Post on 07-Jan-2020


NNIT ENTERPRISE HYBRID CLOUD for Life Sciences GxP

Written by:

Jesper Bagh, Cloud Subject Matter Expert

Torben Thorhauge, Vice President, Life Sciences

Anders Vidstrup, IT Quality Subject Matter Expert

WHITEPAPER


© 2018, NNIT A/S. All rights reserved.

NOTICES

This document is provided for informational purposes only. It represents NNIT’s current or planned product offerings and practices as of the date of issue of this document and it is subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of NNIT’s products or services, each of which is provided “as is” without warranty of any kind, whether express or implied. This document does not create any warranties, representations, contractual commitments, conditions or assurances from NNIT, its affiliates, suppliers, or licensors. The responsibilities and liabilities of NNIT to its customers are controlled by NNIT agreements, and this document is not part of, nor does it modify, any agreement between NNIT and its customers.


Contents

Foreword

Approach

Customer Responsibilities

NNIT Responsibilities

Assessment of Microsoft Azure

Assessment Conclusion

NNIT Enterprise Hybrid Cloud

Cloud Service Models

Cloud Deployment Models

Product Walkthrough

NNIT Enterprise Hybrid Cloud Portal

Layers below the Portal

Technology used

Web services used

Interfaces used

COTS used

Network Architecture

Security

Services Available

Afterword


Foreword

Since the launch of cloud services, the life sciences industry has been highly interested in the potential benefits of cloud services. However, the industry has not yet embraced the cloud to the same extent as other industry segments. This is primarily due to concerns about regulatory compliance. Among others, the concerns relate to data privacy and data integrity, the ability to validate the cloud services in compliance with Annex 11 and 21 CFR Part 11, change control and configuration management.

Life sciences companies are held responsible for complying with the regulatory requirements, including when they make use of service providers. Therefore, it is a prerequisite that they can audit the service providers to obtain documented evidence that the service providers have established an efficient Quality Management System that enables them to comply with the same set of regulatory requirements.

At the same time, it can be a burden for service providers to be continuously audited by their life sciences customers, especially when the services target a much broader market to include all industry segments, as is the case for Microsoft Azure.

Therefore, NNIT and Microsoft have established a partnership to provide a GxP Azure Infrastructure as a Service which is compliant with Annex 11 and 21 CFR Part 11.

The service is based on an assessment of Microsoft Azure by NNIT for compliance with Annex 11 and 21 CFR Part 11, documented in a report according to the NNIT Quality Management System. On top of Microsoft’s Azure fabric, NNIT has implemented additional controls and validation of NNIT’s deployment engine.

This way, NNIT can provide GxP compliant IaaS cloud services either in Microsoft Azure or in NNIT’s own private cloud.

[Figure: NNIT GxP cloud services including Azure. Diagram labels: Client Applications; SQL Server; Virtual Servers; Azure Fabric; NNIT Fabric; NNIT Enterprise Hybrid Cloud; NNIT Managed Services (qualification, patching, KPIs, backup, ...); NNIT datacenter (housing, network, HW); MS datacenters (housing, network, HW). Legend: controlled by NNIT QMS; controlled by Microsoft QMS; controlled by client QMS. Note on client applications: validated according to client QMS, closing windows coordinated with NNIT.]


This document describes NNIT’s assessment of Microsoft Azure, the controls and validation implemented by NNIT, the validation activities to be executed on applications that are implemented in NNIT Enterprise Hybrid Cloud, and the technical setup of the NNIT EHC. The value-adding service of NNIT EHC can be illustrated as follows:

NNIT’s Enterprise Hybrid Cloud enables customers to quickly provision and decommission workloads, from one single portal, in both Microsoft Azure and private clouds in NNIT’s data center. It includes monthly consolidated billing and a single point of contact and support. On top of that, it enables customers to customize standard workloads to include customer tools and policies in order to comply with customer-specific policy. This is typically needed in security areas such as Antivirus, Application Whitelisting, HIPS, DLP, IAM, and Patch Management, but also in areas such as License Management.

