transform your cloud validation strategy from cloudy to clear

Upload: techwell

Post on 21-Jan-2018

TRANSCRIPT

Page 1: Transform Your Cloud Validation Strategy from Cloudy to Clear

T22 Cloud Testing 10/6/16 15:00

Transform Your Cloud Validation Strategy from Cloudy to Clear

Presented by: Vandana Viswanathan, Cognizant Technology Solutions

Brought to you by:

350 Corporate Way, Suite 400, Orange Park, FL 32073
888-268-8770 · 904-278-0524 · [email protected] · http://www.starwest.techwell.com/

Page 2: Transform Your Cloud Validation Strategy from Cloudy to Clear

   

Vandana Viswanathan

Vandana Viswanathan is a solutions-driven information technology leader with more than fifteen years of experience providing consultative management in regulatory compliance, intelligent process automation, program and quality management, SDLC/QA transformation, testing account management, and client relationship management services for clients worldwide. Her consulting industry experience spans across life sciences, healthcare, and insurance verticals. Vandana has designed intelligent automation solutions for large clients and pioneered best-in-class quality assurance frameworks for cloud-based and COTS systems. Vandana has led and implemented PMO, change management, and SDLC & QA process transformation for large corporate clients.

Page 3: Transform Your Cloud Validation Strategy from Cloudy to Clear

© 2016 Cognizant

How to Transform Your Cloud Validation Strategy from Cloudy to Clear

Vandana Viswanathan, Associate Director, Process & Quality Consulting

[email protected]

Page 4: Transform Your Cloud Validation Strategy from Cloudy to Clear

Agenda

Cloud Hosting Overview
- Introduction to Cloud Hosting
- Challenges for Cloud Adoption and Validation
- Context for Validation

Validation and Framework for Cloud
- Framework for Cloud Hosting
- Cloud Provider Assessment
- Validation Strategy
- End-to-End Risk Based Testing approach
- Change Management in Cloud
- Audit/Inspection readiness

Stages for a Sound Cloud Application Migration/Implementation Strategy

Next Steps, Benefits and Summary

Case Studies

Page 5: Transform Your Cloud Validation Strategy from Cloudy to Clear

Cloud Hosting Overview

Cloud Computing Model Definition (NIST)

• Enabling convenient, on-demand network access to a shared pool of configurable computing resources
• Can be rapidly provisioned and released with minimal management effort or service provider interaction.

Five Essential Characteristics
- Resource pooling
- Broad network access
- Rapid elasticity
- On-demand self-service
- Measured Service

Key Drivers for Moving to Cloud
- Small initial investment and on-going cost
- Acquire computing and development services as needed and on demand
- Open Standards
- Sustainability

Page 6: Transform Your Cloud Validation Strategy from Cloudy to Clear

Cloud Hosting Overview (Cont.)

Cloud Services Delivery Model

Diagram: for each delivery model (IaaS, PaaS, SaaS) the stack Application / Platform / Virtualization / Hardware is divided between Vendor responsibility and Client responsibility, with the vendor owning more of the stack as the model moves from IaaS to PaaS to SaaS.

Infrastructure as a Service: Providers offer computers – physical or (more often) virtual machines – and other resources.

Platform as a Service: Providers deliver a computing platform, typically including operating system, programming-language execution environment, database, and web services.

Software as a Service: Users gain access to application software and databases. Priced on a pay-per-use basis or using a subscription fee.

Page 7: Transform Your Cloud Validation Strategy from Cloudy to Clear

Client Challenges driving Cloud Agenda

What we are hearing from our clients & our readiness to help them

Cloud Adoption Issues
• Regulatory Compliance (e.g., SOX, FDA, HIPAA)
• Data Security and Privacy – PHI
• Reliability and Performance
• Governance & Change Management
• Legacy IT
• Existing investment in the On-premise IT
• Lack of resources / expertise *

CIO Challenges
• Business asking to do more with less
• Regulatory requirements e.g. GxP, HIPAA guidelines & audits
• Addressing CSO concerns
• Organizational silos and varied interest
• Building a case for transformation

Cloud Levers
• Business demands e.g. Release faster
• Operations Efficiency
• Business Transformation
• Innovation

* Lack of resources / expertise is the #1 cloud challenge in 2016. Source: RightScale 2016 State of the Cloud Report

Page 8: Transform Your Cloud Validation Strategy from Cloudy to Clear

Challenges for Cloud Validation

Compliance
- Compliance to external regulations
- Compliance to internal Policies
- Data Privacy: Control of PII data in Global environment
- Inspections and Audits

Operating Control
- Upgrading at Various Levels and Change Management
- Incident Management
- Performance Monitoring
- Logging, Audit Trails and Reporting

Reliability and Performance
- Service Availability
- Performance / Scalability / Elasticity
- Data Backup
- Disaster Recovery and Business Continuity

Security
- Network security
- Host Security
- Application Security
- Data Security
- Identity and Access Management

Risk Control - Share Responsibilities between Client and Vendor for the above

Page 9: Transform Your Cloud Validation Strategy from Cloudy to Clear

Regulated, Non-regulated and Business Critical Applications

Cloud Adoption Statistics: 82% of enterprises have a multi-cloud strategy and only 3% of enterprises have no plans at all. (Survey of respondents with 1000+ employees) Source: RightScale 2016 State of the Cloud Report

Regulated Applications: must meet regulatory requirements
- Banking and Financial Services: SOX
- Health Care: HIPAA
- Life Science: GxP

Specific Risks for Regulated Applications (Life Science as an example)
- Impact on Patient Safety and Product Quality
- Subject to Good Laboratory, Clinical and Manufacturing Practices (GLP, GCP, GMP) requirements
- Electronic Records and Signatures Regulations (21 CFR Part 11)
- End to End Validation is required across the entire System Development Life Cycle
- FDA Inspections

Business Critical Applications: Business and Software requirements need to be captured and tested based on Business risks

Page 10: Transform Your Cloud Validation Strategy from Cloudy to Clear

Cloud Adoption – Validation / Testing Context

Background
• Cloud adoption in regulated applications lags behind
• Compliance accountability cannot be outsourced
• Lacking regulatory guidance
• Cloud adoption changes the risk profile of the application
• A risk based Validation approach is required

Experience
• Relationships with many cloud providers - a unique, cross-market insight
• Cloud Providers and Regulations: Disparity between marketing claims and actual understanding / competence
• Consumers in Regulated Areas: Wide variation in approach to Risk Management

Lessons Learned
• Regulatory concern need not prevent adoption
• Existing guidance on Risk Management adequate – leverage to overcome barriers to adoption
• Strategic use of Audit/Assessment and SLA monitoring to manage risk and minimize cost of compliance

Benefits
• Lower costs
• Infrastructure and application optimization
• Faster time to market
• Accelerated innovation
• Enhanced collaboration
• Better and faster disaster recovery management

Page 11: Transform Your Cloud Validation Strategy from Cloudy to Clear

Validation/Testing Framework for Cloud Hosting

The Transformation Solution (Methodology, Technology and Testing Approach, applied across SaaS, PaaS and IaaS)

- Vendor Assessments: Qualify Provider
- Risk-based Validation: Validation Strategy
- Testing: Functionality, Performance, Security, Installation, Migration Testing
- Governance: Change Control; User Access Control
- Inspection Readiness: Documentation, Logs & Audit Trails, Record Retention

Page 12: Transform Your Cloud Validation Strategy from Cloudy to Clear

Objective 1: Cloud Provider Assessment

Assessments: Align Client QMS / Gap Analysis → Risk Control & Mitigation Measures → Report & Recommend

Focus Areas during Assessment

Contract & SLAs

Security & Privacy Policies & Controls
- Network, Host and Application Level Security
- Data Security / Encryption
- User Management and Access Control
- Data Privacy Measures (PII data)

Operating Procedures
- Data Backup and Disaster Recovery
- Performance Monitoring
- Incident Management

SDLC
- SDLC Standards, Procedures
- SDLC Documentation
- Release Management

Application Maintenance

Inspection Support
- Availability of documentation, electronic records, metadata, logs and audit trails during Inspection/Audits
- Record Retention

Page 13: Transform Your Cloud Validation Strategy from Cloudy to Clear

Objective 2: Risk-based QA/Validation Strategy

Perform Risk Assessment
- Information Security Risks
- Data Privacy Risks
- Regulatory Risks
- Business Criticality and Risks
→ Risk Profile

Define Responsibilities
- Boundary of QA - Responsibility between Cloud Provider & Client Organization
- QA Handshake Protocol

Arrive at an End to End QA / Validation Strategy
- Information Security and Data Privacy controls
- Overall testing requirements and level of testing
- Stage gates and release strategy
- Documentation and deliverables
- Requirement tracing approach
- Required Standard Operating Procedures
- Vendor Management and Communication Plan

Page 14: Transform Your Cloud Validation Strategy from Cloudy to Clear

Objective 2: Risk-based Validation Strategy (Cont.)

Shared Responsibility (matrix across PaaS, SaaS and IaaS)

Client Organization
- Risk-based UAT performed by the client prior to go-live
- Client performs software development as per their SDLC
- Client manages Installation testing for any software / platform hosted
- Client performs design, configuration, testing and deployment of virtualized infrastructure

Cloud Provider & Partner
- Development phase is black box to the client
- Vendor provides environments - Test and Production
- Platform maintenance and Installation / Configuration Testing are managed by Vendor
- Platform policies must align with Client’s privacy and security policies
- Vendor’s policies must align with client’s infrastructure Management procedure
- Pre-defined change control process for improved scalability of infrastructure

Page 15: Transform Your Cloud Validation Strategy from Cloudy to Clear

Objective 3: Risk-Based Cloud Testing Approach

Security Testing
Risks:
• Unauthorized Access
• Malicious Attacks
• Insufficient Encryption
Tests:
• Network Security
• Authentication and Authorization
• IAM
• Data Encryption
• Testing log files and Audit Trails
• Vulnerability Scan

Performance Testing
Risks:
• Capacity not scalable
• Response Time increases at peaks
Tests:
• Scalability or Elasticity Testing
• Response Time
• Load and Stress Testing
• Endurance Testing

Installation / Availability Testing
Risks:
• Installation, Configuration and Connection errors
• Loss of Data during Disaster
Tests:
• System installed / configured per pre-approved Specifications
• Availability to users
• Connectivity to interfaced systems / services
• Data Backup, Disaster Recovery

Functionality Testing
Risks:
• Critical Requirements not met
• Integration with systems outside the Cloud
Tests:
• End-to-End Business Processes (User Acceptance)
• Interface with other systems / services within or outside the Cloud (Integration Testing)
• Usability Testing
• Tracing to Business and Functional Requirements

Page 16: Transform Your Cloud Validation Strategy from Cloudy to Clear

Objective 3: Risk-Based Cloud Testing Approach (Cont.)

Testing Strategy for Migration to Cloud

Installation / Configuration Testing
• Infrastructure Layer Testing
• Virtualization Level Testing
• Platform Layer Testing
• Application Layer Testing
• Separation of responsibility depends on Cloud Delivery Model (SaaS, PaaS, IaaS)

Data Migration
• Data Cleanup
• Correct Data Conversion
• Tracking Migrated Data (audit trail)
• Sampling, Record Counting and Business Verification
• Parallel Runs and Cutover

Regression Testing
• Critical Business Processes
• Integration with other systems in Cloud
• Integration with other systems On-premise
• Integration with third-party service providers (IAM etc.)

Page 17: Transform Your Cloud Validation Strategy from Cloudy to Clear

Objective 4: Governance - Change Management in the Cloud

Identify Change
In which layer does the change occur?
• Infrastructure
• Virtualization
• Platform
• Application

Impact Analysis
• Technical Impact
• Business Impact
• Compliance & Regulatory Impact

Define Responsibility
• Identify Change Management Procedures from cloud provider
• Identify Change Management Procedures from Client
• Determine the boundary of responsibility between Client and cloud Provider
• Determine handshake protocol between Client procedures and Cloud provider procedures

Implementation and Validation
• Installation & Configuration Testing
• Regression Testing of impacted areas
• Regression Testing of critical business processes
• Regression Testing of interfaces with other systems

Deliverables: Approval; Impact Assessments; Implementation & Testing Strategy; Evidence & Change Summary Document
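The four stages above (identify the layer, analyse impact, settle who owns the procedure, then scope regression testing) are mechanical once the system's dependencies are written down. The script below is an added illustration, not code from the presentation or from Cognizant: it holds a small constructed inventory of components per layer, their dependency edges, their interfaces to systems outside the cloud, and the critical business processes that touch them, and derives the impacted areas and the required testing for a given change. All component names, edges and processes are invented sample data.

```python
"""Change impact analysis for a cloud-hosted system (added illustration).

The inventory, dependencies, interfaces and business processes below are
constructed sample data; they are not taken from the presentation.
"""
from collections import deque

# Each change lands in exactly one of the layers named on the slide.
LAYERS = ("infrastructure", "virtualization", "platform", "application")

# Constructed inventory: component -> (layer, party whose change-management
# procedure applies). "provider" = cloud provider, "client" = client org.
COMPONENTS = {
    "vpc-network":   ("infrastructure", "provider"),
    "hypervisor":    ("virtualization", "provider"),
    "db-service":    ("platform", "provider"),
    "app-runtime":   ("platform", "provider"),
    "patient-app":   ("application", "client"),
    "reporting-app": ("application", "client"),
}

# Constructed dependency edges: (dependent, depends_on).
DEPENDENCIES = [
    ("hypervisor", "vpc-network"),
    ("db-service", "hypervisor"),
    ("app-runtime", "hypervisor"),
    ("patient-app", "app-runtime"),
    ("patient-app", "db-service"),
    ("reporting-app", "db-service"),
]

# Constructed interfaces to systems on-premise or run by third parties.
INTERFACES = {
    "patient-app": ["legacy-lims (on-premise)", "saml-idp (3rd-party IAM)"],
    "reporting-app": ["data-warehouse (on-premise)"],
}

# Constructed critical business processes and the components they touch.
BUSINESS_PROCESSES = {
    "patient enrolment": ["patient-app", "db-service"],
    "adverse event report": ["patient-app", "reporting-app"],
}


def impacted_components(changed):
    """Return every component that transitively depends on `changed`."""
    dependents = {}
    for dep, on in DEPENDENCIES:
        dependents.setdefault(on, []).append(dep)
    seen, queue = set(), deque([changed])
    while queue:                      # breadth-first walk up the dependents
        node = queue.popleft()
        for dep in dependents.get(node, []):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return sorted(seen)


def plan_change(changed):
    """Build the impact assessment and test scope for a change to `changed`."""
    if changed not in COMPONENTS:
        raise KeyError(f"unknown component: {changed}")
    layer, owner = COMPONENTS[changed]
    impacted = impacted_components(changed)
    affected = [changed] + impacted
    processes = sorted(p for p, comps in BUSINESS_PROCESSES.items()
                       if any(c in affected for c in comps))
    interfaces = sorted({i for c in affected for i in INTERFACES.get(c, [])})
    tests = []
    # Anything below the application layer is installed/configured, so it
    # gets installation & configuration testing before regression.
    if layer != "application":
        tests.append("installation / configuration testing")
    if impacted:
        tests.append("regression testing of impacted areas")
    if processes:
        tests.append("regression testing of critical business processes")
    if interfaces:
        tests.append("regression testing of interfaces with other systems")
    return {
        "change": changed,
        "layer": layer,
        "procedure_owner": owner,       # whose change procedure is invoked first
        "impacted_components": impacted,
        "critical_processes": processes,
        "interfaces": interfaces,
        "required_testing": tests,
    }


if __name__ == "__main__":
    for name in ("db-service", "reporting-app"):
        for key, value in plan_change(name).items():
            print(f"{key:>20}: {value}")
        print()
```

A platform-level change such as `db-service` fans out to both applications and therefore to every business process and interface, while a change confined to `reporting-app` stays inside that application's own scope; the `procedure_owner` field is the hook for the handshake between the provider's and the client's change procedures.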

Page 18: Transform Your Cloud Validation Strategy from Cloudy to Clear

Objective 4: Governance - Change Management in the Cloud (Cont.)

Platform / Infrastructure Update As an Example

Flowchart: Platform Patch → Technical Impact Assessment → App Update?
- Yes: Application Update → Test Planning → Test Execution → Application Patch Release
- No: Doc Update → Sanity Test

Page 19: Transform Your Cloud Validation Strategy from Cloudy to Clear

Objective 4: Governance - User Access Control

Determine Responsibilities: Client Organization / Cloud Provider / 3rd Party IAM Service Provider

Align Procedures: Access Management Procedures

User Management
• User Provisioning and De-Provisioning
• Credential Management
• Authorization Policies
• Identity Federation

Monitoring
• Logs and Audits
• Authentication & Authorization Records
• Reports of Access Activities

Review
• Periodic Review of User Accounts
• Periodic Review of Access Rights and Privileges
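The Monitoring and Review items above come together in the periodic access review: the reviewer takes the IAM inventory and the authentication records and looks for accounts that should no longer exist, privileges that exceed what the authorization policy grants, and activity that the inventory cannot explain. The script below is an added example, not code from the presentation or from any cloud provider; its role policy, IAM export and audit-trail lines are constructed sample data, and the 90-day dormancy window is an assumed review threshold.

```python
"""Periodic user access review over a constructed IAM export and audit trail.

All data here is constructed for illustration; it does not come from the
presentation or from a real provider export.
"""
from datetime import datetime, timedelta

REVIEW_DATE = datetime(2016, 10, 1)       # date the review is run (assumed)
DORMANT_AFTER = timedelta(days=90)        # assumed dormancy threshold

# Constructed authorization policy: role -> privileges that role may hold.
ROLE_POLICY = {
    "analyst": {"read:records"},
    "admin": {"read:records", "write:records", "manage:users"},
}

# Constructed IAM export: users, their role, effective privileges, status and
# the de-provisioning date recorded by the leaver process (None if none).
IAM_USERS = [
    {"user": "alice", "role": "admin",
     "privileges": {"read:records", "write:records", "manage:users"},
     "enabled": True, "deprovision_after": None},
    {"user": "bob", "role": "analyst",
     "privileges": {"read:records", "write:records"},
     "enabled": True, "deprovision_after": None},
    {"user": "carol", "role": "analyst",
     "privileges": {"read:records"},
     "enabled": True, "deprovision_after": datetime(2016, 8, 15)},
    {"user": "dave", "role": "analyst",
     "privileges": {"read:records"},
     "enabled": True, "deprovision_after": None},
]

# Constructed audit-trail lines (who, what, when) in a key=value export shape.
AUDIT_TRAIL = """\
2016-09-28T09:12:05Z user=alice action=AUTH result=success
2016-09-28T09:40:11Z user=bob action=AUTH result=success
2016-09-29T17:03:44Z user=carol action=AUTH result=success
2016-06-02T08:00:00Z user=dave action=AUTH result=success
2016-09-30T11:15:27Z user=mallory action=AUTH result=success
""".splitlines()


def parse_audit_line(line):
    """Split one audit-trail line into a dict with a parsed timestamp."""
    ts, *fields = line.split()
    record = dict(f.split("=", 1) for f in fields)
    record["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return record


def last_successful_auth(lines):
    """Map each user to the timestamp of its most recent successful login."""
    latest = {}
    for rec in map(parse_audit_line, lines):
        if rec["action"] == "AUTH" and rec["result"] == "success":
            user = rec["user"]
            if user not in latest or rec["time"] > latest[user]:
                latest[user] = rec["time"]
    return latest


def review_access(users, audit_lines, review_date=REVIEW_DATE):
    """Return review findings as (user, finding) tuples."""
    findings = []
    last_auth = last_successful_auth(audit_lines)
    known = {u["user"] for u in users}
    for u in users:
        name = u["user"]
        # Access rights and privileges: anything beyond the role's policy.
        excess = u["privileges"] - ROLE_POLICY[u["role"]]
        if excess:
            findings.append((name, f"privileges beyond role policy: {sorted(excess)}"))
        # De-provisioning: a leaver whose account is still enabled.
        if u["deprovision_after"] and u["enabled"] and review_date > u["deprovision_after"]:
            findings.append((name, "account still enabled after de-provisioning date"))
        # User accounts: no successful login inside the dormancy window.
        seen = last_auth.get(name)
        if seen is None or review_date - seen > DORMANT_AFTER:
            findings.append((name, "dormant: no successful login in review window"))
    # Access activity that the inventory cannot explain.
    for name in sorted(set(last_auth) - known):
        findings.append((name, "activity recorded for user absent from IAM inventory"))
    return findings


if __name__ == "__main__":
    for user, finding in review_access(IAM_USERS, AUDIT_TRAIL):
        print(f"{user:<8} {finding}")
```

The review deliberately reads the provider's audit trail rather than the IAM console alone: the orphaned `mallory` login is only visible from the authentication records, which is why the slide lists logs and access-activity reports under Monitoring alongside the account and privilege reviews.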

Page 20: Transform Your Cloud Validation Strategy from Cloudy to Clear

Objective 5: Audit / Inspection Readiness

State of Control
- Infrastructure
- Platform
- Application

Documented Evidence
- Risk Assessment and Controls
- Application Development and Testing Documentation
- Operational Phase: Procedures; Operating Records; Training Records

Page 21: Transform Your Cloud Validation Strategy from Cloudy to Clear

Objective 5: Audit / Inspection Readiness (Cont.)

Client Organization is accountable for Compliance. Via Vendor Audit/Assessment and Contractual Agreements, Client Organization should ensure Cloud Provider maintains key Records, Reports and Audits.

Examples of Cloud Provider Records
- IAM Users / Groups / Roles
- IAM Providers (for example, for SAML & OpenID Connect) Records if applicable
- Resource Based policies in other services (for example, Storage Services)
- Security Configuration
- Monitor activity in cloud accounts
- Operating Logs and/or Audit Trails
- Application validation records (SaaS)
- Virtual infrastructure Installation / Configuration records
- End User account info & training records
- Technical support cases
- IT Training records
- Cloud Account credentials

Page 22: Transform Your Cloud Validation Strategy from Cloudy to Clear

Next Steps – Adoption

Starters
- Establish goal/objective for cloud adoption
- Initiate a workshop with vendor to discuss requirements
- Discuss prospective areas/candidate systems
- Develop implementation roadmap

Early Adopters
- Finalize pilot projects for implementation
- Share insight/experiences with vendor on provider data gathered
- Finalize implementation schedule and initiate Statement of Work
- Initiate supplier assessment with vendor

Pioneers
- Identify additional divisions/areas of the organization for cloud adoption
- Select systems to be hosted
- Collect and analyze key performance metrics on currently hosted solutions, partner performance and cost benefits
- Partner with vendor and share key organizational goals
- Develop implementation roadmap

Page 23: Transform Your Cloud Validation Strategy from Cloudy to Clear

Benefits to Client Organization

Compliance Assurance
- Ensure System is developed in Compliance with:
  - Regulatory Requirements
  - Organizational SDLC, Information Security, and Data Privacy Policies, Standards and Procedures
  - Industrial Best Practices

Efforts and Cost Saving
- Validation and Testing are risk-based, hence efforts and cost are optimized
- Saving due to shared responsibility and leveraging Cloud Provider’s testing and documentation

State of Control
- Governance in place for Change Management and Access Control to ensure System is maintained in a State of Control post go-live to meet changing business needs
- System is ready for any potential Audit / Inspection

Page 24: Transform Your Cloud Validation Strategy from Cloudy to Clear

Summary of Cloud Validation Strategy

Security, data privacy, and regulatory compliance are critical factors when defining a QA / validation strategy for moving business applications from in-house client hosted environments to a cloud platform. An appropriate level of risk assessments must be performed.

Cloud validation and verification strategies should be risk-based to optimize efforts and costs.

Cloud validation and testing are shared efforts between client organization and cloud provider. The responsibilities should be clearly defined based on cloud delivery model.

Cloud validation should ensure governance is in place for change and access management to maintain a cloud hosted system in a state of control that is ready for audits / inspections.

Page 25: Transform Your Cloud Validation Strategy from Cloudy to Clear

Case Study 1: Cloud Hosting Validation for a Fortune 100 Pharmaceutical Company

Business Needs
- Client is a top Fortune 100 global Pharma company based out of the US.
- The Scope was to validate a Patient Data Management platform hosted on the cloud (Oracle Managed Cloud Services and Accenture Life Sciences Cloud).

Challenges
- The Platform consisted of 10+ GxP regulated applications on premise and on the cloud
- Cloud Applications needed to integrate with each other and interface with existing legacy applications On Premise
- Budget constraint and tight timeline

Solution
- Conducted Cloud Provider Assessments
- Conducted InfoSec, Data Privacy and Regulatory Risk Assessments
- Defined a cost-effective validation strategy based on risk assessments
- Leveraged vendor testing
- Built a Testing strategy focusing on end-to-end systems integration (within and outside the Cloud)
- Ensured operating procedures are in place for Change Management, User Access, Performance Monitoring and DR, and that the Client procedures and Cloud Provider procedures were fully aligned.

Benefits
- Average cost savings of 20% for the overall program due to the risk-based validation strategy that optimized the validation efforts
- Average resource cost savings of 30% achieved by implementing the risk-based testing model and performing collaborative testing with the Cloud Provider and leveraging testing documents from Cloud Provider.
- Passed a regulatory compliance audit with zero major findings

Page 26: Transform Your Cloud Validation Strategy from Cloudy to Clear

Case Study 2: Cloud Application Validation for a Top 10 Pharmaceutical Company

Business Needs
- Client has developed a VPC platform, which is a framework of automated controls and tools, that allows provisioning of GxP applications on AWS cloud.
- In order for VPC to host regulated workloads, the Platform and its underlying infrastructure components need to be evaluated for conformance with GxP requirements

Challenges
- AWS policies and procedures have not been shared with the client organization
- AWS procedures for Identity and access management have not been audited by client

Solution
- Performed an assessment of AWS controls and processes, by mapping SOC report controls against client’s SDLC requirements and SOP standards
- Assessed current SDLC deliverables and operating processes for VPC platform and identified gaps with provided recommendations
- Documented end-to-end process for Infrastructure provisioning and application installation
- Performed security assessment and analysis of controls and automation across AWS and the VPC platform

Benefits
- Established a framework to validate client’s VPC environment for GxP workloads
- Set precedence to onboard additional GxP applications onto cloud infrastructure
- Qualification of cloud platform for GxP workloads will enable other applications to leverage the high scalability, flexibility, and low-cost aspects of AWS cloud services
- Maintain compliance with regulatory requirements
- Identified and remediated gaps in VPC documentation

Page 27: Transform Your Cloud Validation Strategy from Cloudy to Clear

Thank you

Vandana Viswanathan [email protected]