regulatory considerations for use of cloud computing and saas environments

36
Regulatory Considerations for Use of Regulatory Considerations for Use of Cloud Computing and SaaS Environments Institute of Validation Technology Conference Qualifying and Validating Cloud and Virtualized IT Infrastructure Philadelphia PA Chris Wubbolt BS MS Philadelphia PA 21August2012 Chris Wubbolt, BS, MS John Patterson, MSE

Upload: institute-of-validation-technology

Post on 21-Jan-2015

1.996 views

Category:

Health & Medicine


1 download

DESCRIPTION

In this presentation from IVT's Qualifying and Validating Cloud and Virtualized IT Infrastructures, Chris Wubbolt and John Patterson focus on current trends in cloud computing environments, including aspects of cloud computing and Software-as-a-Service (SaaS) providers that may be of interest to US Food and Drug Administration investigators during an FDA inspection. Important compliance related points to consider for software vendors as they shift to becoming SaaS providers are discussed. The presentation also reviews the pros and cons of cloud computing from a business and compliance perspective, including differences between traditional computing environments and private/public clouds. Examples of issues to consider when using cloud computing environments and SaaS providers are also discussed.

TRANSCRIPT

Page 1: Regulatory Considerations for use of Cloud Computing and SaaS Environments

Regulatory Considerations for Use ofRegulatory Considerations for Use of Cloud Computing and SaaS Environments

Institute of Validation Technology ConferenceQualifying and Validating Cloud and Virtualized IT Infrastructure  Philadelphia PA

Chris Wubbolt BS MS

Philadelphia PA 21‐August‐2012

Chris Wubbolt, BS, MS

John Patterson, MSE

Page 2: Regulatory Considerations for use of Cloud Computing and SaaS Environments

h ll /h ll / fi ifi iChallenges / Challenges / DefintionsDefintionsHistorical PerspectiveHistorical PerspectiveRegulatory Requirements for computing service Regulatory Requirements for computing service providersprovidersprovidersprovidersParadigm Shift :  Software Vendors to SoftwareParadigm Shift :  Software Vendors to Software‐‐asas aa ServiceProvidersServiceProvidersasas‐‐aa‐‐Service ProvidersService ProvidersQualification / Validation of hosted applicationsQualification / Validation of hosted applicationsKey Risk AreasKey Risk Areas

2

Page 3: Regulatory Considerations for use of Cloud Computing and SaaS Environments

Challenges Faced by Consumers Contemplating Challenges Faced by Consumers Contemplating CCloud loud CComputing omputing AAdoption Include:doption Include:1

PolicyPolicyTechnologyTechnologyGuidanceGuidanceSecuritySecurityStandardsStandards

3

Page 4: Regulatory Considerations for use of Cloud Computing and SaaS Environments

Cloud Cloud computing is still in an early deployment stage, computing is still in an early deployment stage, and standards are crucial to increased adoption. and standards are crucial to increased adoption. Urgency Urgency is driven by rapid deployment of cloud is driven by rapid deployment of cloud computing in response to financial incentives. computing in response to financial incentives. Strategically, there is a need to augment standards Strategically, there is a need to augment standards and to establish additional security, interoperability, and to establish additional security, interoperability, and portability standards :and portability standards :

to to ensure costensure cost‐‐effective and easy migration, effective and easy migration, to to ensure that missionensure that mission‐‐critical requirements can be met, critical requirements can be met, dd d h k h bld h k h bland and to reduce the risk that sizable investments may to reduce the risk that sizable investments may 

become prematurely technologically obsolete. become prematurely technologically obsolete.  4

Page 5: Regulatory Considerations for use of Cloud Computing and SaaS Environments

Cloud ComputingCloud Computing22

Virtual MachinesVirtual Machines33

InfrastructureInfrastructureas a Serviceas a Service ((IaaSIaaS))22Infrastructure Infrastructure as a Service as a Service ((IaaSIaaS))Platform as a Service (Platform as a Service (PaaSPaaS))22

Software as a Service (Software as a Service (SaaSSaaS))22

5

Page 6: Regulatory Considerations for use of Cloud Computing and SaaS Environments

PublicPublicCloudCloud2‐‐Thecloud infrastructure ismadeavailable toThecloud infrastructure ismadeavailable toPublic Public Cloud Cloud  The cloud infrastructure is made available to The cloud infrastructure is made available to the general public or a large industry group and is owned the general public or a large industry group and is owned by an organization selling cloud servicesby an organization selling cloud services..

