Ensuring Data Integrity in the Cloud Environment

4/12/2020

ENSURING DATA INTEGRITY IN THE CLOUD ENVIRONMENT

PRESENTATION - PEERS, APRIL 16, 2020

ORLANDO LOPEZ, E-COMPLIANCE AND E-RECORDS INTEGRITY SME

OBJECTIVE

• The objective of this presentation is to go over those elements in data integrity impacting cloud related services.


REFERENCES

• NIST SP 800-27rA, Engineering Principles for Information Technology Security (A Baseline for Achieving Security), Revision A

• López, O., “Electronic Records and Cloud Computing”, in Best Practices Guide to Electronic Records Compliance, (CRC Press, Boca Raton, FL, 1st ed., 2017), pp. 193-199.


• López, O., “A Computer Data Integrity Compliance Model,” Pharmaceutical Engineering, March 2015.

• Regulatory Analysis (rev 03-November-2019) https://drive.google.com/open?id=1EqeWvGAipuuwQJh2qf0v7ru50BiWzov-

• ECA Data Integrity & IT Compliance Group, “ECA ITWG Cloud SP Selection SOP Draft 001,” https://www.it-compliance-group.org/icg_best-practice.html

• López, O., “Designing Data Integrity into your Practices,” presented at the PEERS Meeting, Durham, NC, 04/19/2018.

DEFINITIONS


Back end Architecture. Comprises the part of the cloud computing architecture that powers the front-end architecture. This includes the core components of the system such as hardware and storage and is generally located in a server farm in a geographically distant location.

Cloud Computing. A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with essential characteristics. (NIST)

Data or Data Elements. The contents of the record, is the basic unit of information that has a unique meaning and can be transmitted. (ISO/IEC 17025)

Data Flow. Diagram that maps the flow of information of any process or system (inputs, outputs, storage points and routes between each destination). (CEFIC)


Data Integrity. The property that data has not been altered in an unauthorized manner since it was created, transmitted or stored. (NIST SP 800-27rA) The extent to which all data are complete, consistent and accurate throughout the data lifecycle. (MHRA)

Front end Architecture. Denotes any user-facing part of cloud computing architecture. This is the part that the end user interacts with, and it is comprised of subcomponents that make up the user experience. Front end architecture generally takes the form of a user interface and is an integral part of how the user interacts with cloud computing software.

Metadata. Data describing stored data: that is, data describing the structure, data elements, interrelationships, and other characteristics of electronic records. (DOD 5015.2-STD)

Raw Data. Original records and documentation, retained in the format in which they were originally generated (i.e. paper or electronic), or as a ‘true copy’. (MHRA)


Record. Records are defined as the collection of related data treated as a unit (ISPE/PDA, “Technical Report: Good Electronic Records Management (GERM),” July 2002).

In a regulated environment, a record provides evidence of various actions taken to demonstrate compliance with instructions, e.g. activities, events, investigations, and in the case of manufactured batches a history of each batch of product, including its distribution. Records include the raw data which is used to generate other records. For electronic records regulated users should define which data are to be used as raw data. At least, all data on which quality decisions are based should be defined as raw data. (Eudralex Vol 4 Ch 4)

CLOUD DIAGRAM


MHRA

• Where ‘cloud’ or ‘virtual’ services are used, attention should be paid to understanding the service provided, ownership, retrieval, retention and security of data.

SIMPLIFIED ARCHITECTURE CLOUD DIAGRAM

Infrastructure as a service (IaaS)
• servers
• databases
• network
• storage

Platform as a service (PaaS)
• A PaaS provider hosts the infrastructure on its own infrastructure.

Software as a service (SaaS)
• Software distribution model in which a third-party provider hosts applications and makes them available to customers over the Internet.

Business Process as a Service (BPaaS)
• It is a new model for cloud services where the cloud service provider takes full responsibility for not only the design, management, and control of its software application but also the operation of the business process on behalf of the client company.


ANOTHER CONTRACTUAL ARRANGEMENT

SaaS

• Regulated user – SaaS

• Supplier - Application

• Supplier context – PaaS portion hired by supplier (PaaS hosted by other)


PRO AND CON

PRO

• Lower cost for developing a system.

• Faster development and deployment.

• Lower overhead cost to maintain the system.

CON

• Not complete control of system maintenance.

DATA INTEGRITY APPROACH


• Back end environment (Supplier)

• Front end environment (Regulated user)

• Assumptions:
  – SLA (EU Annex 11-3)
  – GAMP software category 1 - Operating systems
  – GAMP software category 3 - Non-Configured software
  – GAMP software category 4 - Configured software
  – GAMP Hardware category 1 - Standard Hardware Components
  – Supplier provides a Core Application Software
  – Regulated user provides a configuration. Core + Configuration = intended use

DATA INTEGRITY APPROACH – BACK END


BACK END COMPUTING

• Application – interface being offered to the end user. Coordinates the needs of the user with resources in the back end.

