Validation of Cloud Computing Systems

Specific challenges in the validation of cloud computing systems

A recent study on the topic (in which one of our employees, Mr. Edgar Röder, was involved as a member of the ISACA section for cloud computing) begins with the words:

“Cloud computing has arrived in companies. Most companies have already had their first experiences with it. In addition to euphoria and skepticism, the discussion about the use of IT resources from the Internet is still dominated by a strong sense of uncertainty. The tension is clear: between the opportunities – primarily cost savings – on the one hand and the compliance and privacy concerns on the other hand, people will be looking for ways to benefit from cloud computing without incurring incalculable risks” (Cloud Governance in Germany - situational analysis, July 2015)

What is Cloud Computing?

Cloud computing is the offering, use and billing of IT services over a network, dynamically adapted to demand.

There are 5 essential features:

  1. Broad network access via standardized mechanisms, regardless of the device
  2. Rapid elasticity with access to (apparently unlimited) available capacity (flexible allocation and release)
  3. Resource pooling, i.e. resources are shared among several tenants
  4. Measured service, i.e. utilization is controlled and optimized, and invoicing is transparent
  5. Self-service of IT resources on demand (e.g. computing time, storage capacity) by the user

What are the differences from traditional outsourcing?

Chapter 7 of the EU GMP Guide also applies to the use of cloud services:

  • The suitability of the provider is verified by audits
  • The service should be set out in the contract
  • Quality must be monitored through appropriate measures (monitoring)

It is essential to look at the entire supply chain, as many vendors themselves obtain the services they offer as cloud services. The 5 features above bring both optimization potential and additional risks.

Considering that the traditional IT model for a computerized system is designed somewhat differently from a (valid) cloud computing system, the following topics, with which DHC’s consultants would be happy to assist you, should be considered:

  • For IaaS (Infrastructure as a Service) and PaaS (Platform as a Service):
    • (classic) qualification of IaaS before implementation
    • Measures for shutdown or resource sharing: data deletion / archiving
    • When validating software that runs on these services, additional risks arising from virtualization and multi-user operation must be anticipated and addressed (e.g. by encrypting data).
  • Regular monitoring of the SLA
  • System or supplier selection and qualification, taking into account:
    • Quality management, in particular measures to maintain (valid) operations (communication, change management, CAPA, business continuity)
    • Data security
    • Service Level Agreements (SLA)
    • Migration strategy (in and out)
  • For SaaS (Software as a Service such as S/4HANA):
    • Validation of the application as GAMP Category 3 or 4 software
    • Additional risks:
      • Changes to the configuration / software are initiated by the agent.
      • The possibility of continuing to use older versions / configurations is to be determined in the SLA.
      • Since large parts of the computerized system (software and data) are with the external service provider, contingency planning (including backup) and the shutdown concept must be drawn up at an early stage.