After the provisioning of workloads, they will be managed by NNIT in a bimodal mode. Workloads can be managed in either “Basic” or “Enhanced” mode. “Basic” mode gives the customer full control over the workload, which is great for development and test, while “Enhanced” is used for production workloads and includes monitoring, incident, and change handling.

GxP workloads include all the benefits of “Enhanced” mode in addition to the GxP functionality described in this whitepaper.

In addition, NNIT offers network and security services in order to integrate Microsoft Azure successfully into your enterprise network. This includes Microsoft Azure Express Routes, VPN setup, Network Integration and the necessary security hardening of Microsoft Azure in combination with your enterprise network.

NNIT Enterprise Hybrid Cloud for Life Sciences – Qualification and Controls

NNIT EHC including the use of Microsoft Azure has been validated according to the EMA and FDA requirements for infrastructure services.

The basis for the qualification is:

• NNIT A/S Quality Management System – QMIT

• ISPE GAMP5

• ISPE GAMP5 Good Practice Guide, Infrastructure Compliance and Control

• FDA 21 CFR part 11, electronic records part

• EU (EMA) Annex 11

[Figure: Enterprise Hybrid Cloud value-adding services. Compliance & Management: validation policies (CMDB, CIL, GxP); backup; patch management; customer policy and license compliance; customer security layer & IAM; customer whitelisting, HIPS & DLP. Metered use & fast provisioning: support & single point of contact; instant provisioning & decommissioning; monthly consumption-based billing. Private hybrid network: MPLS Express Route & Internet VPN support; security-hardened private network; hybrid network integration.]


Approach

The qualification approach and result is described in a Quality Activity Plan and Report, which both have been reviewed and approved by NNIT’s independent Quality Assurance unit. The Quality Activity Plan describes all the quality activities to take place during the execution of the qualification as well as, e.g.:

• Roles and responsibilities

• Project activities and deliverables

• Test Activities

• Documentation

• Approval of documents

• Traceability matrix.

NNIT has taken a risk-based approach as described in GAMP5, with risk assessments executed during the qualification project. The operation and maintenance of NNIT’s EHC cloud is documented in an Operational Manual and includes processes for risk assessment, change control, and configuration management.

[Figure: Qualification activities over time, across the phases Inception, Elaboration/Construction and Transition. Specification activities: user requirements specification; system specification (functional part); system specification (technical part); detailed specification; coding. Verification activities: code review; unit test; installation qualification; operational qualification; performance qualification. Framing activities: vendor management; validation plan; validation report. The main points for risk assessments are marked.]


Customer Responsibilities

The customer is responsible for performing the following main activities for each GxP computerized system requiring qualification and validation within the Microsoft Azure platform as a part of the NNIT EHC solution:

• Perform high level risk assessment in order to identify a specific risk associated with hosting the GxP computerized system in a cloud environment and mitigation strategies.

• Develop or identify procedural controls governing the use of the GxP computerized system. These procedural controls should cover e.g.:

• Use of Microsoft IDs and passwords.

• Account access to Virtual Machines applications.

• Compliance management with the applicable laws and regulations.

• Planning and implementation of customer data encryption requirements.

• Data access method (public or signed access) for data contained with the Azure Platform.

• Data backup and retrieval upon Microsoft Azure subscription termination. Especially the construction of failover in Microsoft Azure.

• Quality assurance of applications before moving to Microsoft Azure.

• Security monitoring for applications developed on Microsoft Azure.

• Assessing public Microsoft Azure security and patch updates.

• Follow customer procedures governing qualification and/or validation processes.

• Verification documentation providing evidence that the GxP computerized system meets its intended use as defined within the relevant specification documents.

• Maintain and operate the GxP computerized system in a secure and controlled manner according to internally developed procedures.

NNIT Responsibilities

NNIT is responsible for operating and maintaining the IaaS services in the Enterprise Hybrid Cloud in compliance with NNIT’s quality management system as well as the FDA and EMA requirements.

This obligation requires strict change control, configuration management, and security processes. The adherence to the quality and security requirements is audited on a regular basis by the NNIT independent Quality Unit.

