GxP in the AWS cloud: The compliance and
efficiency benefits of rethinking regulated workloads
manual point-in-time validation to automated near-
continuous compliance.
This means the voids in compliance knowledge
inherent in the old model are truncated. Cloud
users can say with far more confidence that their
systems are compliant right now. Furthermore, they
can present documentation to auditors to support
such confidence.
Companies running GxP workloads in the cloud
achieve this level of traceability while reducing the
effort involved. Once created, automated services
deliver consistent assessments of the system with
minimal input and oversight. To simplify matters
further, many of the services are based on pre-built
cloud services.
MOVING GxP WORKLOADS TO THE CLOUD
Merck is among the companies to use pre-built cloud
services to help move GxP workloads into the cloud.
The Big Pharma company started using the cloud for some
of its unregulated workloads around five years ago
but only started applying the model to parts of its
business covered by GxPs two years ago. Merck has
increased its use of the cloud to run GxP workloads
gradually as it has become more comfortable with
the model and more aware of its benefits.
The process followed by Merck shows how biopharma
companies can move to the cloud and the benefits
they can realize. Merck began by creating a security
framework. This was the bedrock of Merck's plan.
The systems had to be secure.
As an AWS user, Merck shared responsibility for
security with its vendor. AWS handled the security
and quality of the cloud itself, as it does for all
customers under its Shared Responsibility Model.
Merck took responsibility for the security and quality
of what happened in the cloud, exactly as it had
when using an on-site datacenter.
In addressing its security responsibilities, Merck
adopted a safety-first, hands-on approach that
mandated manual checks of whether services were
enabled and policies met expectations.
Merck then assessed what it needed to do to ensure
it was prepared for a regulatory inspection. This
entailed talking to colleagues working in quality,
inspectional readiness, technical posts and other
functions to formulate an overall systems assurance
strategy. The result was a set of processes to ensure
the Merck Managed Cloud meets GxP requirements
and the needs of auditors.
These processes use AWS services. Every change to
the system is logged using AWS CloudTrail. Auditors
can view who made each change, what it was, when it
happened and where it came from. The low cost of cloud storage means companies
can keep all logs indefinitely.
Other services cover different aspects of GxP
compliance. AWS Config enables Merck to show
what its environment was like on any given day in
the past. Providing such information to auditors
used to require reams of paper. Working in the cloud,
users simply scroll back through time. This shows
when files were added to or removed from storage.