Cloud Computing in a GxP-regulated ecosystem
Ankur Mitra
Quality, Regulations, Technology - Connecting the Dots - And a Lot of Questions
Before cloud computing, organizations relied on on-premises IT infrastructure. These involved significant capital investment, ongoing maintenance, and scalability limitations. These limitations were seen as a roadblock to business growth and led to the emergence of cloud. The emergence of cloud computing addressed these challenges by offering scalable, flexible, and cost-effective solutions.
Cloud computing offers on-demand access to computing resources over the internet, enabling businesses to scale dynamically and reduce capital expenditure. The need for scalable, flexible, and cost-effective solutions drove the adoption of cloud services. This adoption has revolutionised the way the healthcare and life sciences industry (like other industries) operates.
A simple way to understand the concept of cloud vis-a-vis the on-prem ecosystem is to understand the difference between owning a book versus renting a book at the library (paying through membership only). While you won't own the library books, you can read as much as you want (similar to a subscription). You have to pay a fraction of what you would have otherwise spent if you had tried owning and maintaining the same lot of books. Moreover, the library allows you to read more than you otherwise would have.
Understanding Cloud Computing, service and deployment model
NIST has defined cloud computing, its characteristics, service models, and deployment models through its special publications. The definition has been prepared for federal agencies and may be used by non-governmental organizations. The NIST definition, by far, is the most accepted way for defining cloud computing and its service and deployment models.
What is cloud computing?
Cloud Computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
In other words, Cloud computing is the delivery of computing services over the internet. It addresses the challenges of traditional IT infrastructure, including scalability, cost efficiency, flexibility, and maintenance. Key attributes include on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service.
Understanding Cloud Service Models
Before we move any further, it is important to understand the cloud service models. Cloud service models are the business models that different cloud service providers offer to users. The most popular ones are SaaS, PaaS and IaaS - these have been defined by NIST as below:
Software as a Service (SaaS): The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited userspecific application configuration settings.
Example: Think of SaaS as renting a fully furnished apartment. You don't need to buy any furniture or worry about maintaining the building. You just move in and use it.?Similarly, with SaaS, you use software applications that run on the internet (cloud) without worrying about the underlying technology. For example, you can access email or a word processor through a web browser, and everything is managed by the service provider.
Platform as a Service (PaaS): The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.
Example: PaaS is like renting an unfurnished apartment where you can bring in your furniture and decorations.?With PaaS, you get a platform to develop and run your applications. The provider manages the infrastructure (like servers and networks), but you have control over your applications and their settings. You can use the tools and services provided to build and deploy your software.
Infrastructure as a Service (IaaS): The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).
Example: IaaS is like renting an empty plot of land where you can build your own house. You have control over what the house looks like and how it's built, but you don't have to worry about things like plumbing or electricity, as these are provided.?With IaaS, you get virtual machines, storage, and networks. You can install and run any software you want, including operating systems, but the physical infrastructure (like the hardware) is managed by the provider.
With the advent of the cloud, newer service models with a broader scope have come up. XaaS is an umbrella term that includes any service delivered over the internet such as Database as a Service (DBaaS), Storage as a Service (STaaS), Network as a Service (NaaS), Function as a Service (FaaS), and many more. Similarly, EaaS is a broader and more encompassing concept that implies the possibility of delivering every aspect of IT and business operations as a service. It extends beyond individual services to include all functions and processes within an organization, potentially integrating them into a unified service-oriented architecture.
Deployment Models
Deployment models in cloud computing provide organizations with flexible options to meet their specific needs for security, scalability and control. The models stem from the varying requirements of different users and industries. A private cloud offers dedicated resources for a single organization, ensuring high security and control, which is essential for regulated industries like healthcare and finance. Public clouds, managed by third-party providers, offer scalable and cost-effective solutions, suitable for general-purpose applications with less stringent security needs. Community clouds serve groups with shared concerns, such as government agencies, providing a collaborative environment while maintaining compliance with common standards. Hybrid clouds combine the benefits of multiple deployment models, allowing data and applications to move between private and public clouds for greater flexibility and optimization. The background of these deployment models lies in the evolution of IT infrastructure, driven by the need to balance cost, performance, security, and compliance. This approach enables organizations to leverage cloud computing's advantages while aligning with their unique operational and regulatory requirements.
Private cloud: The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.
