
Compliant in the Cloud: An outlook on the adoption and validation

By Steven de Bruijn

Private and business users benefit from cloud technology every day; however, the average regulated company does not yet use it to its full potential. We need to understand what the cloud means for these companies, what the perceived obstacles are, and how to overcome these obstacles while fulfilling the regulator’s expectations.

“The Cloud”

Before we start, let’s define what the cloud is and explore what flavors the market has to offer. Cloud computing is a very generic term that suggests the idea of a “black box”. In fact, this is quite accurate, as the cloud is an abstract mixture of IT infrastructure components. Furthermore, various sorts of applications can be deployed in the cloud, such as collaborative tools, ERP systems, procurement platforms, document management systems, and so on.

Typically, three models of services are distinguished for cloud computing:

  1. Software as a Service (SaaS) – Configured applications, containing all infrastructure and platform components including hosting facilities, are delivered to the regulated company.
  2. Platform as a Service (PaaS) – Middleware, including all infrastructure and hosting facilities, is delivered to the regulated company. Middleware configuration, application installation and configuration are done by the regulated company.
  3. Infrastructure as a Service (IaaS) – Computational and storage resources, including all network components and hosting facilities, are delivered to the regulated company. Depending on contract conditions, the regulated company can install, configure and maintain the OS, middleware and software applications.

Another classification is found in the type of cloud, namely Public, Private, Hybrid, or Community. Simply put, in a public cloud the end users do not know who else has jobs running on the same external server, network or disks, while in a private cloud the infrastructure is designed and delivered for the exclusive use of the regulated company and may be located in-house or externally. For the specifics of each type, visit the National Institute of Standards and Technology (NIST) website at

Cloud providers offer several clear benefits such as extremely fast and flexible solution delivery, on-demand scalability, business continuity solutions, relatively easy solutions for backup and archiving, and reduced TCO on infrastructure components. This is a strong proposition at considerably lower cost than traditional in-house computing. So why not start immediately?
So aren’t there any drawbacks to cloud computing and its providers at all? Experience shows that many suppliers offer cloud services but lack understanding of the needs of a regulated company. They fail to recognize the most significant GxP risks; chances are that dropping the term “Annex 11” will not ring too many bells. However, if regulated content is managed in the cloud, the solution should go beyond what is required of most non-regulated business applications. Most importantly, the cloud solution should be validated and auditable.

Some companies in the regulated industry seem to lack an understanding of what cloud computing is and, equally important, what the cloud is not. There is still a lot of ground to cover when it comes to agreeing on consistent terms that apply to the whole company, understanding the enabling technologies, and recognizing the interactions between the cloud and other applications. Such insights will convince your Quality department and prevent your quality controllers from misunderstanding the concept of a private or public cloud and overestimating the regulatory needs, which would cause them not to allow for any cloud functionality at all. Last but not least, many regulated companies struggle to define their methods for validating cloud solutions. How can this struggle be broken down into manageable pieces that focus on the regulator’s areas of interest?

Cloud Compliance

For computer system validation, the regulated companies traditionally rely on their IT department which owns and manages the corporate IT infrastructure. This way the regulated company would set up and qualify their own machines, platforms, and environments for development, acceptance testing and live use. The software supplier would be audited, and ultimately the implemented system would be validated.

In the case of cloud computing, an entirely different approach is required, depending on the cloud model used. In any case, the regulated company remains accountable to the regulatory authorities for the compliance of the IT infrastructure (IaaS and PaaS) and the (GxP) applications (SaaS) that are used. This accountability cannot be transferred to cloud providers. The central goal of validation for the regulated company is to verify that the cloud provider exercises appropriate control over the cloud solution. This all starts with auditing the supplier to clarify what services will be provided and how they will be implemented, managed, controlled and maintained.

In models 2 & 3 (PaaS and IaaS), the supplier qualifies and controls the infrastructure. It is the responsibility of the regulated company to verify that appropriate control is in place. Applications are owned and controlled by the regulated company in this scenario. Therefore, the validation of the applications will be similar to validating applications the traditional way, apart from some cloud-specific risks or issues.

Validation becomes more complex in a model 1 (SaaS) scenario, because the regulated company is not the owner and controller of the application, yet is still responsible for validating the GxP SaaS application. The application is already installed and configured by the supplier and can’t always be reconfigured or customized to meet the regulated company’s requirements. The approach we propose is to assure that the application meets the requirements by verification through formal testing. Furthermore, verify that the split of responsibilities and tasks between the cloud provider and the regulated company is documented, e.g. in a formal SLA, as this is an Annex 11 (§3.1) requirement. Also ensure that appropriate control is exercised by the cloud provider, and establish procedures for use of the application.

Why go through all this qualification and validation effort?

Besides obvious reasons such as mitigation of your GxP and business risks, another driver should be the fact that the regulators are increasingly sticking their heads in the cloud as well. An auditor will be interested in what risks have been defined and how these are mitigated. Attention will be paid to how the integrity of your regulated data is assured, and what data backup and recovery measures have been taken. Compared to a traditional hosting model, more emphasis will be placed on the cyber security of the networked cloud systems and on the extent to which privacy is safeguarded. Because a system in the cloud is only as secure as its host, regulators will examine your supplier audits, assess the SLAs and contracts you agreed on with your supplier, and inspect the supplier’s quality system.

New approaches to auditing are crucial, requiring cloud-specific IT technology knowledge, awareness of current IT certifications, understanding of legal aspects, and GxP & CSV knowledge. Goldfish ICT is developing compliant strategies and validation best practices for utilization of the cloud in a regulated environment. We enable our clients to adopt this technology while maintaining control of their IT landscape in a consistent manner. We would be very interested to share our findings and current state of knowledge with you. If you have any questions or remarks, please contact Steven de Bruijn, who is more than willing to get in touch on cloud computing in a GxP context.