Private Cloud Private Cloud 2‐‐The cloud infrastructure is operated solely The cloud infrastructure is operated solely foranorganization Itmaybemanagedbytheorganizationforanorganization Itmaybemanagedbytheorganizationfor an organization.  It may be managed by the organization for an organization.  It may be managed by the organization or a third party and may exist on premise or off premise.or a third party and may exist on premise or off premise.

6

Page 7: Regulatory Considerations for use of Cloud Computing and SaaS Environments

A virtual machine is a tightly isolated software container that can run its own operating systems p g yand applications as if it were a physical computer. A virtual machine behaves exactly like a physical computer and contains it own virtual (ie softwarecomputer and contains it own virtual (ie, software‐based) CPU, RAM hard disk and network interface card (NIC).( )

7

Page 8: Regulatory Considerations for use of Cloud Computing and SaaS Environments

The capability provided to the consumer is to provision processing, storage, networks, and other p p g, g , ,fundamental computing resources where the consumer is able to deploy and run software, which can include operating systems and applicationscan include operating systems and applications. 

The consumer does not manage or control theThe consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls). 

8

Page 9: Regulatory Considerations for use of Cloud Computing and SaaS Environments

The capability provided to the consumer is to deploy onto the cloud infrastructure consumer‐p ycreated or acquired applications created using programming languages, libraries, services, and tools supported by the providertools supported by the provider.

The consumer does not manage or control theThe consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application‐hosting environmentenvironment.

9

Page 10: Regulatory Considerations for use of Cloud Computing and SaaS Environments

The capability provided to the consumer is to use the provider’s appls running on a cloud infrastructureprovider s appls running on a cloud infrastructure. 

The apps are accessible from various client devicesThe apps are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web‐based email), or program interface.

The consumer does not manage or control the d l i l d i f t t i l di t kunderlying cloud infrastructure including network, 

servers, operating systems, storage, or even individual application capabilities, with the possible exception of pp p , p plimited user‐specific application configuration settings. 

10

Page 11: Regulatory Considerations for use of Cloud Computing and SaaS Environments

11

Page 12: Regulatory Considerations for use of Cloud Computing and SaaS Environments

������������

������� �

12

������� �

Page 13: Regulatory Considerations for use of Cloud Computing and SaaS Environments

GxPGxPElectronic Recordkeeping ControlsElectronic Recordkeeping ControlsQ lifi d I fQ lifi d I fQualified InfrastructureQualified InfrastructureStandard Operating ProceduresStandard Operating ProceduresTrained Personnel (including IT)Trained Personnel (including IT)ValidatedApplicationsValidatedApplicationsValidated ApplicationsValidated Applications

Record IntegrityRecord IntegrityRecord IntegrityRecord IntegrityRecord AvailabilityRecord AvailabilityRecord RetentionRecord Retention

13

Page 14: Regulatory Considerations for use of Cloud Computing and SaaS Environments

Electronic Electronic RecordkeepingRecordkeeping

Record Integrity Record Availability Record RetentionSOPsSOPs SOPsSOPs

Recordkeeping Recordkeeping Compliance Compliance ProgramProgram

Backup and Backup and RestoreRestore

P blP bl

Backup and Backup and RestoreRestore

B iB iSOPsSOPs

ValidationValidation

Problem Problem ReportingReporting

BusinessBusiness

Business Business ContinuityContinuity

DisasterRecoveryDisasterRecoveryInfrastructure Infrastructure QualificationQualification

Business Business ContinuityContinuity

Disaster Recovery Disaster Recovery 

Disaster Recovery Disaster Recovery PlanPlan

Record Retention Record Retention Security ProgramSecurity Program

TrainingTraining

PlanPlan PolicyPolicy

ArchivalArchival

14

Page 15: Regulatory Considerations for use of Cloud Computing and SaaS Environments