Example: Owning a private house exclusively for yourself or your family. You manage and control everything in this house, whether it's located on your property or somewhere else. The cloud infrastructure is provisioned for exclusive use by a single organization. It can be owned, managed, and operated by the organization, a third party, or a combination of both, and it can exist on or off-premises.
Community cloud: The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.
Example: Living in a gated community where multiple families share common facilities (like a pool or park) because they have similar interests or needs. Each family has its own house, but the shared areas are maintained collectively. The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It can be owned, managed, and operated by one or more organizations in the community, a third party, or a combination of both, and it can exist on or off-premises.
Public cloud: The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.
Example: Renting an apartment in a large building where many different people live. You have your own private space, but you share the building's facilities with other residents. The cloud infrastructure is provisioned for open use by the general public. It can be owned, managed, and operated by a business, academic, or government organization, or some combination of these. It exists on the premises of the cloud provider.
Hybrid cloud: The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).
Example: Having a primary residence and a vacation home. You use your primary home most of the time but can also use your vacation home when needed. Both homes are part of your living arrangement and are connected in a way that allows you to move between them as necessary. The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).
Cloud Computing Stack
Cloud is comprised of different layers depicted in a stack format. Each layer of the cloud computing stack corresponds to a component or function in a typical computer system, working together to create a cohesive and efficient computing environment. Let us look at each layer individually and then try to understand their working together through an example.
Let us try to understand the various layers through the analogy of a personal computer system.
The networking layer is like your computer’s network card and internet connection, enabling your computer to communicate with other devices and access the internet. Inside your computer, you have a storage system, such as a hard drive or SSD, where all your files and data are stored securely and can be accessed when needed. Your computer has a server component, similar to the CPU, which performs all the necessary computing tasks to run programs and processes. Virtualization in your computer is like running multiple operating systems or applications within a single system using virtual machines, allowing you to use resources more efficiently without adding extra hardware. The operating system (OS) is the main software, like Windows, macOS, or Linux, that manages all the hardware resources and provides a platform for other software to run. Middleware acts like software that helps different applications on your computer communicate and work together, similar to how a database or a web server operates. Runtime is the environment provided by your computer that allows applications to run, such as the Java Runtime Environment (JRE) or .NET Runtime, providing necessary services for the execution of software. The data layer consists of the information processed and stored by applications, like the documents, photos, and files you create and save on your computer. Finally, applications are the software programs you use to perform specific tasks on your computer, such as a word processor, web browser, or email client.
Cloud layer verification approach
In any quality ecosystem, it is important to understand how we will ensure the quality of that ecosystem. It is often said that the quality of an end product is the sum of the quality of the individual components and their interactions. So, we will look at how we will ensure the quality of each cloud layer and their interactions.
It is important to understand that each layer is an engineering stream in itself and there are different ways of assuring quality, which the respective stream experts are best suited to suggest. So, in consultation with those experts, as quality assurance custodians, we should, at minimum, look at the mentioned artefacts to gain the trust and confidence that quality considerations are met as required during the building of these layers.
Networking
Verification Steps:
Documentation:
Storage
Verification Steps:
Documentation:
Servers
Verification Steps:
Documentation:
Virtualization
Verification Steps:
Documentation:
Operating System
Verification Steps:
Documentation:
Middleware
Verification Steps:
Documentation:
Runtime
领英推荐
Verification Steps:
Documentation:
Data
Verification Steps:
Documentation:
Application
Verification Steps:
Documentation:
Reiterating here that verification of each layer should be defined by the intended purpose of each layer and their interaction through the ecosystem. Verification of their interaction is equally important. The stream expert's guidance should be sought for verification steps, documentation, and the extent of both.
Moving onto the 'GxP-regulated ecosystem' - If you use it, you validate it
Due to the increasing benefits, the healthcare and life sciences industry also embraced the cloud. However, given the regulated nature of the industry, ensuring its adherence to GxP requirements became the prime ask of the industry. Validating cloud services ensures compliance with regulatory requirements, guarantees data integrity, and secures sensitive information. It ensures that data is managed in an accurate, reliable and consistent ecosystem. In GxP environments, validation is also crucial to comply with regulations like 21 CFR Part 11, EU Annex 11, etc.
Starting with the (in)famous Validation Strategy
Validating cloud services (SaaS, PaaS, and IaaS) in a GxP (Good Practice) environment involves ensuring compliance with regulatory requirements such as 21 CFR Part 11, EU Annex 11, and other relevant guidelines. It also ensures that the cloud will be fit for the intended purpose for which it is provisioned or set up.
