Demystify FDA Compliance for Public Cloud Workloads in Life Sciences

Watch this on-demand expert roundtable from USDM Life Sciences and Data Intensity on adopting public cloud for FDA-regulated workloads while keeping GxP applications secure and compliant.

Adopting public cloud while keeping FDA-regulated workloads secure and compliant

A key challenge life sciences companies face today is how to adopt cloud while ensuring security and compliance for U.S. Food and Drug Administration (FDA)-regulated workloads. In this on-demand expert roundtable, you will hear best-practice approaches from alliance partners USDM Life Sciences and Data Intensity on how to simplify processes, reduce risk, and accelerate outcomes with FDA-compliant, data-driven workloads on the public cloud.

What you'll learn

  • How to evaluate GxP applications for the cloud: treat each application as an opportunity to assess compliance, security, and cost together for a balanced decision.
  • What a workload and license analysis surfaces: application compatibility, upgrade opportunities, patching needs, integration dependencies, and your effective license position (ELP).
  • Where cloud assurance fits: identifying the right cloud choices for a workload and assessing the regulated-workload components.
  • How ongoing compliance management works: obtaining and maintaining compliance regardless of where a workload's footprint lands.
  • Why the cloud often improves data security: balancing FDA security requirements against internal needs across regulatory, economic, scalability, and availability considerations.

Topics covered in this roundtable

The discussion brought together regulatory, licensing, and cloud assurance perspectives across the full lifecycle of a regulated cloud workload:

  • Regulatory and Economic Considerations
  • Workload Analysis and Designing for Public Cloud
  • Change Management and Speed-of-Business
  • Global Regulatory Compliance
  • Availability, Scalability, and Security

Featured panel

  • Biju Thomas, Oracle ACE Director and Global Oracle Practice Lead, Data Intensity
  • Paul Buckley, Vice President of Software License Solutions, Data Intensity
  • John Petrakis, Vice President of Cloud Assurance Solutions, USDM Life Sciences
  • Rich Froble (moderator), Vice President of Product Management, Data Intensity

USDM's point of view: Moving GxP workloads to the public cloud is no longer a question of whether you can stay compliant — it is an opportunity to assess each application from compliance, security, and cost perspectives at the same time. The data security debate usually resolves in favor of the cloud: the vendor manages the infrastructure better than most life sciences companies can on their own, while you stay focused on clinical trials, research, and manufacturing. USDM's role is data integrity — making sure the data you put in is correct and stays correct — alongside continuous cloud assurance for the regulated components.

Roundtable Q&A


Based on the status of the industry, should we evaluate GxP applications based on cloud options? In other words, should we even consider applications that cannot migrate to the cloud? We have some that may need to be upgraded, others that may need to be replaced, based on business needs. Whether or not they can operate safely and effectively in any cloud, including public cloud, seems to be an undeniable factor now. Is that fair to say?

(John Petrakis) Yes, if you’re evaluating an application, it’s an opportunity to assess it from a compliance and security perspective and a cost perspective so there’s a balanced view. There are tremendous efficiencies that come with a Software-as-a-Service (SaaS) application that operates efficiently within the cloud and has a vendor that supports that set of technology.

Do the types of roadmaps and infrastructure assessments that you're discussing allow me to better understand integration failure points, bandwidth errors, patching needs, and licensing lapses?

(Biju Thomas) This question may have a three-part answer: workload analysis, license analysis, and cloud assurance. For workload analysis, the [Data Intensity] TCOT cloud readiness assessment will identify application/platform compatibility, upgrade opportunities for application business functionality, and technical upgrades for vendor support. It will identify the patching needs and will help to document the integration and dependencies.

The license analysis portion of the assessment gives you a complete picture of your effective license position (ELP). It shows you what you own and what you use. Are you using products that you are not entitled to, or maybe not using a product that you licensed? It will give you a detailed picture of the quantities you need and are entitled to.

The cloud assurance aspect is addressed by both Data Intensity and USDM Life Sciences. Data Intensity helps you identify the right cloud choices for your workload. We are leading partners of Oracle, Azure, and AWS, yet cloud-agnostic. USDM also assesses any regulated-workload components.

What about ongoing compliance management? Once an Oracle workload is migrated to the cloud, do you train or help customers there, too?

(Paul Buckley) This is part of our License Management as a Service offering. We help customers understand how to obtain and maintain compliance regardless of where their footprint lands and is used. We train customers in the basics of licensing in any environment and advise them of the compliance position, how to remediate and fix issues, and also how to remain compliant with our assistance and service help.

Is there a prudent balance between meeting U.S. Food and Drug Administration (FDA) security requirements and our own needs for improved data security? Is there a better balance in the cloud?

(John Petrakis) Security is a little different than some of the other regulations because patient safety is usually not one of the main things at risk. The risk is mostly financial and reputational. An obvious exception would be security on a medical device itself. That may shift a risk analysis once that differentiation is realized. I would ask what the difference is between FDA and the company’s internal requirements, just to understand what issues are under consideration.

Overall, the answer to this question is almost always going to be yes, the cloud is better. The "cloud" just means your computers and data are being managed by someone else who is almost certainly better at data security than you. You do clinical trials, research, manufacturing, etc., and they do data security. You provide the data and we provide the data integrity; we make sure the data you put in is correct and stays correct. The cloud vendor keeps it safe.

In practical terms, the cloud vendor most likely has already implemented whatever features your life sciences company is considering, so it's the cost of designing, testing, implementing, and maintaining it yourself versus never having to think about any of that (and being up and running much sooner).

FAQ: FDA compliance for public cloud workloads

Should life sciences companies evaluate GxP applications based on cloud options?

Yes. Evaluating an application is an opportunity to assess it from compliance, security, and cost perspectives at once, giving a balanced view. SaaS applications that operate efficiently in the cloud with a supporting vendor can deliver tremendous efficiencies.

What does a workload and license assessment reveal?

A workload analysis identifies application and platform compatibility, upgrade opportunities, technical upgrades for vendor support, patching needs, and integration dependencies. The license analysis produces a complete effective license position (ELP) — what you own versus what you actually use.

Who handles ongoing compliance after migration?

Ongoing compliance is managed through services that help customers obtain and maintain compliance regardless of where their footprint lands, including training on licensing basics, remediation guidance, and continuous cloud assurance for regulated workload components.

Is the public cloud better for data security than managing it in-house?

In most cases, yes. The cloud means your systems and data are managed by a provider that specializes in data security, while your organization stays focused on clinical trials, research, and manufacturing. The provider has likely already implemented the security features you would otherwise design, test, and maintain yourself.

How does USDM support FDA-regulated cloud workloads?

USDM Life Sciences focuses on data integrity and assesses the regulated-workload components, working alongside cloud and licensing partners so that compliant, data-driven workloads can run on the public cloud. Learn more about 21 CFR Part 11 compliance and the Computer Software Assurance (CSA) approach that underpin this work.

Watch the on-demand roundtable. Hear the full discussion from USDM Life Sciences and Data Intensity on adopting public cloud for FDA-regulated workloads. To talk through your own GxP cloud strategy, contact USDM Life Sciences.
