In this presentation from IVT's Qualifying and Validating Cloud and Virtualized IT Infrastructures, Chris Wubbolt and John Patterson focus on current trends in cloud computing environments, including aspects of cloud computing and Software-as-a-Service (SaaS) providers that may be of interest to US Food and Drug Administration investigators during an FDA inspection. Important compliance-related points to consider for software vendors as they shift to becoming SaaS providers are discussed. The presentation also reviews the pros and cons of cloud computing from a business and compliance perspective, including differences between traditional computing environments and private/public clouds. Examples of issues to consider when using cloud computing environments and SaaS providers are also discussed.
Regulatory Considerations for use of Cloud Computing and SaaS Environments
1. Regulatory Considerations for Use of Cloud Computing and SaaS Environments
Institute of Validation Technology Conference
Qualifying and Validating Cloud and Virtualized IT Infrastructure
Philadelphia PA
21-August-2012
Chris Wubbolt, BS, MS
John Patterson, MSE
2. Challenges / Definitions
Historical Perspective
Regulatory Requirements for computing service providers
Paradigm Shift: Software Vendors to Software-as-a-Service Providers
Qualification / Validation of hosted applications
Key Risk Areas
5. Cloud Computing [2]
Virtual Machines [3]
Infrastructure as a Service (IaaS) [2]
Platform as a Service (PaaS) [2]
Software as a Service (SaaS) [2]
6. Public Cloud [2] - The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.
Private Cloud [2] - The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.
8. The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run software, which can include operating systems and applications.
The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).
9. The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider.
The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.
10. The capability provided to the consumer is to use the provider's apps running on a cloud infrastructure.
The apps are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or program interface.
The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
14. Record Integrity: Electronic Recordkeeping Compliance Program; SOPs; Validation; Infrastructure Qualification; Security Program; Training
Record Availability: SOPs; Backup and Restore; Problem Reporting; Business Continuity Plan; Disaster Recovery Plan
Record Retention: SOPs; Backup and Restore; Business Continuity; Disaster Recovery; Record Retention Policy; Archival
15. Pharma A Data Center Inc
GxP Electronic Recordkeeping Controls
Trained Personnel (including IT)
STILL NEED
Qualified Infrastructure
Validated Applications
Standard Operating Procedures
19. Quality System
SLC Processes
Software Vendor
Customer Support
Typically not directly regulated or inspected by regulatory agencies.
Audited by clients for adherence to standards.
Quality of SLC Documentation, Testing, etc. varies considerably for each vendor.
Sponsor responsible for installation, validation, and electronic recordkeeping controls at sponsor location.
20. Electronic Recordkeeping Compliance Program
SOPs
Validation
Infrastructure Qualification
Security Program
Training
Backup and Restore
Problem Reporting
Business Continuity
Disaster Recovery Plan
Record Retention Policy
Archival
21. Electronic Recordkeeping Compliance Program (first column): SOPs; Validation; Infrastructure Qualification; Security Program; Training; Problem Reporting; Business Continuity Plan; Record Retention Policy
Electronic Recordkeeping Compliance Program (second column): SOPs; Validation / SDLC; Infrastructure Program; Security Program; Training; Backup and Restore; Problem Reporting; Business Continuity; Disaster Recovery Plan; Record Retention Policy; Archival
22. Validation
[Diagram labels: SOPs; SDLC Methodology; User Requirements; Functional Specification; Configuration; Installation (IQ); System Testing (Operational Qualification); User Acceptance Testing (Performance Qualification); Traceability; System Acceptance; System Release to Customer]
23. Specifications
Not complete
Not updated periodically after changes
Test Records
Not pre-approved
Results not reviewed by second person
Integrity of test results
No approved summary reports
Release Management
24. Test Record Integrity
Results typed into Word document or Excel spreadsheet
No failures documented
Test dates and times do not correlate
25. Quality System
SLC Processes
Software Vendor
Customer Support
Hosted Environment
Validation
Record Keeping Controls
Typically not directly regulated or inspected by regulatory agencies.
Hosted Environment is used for a direct GxP function (record keeping) and is more likely to be inspected by regulatory agencies.
Audited by clients for adherence to standards.
Audited by clients for adherence to standards (GxP, Part 11).
Quality of SLC Documentation, Testing, etc. varies considerably for each vendor.
Sponsor responsible for installation, validation, and electronic recordkeeping controls at sponsor location.
SaaS provider responsible for some aspects of installation, validation, and electronic recordkeeping controls.
27. SAS 70 / SSAE-16
Internationally recognized financial auditing standard developed by the AICPA
SAS 70 was replaced by SSAE-16 in June 2011
There is no SAS 70 / SSAE-16 certification
There is no list of published SAS 70 / SSAE-16 standards
28. SAS 70 / SSAE-16
Requires a description of controls and attestation of controls by management
CPA firms issue Type I (design) and Type II (design and effectiveness) reports
Neither SAS 70 nor SSAE-16 discusses qualification or validation of network infrastructure
30. System Unavailable
System Down
Connection Problems
Data Center Disaster
Legal / Contractual Disputes
Make sure your Business Continuity Plans are established.
Be sure your legal contracts are carefully constructed and reviewed.
31. Change Control
In a shared environment with multiple customers, how are hardware or software platform changes communicated or approved?
How are application upgrades handled?
Backups
What is the frequency of the backup?
What happens if a backup fails?
Security
Who has access to the computing environment (logically or physically)?
32. Disaster Recovery
Where are the backup locations in the event of a disaster?
How is the disaster recovery program tested?
Environmental Controls
What are the requirements for monitoring of environmental controls?
A Service Level Agreement is a KEY document to maintain compliance with a SaaS provider.
33. Formal Agreements (e.g. SLAs) in Place with Cloud Providers to include:
Security/Incident/Problem/Change Mgt.
Back-up Recovery/Business Continuity
Periodic Review/Monitoring
Interface Management
Ensuring alignment of Cloud Providers/Consumers control processes
35. 1. NIST Special Publication 500-293, US Government Cloud Computing Technology Roadmap, Volume I, Release 1.0 (draft), High-Priority Requirements to Further USG Agency Cloud Computing Adoption, November 2011
2. NIST Special Publication 800-145, The NIST Definition of Cloud Computing, September 2011
3. VMWare (http://www.vmware.com/virtualization/virtual-machine.html)
4. Federal Cloud Computing Strategy, The White House, February 8, 2011
36. Chris Wubbolt, BS, MS
Principal Consultant
QACV Consulting, LLC
www.QACVConsulting.com
3242 Regal Road
Bethlehem, PA 18020 USA
Telephone: 610-442-2250
E-mail: chris.wubbolt@QACVConsulting.com
John Patterson, MSE
Executive Director – Compliance; Manufacturing, Supply Chain IT; Merck & Co.
1 Merck Drive
Whitehouse Station NJ 08889
Telephone: 908-423-5675
E-mail: john.patterson@merck.com