Since the start of the New Year there’s been quite a debate about the ‘acceptability’ of the big, non-specialist Cloud Service Providers (such as Amazon Web Services, Microsoft Azure and others) with respect to GxP data and applications.
Quite rightly, security has featured in those debates and the ability of such providers to assure data integrity and security certainly needs to be assured beyond any reasonable doubt. We agree with that point, but have relatively few issues in this regard because
- Information security assessments and audits are a well understood discipline (at least when you can get on site to do this)
- The best Cloud providers are generally more secure (with respect to the security controls they are responsible for) than most regulated companies. The question isn’t whether they are secure, but whether this can be assessed to be sufficient when you can’t get on site to do an audit.
This issue can’t be ignored, but if tackled properly it can be addressed.
Cloud Service Providers
One of the other issues being debated is whether or not the infrastructure used by these providers can be considered ‘qualified’ and controlled. It’s certainly true that it isn’t qualified by traditional means (i.e. under a ‘Qualification Plan’, with a ‘Qualification Report’), but we would argue (based upon regulatory guidance) that taking a traditional approach isn’t necessary if the Provider has good processes based on IT industry good practices – see our earlier article “Qualifying Basic IaaS in the Cloud”
How then should we be assessing these suppliers (Cloud Service Providers) and what should we be looking for? This is something that industry has been debating and since our last article was published we’ve been thinking about what we ourselves ask when we assess such Providers on behalf of our clients and what we expect to see. As usual, we prefer to be leaders rather than followers and have decided to publish our thoughts on what we feel is not only necessary, but practical.
How Do You Audit When You Can’t Audit?
The first thing to acknowledge is that small-medium size regulated companies are never going to be big or profitable enough to these Providers to demand an on-site audit. This simply isn’t economical for the Providers and isn’t going to happen. Our advice here is simple – “Accept it, deal with it and move on”.
Regulatory and industry guidelines don’t mandate a supplier audit, but do require an assessment of suppliers – which can range from a market survey for general acceptability, through a ‘postal’ audit / remote document review, through to an on-site audit. Assuming that suitable documentation can be provided by the Providers, for relatively low risk services (and we’re talking about IaaS here,not PaaS or SaaS) there’s no reason why an on-site audit should be mandated.
Here at Convalido we’ve got our own Cloud Services Provider Supplier Assessment document which we’ve developed over the year’s. It was originally based on the GAMP and PDA TC32 checklists (details of which which we won’t bore you with), has been extended over the years as technologies and services have changed, and which has specifically been extended for “Cloud”.
This is quite a lengthy document (too large to reproduce here) but it includes a a list of what we consider to be crucial things we’re looking for, specifically for Infrastructure as a Service (there are of course lots of separate and additional issues for Platform and Software as a Service which we’re not covering here).
Dear Mr Cloud Services Provider…
The following are the key questions we’d like answering and information we’d like providing as part of a ‘postal audit’ (remote documentation review). We’d expect to either receive this information in response to a supplier assessment questionnaire, or have the relevant information otherwise made available i.e. via the Providers website or customer portal.
Are you ISO 27001 / ISO 27017 Registered?
Ideally the answer is ‘Yes’ – failing this we’d expect security to be demonstrably equivalent to ISO 27001 / ISO 27017 – which means we would come and so a security audit on-site.
Can we see your ISO 27001 / ISO 27017 certificates?
Ideally the answer is ‘Yes’. If not, were going to be suspicious.
Can we see your last ISO 27001 / ISO 27017 audit reports?
Ideally ‘Yes’. The certificate itself doesn’t tell us a lot about what security risks you’ve considered or the controls you have in place – we want to see an independent third party report from someone who specialises in IT security and Cloud Security, describing the in-scope controls and confirming that they’re effective (e.g. that you do penetration testing and that the results were acceptable). If we can see that report we don’t need to conduct our own security audit.
Do you have a formal Quality Management System?
If not, we’re not going to work with you.
Are you ISO 9001 registered?
