Compliance in the Cloud or ‘The High Road to GxP?’

‘To the Cloud or not to the Cloud, that is the question.’

While it’s certainly a familiar question, with apologies to Hamlet, there is a question that tends to come first: “What is the Cloud in the first place?” Have you seen the online graphic of a young child who is just looking at you, with the caption ‘There is no cloud…’?

Information Workers

The reality for most ‘information workers’ is that as long as your keyboard, mouse and monitor have something to plug into and data displays, all you really need to see is where that ‘something’ plugs into the wall so you can be sure you have a physical connection.

What’s on the other side of the wall – or even if there is, strictly speaking, no ‘other side’ – is not the user’s concern. You don’t need to have physical computing resources right next to you as long as the ‘virtual machine’ you are working on is properly provisioned and the latency (or ‘lag/response time’) isn’t large enough to be an issue.

Enterprise

The physical computing resources matter if you are doing a lab analysis with physical samples on instruments or using an automated line to produce product. In the land of data analysis, reporting and document production, the data needs to be available, not present.

From the enterprise perspective, however, what is ‘present’ behind the wall is a true concern. Since compliance with regulations means ‘control,’ how the cloud supplies and protects those resources and the information they provide needs to be documented under a defined quality management system. While cloud vendors are glad to quote services and prices, they have not always been forthcoming about how things are done in their building.

Outsourcing

The move to the cloud is a physical move – of your data, applications and possibly compute and platforms – to somewhere else. The somewhere is physical while your usage and controls become logical and virtual. If that makes you feel uneasy – or if you prefer ‘risk averse’ – you are not alone.

Outsourcing is a concept that brings joy to financial / accounting types, but for those involved with compliance, quality and validation, it brings a new set of challenges and concerns. It should recall the words of Mr. Murphy – “Nothing is as easy as it looks, everything takes longer than you expect AND if anything can go wrong, it will – usually at the worst possible time.”

Current warning letters addressing data integrity have focused on site forensics – data in trash cans, bags of shredded records. When it comes to the cloud, there is no ‘there’ for you to access – unless there are the careful negotiations, detailed SLAs and rigorous audit/follow-up required to give your enterprise the confidence it needs to move forward.

Do your current internal resources have the expertise and the flexibility to deal with a vendor you have to trust significantly? This is more complex than a contract manufacturer where you can review the SOPs for compliance, watch the process and then have the product independently tested.

GxP Compliance

The draw of the cloud is that everything is ‘out there’ – available ‘just by an e-mail’ – and not running up costs on your premises. What will happen if suddenly it isn’t ‘there?’ Whose fault will it be – oh, must be the vendor. Good idea – blame the vendor – but there’s many a wire between your ‘here’ and their ‘there.’

Will it be your communication vendor, some nameless third-party supplier or cloud hardware, software or internal network failure? There are many ABCs in the cloud – SaaS, IaaS, PaaS, HaaS, AaaS, ITaaS – and the list goes on. It is critical to have the proper support to be able to straighten all those letters out to spell ‘GxP compliance.’

Cloud Provider

Everyone wants their cloud provider to look like the image below. But that will take attention to detail, technical understanding and the ability to ask ‘the next questions’ needed to assure quality and compliance.

Those questions will include security at multiple levels, and how they are going to maintain those perfect cables when the one in the middle breaks.

There are many items to be considered – here are some more:

  • What application(s) and data are going to be ‘sent to the cloud?’
  • What in-house processes / systems need to access that data?
  • Where will the data physically be held and what are the laws in that location if outside of the USA?
  • What are the backup provisions for the cloud providers’ servers and storage?
  • What is the security plan – including physical, logical and access controls?
  • How will your audit resources be granted access and under what ground rules?
  • Does the vendor provide a Quality Manual or Quality Management System document for review?
  • Does their contract include a ‘non-cookie cutter’ Service Level Agreement (SLA) that details your focus points?

About Azzur IT

Azzur IT is an Azzur Group Company providing a broad range of services, including IT Quality & Compliance auditing services; computer system validation (CSV); application selection, implementation, integration and project management services; IT infrastructure, operations & data center assessment; risk-based data integrity assessment; compliance remediation projects; SOX consulting; process improvement and change management.

www.azzur.com/it

Author

John English

Computer System Validation and Regulatory Compliance