������� �����

Pharma A Data Center Inc

GxPGxPElectronic Recordkeeping ControlsElectronic Recordkeeping ControlsQualifiedInfrastructureQualifiedInfrastructure

Trained Personnel (including IT)Trained Personnel (including IT)STILLNEEDSTILLNEED

15

Qualified InfrastructureQualified InfrastructureStandard Operating Standard Operating ProceduresProcedures

Validated ApplicationsValidated ApplicationsSTILL NEEDSTILL NEED

Page 16: Regulatory Considerations for use of Cloud Computing and SaaS Environments

A A computerisedcomputerisedsystem is a set of software and hardware system is a set of software and hardware components which together fulfill certain functionalitiescomponents which together fulfill certain functionalities

Applications should be validatedApplications should be validated

IT infrastructureshouldbequalifiedIT infrastructureshouldbequalifiedIT infrastructure should be qualifiedIT infrastructure should be qualified

Hardware and software such as networking software and operation Hardware and software such as networking software and operation systems which makes it possible for the application to systems which makes it possible for the application to functionfunctiony p ppy p pp

Risk Risk Management Management ExtentofvalidationanddataintegritycontrolsExtentofvalidationanddataintegritycontrols––patientsafety,datapatientsafety,dataExtent of validation and data integrity controls Extent of validation and data integrity controls  patient safety, data patient safety, data integrity, product integrity, product qualityquality

16

Page 17: Regulatory Considerations for use of Cloud Computing and SaaS Environments

Suppliers Suppliers and Service Providersand Service ProvidersFormal Agreements required to include Formal Agreements required to include clear statements ofclear statements of responsibilitiesresponsibilitiesclear statements of clear statements of responsibilitiesresponsibilities

Provide

ll

Configure Modify

i

Validate

i i

d h ld b d dd h ld b d d

Install Integrate RetainMaintain

IT IT departments should be considered departments should be considered analogousanalogousgg

17

Page 18: Regulatory Considerations for use of Cloud Computing and SaaS Environments

GxPGxPElectronic Recordkeeping ControlsElectronic Recordkeeping ControlsTrainedPersonnel(includingIT)TrainedPersonnel(includingIT)

18

������ �p gp g

Qualified InfrastructureQualified InfrastructureStandard Operating Standard Operating ProceduresProcedures

Trained Personnel (including IT)Trained Personnel (including IT)Validated ApplicationsValidated Applications

Page 19: Regulatory Considerations for use of Cloud Computing and SaaS Environments

Quality SystemQuality System

SLCPSLCP

Software Vendor Software Vendor 

SLC Processes SLC Processes 

Customer SupportCustomer Supportpppp

Typically not Typically not directly regulated or inspected by directly regulated or inspected by regulatory agencies.regulatory agencies.

A di db li f dhA di db li f dh d dd dAudited by clients for adherence to Audited by clients for adherence to standards.standards.

Quality of SLC Documentation, Testing, etc. varies Quality of SLC Documentation, Testing, etc. varies considerably considerably for each for each vendor.vendor.

S ibl f i t ll ti lid ti d l t i dk iS ibl f i t ll ti lid ti d l t i dk iSponsor responsible for installation, validation, and electronic recordkeeping Sponsor responsible for installation, validation, and electronic recordkeeping controls at sponsor location.controls at sponsor location.

19

Page 20: Regulatory Considerations for use of Cloud Computing and SaaS Environments

Electronic Recordkeeping Electronic Recordkeeping ll

Backup and RestoreBackup and RestoreCompliance ProgramCompliance Program

SOPsSOPsProblem Problem ReportingReporting

Business ContinuityBusiness ContinuityValidationValidation

Infrastructure QualificationInfrastructure Qualification

yy

Disaster Recovery PlanDisaster Recovery Plan

RecordRetentionPolicyRecordRetentionPolicySecurity ProgramSecurity Program

TrainingTraining

Record Retention PolicyRecord Retention Policy

ArchivalArchivalTrainingTraining

20

Page 21: Regulatory Considerations for use of Cloud Computing and SaaS Environments