Ideally the answer is ‘Yes’ – failing this we’d expect an established Quality Management System to be demonstrably equivalent to ISO 9001, and ideally the 2015 version of ISO 9001, which is risk-based
Can we see your ISO 9001 certificate?
Ideally the answer is ‘Yes’. If not, were going to be suspicious.
Can we see your last ISO 9001 audit reports?
Again, the certificate doesn’t say a lot – we want to understand the scope, the processes and whether you follow them. We want evidence from a credible third party that all the processes we expect to see in place are within the scope of your ISO 9001 QMS, for the specific location and services we’re contracting for, and that the processes are under control and are effective.
Please give us a list of your processes
We’d like to understand for ourselves how your processes are organised, so that we can align our own processes with yours, so that we can ensure that there are no gaps between your roles and responsibilities, and our own roles and responsibilities.
Are these formalised in procedures?
Although ISO 9001 can be process based, we’d like to see that you have proper controlled and auditable procedures in place, with defined process owners and roles and responsibilities – that’s just what we expect in our industry
If so, can we see (read) the procedures corresponding to the processes defined in the GAMP Infrastructure and Operations Good Practice Guides – and also your training procedures as well?
We understand that your ISO 9001 auditor has audited your processes, and that you might be leveraging IT industry good practices, but there are certain expectations in the Life Sciences industry that we expect to be there. You should have them if you’re leveraging IT industry best practices e.g. ISO 20000 (ITIL v3), but we need to read some of your procedures just to make sure. We’re happy to sign a non-disclosure agreement, but we really need to read them to fully understand the value of your certifications).
Although we’re not looking for you to do things in exactly the same way as Regulated Companies have been doing things, we do expect you to have equivalent processes in place and we do expect to be able to understand the processes you’re following to specify, build/install, verify, change, configure, maintain, repair etc the infrastructure. To be sure that your processes/procedures are equivalent we need to read them.
We understand that you can’t tell us which servers our applications will run on, or what internal VLANs our data will pass through, or which discs our data will be stored on at any given point in time, so you can’t show us evidence of how ‘our’ infrastructure is qualified. That’s because all of your infrastructure is potentially our infrastructure. We therefore need to to understand how ALL of the infrastructure is specified, built, installed, verified, repaired, maintained, changed etc and we want assurance by way of trusted third party audit reports (that we can read for ourselves) that you’re following your own procedures.
Making the Assessment Pragmatic
As an industry we need to understand that cost effective Cloud Service Providers can’t have every single small client coming in and doing on-site audits – to support that would put the costs of these services up considerably (you’ve only got to compare costs between the big Cloud Providers and the niche GxP Cloud Providers to realise that)
However, if the big non-specialised Providers have invested in ISO 9001, ISO 27001 etc, rather than audit for ourselves we should expect – and can accept – to have the audit reports from trusted third parties made available to us, to prove that the processes and controls are appropriate, and that they’re followed.
Here at Convalido it’s not that we don’t trust the best Cloud Service Providers, but we believe strongly in “trust, but verify “.
We also understand that it’s going to take some time to make this documentation available (under a suitable non-disclosure agreement of course) and that the Providers will incur additional costs to make that level of documentation available to us and to keep it up-to-date. The key surely is to provide it to us as cost effectively as possible and amortise the costs across all of the Life Sciences companies that need to see it.
Hard Copies
We accept that some Providers might want us to read hard copies while we’re on their site, because these processes are their proprietary, confidential information. Ideally however we’d like remote, secure access to this information and that shouldn’t be too difficult.
So that we can prove to the regulators that we’ve done our due diligence all we ask is that Providers give us an option to access this documentation via their customer portal. Providers can surely provide read-only access to the documentation as another ‘on-demand self-service’ option – just bundle the documentation up in a non-downloadable “GxP Compliance Set” and we’ll pay a reasonable amount for on-going access to the documentation.
Clearly the big IaaS players are taking GxP more seriously – the recent white papers show that, but they need to listen to what we really need by way of demonstrable compliance, not just what they think we need.
Come on AWS, MS Azure and the likes – who wants to be first to really facilitate regulated companies to assess you in a lean, pragmatic, cost-effective and justifiably compliant manner?
