Deploying the Cloud in GxP Environments

Meeting the stringent cloud compliance and regulatory requirements in pharma

The traditional IT infrastructure for most life sciences organizations was not designed to meet the business challenges that companies are faced with today. It can take significant, sustained, and hugely disruptive investment in new technologies and infrastructure to bring internal systems to the required security, performance, and compliance level. At the same time, a life sciences company must do much more than maintain “business as usual.” It must reduce costs and increase productivity and innovation against a backdrop of continually changing market pressures and regulatory requirements. This is the reason that we’re seeing greater cloud adoption in other parts of the life sciences business. However, good practice quality guidelines (GxP) environments have their own unique requirements. There are very strict guidelines around application and system usage in key business functions, such as research and development, clinical trials, quality, and manufacturing, set by the FDA and other global regulators. This article looks at the cloud deployment models available for GxP environments and how to select the right one for a pharmaceutical company’s cost constraints and regulatory profile.

Three types of cloud service

The strengths and weaknesses of internal IT deployments are similar across industries. They are, however, exacerbated in the regulatory environment. A large life sciences company can have thousands of different IT architecture combinations and a large proportion of its overall IT budget is taken up with simply operating, maintaining, and supporting these existing systems. More importantly, the result can often be a lack of agility, if it takes IT too long to respond to changing business requirements. With the additional compliance constraints, it can take many months to deploy a new module or just add extra computing or storage capacity. In addition, users are often faced with slow and inefficient legacy systems and, worse, much of their data remains under-utilized, due to its storage in inaccessible silos throughout the organization.

Cloud services can help overcome many of the drawbacks of existing internal systems. There are infinite combinations of cloud deployments, however; generally, the following delivery types can enable a company to decide which elements of its IT infrastructure to continue to operate internally and which to have executed by a cloud service provider.

• Infrastructure as a service (IaaS). IaaS provides a service to establish and run virtualized computer resources over the internet. Virtualization is the creation of virtual-rather than actual-versions of IT infrastructure, such as operating systems, servers, or storage devices. The services provider is responsible for managing and delivering hardware, storage, servers, and data center space that form the foundation of a cloud environment. 

• Platform as a service (PaaS). PaaS is a cloud computing service that provides all the platform-hardware, middleware, and operating system-components needed for a company to develop, run, and manage applications. The cloud technology provider takes care of all the infrastructure while the pharma company manages its own application portfolio.

• Application as a service (AaaS). Also known as software as a service, AaaS provides a completely hosted-and managed if required-IT package. The provider makes applications available to the company over the internet via a thin client PC.

Four types of cloud deployment 

Before looking at the four cloud deployment models, it’s worth considering the characteristics that all cloud services have in common. Using the internet allows many companies to connect securely to the same service, enabling collaboration and information sharing. Companies using the cloud service have access to shared resources that are continually improving so that they should always have access to the latest and best

performing systems. With some cloud service providers, the service is delivered on-demand. Life sciences companies access the service as required and usage can be metered or architected in such a way that they only pay for what they use.

A major benefit of the cloud is its virtually limitless scalability and geographic agnosticism-that can be applied extremely quickly to meet demand. One life sciences company found that it would require 250 internal servers to meet peak processing times during certain phases of global clinical trials. This meant waiting for internal resource to be freed up, and as the project was estimated to cost $150 per second, that was a very costly delay.¹ Switching to a cloud service meant that the company not only could meet its computing requirements quickly, but it could scale up for peak processing and scale down afterwards-only paying for the resource they used.

Further qualifying the virtualization tools themselves can greatly reduce qualification time, especially in the scenario where the underlying specifications of the servers are identical, allowing the rapid deployment of pre-qualified server packages.

The cloud deployment models available allow a company to access the benefits of cloud computing while ensuring that its working within the performance, security, and risk levels of the organization’s requirements.

Hosted public internet

A public cloud is a publicly accessible cloud environment owned by a third-party cloud service provider (CSP). Services are provisioned in a multi-tenant environment where many customers are using the same service. The infrastructure may be hosted on the premises of the service provider, a third-party data center, or, possibly, multiple third-party facilities and, further, may reside on equipment owned or leased by the CSP. It is vital before engaging with such a provider that a pharma company fully understands its provider’s architecture, the layers of service-level agreements (SLAs), and the relationships between all of the delivery partners. Ultimately, though, the environment will be operated by whoever is making use of it, be it life sciences companies, government organizations, or academic institutions. 

The service is delivered across the public internet and accessed via thin clients at the customer site. The main features of hosted public cloud include:

• Fast and easy deployment of standardized solutions.

• Easy to connect and collaborate with external customers, partners, and suppliers.

• Complete management and support of IT infrastructure.

