Is the Cloud a “Safe Place” for Pharmaceutical Companies?

ISPE Annual Meeting, 29 October – 1 November 2017, San Diego, CA

Steve Thompson, Sr. Manager, Professional Services

ValGenesis, Inc., South San Francisco, CA | Tampa, FL | Chennai, IND


What and Where is the Cloud?

Controlling a System doesn’t mean it’s Secure


Why Control ≠ Secure

• Physical location is not as important as you think

• Cloud professionals focus on security & governance more than “behind the firewall” professionals

• Systems that lack security rigor are not as secure

Focus more on a well-defined and executed security strategy, with the right enabling technology, than you do on the platform

Social Engineering is your biggest threat

• Social engineering became the top attack technique in 2015 for beating cyber security, replacing exploits of hardware and software vulnerabilities, according to a study by security firm Proofpoint.

The CLOUD isn’t your biggest threat… the CROWD is!

SOCIAL ENGINEERING: The use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.


Is the Cloud Less Secure than On-Premise?

• Variations in threat activity not as important as geographic location

– If it can be accessed it can be attacked

– Attacks are opportunistic in nature

– All have equal chances of attack (cloud or enterprise)

• Web application-based attacks hit both

– 53% of service provider environments

– 44% of on-premises environments

• On-premises environment users or customers actually suffer more incidents than those of service provider environments.

– On-premises environment @ 61.4 attacks

– Service provider environment customers @ 27.8 attacks

• On-premises environment users also suffered significantly more brute force attacks

Nothing is safe!

Source: Alert Logic's Fall 2012 State of Cloud Security Report

Current technology makes it extremely hard to snoop or falsify data packets

[Figure; labels: Extremely Hard, Risky, Very Hard]

Source: Haruhiko Araki, Hitachi, Ltd., Comments on 21 CFR Part 11, NTSB Conference Center, Washington, DC


In the Cloud, your data can be made secure

• Data must be owned and maintained by the “Qualified Individuals” (Business Unit)

• IT does not own the data

• Only “Qualified Individuals” can access the data

• Data privacy can be ensured through encryption & multi-tenant architecture, ensuring data integrity

• Data can be compromised / corrupted, ANYWHERE! Preventive measures & procedures are required

WARNING: Be aware of Safe Harbor!

Countries may prohibit some data to cross borders.

Guidance

• CRITICAL REQUIREMENTS

– Security requirements

– Governance requirements

• RULE: Access control is more important than geographic location

– Most data breaches are due to vulnerabilities.

– It doesn’t matter if it’s cloud-based or on-premises.

• COMMAND: Vulnerability testing is absolutely necessary

– No matter what

– No matter where

If it isn’t tested, it isn’t secure!


Is the Cloud considered an “Open System”?

• There is no definitive answer 

• Some consider it an “Open System” because administration is provided as a service from the Cloud Provider

• Others view the Cloud Provider as an extension of their business, just like they do with contractors or consultants, bound by Service Level Agreements (SLA)

• The same is true

– When companies use contractors or consultants for their own on-premise IT infrastructure

– Or even when third parties are used for maintenance of manufacturing equipment, instruments, etc.

• What’s vital is to have Security & Governance requirements in place along with binding agreements (SLAs)

21 CFR Part 11 Open versus Closed Systems

§ 11.10 Controls for closed systems

• Electronic Records

– Create, modify, maintain, or transmit

– Procedures & Controls to ensure authenticity, integrity, confidentiality

– Ensure cannot repudiate signed record as not genuine

• Validation

• Complete & accurate copies

• Protection of records

• Limited access

• Audit trails

• Operational system checks

• Qualified individuals

• Document control

• Revision & change control procedures

§ 11.30 Controls for open systems

• Same as § 11.10, plus additional measures

– Encryption

– Digital signatures

• Ensure authenticity, integrity, confidentiality


Open & Closed System compliance is attainable

A company’s interpretation, along with Cloud configuration, implementation, and maintenance, determines Open versus Closed. Both can be made to comply.

You need technology to effectively use technology!

How do you Validate Cloud‐based systems?

• Cloud computing affords the ability to leverage Service Provider Validation

• IQ & OQ do not have to be redone

• Cloud‐based Validation Lifecycle Management Systems (VLMS) are a technology tool that can be leveraged 

• Automated Testing fosters rapid deployment and change / configuration management

• Leverage Vendor’s IQ, OQ.  Focus on customer’s PQ

• A more controlled V‐Model is achieved

You need technology to effectively use technology!


Change Control ensures systems are maintained in a Validated state

• Change Control systems and procedures must be in place

• A Validation Lifecycle Management System (VLMS) can deliver Change Control functionality or integrate with other Change Control systems

• Impact of Change can be automatic, identifying affected requirements or documents along with pre‐determined risk mitigating processes 

• Validation can prove data is encrypted allowing system to comply with regulation and ensure data integrity

You need technology to effectively use technology!

Cloud systems are “Readily Available” and Secure

• Regulation requires systems be “readily available”

• Typical Cloud-based solutions can have

– 99.999% up-time

– High Availability (HA)

– Fault Tolerance & Fail Over

• Multi-tenant architecture assures data is separate, segregated, secure, and data integrity is maintained

• Disaster Recovery / Business Continuity is essentially delivered in Cloud-based computing

You need technology to effectively use technology!


Is the Cloud Safe for Pharmaceutical Companies?

YES

The Cloud is safe for Pharmaceutical companies, but agility, rapid deployment, and efficient change management are required.

You need technology to effectively use technology!

• Five Most Prevalent Web Threats Today

1. Bots and Web Scraping

2. DDoS (Distributed Denial of Service)

3. Cross-Site Scripting

4. SQL Injection

5. Malware

• Technology Solutions

– DDoS (security)

– Website Security (security)

– Content Delivery Network (performance)

– Load Balancer (performance)

You need technology to effectively use technology!


What Pharmaceutical Companies need 

• Agility

• Rapid deployment

• Efficient change management

• Systems must be Validated

– Software

– Infrastructure

• Legacy paper-based systems cannot

– Maintain

– Sustain

– Remain

Contact Details

Ph: 510 445 0505

Steve @ ext 1030

www.valgenesis.com


YES

The Cloud is safe for Pharmaceutical companies, but agility, rapid deployment, and efficient change management are required.

Controversial Statements: Agree / Disagree?

• Cloud is better than on-premise systems

– Secure

– Accessible

– Flexible

– Economic

– Reliable

• Cloud is collectively more compliant

– Infrastructure Qualification & Validation

– Configuration & Change Management

– Data integrity

– Disaster Recovery / Business Continuity

• Overall, Cloud performance is better

– Reliability

– Connectivity

– Scalability

– Rapid deployment