• Service – storage, application development environment, web services.

• Cloud Runtime – where service runs. Virtualization allows multiple runtimes to exist on the same server.

• Storage – it is where all data required to operate the cloud software resides.

• Infrastructure – engine powering all cloud software.

• Security – focuses on securing the server with virtual firewalls, preventing data loss and redundancy mechanisms.

• Management – Also known as “middleware,” it is software in charge of allocating specific resources for certain tasks. It is used to divide system resources and infrastructure in a seamless and dynamic manner.


DATA INTEGRITY – BACK END

• Creating

• While in transit

• Storing

• Processing

SLC RECORDS

• Requirements, Functional and Design Specifications

• Configuration

• Testing documents

• Verification results, Executed validation protocols, Summary reports

• Change control records

• CAPA records

• Others

WORKFLOW RECORDS

• Records created by the application

• Manually entered data

• Data from other systems

• E-signatures

• Audit trails and metadata


SLC RECORDS

• Regulated user
  – Potential Data Migration (11-4.8)
  – Risk Assessment (11-1)
  – Suppliers (11-3)
  – Requirements (11-4.4)
  – Periodic Reviews (11-11)
  – Security (11-12)
  – Incident Management (11-13)
  – Business Continuity (11-16)
  – Printouts (11-8)
  – Data
    • I/Os (11-5)
    • Accuracy Checks (11-6)
  – Self Inspection

• Supplier
  – Service Level Agreement
  – 2nd Principle (Infrastructure should be qualified)
  – Requirements (11-4.4)
  – Validation (11-4)
  – Configuration Management (11-10)
  – Periodic Reviews (11-11)
  – Security (11-12)
  – Incident Management (11-13)
  – Business Continuity (11-16)
  – Data
    • Data Migration (11-4.8)
    • I/Os (11-5)
    • Data Storage (11-7)
    • Data Archiving (11-17)
    • Accuracy Checks (11-6)
  – Self Inspection
  – E-sig (11-14)

Supplier manages


WORKFLOW RECORDS

• Creating

• While in transit

• Storing

• Processing


CREATION OF E-RECORDS

• All data become a record when the data is saved to a durable storage location.

• To avoid transient data, the data must be saved contemporaneously.

• CGMP controls to transient data:
  – Infrastructure must be qualified. (EU Annex 11 Principle 2)
  – System holding transient records must contain built-in checks. (EU Annex 11-5)
  – Accuracy for transient data entered manually. (EU Annex 11-6)

E-RECORDS WHILE IN TRANSIT

• E-records integrity controls:
  – Infrastructure must be qualified. (EU Annex 11 Principle 2)
  – System transmitting e-records must have built-in checks. (EU Annex 11-4.8 and 5)
  – Accuracy for transient data entered manually. (EU Annex 11-6)
  – E-records cannot be altered in an unauthorized manner. (EU Annex 11-12.1)


PROCESSING E-RECORDS

• Archiving (EU Annex 11-17)

• Audit trails (EU Annex 11-9)

• Built-in checks (EU Annex 11-5)

• E-signatures (EU Annex 11-14)

• Print outs/Reports (EU Annex 11-8)

• Security (EU Annex 11-12)

STORED E-RECORDS

• Migration (EU Annex 11-4.8)

• E-records in Storage (EU Annex 11-7)

• File Integrity Checking

• Records Archiving (EU Annex 11-17)

• Records retirement (MHRA DI Guidance Section 6.7)


DATA INTEGRITY APPROACH – FRONT END (REGULATED USER)

FRONT END COMPUTING

• Software - web browser or client-side application

• User Interface

• Client Device/Network - user’s PC and input devices


FRONT END ENVIRONMENT

• Interface between regulated user infrastructure, internet, and cloud infrastructure.

• Middleware and drivers associated with the communication to the cloud.

• SLA

REGULATED USER ENVIRONMENT

• E-records integrity controls:
  – LAN Infrastructure must be qualified. (EU Annex 11 Principle 2)
  – Cryptographic infrastructure (e.g., VPN) must be qualified. (EU Annex 11 Principle 2)
  – System transmitting e-records must have built-in checks. (EU Annex 11-4.8 and 5)
  – Operating Procedures.


SUMMARY

• For the purpose of simplifying the analysis of data integrity controls for a cloud system, the environments to be controlled can be divided into Front End and Back End.

• In the back end, or supplier's environment, the controls can be segregated as records creation, records while in transit, records in storage, and records processing.

• In the front end, or regulated user environment, the only data integrity controls are related to the interface between the front and back end.


Orlando López, E-Compliance and E-Records Integrity SME
