Transform Your Cloud Validation Strategy from Cloudy to Clear

1. T22 Cloud Testing 10/6/16 15:00 Transform Your Cloud Validation Strategy from Cloudy to Clear Presented by: Vandana Viswanathan Cognizant Technology Solutions Brought to you by: 350 Corporate Way, Suite 400, Orange Park, FL 32073 888-‐-‐-‐268-‐-‐-‐8770 ·∙·∙ 904-‐-‐-‐278-‐-‐-‐0524 -‐ info@techwell.com -‐ http://www.starwest.techwell.com/

2. Vandana Viswanathan Vandana Viswanathan is a solutions-‐driven information technology leader with more than fifteen years of experience providing consultative management in regulatory compliance, intelligent process automation, program and quality management, SDLC/QA transformation, testing account management, and client relationship management services for clients worldwide. Her consulting industry experience spans across life sciences, healthcare, and insurance verticals. Vandana has designed intelligent automation solutions for large clients and pioneered best-‐ in-‐class quality assurance frameworks for cloud-‐based and COTS systems. Vandana has led and implemented PMO, change management, and SDLC & QA process transformation for large corporate clients.

3. © 2016 Cognizant1 © 2016 Cognizant How to Transform Your Cloud Validation Strategy from Cloudy to Clear Vandana Viswanathan Associate Director, Process & Quality Consulting Vandana.Viswanathan@Cognizant.com

4. © 2016 Cognizant2 Cloud Hosting Overview Challenges for Cloud Adoption and Validation Introduction to Cloud Hosting Context for Validation Framework for Cloud Hosting Validation and Framework for Cloud Cloud Provider Assessment Validation Strategy End-to-End Risk Based Testing approach Change Management in Cloud Audit/Inspection readiness Stages for a Sound Cloud Application Migration/Implementation Strategy Next Steps, Benefits and Summary Agenda Case Studies

5. © 2016 Cognizant3 Cloud Computing Model Definition (NIST) • Enabling convenient, on-demand network access to a shared pool of configurable computing resources • Can be rapidly provisioned and released with minimal management effort or service provider interaction. Cloud Hosting Overview Five Essential Characteristics Resource pooling Broad network access Rapid elasticity On-demand self-service Measured Service Small initial investment and on- going cost Acquire computing and development services as needed and on demand Open Standards Sustainability Key Drivers for Moving to Cloud

6. © 2016 Cognizant4 4 Cloud Hosting Overview (Cont.) Cloud Services Delivery Model Application Platform Virtualization Hardware Application Platform Virtualization Hardware Application Platform Virtualization Hardware Vendor ClientResponsibility IaaS PaaS SaaS Infrastructure as a Service : Providers offer computers – physical or (more often) virtual machines – and other resources. Platform as a Service: Providers deliver a computing platform, typically including operating system, programming-language execution environment, database, and web services. Software as a Service: Users gain access to application software and databases. Priced on a pay-per-use basis or using a subscription fee.

7. © 2016 Cognizant5 Client Challenges driving Cloud Agenda What we are hearing from our clients & our readiness to help them • Regulatory Compliance (e.g., Sox, FDA, HIPPA) • Data Security and Privacy – PHI • Reliability and Performance • Governance & Change Management • Legacy IT • Existing investment in the On-premise IT • Lack of resources/ expertise CLOUDADOPTIONISSUES CIOCHALLENGES • Business asking to do more with less • Regulatory requirements e.g. GxP, HIPAA guidelines & audits • Addressing CSO concerns • Organizational silos and varied interest • Building a case for transformation • Business demands e.g. Release faster • Operations Efficiency • Business Transformation • Innovation CLOUDLEVERS * Lack of resources / expertise is the #1 cloud challenge in 2016 Source: RightScale 2016 State of the Cloud Report

8. © 2016 Cognizant6 Challenges for Cloud Validation Risk Control - Share Responsibilities between Client and Vendor for Above Reliability and Performance Compliance Operating Control Compliance to external regulations Compliance to internal Policies Data Privacy: Control of PII data in Global environment Inspections and Audits Upgrading at Various Levels and Change Management Incident Management Performance Monitoring Logging, Audit Trails and Reporting Service Availability Performance / Scalability / Elasticity Data Backup Disaster Recovery and Business Continuity Security Network security Host Security Application Security Data Security Identity and Access Management