• System performance and continuity guaranteed under SLA.

• Reasonable levels of security.

• Lack of auditability-while most public cloud providers will offer standard third-party audited accreditations, such as ISO27001 or SOC 2, they will not generally permit traditional GxP audits.

While companies have access to the latest web security standards, the hosted public cloud will not deliver the highest levels of security possible and is likely not to be up to the companies’ requirements if this is a foremost concern. 

In addition, the cloud provider is responsible for the creation and ongoing maintenance of the public cloud and its IT resources. It is more difficult to control patching and upgrade frequency and it is likely that the user will have little-to-no transparency over what happens below the operating system. 

Where application and infrastructure qualification and validation assurance is essential, a pharma company will need to find ways of working with the cloud provider to gain all the information it needs to meet the organization’s compliance requirements. Appendix 11 of the ISPE GAMP Good Practice Guide for IT Infrastructure Control and Compliance² provides strategies for qualifying the suppliers for each of the different engagement types.

Hosted private network

A private cloud, as the name suggests, is solely owned by the cloud service provider. Deployed internally or externally, a hosted private network offers high levels of security using the provider’s private cloud and delivers data management and business continuity services. It is the ideal choice for organizations that need to manage their host applications and other applications used by their customers. The main features of a hosted private network are:

• Ability to retain existing IT system customizations.

• Flexibility to modify systems as required.

• Flexibility on the control of upgrade and patch frequency.

• Maximum levels of reliability and scalability.

• Maximum levels of security.

• Greater control over cloud infrastructure.

• Typically running on dedicated hardware (though private clouds can be virtualized).

There isn’t a great deal of difference in the design structure between hosted public cloud and hosted private network. The biggest difference for the latter is that the provider is, effectively, delivering a single tenant service over a multi-tenant architecture. It is essential that the provider can prove complete customer and data isolation-that a company’s applications and data are completely isolated from that of any other customer using the provider’s services. As such, the security, performance, and compliance benefits of the private model will come at an increased cost.

Hybrid cloud

A hybrid cloud contains the best parts of the hosted public cloud and hosted private network models. In a hybrid cloud deployment, the cloud environment is comprised of two or more different cloud deployment models. For example, one may choose to deploy cloud services processing sensitive data to a private cloud and other, less-sensitive cloud services to a public cloud. A hybrid cloud delivers superior data management, security, scalability, and performance, but adds complexity in terms of management and reliability due to the diverse configurations that this model can create. The hybrid model potentially provides the best opportunity of balance for a GxP-regulated entity; higher-risk GxP applications and services can reside in a qualified cloistered environment, while non-GxP applications can exist outside of the more constrictive GxP control set. The main features of hybrid cloud are:

• Ability to deploy primary solution on premise.

• Ability to retain existing IT system customizations.

• Flexibility to modify systems as required.

• Flexibility on the control of upgrade and patch frequency.

• Flexibility to deploy business continuity and disaster recovery capabilities externally.

• High levels of reliability and scalability.

• High levels of security.

• Greater control over cloud infrastructure.

Hybrid cloud deployments can be complex and challenging to create and maintain due to the potential disparity in cloud environments. Life sciences companies need to work closely with the cloud service provider to know exactly who is responsible for managing every element of the IT infrastructure. Where qualification and validation is important, the cloud service provider must be able to demonstrate and record that all its activities meet a company’s GxP compliance requirements. 

On-premise cloud

Where security and control are paramount concerns, on-premise cloud deployments are preferred. In this model, all IT infrastructure remains within the organization. With on-premise cloud, a company uses cloud computing technology as a means of centralizing access to IT resources by different parts, locations, or departments of the organization. 

Even though the cloud infrastructure physically resides on the company’s premises, the IT resources it hosts are still considered “cloud-based,” as they are made remotely accessible via the cloud to both internal and external users. The service provider delivers the level of management and maintenance skills the pharma customer requires to operate the system. The main features of on-premise cloud are:

• Ability to qualify the data center infrastructure, cloud stack, and virtualized architectures.

• Ability to remain using existing hardware.

• Ability to maintain system on-premise.

• Ability to retain existing IT system customizations.

• Flexibility to modify systems as required.

• Flexibility on the control of upgrade and patch frequency.

• Ability to use provider to flexibly resource IT infrastructure.

• Maximum levels of security.

• Maximum control over cloud infrastructure.

From the standpoints of data integrity, security, and software validation, on-premise cloud represents an attractive option. However, it does have drawbacks. Unsurprisingly, this cloud type suffers from some of the key weaknesses of internal IT systems. Key among these is the potential lack of scalability. A company is still bounded by the capabilities of its existing servers and can’t take advantage of the unlimited potential to quickly and securely scale computing capacity as business requires.