Irrespective of the type of cloud service, you will start with vendor assessment to identify if the cloud service provider is fit to provide services in a GxP-regulated ecosystem if you are contracting for cloud services.
Cloud Service Provider (CSP) Assessment
Once the contract is signed, the execution will happen as per the service model and defined responsibilities. Do note that deployment models will play a key role in shaping your role and responsibility. Example, in a private cloud, everything (all cloud layers) will be your responsibility. The same gets shared as the deployment model changes. Consider the deployment models as well, when defining the cloud validation strategy.
Widely popular models - SaaS, PaaS, IaaS - generally have layers bundled as part of business offerings by the cloud service providers. The responsibility matrix is, often, similar to below:
This diagram (commonly used and available) shows how each cloud service model allocates management responsibilities between the cloud provider and the user. In the SaaS model, the provider handles all aspects, including applications, data, runtime, middleware, operating system, virtualization, servers, storage, and networking, leaving the user to simply interact with the software. For PaaS, the provider manages the underlying infrastructure including runtime, middleware, operating systems, virtualization, servers, storage, and networking, while the user is responsible for managing their applications and data. In the IaaS model, the provider is responsible for the core infrastructure components like virtualization, servers, storage, and networking, but the user takes control of the operating systems, middleware, runtime, data, and applications. This delineation helps organizations choose the appropriate model based on the level of control and responsibility they require over their IT resources.
Let us look at the validation strategy of each of these in detail.
Software as a Service (SaaS) - If you decide to take SaaS from the CSP
User Requirements Specification (URS): Define and document the business and regulatory requirements for the application.
Risk Assessment: Perform a risk assessment to identify potential risks to data integrity, security, and compliance.
Validation Planning: Develop a validation plan outlining the scope, approach, resources, and deliverables.
Functional Testing: Execute test scripts to verify that the SaaS application meets user requirements and functions correctly. Include testing for GxP-related functionalities, such as electronic signatures, audit trails, and data integrity.
Performance Qualification (PQ): Conduct performance testing to ensure the application performs reliably under expected load conditions.
User Acceptance Testing (UAT): Perform UAT to ensure the application meets user needs and regulatory requirements.
Maintain detailed documentation of all validation activities, including test scripts, results, and any deviations. Implement procedures for continuous monitoring and periodic re-evaluation of the SaaS application to ensure ongoing compliance.
Impact due to deployment models: When deploying SaaS in different cloud models, the validation strategy must adapt to the specifics of each model. In a private cloud, validation focuses on ensuring that the SaaS application integrates seamlessly within the organization's internal environment, with strict controls over data privacy and security. For public cloud deployments, the validation strategy emphasizes compliance with external standards and regulatory requirements, relying heavily on the provider's certifications and audit reports. In a community cloud, shared among organizations with common interests, validation includes ensuring consistent security policies and compliance requirements across all participants. Hybrid cloud deployments necessitate a flexible validation strategy that addresses integration and data flow between private and public clouds, ensuring robust data integrity, security, and compliance across both environments.
Platform as a Service (PaaS)- If you decide to take PaaS from the CSP
User Requirements Specification (URS): Document the requirements for the development and deployment platform.
Risk Assessment: Conduct a risk assessment focusing on platform availability, data integrity, and security.
Validation Planning: Develop a validation plan for the platform and the applications developed on it.
Platform Qualification: Perform Installation Qualification (IQ) to ensure the platform is installed correctly and configured as per specifications. Conduct Operational Qualification (OQ) to verify that the platform functions as intended under normal and stress conditions. Leverage the verification approach mentioned above for verification of the layers that is part of your responsibility.
Application Validation: Validate each application developed on the PaaS platform, including functional, performance, and security testing.
Maintain comprehensive documentation of the platform and application validation activities. Continuously monitor the platform for performance, security, and compliance. Periodically review and re-validate as needed.
Impact due to deployment models: For PaaS, validation strategies must consider the deployment model to address different levels of control and security. In a private cloud, the validation strategy focuses on ensuring the platform supports the organization's specific compliance requirements and integrates well with existing internal systems. Public cloud PaaS validation emphasizes verifying the provider’s adherence to industry standards and regulatory requirements, alongside continuous monitoring of the platform’s security and performance. In a community cloud, the validation strategy includes ensuring that the platform meets the collective compliance and security standards of all participating organizations. Hybrid cloud PaaS deployments require validation of the interoperability between the private and public components, ensuring consistent security controls and compliance across the entire environment.