9. © 2016 Cognizant7 Regulated, Non-regulated and Business Critical Applications  Regulated Applications: must meet regulatory requirements Cloud Adoption Statistics :82% of enterprises have a multi-cloud strategy and only 3% of enterprises have no plans at all. ( Survey of respondents with 1000+ employees) Source: RightScale 2016 State of the Cloud Report Specific Risks for Regulated Applications (Life Science as an example)  Impact on Patient Safety and Product Quality  Subject to Good Laboratory, Clinical and Manufacturing Practices (GLP, GCP, GMP) requirements  Electronic Records and Signatures Regulations (21 CFR Part 11)  End to End Validation is required across the entire System Development Life Cycle  FDA Inspections  Business Critical Applications: Business and Software requirements need to be captured and tested based on Business risks Banking and Financial Services: SOX Health Care: HIPAA Life Science: GxP

10. © 2016 Cognizant8 Cloud Adoption – Validation / Testing Context    • Cloud adoption in regulated applications lags behind • Compliance accountability cannot be outsourced • Lacking regulatory guidance • Cloud adoption changes the risk profile of the application • A risk based Validation approach is required •Relationships with many cloud providers - a unique, cross-market insight Cloud Providers and Regulations •Disparity between marketing claims and actual understanding / competence Consumers in Regulated Areas •Wide variation in approach to Risk Management: • Regulatory concern need not prevent adoption • Existing guidance on Risk Management adequate – leverage to overcome barriers to adoption • Strategic use of Audit/Assessment and SLA monitoring to manage risk and minimize cost of compliance Background Experience Lessons Learned • Lower costs • Infrastructure and application optimization • Faster time to market • Accelerated innovation • Enhanced collaboration • Better and faster disaster recovery management Benefits

11. © 2016 Cognizant9 Validation/Testing Framework for Cloud Hosting Vendor Assessments Qualify Provider Risk-based Validation Validation Strategy Functionality, Performance, Security, Installation, Migration Testing Change Control User Access Control Governance Documentation, Logs & Audit Trails, Record Retention Inspection Readiness Methodology SaaS PaaSI a a S Technology The Transformation Solution Testing Approach

12. © 2016 Cognizant10 Objective 1: Cloud Provider Assessment Application MaintenanceAssessments Align Client QMS / Gap Analysis Risk Control & Mitigation Measures Report & Recommend Contract & SLAs Security & Privacy Policies & Controls Operating Procedures SDLC Inspection Support - Network, Host and Application Level Security - Data Security / Encryption - User Management and Access Control - Data Privacy Measures (PII data) - Data Backup and Disaster Recovery - Performance Monitoring - Incident Management - SDLC Standards, Procedures - SDLC Documentation - Release Management - Availability of documentation, electronic records, metadata, logs and audit trails during Inspection/Audits - Record Retention Focus Areas during Assessment

13. © 2016 Cognizant11 Objective 2: Risk-based QA/Validation Strategy  Information Security and Data Privacy controls  Overall testing requirements and level of testing  Stage gates and release strategy  Documentation and deliverables  Requirement tracing approach  Required Standard Operating Procedures  Vendor Management and Communication Plan Arrive at an End to End QA / Validation Strategy Perform Risk Assessment  Information Security Risks  Data Privacy Risks  Regulatory Risks  Business Criticality and Risks Define Responsibilities  Boundary of QA - Responsibility between Cloud Provider & Client Organization  QA Handshake Protocol Risk Profile

14. © 2016 Cognizant12 Objective 2: Risk-based Validation Strategy (Cont.) Shared Responsibility PaaS SaaS IaaS Risk-based UAT performed by the client prior to go-live Client performs software development as per their SDLC Client manages Installation testing for any software / platform hosted Client performs design, configuration, testing and deployment of virtualized infrastructure Development phase is black box to the client Vendor provides environments - Test and Production Platform maintenance and Installation / Configuration Testing are managed by Vendor Platform policies must align with Client’s privacy and security policies Vendor’s policies must align with client’s infrastructure Management procedure Pre-defined change control process for improved scalability of infrastructure Client Organization Cloud Provider & Partner

