolete.

Cloud Computing [2]
Virtual Machines [3]
Infrastructure as a Service (IaaS) [2]
Platform as a Service (PaaS) [2]
Software as a Service (SaaS) [2]

Public Cloud [2] - The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.
Private Cloud [2] - The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.

A virtual machine is a tightly isolated software container that can run its own operating systems and applications as if it were a physical computer. A virtual machine behaves exactly like a physical computer and contains its own virtual (i.e., software-based) CPU, RAM, hard disk and network interface card (NIC).

The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run software, which can include operating systems and applications.
The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).

The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider.
The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.

The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure.
The apps are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or program interface.
The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

GxP Electronic Recordkeeping Controls
Qualified Infrastructure
Standard Operating Procedures
Trained Personnel (including IT)
Validated Applications
Record Integrity
Record Availability
Record Retention

[Diagram] Electronic Recordkeeping: Record Integrity, Record Availability, Record Retention
Elements: Recordkeeping Compliance Program, SOPs, Validation, Infrastructure Qualification, Security Program, Training, Backup and Restore, Problem Reporting, Business Continuity, Disaster Recovery Plan, Record Retention Policy, Archival

[Diagram] Pharma A / Data Center Inc
STILL NEED: GxP Electronic Recordkeeping Controls, Qualified Infrastructure, Standard Operating Procedures, Trained Personnel (including IT), Validated Applications

A computerised system is a set of software and hardware components which together fulfill certain functionalities
Applications should be validated
IT infrastructure should be qualified
Hardware and software such as networking software and operation systems which makes it possible for the application to function
Risk Management
Extent of validation and data integrity controls - patient safety, data integrity, product quality

Suppliers and Service Providers
Formal Agreements required to include clear statements of responsibilities
Provide, Install, Configure, Integrate, Modify, Validate, Retain, Maintain
IT departments should be considered analogous

GxP Electronic Recordkeeping Controls
Qualified Infrastructure
Standard Operating Procedures
Trained Personnel (including IT)
Validated Applications

Software Vendor
Quality System
SLC Processes
Customer Support
Typically not directly regulated or inspected by regulatory agencies.
Audited by clients for adherence to standards.
Quality of SLC Documentation, Testing, etc. varies considerably for each vendor.
Sponsor responsible for installation, validation, and electronic recordkeeping controls at sponsor location.

[Diagram] Electronic Recordkeeping Compliance Program
Elements: SOPs, Validation, Infrastructure Qualification, Security Program, Training, Backup and Restore, Problem Reporting, Business Continuity, Disaster Recovery Plan, Record Retention Policy, Archival

[Diagram] Electronic Recordkeeping Compliance Program (shown in two panels)
Elements: SOPs, Validation, Validation / SDLC, Infrastructure Qualification, Infrastructure Program, Security Program, Training, Backup and Restore, Problem Reporting, Business Continuity, Business Continuity Plan, Disaster Recovery Plan, Record Retention Policy, Archival

[Diagram] Validation (shown in two panels)
Elements: SOPs, SDLC Methodology, User Requirements, User Requirements Specification, Functional Specification, Configuration, Installation (IQ), System Testing (Operational Qualification), User Acceptance Testing (Performance Qualification), Traceability, System Release to Customer, System Acceptance

Specifications
Not complete
Not updated periodically after changes
Test Records
Not pre-approved
Results not reviewed by second person
Integrity of test results
No approved summary reports
Release Management

Test Record Integrity
Results typed into Word document or Excel spreadsheet
No failures documented
Test dates and times do not correlate

Software Vendor
Quality System, SLC Processes, Customer Support
Typically not directly regulated or inspected by regulatory agencies.
Audited by clients for adherence to standards.
Quality of SLC Documentation, Testing, etc. varies considerably for each vendor.
Sponsor responsible for installation, validation, and electronic recordkeeping controls at sponsor location.

Quality System, SLC Processes, Customer Support, Validation, Hosted Environment, Record Keeping Controls
Hosted Environment is used for a direct GxP function (record keeping) and is more likely to be inspected by regulatory agencies.
Audited by clients for adherence to standards (GxP, Part 11).
Quality of SLC Documentation, Testing, etc. varies considerably for each vendor.
SaaS provider responsible for some aspects of installation, validation, and electronic recordkeeping controls.

This could now be the documentation used to support your validation effort!
Make sure you understand (and audit) your SaaS Service Provider's Validation/Qualification Procedures and Documentation

SAS 70 / SSAE-16
Internationally recognized financial auditing standard developed by the AICPA
SAS 70 was replaced by SSAE-16 in June 2011
There is no SAS 70 / SSAE-16 certification
There is no list of published SAS 70 / SSAE-16 standards

SAS 70 / SSAE-16
Requires a description of controls and attestation of controls by management
CPA firms issue Type I (design) and Type II (design and effectiveness) reports
Neither SAS 70 nor SSAE-16 discusses qualification or validation of network infrastructure

A SAS 70 Report by itself may not be sufficient to assure regulatory requirements are being met.

System Unavailable
System Down
Connection Problems
Data Center Disaster
Legal / Contractual Disputes
Make sure your Business Continuity Plans are established.
Be sure your legal contracts are carefully constructed and reviewed.

Change Control
In a shared environment with multiple customers, how are hardware or software platform changes communicated or approved?
How are application upgrades handled?
Backups
What is the frequency of the backup?
What happens if a backup fails?
Security
Who has access to the computing environment (logically or physically)?

Disaster Recovery
Where are the backup locations in the event of a disaster?
How is the disaster recovery program tested?
Environmental Controls
What are the requirements for monitoring of environmental controls?
A Service Level Agreement is a KEY document to maintain compliance with a SaaS provider.

Formal Agreements (e.g. SLAs) in Place with Cloud Providers to include:
Security/Incident/Problem/Change Mgt.
Back-up Recovery/Business Continuity
Periodic Review/Monitoring
Interface Management
Ensuring alignment of Cloud Providers/Consumers control processes

1. NIST Special Publication 500-293, US Government Cloud Computing Technology Roadmap, Volume I, Release 1.0 (draft), High-Priority Requirements to Further USG Agency Cloud Computing Adoption, November 2011
2. NIST Special Publication 800-145, The NIST Definition of Cloud Computing, September 2011
3. VMWare (http://www.vmware.com/virtualization/virtual-machine.html)
4. Federal Cloud Computing Strategy, The White House, February 8, 2011

Chris Wubbolt, BS, MS
Principal Consultant
QACV Consulting, LLC
3242 Regal Road
Bethlehem, PA 18020 USA
Telephone: 610-442-2250
E-mail: [email protected]
www.QACVConsulting.com

John Patterson, MSE
Executive Director – Compliance; Manufacturing, Supply Chain IT; Merck & Co.
1 Merck Drive
Whitehouse Station NJ 08889
Telephone: 908-423-5675
E-mail: [email protected]