Validation in a Cloud environment in Oqotech
We analyze what to take into account to ensure the integrity of information when computerized systems operate in cloud environments.
Companies working in highly regulated sectors such as pharmaceuticals, medical devices or cosmetics are progressively moving their computerized systems to cloud environments to improve efficiency and reduce costs.
However, this digitalization process also presents the industry with the challenge of selecting cloud service providers who can control, validate and guarantee the confidentiality, integrity, and availability of the data stored in these systems.
Below, we analyze the industry’s challenges and how to carry out validation in cloud environments.
The Challenge of Data Security in the Cloud
The main challenge for the industry related to cloud systems is, without a doubt, to manage the security and integrity of the data.
Ensuring a cloud implementation that meets regulatory requirements rests on 4 pillars:
- Security: issues related to information integrity, access controls, encryption, and security gap detection.
- Control: manage where and how data and software tools are managed.
- Service level management: define, contract and ensure that service level agreements between all parties involved in data management are met.
- Compliance: To comply with industry regulatory requirements (FDA CFR 21 Part 11 and EU Annex 11)
Faced with security challenges in cloud systems, enterprises must implement technical security controls and risk mitigation policies. For example, to control:
- Malicious use: modification of software to eliminate protection methods (cracking), launching of dynamic attack points, hosting of corrupt data, etc.
- Insecure interfaces and APIs.
- Internal attacks (malicious insiders) that may come from the combination of IT services or the lack of transparency in the security processes of cloud providers.
- Sharing technology issues: CPUs, disk partitions, other shared components not designed for strong compartmentalization.
- Data loss.
- Account hijacking.
The risks associated with cloud computing systems should be assessed through a risk mitigation plan that considers the following approach:
- Identification and evaluation of cloud components: what components define the configured cloud, where are they (public, private, hybrid, community, combined cloud), how many applications are running in the cloud, how many of those applications are GxP compliant, how are changes communicated and controlled, how is data integrity and security provided in the cloud?
- Implementing controls: change management, security, performance monitoring, periodic review In addition, for cloud systems, additional controls must be implemented such as cloud configuration management; server management; network administration; helpdesk services; backup, restore and archiving; disaster recovery plan; vendor management.
- Seguridad de los datos: es fundamental comprender quién tiene acceso a los datos y si necesitan acceso. La segregación de datos es crítica; los datos en la nube generalmente se alojan en un entorno compartido junto con los datos de otras empresas. El cifrado y la separación de los datos propios de los de otras empresas es fundamental para garantizar la integridad de datos. La recuperación es otro factor crítico para garantizar la integridad de los datos mediante los procedimientos de copia de seguridad y restauración. La gestión de cambios es también crítica y debe definirse claramente en los acuerdos de nivel de servicio y los procedimientos de proveedores.
- Data security: It is critical to understand who has access to the data and whether they need access. Data segregation is critical; cloud data is typically hosted in a shared environment along with data from other companies. Encryption and separation of your own data from other companies’ data are critical to ensure data integrity. Recovery is another critical factor in ensuring data integrity through backup and restore procedures. Change management is also critical and must be clearly defined in service level agreements and supplier procedures.
Validation in Cloud Environments
One of the key areas in cloud validation is the assessment of vendors to determine the vendor’s ability to meet the controls necessary to ensure security, data integrity, compliance with customer procedures, and regulatory requirements.
The selection process of cloud system providers (SaaS, IaaS, PaaS) is usually done in 3 steps:
- Review of vendor information to see if they already work with other customers in regulated industries and whether their infrastructure is qualified to provide a GxP-compliant service. This first step should result in a list of approximately 5 potential providers.
- Assessment and audit: send the shortlist of potential providers a questionnaire with questions about their quality management system, procedures, IT infrastructure qualification, staff training, backups, contingency plans, change control/audit trails, where the servers physically reside, physical data center security, encryption, and key management. This second step usually reduces the vendor list to 2.
- Generate a service level agreement (SLA) This document is a commitment between the service provider and the company. This contract should cover at least:
- Customer responsibilities.
- Service provider’s responsibilities.
- Availability and performance.
- Change management.
- Quality of service.
- Data backup and restoration (procedure, frequency).
- Staff qualification.
- Incident management and reports.
- Support and maintenance.
- Service guarantee.
According to the responsibilities defined in the SLA, the service provider is responsible for the management of the hosting environment, its security and its maintenance. As such, it must provide the customer with procedures and documentation governing these activities, such as:
- Security Policy.
- Business continuity plan.
- Backup and Restore Procedure.
- Change management procedure.
From these steps, the validation process in cloud environments is the same as for computerized systems installed and maintained in the company’s facilities (on-demand).
The validation of cloud systems must be carried out on the basis of a risk and criticality analysis. User requirements must be created to ensure that the system meets the necessary technical specifications. Installation Qualification (IQ) should be simple and based on the hardware and software requirements for the system. Operation Qualification (OQ) should be based on verification of the critical high-risk functions of the system and include the following:
- Security and data integrity.
- Audit trails.
- Electronic signatures.
- High and medium risk requirements.
Process Qualification (PQ) activities should verify that all predefined requirements and specifications are met and that the evidence is properly documented.
Cloud systems enable rapid implementation, improve efficiency and reduce costs. Security challenges must be clearly understood and mitigated. Service level agreements are critical to communicate customer expectations to the provider and ensure compliance with regulatory requirements.
However, another major challenge that highly regulated companies face, with respect to validation in cloud environments, is translating the industry’s regulatory requirements into provider services.
At Oqotech we can help you analyze the requirements, select the appropriate technology providers and computerized systems, and accompany you in the implementation and maintenance of technological solutions. Contact our team.