15. © 2016 Cognizant13 Objective 3: Risk-Based Cloud Testing Approach Risks: • Unauthorized Access • Malicious Attacks • Insufficient Encryption Functionality Testing • Network Security • Authentication and Authorization • IAM • Data Encryption • Testing log files and Audit Trails • Vulnerability Scan • Scalability or Elasticity Testing • Response Time • Load and Stress Testing • Endurance Testing • System installed / configured per pre- approved Specifications • Availability to users • Connectivity to interfaced systems / services • Data Backup, Disaster Recovery • End-to-End Business Processes (User Acceptance) • Interface with other systems / services within or outside the Cloud (Integration Testing) • Usability Testing • Tracing to Business and Functional Requirements Installation / Availability Testing Security TestingPerformance Testing Risks • Critical Requirements not met • Integration with systems outside the Cloud Risks: • Installation, Configuration and Connection errors • Loss of Data during Disaster Risks: • Capacity not scalable. • Response Time increases at peaks 13

16. © 2016 Cognizant14 Objective 3: Risk-Based Cloud Testing Approach (Cont.) Installation / Configuration Testing • Infrastructure Layer Testing • Virtualization Level Testing • Platform Layer Testing • Application Layer Testing • Separation of responsibility depends on Cloud Delivery Model (SaaS, PaaS, IaaS) Data Migration • Data Cleanup • Correct Data Conversion • Tracking Migrated Data (audit trail) • Sampling, Record Counting and Business Verification • Parallel Runs and Cutover Regression Testing • Critical Business Processes • Integration with other systems in Cloud • Integration with other systems On-premise • Integration with third-party service providers (IAM etc.) Testing Strategy for Migration to Cloud

17. © 2016 Cognizant15 Object 4: Governance - Change Management in the Cloud Identify Change Impact Analysis Define Responsibility Implementation and Validation In which layer the change occurs? • Infrastructure • Virtualization • Platform • Application • Technical Impact • Businesss Impact • Compliance & Regulatory Impact • Identify Change Management Procedures from cloud provider • Identify Change Management Procedures from Client • Determine the boundary of responsibility between Client and cloud Provider • Determine handshake protocol between Client procedures and Cloud provider procedures • Installation & Configuration Testing • Regression Testing of impacted areas • Regression Testing of critical business processes • Regression Testing of interfaces with other systems Approval Impact Assessments Implementation & Testing Strategy Evidence & Change Summary Document

18. © 2016 Cognizant16 Objective 4: Governance - Change Management in the Cloud (Cont.) Technical Impact Assessment Test Planning Test Execution Application Patch Release App Update? Application Update No Platform Patch Doc Update Yes Sanity Test Platform / Infrastructure Update As an Example

19. © 2016 Cognizant17 Objective 4: Governance - User Access Control Determine Responsibilities User Management Align Procedures • User Provisioning and De-Provisioning • Credential Management • Authorization Policies • Identity Federation Monitoring • Logs and Audits • Authentication & Authorization Records • Reports of Access Activities Review • Periodic Review of User Accounts • Periodic Review of Access Rights and Privileges Client Organization Cloud Provider 3rd Party IAM Service Provider Access Management Procedures

20. © 2016 Cognizant18 Objective 5: Audit / Inspection Readiness State of Control - Infrastructure - Platform - Application Risk Assessment and Controls Operational Phase Procedures Operating Records Training Records Application Development and Testing Documentation Documented Evidence

21. © 2016 Cognizant19 Objective 5: Audit / Inspection Readiness (Cont.)Objective 5: Audit / Inspection Readiness (Cont.) Client Organization is accountable for Compliance. Via Vendor Audit/Assessment and Contractual Agreements, Client Organization should ensure Cloud Provider maintain key Records, Report and Audits Examples of Cloud Provider Records IAM Users / Groups / Roles IAM Providers (for example, for SAML & OpenID Connect) Records if applicable Resource Based policies in other services (for example, Storage Services) Security Configuration Monitor activity in cloud accounts Operating Logs and/or Audit Trails Application validation records (SaaS) Virtual infrastructure Installation / Configuration records End User account info & training records Technical support cases IT Training records Cloud Account credentials

22. © 2016 Cognizant20 Next Steps – Adoption  Establish goal/objective for cloud adoption  Initiate a workshop with vendor to discuss requirements  Discuss prospective areas/candidate systems  Develop implementation roadmap Starters  Finalize pilot projects for implementation  Share insight/experiences with vendor on provider data gathered  Finalize implementation schedule and initiate Statement OW  Initiate supplier assessment with vendorEarly Adopters Pioneers  Identify additional divisions/areas of the organization for cloud adoption  Select systems to be hosted  Collect and analyze key performance metrics on currently hosted solutions , partner performance and cost benefits  Partner with vendor and share key organizational goals  Develop implementation roadmap