NNIT is responsible for informing customers about any change or incident that may impact the validation status of applications that customers have implemented and validated in NNIT’s Enterprise Hybrid Cloud.

Furthermore, NNIT is responsible for operating the Enterprise Hybrid Cloud according to the KPIs and responsibilities as described in the Enterprise Hybrid Cloud service catalog.


Assessment of Microsoft Azure

As part of the evaluation of Microsoft Azure and the ability of Azure to comply with GxP regulations in general and e.g. EU (EMA) Annex 11 and FDA 21 CFR Part 11, NNIT has conducted a careful review of reports that Microsoft has made available prior to the on-site assessment conducted by NNIT.

The reports made available include:

• “Description of Microsoft Azure Service System and the suitability of the design and Operating Effectiveness and Controls covering the period October 2013 to April 2014” and “Security, Availability, and Confidentiality Trust Principles” (2014 Microsoft Azure SOC 1 Type II, SOC 2 Type II, Info Sec Policy and Azure Pen Test), Deloitte 2014

• Microsoft Azure 2014 ISO 27001:2013 Assessment (BSI) and ISO 2014 SoA reports.

• Microsoft Azure, Report of Controls at Service Organization Relevant to Security, Availability, Confidentiality and Processing Integrity Trust Principles (SOC2), Deloitte July 2015

• Microsoft Secure development lifecycle, https://www.microsoft.com/en-us/SDL (web based without version number)

• Microsoft Red Teaming, February 2016

• Qualification Guideline for Microsoft Azure, June 2014

Based on the review of the reports, NNIT identified a few potential gaps between the documentation requirements for GxP platforms (aligned with requirements from FDA and EMA) and the information and conclusions in the reports made available by Microsoft. The potential gaps to be assessed during the on-site assessment were high-level:

1. Quality Responsible for releases include quality management review and periodic review of services

2. Identification of method used for risk assessment, e.g. FMEA?

3. Investigation of contingency, disaster, and recovery process in detail

4. Training of appointed employees in the relevant pharma regulations.

Assessment Conclusion

The conclusion of the assessment is available in NNIT’s assessment report: Assessment of Microsoft Azure, Assessment Report, 2016-04-28. The conclusion is that Microsoft Azure as part of NNIT’s Enterprise Hybrid Cloud with additional GxP controls can be used for GxP purposes. The additional controls related to the NNIT responsibility are a part of the NNIT A/S qualification. The entire report can be reviewed during audits of NNIT.

This assessment was followed up by another on-site assessment in Redmond in August 2018, and that report reached the same conclusion.


NNIT Enterprise Hybrid Cloud

Cloud Service Models

Infrastructure as a service (IaaS) provides users with processing, storage, networks, and other computing infrastructure resources. The user does not manage or control the infrastructure, but does have control over operating systems, applications, and programming frameworks.

Platform as a service (PaaS) enables users to deploy applications developed using specified programming languages or frameworks and tools on the cloud infrastructure. The user does not manage or control the underlying infrastructure, but does have control over the deployed applications.

Software as a service (SaaS) enables users to access applications running on a cloud infrastructure from various end-user devices (generally through a web browser). The user does not manage or control the underlying cloud infrastructure or individual application capabilities other than through limited user-specific application settings.

Cloud Deployment Models

Private clouds are operated solely for one organization. They may be managed by the organization itself or by a third party and they may exist on or off premises.

Public clouds are open to the general public or to a large industry group and are owned and managed by a cloud service provider.

Hybrid clouds combine two or more clouds (private or public) that remain unique entities but are bound together by technology that enables data and application portability.

Community clouds have infrastructure that is shared by several organizations and supports a specific community. They may be managed by the organizations or a third party and may exist on or off premises.

Source: NIST (http://www.csrc.nist.gov/groups/SNS/cloud-computing/index.html)

Product Walkthrough

The NNIT Enterprise Hybrid Cloud uses principles of private and public clouds to comprise a hybrid cloud setup connected together with full security boundaries established so that they form one managed infrastructure where machines can communicate since they are all inside the same data center.