Electronic Recordkeeping Compliance ProgramElectronic Recordkeeping Compliance Program

SOPSOP

Electronic Recordkeeping Compliance ProgramElectronic Recordkeeping Compliance Program

SOPSOPSOPsSOPs

ValidationValidation

Infrastructure QualificationInfrastructure Qualification

SOPsSOPs

Validation / SDLCValidation / SDLC

Infrastructure ProgramInfrastructure Program

Security ProgramSecurity Program

TrainingTraining

ProblemReportingProblemReporting

Security ProgramSecurity Program

TrainingTraining

BackupBackupandRestoreandRestoreProblem ReportingProblem Reporting

Business Continuity PlanBusiness Continuity Plan

Record Retention Policy Record Retention Policy 

Backup Backup and Restoreand Restore

Problem Problem ReportingReporting

Business ContinuityBusiness Continuity

Disaster Recovery PlanDisaster Recovery Plan

Record Retention PolicyRecord Retention Policy

ArchivalArchival

21

Page 22: Regulatory Considerations for use of Cloud Computing and SaaS Environments

ValidationValidation ValidationValidation

SOPsSOPs

UserRequirementsUserRequirements

SOPsSOPs

SDLC MethodologySDLC MethodologyUser Requirements User Requirements SpecificationSpecification

U A t T tiU A t T ti

Functional SpecificationFunctional Specification

ConfigurationConfigurationUser Acceptance Testing User Acceptance Testing (Performance (Performance Qualification)Qualification)

Installation (IQ)Installation (IQ)

System Testing (Operational System Testing (Operational Qualification)Qualification)

TraceabilityTraceabilityQualification)Qualification)

System Release to CustomerSystem Release to CustomerSystem AcceptanceSystem Acceptance

22

TraceabilityTraceability

Page 23: Regulatory Considerations for use of Cloud Computing and SaaS Environments

SpecificationsSpecificationsSpecificationsSpecifications

Not completeNot complete

Not updated periodically after changesNot updated periodically after changes

TestRecordsTestRecordsTest RecordsTest Records

Not Not prepre‐‐approvedapproved

R lt t i db dR lt t i db dResults not reviewed by second personResults not reviewed by second person

Integrity of test resultsIntegrity of test results

No approved summary reportsNo approved summary reports

ReleaseManagementReleaseManagement

23

Release ManagementRelease Management

Page 24: Regulatory Considerations for use of Cloud Computing and SaaS Environments

Test Record IntegrityTest Record Integrity

Results typed into Word document or Excel Results typed into Word document or Excel spreadsheetspreadsheet

No failures documentedNo failures documented

TestdatesandtimesdonotcorrelateTestdatesandtimesdonotcorrelate

24

Test dates and times do not correlate Test dates and times do not correlate 

Page 25: Regulatory Considerations for use of Cloud Computing and SaaS Environments

Quality SystemQuality System

SLCPSLCP

Quality SystemQuality System

SLC Processes SLC Processes 

Software Vendor Software Vendor 

SLC Processes SLC Processes 

Customer SupportCustomer SupportCustomer SupportCustomer Support

ValidationValidation

Hosted EnvironmentHosted Environment

pppp

Typically not Typically not directly regulated or inspected by directly regulated or inspected by regulatory agencies.regulatory agencies.

Record Keeping ControlsRecord Keeping Controls

Hosted Environment is used for a direct Hosted Environment is used for a direct GxPGxPfunction (record keeping) and is function (record keeping) and is 

Audited by clients for adherence to Audited by clients for adherence to standards.standards.

Quality of SLC Documentation, Testing, etc. varies Quality of SLC Documentation, Testing, etc. varies considerably considerably for each for each vendor.vendor.

more likely to be inspected by regulatory agencies.more likely to be inspected by regulatory agencies.

Audited by clients for adherence to Audited by clients for adherence to standards (standards (GxPGxP, Part 11)., Part 11).

