If you were to ask me 10 years ago how many of my life sciences clients were deploying systems in the cloud environment I would’ve said may be perhaps one or two. If you ask me today how many of my clients are deploying cloud’s technologies I would say most all of them in one way or another. The adoption of cloud technologies within life sciences companies is expanding at a rapid pace.
From a validation perspective, this trend has profound consequences. Here are some key concerns and questions to be answered for any cloud deployment.
- How do you validate systems in a cloud environment?
- What types of governance do you need to deploy applications in a cloud environment?
- How do you manage change in a cloud environment?
- How do you maintain the validated state in the cloud?
- How can you ensure data integrity in the cloud?
- How do you manage cybersecurity in a cloud environment?
The answers to these questions are obvious and routine to validation engineers managing systems in an on-premise environment where the control of the environment is managed by the internal IT team. They have control over changes, patches, system updates, and other factors that may impact the overall validated state. In a cloud environment, the software, platform and infrastructure is delivered as a SERVICE. By leveraging the cloud, life sciences companies are effectively outsourcing the management and operation of a portion of their IT infrastructure to the cloud provider. However, compliance oversight and responsibility for your validated system cannot be delegated to the cloud provider. Therefore, these services must have a level of control sufficient to support a validated systems environment.
For years, life sciences companies have been accustomed to governing their own systems environments. They control how often systems are updated, when patches are applied, when system resources will be updated, etc. In a cloud environment, control is in the hands of the cloud service provider. Therefore, who you choose as your cloud provider matters.
So what should your strategy be to manage cloud-based systems?
- Choose Your Cloud Provider Wisely – All cloud providers are not created equally. The Cloud Security Alliance (https://cloudsecurityalliance.org/ ) is an excellent starting point for understanding cloud controls. The Cloud Controls Matrix (CCM) is an Excel spreadsheet that allows you to assess a vendors readiness for the cloud. You can download it free of charge from the CSA.
- Establish Governance For The Cloud – You must have an SOP for the management and deployment of the cloud and ensure that this process is closely followed. You also need an SOP for cyber security to provide a process for protecting validated systems against cyber threats.
- Leverage Cloud Supplier Audit Reports For Validation – All cloud providers must adhere to standards for their environments. Typically, they gain 3rd party certification and submit to Service Organization Control (SOC) independent audits. It is recommended that you capture the SOC 1/2/3 and SSAE 16 reports. You also want to understand any certifications that your cloud provider has. I would archive their certifications and SOC reports with the validation package as part of my due diligence for the supplier audit.
- Embrace Lean Validation Principles and Best Practices – eliminating waste and improving efficiency is essential in any validated systems environment. Lean validation is derived from the principles of lean manufacturing. Automation is a MUST. You need to embrace lean principles for greater efficiency and compliance.
- Automate Your Validation Processes – Automation and Lean validation go hand in hand. The testing process is the most laborious process. We recommend using a system like ValidationMaster™ to automate requirements management, test management and execution, incident management, risk management, validation quality management, agile validation project management, and validation content management. ValidationMaster™ is designed to power lean validation processes and includes built-in best practices to support this process.
- Use a Risk-Based Approach To Validation – all validation exercises are not created equal. The level of validation due diligence required for your project should be based on risk – regulatory, technical and business risks. Conduct a risk assessment for all cloud-based systems.
- Adopt Continuous Testing Best Practices – the cloud is under continuous change which seems in and of itself counter-intuitive to the validation process. Continuous testing can be onerous if your testing process is MANUAL. However, if you adopt lean, automated testing processes regression testing is easy. You can establish a routine schedule for testing and if your cloud provider delivers a dashboard that tells you when patches/updates/features have been applied and the nature of them, you can select your regression testing plan based on a risk and impact assessment.
Cloud environments can be validated! A clear, practical approach that embraces lean validation and continuous testing is key. Cloud governance to ensure data integrity and sustained compliance is key.
Cloud technologies are here to stay. Regulators don’t object to the use of the cloud, they want to know how you are managing it and ensuring the integrity of the data. They also want you to confirm that you are maintaining the validated state in the cloud. The principles of validation endure in the cloud. Just because you are in a cloud environment does not mean validation principles no longer apply. Consider the impact of cybersecurity in your cloud environment and adopt continuous testing strategies to ensure sustained compliance.