Is The Cloud A Safe Place For Your Data?

By Damien Tiller, Quality Manager, IDBS

Demonstrating data integrity is central to all processes within the Life Sciences industry. As the evolution of technology presents new opportunities and considerations to managing data, organizations can find it challenging to balance what is possible against the guidance provided within regulatory frameworks.

The interpretation of guidelines can be further complicated when you consider that some of this guidance, such as ENV/MC/CHEM(98)17, The Organisation for Economic Co-operation and Development (OECD) series on principles of good laboratory practice (GLP) and compliance monitoring, was last updated in 1997 – long before Software as a Service (SaaS) and cloud technology was as widely spread and robust as it is today.

The ability to interpret regulations and ultimately demonstrate to customers and regulators that data is safe, integral and available is more important than ever. But when working with SaaS providers, the adherence to regulations may require more than simply visiting an on-premise location where data is stored.

In many instances, visiting a physical location is no longer practical, and in some cases is even impossible. Many large Infrastructure as a Service (IaaS) organizations, such as Amazon Web Services (AWS), have made the decision not to provide the exact street address for their datacenters to reduce security risks.

Historically, when paper records were kept in a filing cabinet or even a server on-site, auditors would have expected to see an exact location for the data but, as with the AWS example above, this is now an increasingly outdated way of working.

Within both the cloud and information security, it is important to be able to meet the needs of regulators while getting products to market. This whitepaper explores the potential concerns that regulated customers may have when moving from an on-site deployment model to a hosted SaaS model. It will look at how the integrity of data can be assured and how due diligence can be demonstrated when the ability to physically inspect the hosting facility is no longer possible or practical.