QualityofSLCDocumentation Testing etc variesQualityofSLCDocumentation Testing etc variesconsiderablyconsiderablyforeachforeachvendorvendorSponsor responsible for installation, validation, and electronic recordkeeping Sponsor responsible for installation, validation, and electronic recordkeeping controls at sponsor location.controls at sponsor location.

Quality of SLC Documentation, Testing, etc. varies Quality of SLC Documentation, Testing, etc. varies considerably considerably for each for each vendor.vendor.

SaaSSaaSprovider responsible provider responsible for for some aspects of installationsome aspects of installation, validation, and , validation, and electronic recordkeeping electronic recordkeeping controls.controls.

25

Page 26: Regulatory Considerations for use of Cloud Computing and SaaS Environments

This could now be This could now be the documentation used to the documentation used to support your validation effort!support your validation effort!

Make sure you understand (and audit) your Make sure you understand (and audit) your SaaSSaaSService Providers Validation/Qualification Procedures Service Providers Validation/Qualification Procedures 

dD idD i26

and Documentationand Documentation

Page 27: Regulatory Considerations for use of Cloud Computing and SaaS Environments

SAS 70  / SSAESAS 70  / SSAE‐‐1616IInternationallynternationally recognizedrecognizedfinancialauditingfinancialauditingstandardstandardIInternationally nternationally recognized recognized financial auditing financial auditing standard standard developed by the developed by the AICPAAICPASAS70wasSAS70wasreplacedbySSAEreplacedbySSAE‐‐16 in June201116 in June2011SAS 70 was SAS 70 was replaced by SSAEreplaced by SSAE 16 in June 201116 in June 2011There is no SAS 70 / SSAEThere is no SAS 70 / SSAE‐‐16 certification 16 certification There isno listofpublishedSAS70/SSAEThere isno listofpublishedSAS70/SSAE‐‐1616There is no list of published SAS 70 / SSAEThere is no list of published SAS 70 / SSAE 16 16 standardsstandards

27

Page 28: Regulatory Considerations for use of Cloud Computing and SaaS Environments

SAS 70  / SSAESAS 70  / SSAE‐‐1616RequiresRequiresadescriptionofcontrolsandattestationofadescriptionofcontrolsandattestationofRequires Requires a description of controls and attestation of a description of controls and attestation of controls by managementcontrols by managementCPAfirms issueType I (design)andType II (designCPAfirms issueType I (design)andType II (designCPA firms issue Type I (design) and Type II (design CPA firms issue Type I (design) and Type II (design and effectiveness) reportsand effectiveness) reportsNeither SAS 70 or SSAENeither SAS 70 or SSAE‐‐16 discuss qualification or 16 discuss qualification or qqvalidation of network infrastructurevalidation of network infrastructure

28

Page 29: Regulatory Considerations for use of Cloud Computing and SaaS Environments

A SAS 70 Report by itself may not be sufficient to assure A SAS 70 Report by itself may not be sufficient to assure regulatory requirements are being met.regulatory requirements are being met.

29

g y q gg y q g

Page 30: Regulatory Considerations for use of Cloud Computing and SaaS Environments

System UnavailableSystem UnavailableSystem DownSystem DownConnection ProblemsConnection ProblemsData Center DisasterData Center DisasterLegal / Contractual DisputesLegal / Contractual Disputes

Make sure your Business Continuity Plans are Make sure your Business Continuity Plans are established.established.

Be sure your legal contracts are carefully constructed Be sure your legal contracts are carefully constructed andreviewedandreviewed

30

and reviewed.and reviewed.

Page 31: Regulatory Considerations for use of Cloud Computing and SaaS Environments

ChangeChangeControlControlChange Change ControlControlIn a shared environment with multiple customers, In a shared environment with multiple customers, howarehardwareorsoftwareplatformchangeshowarehardwareorsoftwareplatformchangeshow are hardware or software platform changes how are hardware or software platform changes communicated or approved?communicated or approved?Howareapplicationupgradeshandled?Howareapplicationupgradeshandled?How are application upgrades handled?How are application upgrades handled?

BackupsBackupsWhat is the freq enc of theback p?What is the freq enc of theback p?What is the frequency of the backup?What is the frequency of the backup?What happens if a backup fails?What happens if a backup fails?

