T22 Cloud Testing 10/6/16 15:00
Transform Your Cloud Validation Strategy from Cloudy to Clear
Presented by:
Vandana Viswanathan
Cognizant Technology Solutions
Brought to you by:
350 Corporate Way, Suite 400, Orange Park, FL 32073 · 888-268-8770 · 904-278-0524 · http://www.starwest.techwell.com/
Vandana Viswanathan is a solutions-driven information technology leader with more than fifteen years of experience providing consultative management in regulatory compliance, intelligent process automation, program and quality management, SDLC/QA transformation, testing account management, and client relationship management services for clients worldwide. Her consulting industry experience spans life sciences, healthcare, and insurance verticals. Vandana has designed intelligent automation solutions for large clients and pioneered best-in-class quality assurance frameworks for cloud-based and COTS systems. Vandana has led and implemented PMO, change management, and SDLC & QA process transformation for large corporate clients.
© 2016 Cognizant
How to Transform Your Cloud Validation Strategy from Cloudy to Clear
Vandana Viswanathan Associate Director, Process & Quality Consulting
Agenda
Cloud Hosting Overview
Challenges for Cloud Adoption and Validation
Introduction to Cloud Hosting
Context for Validation
Framework for Cloud Hosting
Validation and Framework for Cloud
Cloud Provider Assessment
Validation Strategy
End-to-End Risk Based Testing approach
Change Management in Cloud
Audit/Inspection readiness
Stages for a Sound Cloud Application Migration/Implementation Strategy
Next Steps, Benefits and Summary
Case Studies
Cloud Hosting Overview
Cloud Computing Model Definition (NIST)
• Enabling convenient, on-demand network access to a shared pool of configurable computing resources
• Can be rapidly provisioned and released with minimal management effort or service provider interaction.
Five Essential Characteristics
• Resource pooling
• Broad network access
• Rapid elasticity
• On-demand self-service
• Measured Service
Key Drivers for Moving to Cloud
• Small initial investment and on-going cost
• Acquire computing and development services as needed and on demand
• Open Standards
• Sustainability
Cloud Hosting Overview (Cont.)
Cloud Services Delivery Model
[Figure: the Application / Platform / Virtualization / Hardware stack shown for each of IaaS, PaaS and SaaS, with a legend for Vendor and Client responsibility]
Infrastructure as a Service (IaaS): Providers offer computers – physical or (more often) virtual machines – and other resources.
Platform as a Service (PaaS): Providers deliver a computing platform, typically including operating system, programming-language execution environment, database, and web services.
Software as a Service (SaaS): Users gain access to application software and databases. Priced on a pay-per-use basis or using a subscription fee.
Client Challenges driving Cloud Agenda
What we are hearing from our clients & our readiness to help them
Cloud Adoption Issues
• Regulatory Compliance (e.g., SOX, FDA, HIPAA)
• Data Security and Privacy – PHI
• Reliability and Performance
• Governance & Change Management
• Legacy IT
• Existing investment in the On-premise IT
• Lack of resources / expertise
CIO Challenges
• Business asking to do more with less
• Regulatory requirements e.g. GxP, HIPAA guidelines & audits
• Addressing CSO concerns
• Organizational silos and varied interest
• Building a case for transformation
Cloud Levers
• Business demands e.g. Release faster
• Operations Efficiency
• Business Transformation
• Innovation
* Lack of resources / expertise is the #1 cloud challenge in 2016. Source: RightScale 2016 State of the Cloud Report
Challenges for Cloud Validation
Compliance
• Compliance to external regulations
• Compliance to internal Policies
• Data Privacy: Control of PII data in Global environment
• Inspections and Audits
Operating Control
• Upgrading at Various Levels and Change Management
• Incident Management
• Performance Monitoring
• Logging, Audit Trails and Reporting
Reliability and Performance