Further, with a hardware refresh rate of three to five years, and the internal costs of managing the solution and any associated regulated expectations, this deployment type can soon exceed the perceived value of an on-premise architecture.

The regulatory paradox

To meet the criteria for computing in a GxP environment, software applications have to be carefully validated and other IT infrastructure components-data center facilities, network components, and infrastructure software and tools-needed to be properly qualified. The life sciences industry had become very comfortable with using the GAMP 5 for the validation of applications. Until recently, similar guidance for cloud deployments was in short supply, but the International Society for Pharmaceutical Engineering (IPSE), the creator of GAMP 5, has addressed this with the publication of the GAMP Good Practice Guide: IT Infrastructure Control and Compliance rev 2.² The guide directly addresses the vastly increased risk profile for cloud computing and provides a roadmap for transitioning from an internal self-managed relationship to a model for working with a qualified supplier, such as a CSP. 

The IPSE guidance for achieving compliance now places new emphasis on:

• Supplier assessment and management.

• Installation and operational qualification of infrastructure components (including facilities).

• Configuration management and change control of infrastructure components and settings in a highly dynamic environment.

• Management of risks to IT Infrastructure.

• Involvement of service providers in critical IT Infrastructure processes.

• SLAs with XaaS (i.e., IaaS, PaaS, SaaS) providers and third-party data center providers.

• Security management in relation to access controls, availability of services, and data integrity.

• Data storage, and in relation to this, security, confidentiality, and privacy.

• Backup, restore, and disaster recovery.

• Archiving.

This new guidance comes at a critical time, as regulatory pressure elsewhere in the business are likely to encourage life sciences companies to investigate cloud services. A slew of recent and forthcoming regulations across the European Union (EU) place an emphasis on information sharing and improved data management. The EU General Data Protection Regulation (GDPR), which deals with the management of personal information; the ISO Identification of Medicinal Products (IDMP), which involves improving information sharing and reporting of medicinal products; and the EU Clinical Trials Regulation (CTR) will affect every company that sells, markets, or works in Europe.

In all three cases, the regulations require enterprise-level of control and visibility of data within an organization-and, in some cases, its suppliers, partners, and customers. It involves bringing together different data in different formats from different parts of the business. In many cases, existing legacy systems will labor to meet performance, security, and transparency requirements to comply with these regulations. The scalability, reliability, and proven security capabilities of the cloud make it an increasingly attractive option. 

What to expect from a cloud provider

Delivering cloud services into a regulated environment places extra responsibility on service providers. Often, as the GAMP Cloud Special Interest Group has pointed out, this will involve them being willing to adapt their business model, as “it involves even greater movement of control toward the supplier, but still leaves the responsibility for the data and process within the regulated company. …The compliance concerns are just as valid, on infrastructure, platform, and application level, with little or nothing that we as life sciences companies can influence with regard to the provider’s management processes.”³

While true, many service providers have made significant efforts to tailor their service to meet GxP requirements. In addition to meeting all the latest cloud standards, such as SSAE and ISO 27001, some deliver against qualification standards and include validation packages that let a company take a risk-based approach to application development, delivery, and amendment. They will all provide the most stringent security, access, and change controls to meet the needs of regulated environments.

Where some providers differ is in their willingness or ability to deliver the level of audit rights and documented processes that life sciences companies require to meet their GxP compliance responsibilities. It is essential that companies are sure that the change control and documentation processes of the provider meet their requirements, especially within their qualification documentation practices.

Ready to go

The cloud is not an immature technology. Properly architected, built, and managed, it is a highly resilient, scalable, and secure platform that has been proven to successfully host mission-critical applications. More and more industries-even the US government-are quickly moving to adopt a “cloud-first” strategy. The GxP environment, like other regulated environments, has very stringent requirements and that has certainly slowed adoption. 

The lack of clear implementation guidance has been an issue. However, with the new IPSE guidance and a risk-based approach to cloud deployment backed by a cloud service provider whose services are designed for regulated environments, companies can now begin to benefit more fully from the cloud. Today, the cloud is better suited to deliver GxP-compliant services that will help life sciences organizations meet their key business challenges. As the GAMP Special Interest Group says: “We all know it’s the way to go.”³

Jaleel Shujath is Director, Life Sciences Strategy, at OpenText. Stephen Ferrell is a Partner at Promedim Ltd.

References

1. https://www.netmagicsolutions.com/blog/there-is-a-life-in-the-cloud-life-sciences-take-to-the-cloud

2. ISPE, GAMP Good Practice Guide: IT Infrastructure Control and Compliance (Second Edition), 2017

3. https://www.ispe.gr.jp/ISPE/07_public/pdf/201407_en.pdf