Infrastructure as a Service (IaaS)- If you decide to take IaaS from the CSP
User Requirements Specification (URS): Define the requirements for the infrastructure, including performance, availability, and security.
Risk Assessment: Perform a risk assessment focusing on infrastructure reliability, data integrity, and security.
Validation Planning: Develop a validation plan outlining the scope and approach for validating the infrastructure.
Infrastructure Qualification: Perform Installation Qualification (IQ) to ensure the infrastructure components (e.g., virtual machines, storage) are set up correctly. Conduct Operational Qualification (OQ) to verify that the infrastructure performs as expected. Perform Performance Qualification (PQ) to ensure the infrastructure meets performance and scalability requirements. Leverage the verification approach mentioned above for verification of the layers that is part of your responsibility.
Application Validation: Validate any applications running on the IaaS, ensuring they meet GxP requirements.
Disaster Recovery and Backup Testing: Test disaster recovery and data backup processes to ensure data integrity and availability.
Maintain detailed documentation of the infrastructure setup, configuration, and validation activities. Implement continuous monitoring of the infrastructure for performance, security, and compliance. Periodically review and re-validate as needed.
Impact due to deployment models: IaaS validation strategies differ significantly based on the deployment model due to varying levels of control and security needs. In a private cloud, the strategy involves rigorous validation of the infrastructure's integration with the organization's existing IT environment, focusing on security, compliance, and performance. For public cloud IaaS, the strategy emphasizes validating the provider’s infrastructure, ensuring it meets regulatory standards and includes robust security measures. In community cloud deployments, validation must ensure that the shared infrastructure complies with the security and regulatory requirements of all member organizations. Hybrid cloud IaaS validation involves ensuring seamless integration and data consistency between private and public cloud components, with a focus on maintaining security and compliance across the entire infrastructure.
Common Validation Activities Across All Models
Ensure compliance with 21 CFR Part 11 and EU Annex 11 requirements for electronic records and electronic signatures. This will include controls including (but not limited to):
Audit Trails: Verify that audit trails are enabled, secure, and properly reviewed.
Data quality, Integrity, and security: Ensure data quality and integrity throughout the system lifecycle, including data capture, storage, processing, and retrieval. Ensure data security throughout the cloud service lifecycle, including encryption, access controls, and monitoring.
Change and Configuration Management: Implement a robust change control process to manage changes to the system and applications. Managing changes to the cloud service to ensure they do not adversely affect system performance or compliance.
Continuous Monitoring and Periodic Review: Ongoing monitoring and regular review of the cloud service to ensure continued compliance and performance
Training: Provide training to users on GxP requirements and the proper use of the cloud services.
In a nutshell, you select the cloud service provider who has been assessed and found fit to provide service for the layer that they are being considered for. If you are confident, you draw a contract clearly defining the roles and responsibilities. Whatever you are not able to assess or trust, you validate or develop controls to manage.
In conclusion
Cloud computing continues to evolve, with advancements in artificial intelligence, machine learning, and quantum computing promising to further enhance cloud services. Validating these technologies in GxP environments will be critical to ensuring their safe and effective use. As regulatory requirements evolve, staying abreast of changes and adopting best practices for cloud validation will be essential for maintaining compliance and leveraging the full potential of cloud computing.
References
Disclaimer: The article is the author's point of view on the subject based on his understanding and interpretation of the regulations and their application. Do note that AI has been leveraged for the article's first draft to build an initial story covering the points provided by the author. Post that, the author has reviewed, updated, and appended to ensure accuracy and completeness to the best of his ability. Please use this after reviewing it for the intended purpose. It is free for use by anyone till the author is credited for the piece of work.
CSV Professional|Trackwise |eDMS|Valgenesis|LIMS|TMS| IT Compliance |Risk Management| Audit & Complaince | Ex.Lupin, Ex. Emcure
2 个月Insightful for Cloud and it's GxP Compliance
Great insights, Ankur Mitra! Your detailed article sheds light on the importance of compliant cloud computing in a GxP-regulated ecosystem.
Nicely explained, nice article Ankur Mitra
CSV Advisor/Scrum Master Certified (CSM)/GXP/ SAP Validation/Track & Trace /DeltaV/LIMS/Clinical Trail Management System/ELN/Audit Trail/GAMP5/Data Integrity/Agile/Devops/Automation/Audit/CAPA/Change Management
3 个月Thanks for sharing
Manager- Application Support IT at Teva Pharmaceuticals
3 个月Very informative