23. © 2016 Cognizant21 Benefits Compliance Assurance Ensure System is developed in Compliance with:  Regulatory Requirements  Organizational SDLC, Information Security, and Data Privacy Policies, Standards and Procedures  Industrial Best Practices Benefits to Client Organization Efforts and Cost Saving  Validation and Testing are risk-based, hence efforts and cost are optimized  Saving due to shared responsibility and leveraging Cloud Provider’s testing and documentation State of Control  Governance in place for Change Management and Access Control to ensure System is maintained in a State of Control post go-live to meet changing business needs  System is ready for any potential Audit / Inspection

24. © 2016 Cognizant22 Summary of Cloud Validation Strategy Security, data privacy, and regulatory compliance are critical factors when defining a QA / validation strategy for moving business applications from in-house client hosted environments to a cloud platform. An appropriate level of risk assessments must be performed. Cloud validation and verification strategies should be risk-based to optimize efforts and costs. Cloud validation and testing are shared efforts between client organization and cloud provider. The responsibilities should be clearly defined based on cloud delivery Model. Cloud validation should ensure governance is in place for change and access management to maintain a cloud hosted system in a state of control that is ready for audits / inspections.

25. © 2016 Cognizant23 Case Study 1: Cloud Hosting Validation for a Fortune 100 Pharmaceutical Company  Client is a top fortune 100 global Pharma company based out of the US.  The Scope was to validate a Patient Data Management platform hosted on the cloud (Oracle Managed Cloud Services and Accenture Life Sciences Cloud).  Conducted Cloud Provider Assessments  Conducted InfoSec, Data Privacy and Regulatory Risk Assessments  Defined a cost-effective validation strategy based on risk assessments  Leveraged vendor testing  Built a Testing strategy focusing on end-to-end systems integration (within and outside the Cloud)  Ensured operating procedures are in place for Change Management, User Access, Performance Monitoring and DR and the Client procedures and Cloud Provider procedures were fully aligned. Business Needs Challenges  Average cost savings of 20% for the overall program due to the risk- based validation strategy that optimized the validation efforts  Average resource cost savings of 30% achieved by implementing the risk- based testing model and performing collaborative testing with the Cloud Provider and leveraging testing documents from Cloud Provider.  Passed a regulatory compliance audit with zero major findings  The Platform consisted of 10+ GxP regulated applications on premise and on the cloud  Cloud Applications needed to be integrate with each other and interface with existing legacy applications On Premise  Budget constraint and tight timeline Solution Benefits

26. © 2016 Cognizant24 Case Study 2: Cloud Application Validation for a Top 10 Pharmaceutical Company  Client has developed a VPC platform, which is a framework of automated controls and tools, that allows provisioning of GxP applications on AWS cloud.  In order for VPC to host regulated workloads, the Platform and its underlying infrastructure components need to be evaluated for conformance with GxP requirements  Performed an assessment of AWS controls and processes, by mapping SOC report controls against client’s SDLC requirements and SOP standards  Assessed current SDLC deliverables and operating processes for VPC platform and identified gaps with provided recommendations  Documented end-to-end process for Infrastructure provisioning and application installation  Performed security assessment and analysis of controls and automation across AWS and the VPC platform Business Needs Challenges  Established a framework to validate client’s VPC environment for GxP workloads  Set precedence to onboard additional GxP applications onto cloud infrastructure  Qualification of cloud platform for GxP workloads will enable other applications to leverage the high scalability, flexibility, and low-cost aspects of AWS cloud services  Maintain compliance with regulatory requirements  Identified and remediated gaps in VPC documentation  AWS policies and procedures have not been shared with the client organization  AWS procedures for Identity and access management have not been audited by client Solution Benefits

27. Thank you Vandana Viswanathan Vandana.Viswanathan@Cognizant.com

Transform Your Cloud Validation Strategy from Cloudy to Clear

Transform Your Cloud Validation Strategy from Cloudy to Clear

Transform Your Cloud Validation Strategy from Cloudy to Clear

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente(20)

Destacado

Destacado(7)

Similar a Transform Your Cloud Validation Strategy from Cloudy to Clear

Similar a Transform Your Cloud Validation Strategy from Cloudy to Clear(20)

Más de TechWell

Más de TechWell(20)

Último

Último(20)

Transform Your Cloud Validation Strategy from Cloudy to Clear