What is Cloud Computing?
It includes offers, benefits and billing which are dynamically adapted to the needs of IT services through a network.
There are 5 essential features:
- Broad network access via standardized mechanisms, regardless of the device
- Rapid elasticity with access to (apparently unlimited) available capacity (flexible allocation and approval)
- Resource pooling, i.e. shared among several renters
- Measured service, i.e. control and optimize the utilization and ensure transparency in invoicing
- Self-service of IT resources on demand (e.g. computing time, storage capacity) by the user
What are the differences from traditional outsourcing?
- Also for the use of cloud services, Chapter 7 of the EU GMP Guide holds true:
- The suitability of the provider will be verified by audits
- Service should be noted in the contract
- Quality must be monitored through appropriate measures (monitoring)
Considering that the traditional IT model for a computerized system is designed somewhat differently from a (valid) cloud computing system, the following topics
For IaaS (Infrastructure as a Service) and PaaS (Platform as a Service):
- (classic) qualification of IaaS before implementation
- Measures for shutdown or resource sharing: data deletion / archiving
- When validating software that is running on these services, additional risks must be anticipated because of virtualization and multi-user operation (e.g. by encrypting data).
- Regular monitoring of SLA
- System or supplier selection and qualification, taking into account:
- Quality management, in particular measures to maintain (valid) operations (communication, change management, CAPA, business continuity)
Data security - Service Level Agreements (SLA)
- Migration strategy (in und out)
For SaaS (Software as a Service such as S/4HANA):
- Validation of the application as GAMP Category 3 or 4 Software
Additional risks:
- Changes to the configuration / software are initiated by the agent.
- The possibility of continuing to use older versions / configurations is to be determined in the SLA.
- Since large parts of the computerized system (software and data) are with the external service provider, contingency planning (including backup), as well as the shutdown concept must be done at an early stage.