• Service Availability
• Performance / Scalability / Elasticity
• Data Backup
• Disaster Recovery and Business Continuity
Security
• Network security
• Host Security
• Application Security
• Data Security
• Identity and Access Management
Risk Control - Share Responsibilities between Client and Vendor for Above
Regulated, Non-regulated and Business Critical Applications
Regulated Applications: must meet regulatory requirements
Cloud Adoption Statistics: 82% of enterprises have a multi-cloud strategy and only 3% of enterprises have no plans at all (survey of respondents with 1000+ employees). Source: RightScale 2016 State of the Cloud Report
Specific Risks for Regulated Applications (Life Science as an example)
• Impact on Patient Safety and Product Quality
• Subject to Good Laboratory, Clinical and Manufacturing Practices (GLP, GCP, GMP) requirements
• Electronic Records and Signatures Regulations (21 CFR Part 11)
• End to End Validation is required across the entire System Development Life Cycle
• FDA Inspections
Business Critical Applications: Business and Software requirements need to be captured and tested based on Business risks
• Banking and Financial Services: SOX
• Health Care: HIPAA
• Life Science: GxP
Cloud Adoption – Validation / Testing Context
Background
• Cloud adoption in regulated applications lags behind
• Compliance accountability cannot be outsourced
• Lacking regulatory guidance
• Cloud adoption changes the risk profile of the application
• A risk based Validation approach is required
Experience
• Relationships with many cloud providers - a unique, cross-market insight
Cloud Providers and Regulations
• Disparity between marketing claims and actual understanding / competence
Consumers in Regulated Areas
• Wide variation in approach to Risk Management
Lessons Learned
• Regulatory concern need not prevent adoption
• Existing guidance on Risk Management adequate – leverage to overcome barriers to adoption
• Strategic use of Audit/Assessment and SLA monitoring to manage risk and minimize cost of compliance
Benefits
• Lower costs
• Infrastructure and application optimization
• Faster time to market
• Accelerated innovation
• Enhanced collaboration
• Better and faster disaster recovery management
Validation/Testing Framework for Cloud Hosting
The Transformation Solution
Methodology
• Qualify Provider: Vendor Assessments
• Validation Strategy: Risk-based Validation
• Testing Approach: Functionality, Performance, Security, Installation, Migration Testing
• Governance: Change Control, User Access Control
• Inspection Readiness: Documentation, Logs & Audit Trails, Record Retention
Technology
• SaaS, PaaS, IaaS
Objective 1: Cloud Provider Assessment
Application Maintenance
Assessments | Align Client QMS / Gap Analysis | Risk Control & Mitigation Measures | Report & Recommend
Focus Areas during Assessment
Contract & SLAs
Security & Privacy Policies & Controls
- Network, Host and Application Level Security
- Data Security / Encryption
- User Management and Access Control
- Data Privacy Measures (PII data)
Operating Procedures
- Data Backup and Disaster Recovery
- Performance Monitoring
- Incident Management
SDLC
- SDLC Standards, Procedures
- SDLC Documentation
- Release Management
Inspection Support
- Availability of documentation, electronic records, metadata, logs and audit trails during Inspection/Audits
- Record Retention
Objective 2: Risk-based QA/Validation Strategy
Perform Risk Assessment
• Information Security Risks
• Data Privacy Risks
• Regulatory Risks
• Business Criticality and Risks
Risk Profile
Define Responsibilities
• Boundary of QA - Responsibility between Cloud Provider & Client Organization
• QA Handshake Protocol
Arrive at an End to End QA / Validation Strategy
• Information Security and Data Privacy controls
• Overall testing requirements and level of testing
• Stage gates and release strategy
• Documentation and deliverables
• Requirement tracing approach
• Required Standard Operating Procedures
• Vendor Management and Communication Plan
Objective 2: Risk-based Validation Strategy (Cont.)