S iS iSecuritySecurityWho has access to the computing environment Who has access to the computing environment (l i ll h i ll )?(l i ll h i ll )?

31

(logically or physically)?(logically or physically)?

Page 32: Regulatory Considerations for use of Cloud Computing and SaaS Environments

DisasterRecoveryDisasterRecoveryDisaster Recovery Disaster Recovery Where are the backup locations in the event of a Where are the backup locations in the event of a disaster?disaster?disaster?disaster?How is the disaster recovery program tested?How is the disaster recovery program tested?

E i t l C t lE i t l C t lEnvironmental ControlsEnvironmental ControlsWhat are the requirements for monitoring of What are the requirements for monitoring of en ironmentalcontrols?en ironmentalcontrols?environmental controls?environmental controls?

AServiceLevelAgreement isaKEYdocument toAServiceLevelAgreement isaKEYdocument toA Service Level Agreement is a KEY document to A Service Level Agreement is a KEY document to maintain compliance with a maintain compliance with a SaaSSaaSprovider.provider.

32

Page 33: Regulatory Considerations for use of Cloud Computing and SaaS Environments

Formal Agreements (e.g. SLAs) in Place with Cloud Formal Agreements (e.g. SLAs) in Place with Cloud Providers to include:Providers to include:

Security/Incident/Problem/Change Mgt.Security/Incident/Problem/Change Mgt.

B kB k R /B i C ti itR /B i C ti itBackBack‐‐up Recovery/Business Continuityup Recovery/Business Continuity

Periodic Review/MonitoringPeriodic Review/Monitoring

Interface ManagementInterface Management

EnsuringalignmentofCloudProviders/ConsumersEnsuringalignmentofCloudProviders/ConsumersEnsuring alignment of Cloud Providers/Consumers Ensuring alignment of Cloud Providers/Consumers control processescontrol processes

33

Page 34: Regulatory Considerations for use of Cloud Computing and SaaS Environments

34

Page 35: Regulatory Considerations for use of Cloud Computing and SaaS Environments

1.1. NIST Special Publication 500NIST Special Publication 500‐‐293, US Government Cloud 293, US Government Cloud Computing Technology Roadmap , Volume I, Release 1.0 Computing Technology Roadmap , Volume I, Release 1.0 ( f )( f )(draft) ,  (draft) ,  HighHigh‐‐Priority Priority Requirements to Further USG Agency Requirements to Further USG Agency Cloud Computing Cloud Computing Adoption,  Adoption,  November November 2011 2011 

22 NISTNISTSpecialPublicationSpecialPublication800800 145 TheNISTDefinitionofCloud145 TheNISTDefinitionofCloud2.2. NIST NIST Special Publication Special Publication 800800‐‐145, The NIST Definition of Cloud 145, The NIST Definition of Cloud ComputingComputing,   September ,   September 20112011

3.3. VMWareVMWare ((http://www.vmware.com/virtualization/virtual‐machine.html)(( p // / / )

4.4. Federal Cloud Computing Strategy, The White House, Federal Cloud Computing Strategy, The White House, February 8, 2011February 8, 2011

35

Page 36: Regulatory Considerations for use of Cloud Computing and SaaS Environments

www.QACVConsulting.comwww.QACVConsulting.com3242 Regal Road3242 Regal Road

hl hhl h

Chris Wubbolt, BS, MSPrincipal ConsultantQACV Consulting LLC Bethlehem, PA 18020 Bethlehem, PA 18020 USAUSA

TelephoneTelephone:  610:  610‐‐442442‐‐22502250

QACV Consulting, LLC

EE‐‐mailmail:  :  [email protected]@QACVConsulting.com

1 Merck Drive1 Merck DriveWhitehouse Station NJ  08889Whitehouse Station NJ  08889

John Patterson, MSEExecutive  Director –Compliance; 

f i lTelephone:  908Telephone:  908‐‐423423‐‐56755675EE‐‐mail:  [email protected]:  [email protected]

Manufacturing , Supply Chain IT; Merck & Co.

36