GxP in the AWS cloud: The compliance and
efficiency benefits of rethinking regulated workloads
The historical oversight provided by Config is a
major advance over what went before. Until now,
compliance was a point-in-time activity. Companies
could show compliance at discrete points in time
but only assume compliance between these points.
Config provides near-continuous compliance that
is far more comprehensive than earlier systems.
AUTOMATING CLOUD MONITORING
Merck provided an onboarding document to help
teams put apps into the cloud. Teams subsequently
embraced the cloud. This validated the model but
also created challenges. User growth outpaced
capacity at the IT department. The manual checks
implemented in the early days to ensure security
became burdensome. A new, more automated way
of working was needed.
Companies seeking to automate aspects of the
management and oversight of cloud systems can
use readymade services. IT teams can connect these
off-the-shelf services to their systems, or link multiple
services together and make minor modifications to
create processes tailored to their needs.
The aforementioned CloudTrail traffic logger links
to Amazon CloudWatch, a cloud monitoring service.
IT teams can configure CloudWatch to send alerts
via text or email when certain events happen. For
example, the system could send an alert when someone
tries to log in with superuser privileges. This allows
IT to see whenever someone accesses—or tries to
access—the system with powers that enable them
to make major changes.
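
An added example, not from the original paper or from Merck's tooling: the superuser sign-in alert described above, written as Python detection logic over CloudTrail records. The field names follow the CloudTrail record format; the sample records, function names and alert labels are constructed for illustration.

```python
# Constructed CloudTrail records (not real log data).
SAMPLE_RECORDS = [
    {"eventTime": "2024-01-01T09:00:00Z", "eventName": "ConsoleLogin",
     "eventType": "AwsConsoleSignIn", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2024-01-01T09:02:00Z", "eventName": "ConsoleLogin",
     "eventType": "AwsConsoleSignIn", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-01-01T09:05:00Z", "eventName": "ConsoleLogin",
     "eventType": "AwsConsoleSignIn", "sourceIPAddress": "203.0.113.20",
     "userIdentity": {"type": "IAMUser", "userName": "analyst"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-01-01T09:10:00Z", "eventName": "CreateAccessKey",
     "eventType": "AwsApiCall", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root"}, "responseElements": None},
    {"eventTime": "2024-01-01T09:15:00Z", "eventName": "Decrypt",
     "eventType": "AwsServiceEvent", "sourceIPAddress": "kms.amazonaws.com",
     "userIdentity": {"type": "Root", "invokedBy": "kms.amazonaws.com"}},
]


def is_root_user_event(record):
    """True when a person, not an AWS service, acted as the account root user."""
    identity = record.get("userIdentity") or {}
    return (identity.get("type") == "Root"
            and "invokedBy" not in identity
            and record.get("eventType") != "AwsServiceEvent")


def classify(record):
    """Label a root event as a sign-in attempt (with outcome) or an API call."""
    if record.get("eventName") == "ConsoleLogin":
        outcome = (record.get("responseElements") or {}).get("ConsoleLogin", "Unknown")
        return "root-login-" + outcome.lower()
    return "root-api-call"


def root_alerts(records):
    """Return one alert per root-user event, in log order."""
    return [{"time": r["eventTime"], "source": r.get("sourceIPAddress"),
             "event": r.get("eventName"), "alert": classify(r)}
            for r in records if is_root_user_event(r)]


if __name__ == "__main__":
    for alert in root_alerts(SAMPLE_RECORDS):
        print(alert)
```

Failed attempts are reported alongside successful ones, matching the paragraph's point that IT sees both access and attempted access.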
AWS Config Rules enables similarly proactive,
automated oversight. This service, an extension of
the aforementioned AWS Config, automates the
enforcement of policy. When something unusual
happens or is detected in an automated periodic
assessment, the service triggers an action. The IT
team defines what is unusual and what action is
triggered. For highly undesirable events, the service
can automatically roll back the system to its status
before the change happened.
Other services ensure the integrity of data. One
way to achieve this is through encryption. If data
integrity is compromised, the system will detect the
problem during decryption. This automates control
of one of the most common GxP problems. Backup
and recovery controls allow IT teams to return the
system to its former, uncompromised state.
Merck also used the building blocks provided by
AWS services to create custom monitoring tools. One
such creation automatically places restrictions on
what new users can do and access. Another minor
development checks each user against Merck's active
directory when they try to access the cloud. If a
user leaves Merck, they are automatically removed
from the directory and therefore prohibited from
accessing the cloud.
ACHIEVING CONTINUOUS COMPLIANCE
These automated services allowed Merck to support
a fast-growing user base without expanding its IT
team in lockstep. Merck and companies with similar
setups control their systems and the users who interact