Shared Responsibility
PaaS
SaaS
IaaS
Risk-based UAT performed by the client prior to go-live
Client performs software development as per their SDLC
Client manages Installation testing for any software / platform hosted
Client performs design, configuration, testing and deployment of virtualized infrastructure
Development phase is black box to the client
Vendor provides environments - Test and Production
Platform maintenance and Installation / Configuration Testing are managed by Vendor
Platform policies must align with Client’s privacy and security policies
Vendor’s policies must align with client’s infrastructure Management procedure
Pre-defined change control process for improved scalability of infrastructure
Client Organization Cloud Provider & Partner
Objective 3: Risk-Based Cloud Testing Approach
Security Testing
Risks: Unauthorized Access; Malicious Attacks; Insufficient Encryption
• Network Security
• Authentication and Authorization
• IAM
• Data Encryption
• Testing log files and Audit Trails
• Vulnerability Scan
Performance Testing
Risks: Capacity not scalable; Response Time increases at peaks
• Scalability or Elasticity Testing
• Response Time
• Load and Stress Testing
• Endurance Testing
Installation / Availability Testing
Risks: Installation, Configuration and Connection errors; Loss of Data during Disaster
• System installed / configured per pre-approved Specifications
• Availability to users
• Connectivity to interfaced systems / services
• Data Backup, Disaster Recovery
Functionality Testing
Risks: Critical Requirements not met; Integration with systems outside the Cloud
• End-to-End Business Processes (User Acceptance)
• Interface with other systems / services within or outside the Cloud (Integration Testing)
• Usability Testing
• Tracing to Business and Functional Requirements
Objective 3: Risk-Based Cloud Testing Approach (Cont.)
Testing Strategy for Migration to Cloud
Installation / Configuration Testing
• Infrastructure Layer Testing
• Virtualization Level Testing
• Platform Layer Testing
• Application Layer Testing
• Separation of responsibility depends on Cloud Delivery Model (SaaS, PaaS, IaaS)
Data Migration
• Data Cleanup
• Correct Data Conversion
• Tracking Migrated Data (audit trail)
• Sampling, Record Counting and Business Verification
• Parallel Runs and Cutover
Regression Testing
• Critical Business Processes
• Integration with other systems in Cloud
• Integration with other systems On-premise
• Integration with third-party service providers (IAM etc.)
Objective 4: Governance - Change Management in the Cloud
Identify Change
In which layer does the change occur?
• Infrastructure
• Virtualization
• Platform
• Application
Impact Analysis
• Technical Impact
• Business Impact
• Compliance & Regulatory Impact
Define Responsibility
• Identify Change Management Procedures from cloud provider
• Identify Change Management Procedures from Client
• Determine the boundary of responsibility between Client and cloud Provider
• Determine handshake protocol between Client procedures and Cloud provider procedures
Implementation and Validation
• Installation & Configuration Testing
• Regression Testing of impacted areas
• Regression Testing of critical business processes
• Regression Testing of interfaces with other systems
Approval | Impact Assessments | Implementation & Testing Strategy | Evidence & Change Summary Document
Objective 4: Governance - Change Management in the Cloud (Cont.)
[Flowchart: Platform / Infrastructure Update as an Example. Labels: Platform Patch; Technical Impact Assessment; App Update? (Yes / No); Application Update; Test Planning; Test Execution; Application; Patch Release; Sanity Test; Doc Update]
Objective 4: Governance - User Access Control
Determine Responsibilities
Client Organization | Cloud Provider | 3rd Party IAM Service Provider
Align Procedures
Access Management Procedures
User Management
• User Provisioning and De-Provisioning
• Credential Management
• Authorization Policies
• Identity Federation
Monitoring
• Logs and Audits
• Authentication & Authorization Records
• Reports of Access Activities
Review
• Periodic Review of User Accounts
• Periodic Review of Access Rights and Privileges
Objective 5: Audit / Inspection Readiness
State of Control
- Infrastructure
- Platform
- Application
Risk Assessment and Controls
Operational Phase
Procedures
Operating Records
Training Records
Application Development and
Testing Documentation
Documented Evidence
Objective 5: Audit / Inspection Readiness (Cont.)
Client Organization is accountable for Compliance. Via Vendor Audit/Assessment and Contractual Agreements, Client Organization should ensure Cloud Provider maintains key Records, Reports and Audits.