The overall structure of the NNIT EHC will be explained in this section along with the security and a description of the services available and how the responsibility is structured. A description of how the services are provisioned and the difference between the various services on the infrastructure layer as well as the technology used is also available.

The NNIT EHC user is first met by the service portal featuring user authentication, service catalog, ordering functionality with approval flows, and a rich user experience.


NNIT Enterprise Hybrid Cloud Portal

The customer logs on to the EHC portal to order and change services. The portal is integrated into NNIT’s extranet, and customers must have a user account before they can log on.

The customer user account creation is accomplished through a short series of onboarding workshops, where the necessary governance structure, infrastructure readiness (network, security and policies), portal setup, and commercial structure are evaluated and prepared.

Once the structure is in place, the customer can log on using two-factor authentication.

[Figure: NNIT EHC Portal. Site types reachable from the portal: private shared sites (global reach, 17+ sites; private resources on NNIT hardware); private dedicated sites (NNIT, own resources, other resources); public sites (Azure Northern Europe, Europe, Azure China, Azure US East). Portal characteristics: instant provisioning; bimodal operation; single point of management. Login flow: the customer logs in to the Enterprise Hybrid Cloud Portal and becomes an authenticated user via the NNIT Identity Service with 2-factor authentication.]

The NNIT Cloud Service Catalog consists of a variety of standard services that are paired with the individual customer requirements and choices resulting in a customer solution. The solution is based on three items that together comprise the customer services as illustrated in the figure below:

[Figure: Solution Description with customer choices; NNIT Cloud Delivery Model; NNIT Cloud Service Contract Terms (SCTs).]

Solution Description entails the customer choices and the actual service configurations based on the customer requirements and Cloud Service Contract Terms.

The Cloud Delivery Model is a document that describes the basic setup for delivery of services.

The Cloud Service Contract Terms are a description of the possible services that can be delivered as a cloud service, e.g. having a basic cloud server.


Layers below the Portal

Below the portal, an integration layer connects the portal frontend to the backend automation factory.

The backend automation factory comprises many different components and technologies. Please see more in the section “Technology Used”.

Inside the automation factory, all of the processes are documented in detail and governed by the NNIT Quality Management System. Each employee is trained in the procedures in which he or she operates. All of the scripts and code are subject to change management.

Over time, NNIT has thoroughly documented and developed procedures for each individual step of the provision and change of an infrastructure component. Every step for the qualifying provision process is documented in the Quality Activity Plan.

The provision process has been broken down and every step documented in order to automate. Every single script used to comprise a GxP service is then documented and tested. Periodic reviews are conducted in order to keep the service in a qualified state.

The various scripts developed are gathered in an orchestration tool or a run-book automation tool. This master script is activated after the customer orders a service.

The building block method is used to comprise a service. That way, scripts and run-books can be reused. And standard changes are applied in order to keep the solution agile.

[Figure: Excerpt from the NNIT A/S QAP for Enterprise Hybrid Cloud (GxP: yes; Internal No: N/A; Version: 1). Provisioning and monitoring flow, steps labelled a to k: the cloud customer places a service request in the portal, which creates a CI for the new VM server in the CMDB; the new virtual guest is deployed (IaaS or PaaS) with instrumentation policies on the hypervisor (VMware; system, network, storage; cloud databases); new cloud CIs are discovered automatically; CI information about VMs, VM availability or vCenter events, and events and metrics feed event management (correlation, de-duplication, filtering, etc.), which generates incidents. Components named: Portal, CMDB, QMLBPMSiS, BSM, Remedy, VMware.]


Technology Used

The NNIT EHC is built on web services, interfaces, and scripts. Furthermore, commercial off-the-shelf software (COTS) from a number of vendors, such as HPE, Cisco, Oracle, and Microsoft, is used. All of the vendors are approved by NNIT’s Quality Assurance unit, and periodic reviews of deliverables from the vendors are carried out.

