Post on 30-Apr-2018
ISPE Annual Meeting, 29 October – 1 November 2017
San Diego, CA
Is the Cloud a “Safe Place” for Pharmaceutical Companies?
ValGenesis, Inc.
South San Francisco, CA | Tampa, FL | Chennai, IND
Steve Thompson, Sr. Manager, Professional Services
What and Where is the Cloud?
Controlling a System doesn’t mean it’s Secure
Why Control ≠ Secure
• Physical location is not as important as you think [Link]
• Cloud professionals focus on security & governance more than “behind the firewall” professionals [Link]
• Systems that lack security rigor are not as secure
Focus more on a well‐defined and executed security strategy, with the right enabling technology, than you do on the platform.
Social Engineering is your biggest threat
• Social engineering became the top attack technique in 2015 for beating cyber security, replacing exploits of hardware and software vulnerabilities, according to a study by security firm Proofpoint.
The CLOUD isn’t your biggest threat… the CROWD is!
SOCIAL ENGINEERING: The use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.
Is the Cloud Less Secure than On‐Premise?
• Variations in threat activity are not as important as geographic location
• If it can be accessed it can be attacked
• Attacks are opportunistic in nature
• All have equal chances of attack (cloud or enterprise)
• Web application‐based attacks hit both
– 53% of service provider environments
– 44% of on‐premises environments
• On‐premises environment users or customers actually suffer more incidents than those of service provider environments
– On‐premises environment @ 61.4 attacks
– Service provider environment customers @ 27.8 attacks
• On‐premises environment users also suffered significantly more brute force attacks
Nothing is safe! (Source: Alert Logic's Fall 2012 State of Cloud Security Report)
Current technology makes it extremely hard to snoop or falsify data packets
[Figure: difficulty of snooping or falsifying packets, rated Extremely Hard / Very Hard / Risky]
Source: Haruhiko Araki, Hitachi, Ltd., Comments on 21 CFR Part 11, NTSB Conference Center, Washington, DC
In the Cloud, your data can be made secure
• Data must be owned and maintained by the “Qualified Individuals” (Business Unit)
• IT does not own the data
• Only “Qualified Individuals” can access the data
• Data privacy can be ensured through encryption & multi‐tenant architecture, ensuring data integrity
• Data can be compromised / corrupted ANYWHERE! Preventive measures & procedures are required
WARNING: Be aware of Safe Harbor! Countries may prohibit some data from crossing borders.
Guidance
• CRITICAL REQUIREMENTS
– Security requirements
– Governance requirements
• RULE: Access control is more important than geographic location
– Most data breaches are due to vulnerabilities.
– It doesn’t matter if it’s cloud‐based or on‐premises.
• COMMAND: Vulnerability testing is absolutely necessary
– No matter what
– No matter where
If it isn’t tested, it isn’t secure!
Is the Cloud considered an “Open System”?
• There is no definitive answer
• Some consider it an “Open System” because administration is provided as a service by the Cloud Provider
• Others view the Cloud Provider as an extension of their business, just as they do with contractors or consultants, bound by Service Level Agreements (SLAs)
• The same is true when companies use contractors or consultants for their own on‐premises IT infrastructure, or even when third parties are used for maintenance of manufacturing equipment, instruments, etc.
• What’s vital is to have Security & Governance requirements in place along with binding agreements (SLAs)
21 CFR Part 11 Open versus Closed Systems
§ 11.10 Controls for closed systems
• Electronic Records
– Create, modify, maintain, or transmit
– Procedures & Controls to ensure authenticity, integrity, confidentiality
– Ensure a signed record cannot be repudiated as not genuine
• Validation
• Complete & accurate copies
• Protection of records
• Limited access
• Audit trails
• Operational system checks
• Qualified individuals
• Document control
• Revision & change control procedures
§ 11.30 Controls for open systems
• Same as § 11.10, plus additional measures
– Encryption
– Digital signatures
– Ensure authenticity, integrity, confidentiality
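The § 11.10 / § 11.30 controls listed above (audit trails, protection of records, a signed record that cannot be repudiated) can be shown as a small tamper‐evident audit trail. This is an added example, not code from the presentation or from ValGenesis; it assumes a keyed HMAC standing in for the asymmetric digital signature an open system would use (the chain and verification logic are unchanged), and the batch‐record changes it records are constructed.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key. A keyed HMAC stands in for the PKI digital signature
# (RSA/ECDSA) an open system would use; the chain/verify logic is the same.
DEMO_KEY = b"demo-signing-key-not-for-production"

class AuditTrail:
    """Append-only audit trail: every entry is hash-chained to the previous one and signed."""
    def __init__(self, signer_id, signing_key):
        self.signer_id, self._key, self.entries = signer_id, signing_key, []

    def _body(self, entry):  # canonical bytes covered by both the hash and the signature
        fields = {k: v for k, v in entry.items() if k not in ("entry_hash", "signature")}
        return json.dumps(fields, sort_keys=True).encode()

    def record_change(self, record_id, field, old, new, reason):
        prev_hash = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {"record_id": record_id, "field": field, "old": old, "new": new,
                 "reason": reason, "who": self.signer_id, "prev_hash": prev_hash,
                 "when": datetime.now(timezone.utc).isoformat()}
        body = self._body(entry)
        entry["entry_hash"] = hashlib.sha256(body).hexdigest()
        entry["signature"] = hmac.new(self._key, body, "sha256").hexdigest()
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (ok, index of first bad entry); the index is -1 when the chain is intact."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            body = self._body(e)
            expected_sig = hmac.new(self._key, body, "sha256").hexdigest()
            if (e["prev_hash"] != prev                                        # chain link broken
                    or hashlib.sha256(body).hexdigest() != e["entry_hash"]     # content altered
                    or not hmac.compare_digest(expected_sig, e["signature"])):  # not signed by key holder
                return False, i
            prev = e["entry_hash"]
        return True, -1

def demo():
    """Constructed batch-record changes; returns verify() before and after a silent edit."""
    trail = AuditTrail("qa.reviewer", DEMO_KEY)
    trail.record_change("BATCH-0001", "ph", "7.1", "7.3", "re-measured")
    trail.record_change("BATCH-0001", "status", "draft", "approved", "QA release")
    intact = trail.verify()
    trail.entries[0]["new"] = "7.0"  # someone edits a signed entry in place
    return intact, trail.verify()
```

Editing any field of an entry, re‐linking the chain, or signing with a different key all surface as a failed verify() at the first affected entry.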
Open & Closed System compliance is attainable
A company’s interpretation, along with Cloud configuration, implementation, and maintenance, determines Open versus Closed. Both can be made to comply.
You need technology to effectively use technology!
How do you Validate Cloud‐based systems?
• Cloud computing affords the ability to leverage Service Provider Validation
• IQ & OQ do not have to be redone
• Cloud‐based Validation Lifecycle Management Systems (VLMS) are a technology tool that can be leveraged
• Automated Testing fosters rapid deployment and change / configuration management
• Leverage Vendor’s IQ, OQ. Focus on customer’s PQ
• A more controlled V‐Model is achieved
Change Control ensures systems are maintained in a Validated state
• Change Control systems and procedures must be in place
• A Validation Lifecycle Management System (VLMS) can deliver Change Control functionality or integrate with other Change Control systems
• Impact of Change can be automatic, identifying affected requirements or documents along with pre‐determined risk mitigating processes
• Validation can prove data is encrypted allowing system to comply with regulation and ensure data integrity
Cloud systems are “Readily Available” and Secure
• Regulation requires systems be “readily available”
• Typical Cloud‐based solutions can have
– 99.999% up‐time
– High Availability (HA)
– Fault Tolerance & Fail Over
• Multi‐tenant architecture assures data is separate, segregated, secure, and data integrity is maintained
• Disaster Recovery / Business Continuity is essentially delivered in Cloud‐based computing
Is the Cloud Safe for Pharmaceutical Companies?
YES
The Cloud is safe for Pharmaceutical companies, but agility, rapid deployment, and efficient change management are required.
• Five Most Prevalent Web Threats Today
1. Bots and Web Scraping
2. DDoS (Distributed Denial of Service)
3. Cross‐Site Scripting
4. SQL Injection
5. Malware
• Technology Solutions
– DDoS (security)
– Website Security (security)
– Content Delivery Network (performance)
– Load Balancer (performance)
What Pharmaceutical Companies need
• Agility
• Rapid deployment
• Efficient change management
• Systems must be Validated
– Software
– Infrastructure
• Legacy paper‐based systems cannot
– Maintain
– Sustain
– Remain
Contact Details
Ph: 510 445 0505, Steve @ ext 1030
steve.thompson@valgenesis.com
info@valgenesis.com
www.valgenesis.com
Controversial Statements: Agree / Disagree?
• Cloud is better than on‐premises systems
– Secure
– Accessible
– Flexible
– Economic
– Reliable
• Cloud is collectively more compliant
– Infrastructure Qualification & Validation
– Configuration & Change Management
– Data integrity
– Disaster Recovery / Business Continuity
• Overall, Cloud performance is better
– Reliability
– Connectivity
– Scalability
– Rapid deployment