Examples of Cloud Provider Records
• IAM Users / Groups / Roles
• IAM Providers (for example, for SAML & OpenID Connect) Records if applicable
• Resource Based policies in other services (for example, Storage Services)
• Security Configuration
• Monitor activity in cloud accounts
• Operating Logs and/or Audit Trails
• Application validation records (SaaS)
• Virtual infrastructure Installation / Configuration records
• End User account info & training records
• Technical support cases
• IT Training records
• Cloud Account credentials
Next Steps – Adoption
Starters
• Establish goal/objective for cloud adoption
• Initiate a workshop with vendor to discuss requirements
• Discuss prospective areas/candidate systems
• Develop implementation roadmap
Early Adopters
• Finalize pilot projects for implementation
• Share insight/experiences with vendor on provider data gathered
• Finalize implementation schedule and initiate Statement of Work
• Initiate supplier assessment with vendor
Pioneers
• Identify additional divisions/areas of the organization for cloud adoption
• Select systems to be hosted
• Collect and analyze key performance metrics on currently hosted solutions, partner performance and cost benefits
• Partner with vendor and share key organizational goals
• Develop implementation roadmap
Benefits
Benefits to Client Organization
Compliance Assurance
Ensure System is developed in Compliance with:
• Regulatory Requirements
• Organizational SDLC, Information Security, and Data Privacy Policies, Standards and Procedures
• Industrial Best Practices
Efforts and Cost Saving
• Validation and Testing are risk-based, hence efforts and cost are optimized
• Saving due to shared responsibility and leveraging Cloud Provider’s testing and documentation
State of Control
• Governance in place for Change Management and Access Control to ensure System is maintained in a State of Control post go-live to meet changing business needs
• System is ready for any potential Audit / Inspection
Summary of Cloud Validation Strategy
Security, data privacy, and regulatory compliance are critical factors when defining a QA / validation strategy for moving business applications from in-house client hosted environments to a cloud platform. An appropriate level of risk assessments must be performed.
Cloud validation and verification strategies should be risk-based to optimize efforts and costs.
Cloud validation and testing are shared efforts between client organization and cloud provider. The responsibilities should be clearly defined based on cloud delivery model.
Cloud validation should ensure governance is in place for change and access management to maintain a cloud hosted system in a state of control that is ready for audits / inspections.
Case Study 1: Cloud Hosting Validation for a Fortune 100 Pharmaceutical Company
Business Needs
• Client is a top Fortune 100 global Pharma company based out of the US.
• The scope was to validate a Patient Data Management platform hosted on the cloud (Oracle Managed Cloud Services and Accenture Life Sciences Cloud).
Challenges
• The Platform consisted of 10+ GxP regulated applications on premise and on the cloud
• Cloud Applications needed to be integrated with each other and interface with existing legacy applications On Premise
• Budget constraint and tight timeline
Solution
• Conducted Cloud Provider Assessments
• Conducted InfoSec, Data Privacy and Regulatory Risk Assessments
• Defined a cost-effective validation strategy based on risk assessments
• Leveraged vendor testing
• Built a Testing strategy focusing on end-to-end systems integration (within and outside the Cloud)
• Ensured operating procedures are in place for Change Management, User Access, Performance Monitoring and DR and the Client procedures and Cloud Provider procedures were fully aligned.
Benefits
• Average cost savings of 20% for the overall program due to the risk-based validation strategy that optimized the validation efforts
• Average resource cost savings of 30% achieved by implementing the risk-based testing model and performing collaborative testing with the Cloud Provider and leveraging testing documents from Cloud Provider.
• Passed a regulatory compliance audit with zero major findings
Case Study 2: Cloud Application Validation for a Top 10 Pharmaceutical Company
Business Needs
• Client has developed a VPC platform, which is a framework of automated controls and tools, that allows provisioning of GxP applications on AWS cloud.
• In order for VPC to host regulated workloads, the Platform and its underlying infrastructure components need to be evaluated for conformance with GxP requirements
Challenges
• AWS policies and procedures have not been shared with the client organization
• AWS procedures for Identity and access management have not been audited by client
Solution
• Performed an assessment of AWS controls and processes, by mapping SOC report controls against client’s SDLC requirements and SOP standards
• Assessed current SDLC deliverables and operating processes for VPC platform and identified gaps with provided recommendations
• Documented end-to-end process for Infrastructure provisioning and application installation
• Performed security assessment and analysis of controls and automation across AWS and the VPC platform
Benefits
• Established a framework to validate client’s VPC environment for GxP workloads
• Set precedence to onboard additional GxP applications onto cloud infrastructure
• Qualification of cloud platform for GxP workloads will enable other applications to leverage the high scalability, flexibility, and low-cost aspects of AWS cloud services
• Maintain compliance with regulatory requirements
• Identified and remediated gaps in VPC documentation