Web services used:

• Simple Object Access Protocol (SOAP)

• Representational State Transfer (REST)

Interfaces used:

• Application Programming Interface (API)

• Command Line Interface (CLI)

• Graphical User Interface (GUI)

COTS used:

• HPE Operations Orchestration

• HPE Server Automation

• HPE Network Automation

• HPE Operations Manager

• HPE UCMDB

• HPE Service Health Reporter

• Microsoft PowerShell

• Microsoft SQL Server

• Oracle Databases

Web services are not tied to any one operating system or programming language, which means that the applications written in various programming languages and running on various platforms can seamlessly exchange data over the Internet (or intranet) using the pre-defined actions supported by each web service interface. A major advantage of the web service approach, sometimes called web-oriented architecture, is that software applications that use web services do not need to know how the web service is built or how the underlying data is stored; they only need to know which actions the web service interface will respond to. As long as the actions are available in the interface, changes to the underlying components of a web service or the addition of new actions do not affect the behavior or reliability of the application.


Network Architecture

All of the services are separated by firewalls and separate network segments.

The customer’s own infrastructure, either in the NNIT data center or on its own premises, is connected to Microsoft Azure through ExpressRoute or VPN. The structure of the connection is defined in the workshop phase and varies based on deployment scenarios.

Once the infrastructure is connected, the governance setup is activated and the control of deployment images, policies, network infrastructure, addresses, etc. is now under NNIT EHC automation and orchestration control. This is necessary in order to keep control of the configuration items that comprise the solution as well as to maintain compliance.

Security

A number of security measures and software components are activated when the customer’s infrastructure is extended into Microsoft Azure and kept in control by NNIT EHC:

• Hardening the Operating System

• Antivirus Software

• Configuration Management Agents

• Microsoft Azure IP Address controls

• NNIT IP Address controls.

[Figure: Architecture. Diagram labels: Internet; Azure DC; NNIT DC; NNIT Shared Services (Service 1 ... Service N); Customer Domains/Tenants (production, sandbox and archiving servers); NNIT System Management (patch, monitoring; Instance 1 ... Instance N); Database Hotels.]


Services Available

At present the following services are available from the service catalog in the NNIT EHC self-service portal.

Name: Description

Basic Cloud Server in a dedicated environment:

This service delivers a virtual cloud server residing on a customer dedicated virtual infrastructure hosted in NNIT premises. In the Basic Cloud Server, the customer is granted administrative privileges to the server. NNIT will only handle patch management and antivirus on the server.

Intended use for this type of service is test and development.

Basic Cloud Server in Microsoft Azure:

This service delivers a virtual cloud server residing in Microsoft Azure. In the Basic Cloud Server, the customer is granted administrative privileges to the server. NNIT will only handle patch management and antivirus on the server.

Intended use for this type of service is test and development.

Basic Cloud Server in a shared environment:

This service delivers a virtual cloud server residing on a shared virtual infrastructure hosted in NNIT premises. In the Basic Cloud Server, the customer is granted administrative privileges to the server. NNIT will only handle patch management and antivirus on the server.

Intended use for this type of service is test and development.

Enhanced Cloud Service:

This service delivers a virtual cloud server on a customer dedicated or shared virtual infrastructure hosted in NNIT premises or Microsoft Azure and with additional NNIT services.

Enhanced Cloud Service includes backup, monitoring, patch management and antivirus on the server.

Enhanced Cloud servers are joined to a chosen customer domain. This only applies to Windows servers.

Service Availability is measured on the operating system (OS) level, which is why the customer is not granted administrative privileges to the server.

Intended use for this service is production.

Additional third party management tool:

Automatic installation of customer specific management tool post-provisioning (log management, additional security agents, etc.). The additional management tool is set up as a part of onboarding.


All of the infrastructure services can be delivered as GxP.

The following table indicates responsibilities in relation to this service between the service provider, customer, and possible third party according to the RACI model.

R - Responsible – Person working on an activity

A - Accountable – Person with decision authority

C - Consulted – Key stakeholder who should be included in the decision or work activity

I - Informed – Needs to know of the decision or action

Responsibility area Description NNIT Customer

Basic Cloud Server

Monitoring of the Hypervisor platform A/R

License for the Hypervisor platform A/R

License for operating system A/R

Hardware ownership A/R

Patch management, OS related A/R

Antivirus A/R

Licenses for NNIT Management tools installed under provisioning A/R

Monitoring of operating system A/R

Backup of operating system A/R

Licenses for software installed after provisioning A/R

Responsibility area Description NNIT Customer

Enhanced Cloud Service

Monitoring of the Hypervisor platform A/R

License for the Hypervisor platform for cloud servers A/R

License for operating system A/R

Hardware ownership A/R

Patch management A/R

Antivirus A/R

Monitoring of operating system A/R

Backup of operating system A/R

Licenses for software installed after provisioning A/R

Responsibility area Description NNIT Customer

Additional third party management tool

Deployment of third party management tool post-provisioning A/R

Maintenance of third party management tool A/R

Licenses for third party Management tools installed post-provisioning A/R


Afterword

With this whitepaper, NNIT hopes that we have provided life sciences companies with information to remove the concerns about regulatory compliance in the cloud. A prerequisite for going the cloud way is to make the right risk assessment as well as to plan and execute the right quality and compliance activities.

The first step, as we have pointed out in this white paper, is to select a service provider that has implemented the right controls and has deep insight into the regulations in the life sciences industry. The assessment of the service providers’ capabilities in this area is crucial.

Secondly, the life sciences company must ensure that it plans and executes all of the necessary validation activities for each regulated application that it intends to implement in the cloud. A prerequisite for this is trust in and close cooperation with the cloud services provider to ensure continuous compliance.

With our partnership with Microsoft, the controls implemented by Microsoft and NNIT, respectively, we have taken the first step to remove the barriers for life sciences companies to benefit from the cloud.


About NNIT A/S

IT advisory, development, and outsourcing

We are passionate people building winning teams with our customers.

With deep roots in the pharmaceutical industry, we supply services that meet the highest requirements for quality, security, and standardization.

NNIT is an international consultancy in IT development, implementation, and operations. For over a decade, we have applied the latest advances in technology to make software development, business processes, and communication significantly more effective.

Our technology, information, and life sciences experts deliver integrated IT consultancy services and solutions that increase the capabilities of key areas of the pharmaceutical value chain, including drug development, regulatory affairs, quality management, and production.

At NNIT, we guarantee that your data and applications are operated and maintained in an environment that is secure and always ready for regulatory inspection. We run our operations in a state-of-the-art data center that meets strict European requirements for security, availability, and compliance.

Our GxP cloud is fully validated and regulatory compliant as per EudraLex, Volume 4, Annex 11 and FDA’s 21 CFR Part 11. NNIT’s Quality Management System is ISO 9001:2015 and ISO 27001:2005 certified by DNV GL (Det Norske Veritas Germanischer Lloyd). In addition, our governance and operation models are based on ITIL and tailored to optimize our various services.

Learn More

If you would like to learn more, please contact us at [email protected] or visit www.nnit.com.

NNIT A/S Østmarken 3A DK-2860 Søborg Tel: +45 7024 4242

NNIT Switzerland Bändliweg 20 CH-8048 Zurich Tel: +41 44 405 9090

NNIT Germany c/o Regus Herriotstrasse 1 DE-60528 Frankfurt am Main Tel: +49 69 66 36 98 73

NNIT Czech Republic Explora Jupiter Bucharova 2641/14 2.NP CZ-158 00 Prague 5 Tel: +420277020401

NNIT USA 4 Research Way Third Floor Princeton New Jersey 08540 Tel: +1 (609) 945 5650

NNIT China 20th floor, Building A, Jin Wan Mansion, 358 Nanjing Rd. CN-Tianjin 300100 Tel: +86 (22) 5885 6666

NNIT Philippines Inc. 10/F, 2251 IT Hub 2251 Chino Roces Avenue Makati City 1233 Tel: +63 2 889 0999

NNIT United Kingdom c/o MoFo Notices Limited CityPoint One Ropemaker Street London