Cloud computing and its constraints

Cloud computing is a concept in which services traditionally hosted on local servers or machines are externalized to remote servers for computer processing.




Figure 1: Cloud computing concept

 

From this definition emerge three types of services:
- Software as a Service (SaaS): making software / application hosted by a vendor / partner available.
- Platform as a Service (PaaS): renting services and platforms on which the customer uses the tools at his disposal.
- Infrastructure as a Service (IaaS): making IT infrastructure (servers, networks, storage ...) available and adjustable to customer needs.

 

Figure 2: Types of services

These services are deployed according to 4 levels of sharing:

- Private Cloud: internal Cloud within company / organization
- Community Cloud: intermediate level between the private and the public cloud. It consists of outsourcing IT resources with private access to the infrastructure by secured connections.
- Public Cloud: the IT infrastructure belongs to the providers but is shared between several companies and accessible via the Web.
- Hybrid Cloud: merging of two or several clouds which must share applications and data between them.

Cloud computing entails a loss of control over the infrastructure and, above all, over the stored data. Responsibility for the data remains with the customer even when outsourcing is under contract.

3 constraints:
- Data access security (physical and logical): the data are stored on the provider's infrastructure, which can be accessed especially during maintenance work. On the one hand, there is a risk to the confidentiality, integrity and availability of the data and, on the other hand, to its traceability (malice, error ...). It is necessary to ensure that the data is properly isolated, especially for hybrid and public clouds.
- Data geo-location: it is difficult to identify in which country the data is stored because the cloud has no borders (especially for high availability, with geographically distinct sites and redundancy of remote equipment). The regulations of the countries where the data is stored must be taken into consideration, notably regulations relating to personal data.
- Protection and data recovery: this applies in the case of contract termination or a change of cloud provider. Before engaging with a provider, make sure that, upon contract termination, the data are destroyed on its infrastructure after a successful migration to another solution.

Contract negotiations can be more difficult depending on the size of the supplier chosen. It is also important to ensure that all the constraints listed above are identified in the terms and/or annexes of the contract, and that all changes to the general conditions of the contract are clearly identified and subject to your prior approval.

Regulatory Constraints:

The three main constraints of cloud computing listed above are precisely the points highlighted in the pharmaceutical regulations (confidentiality and data integrity).
This is especially true for the supplier's access to data stored in a cloud. To overcome this, it is necessary:
- To establish a confidentiality agreement between customer and supplier,
- To provide that each party uses its own login/password combination in order to trace interventions,
- To ensure that a change request is made for each change to the security rules.

To preserve data integrity, the cloud provider should be able to back up and restore data whenever necessary. The backup/restore needs have to be discussed with the client, and a procedure must be implemented on the customer's side.

In addition, other regulatory aspects come into play. Each country produces its own regulations on data physically stored on its territory. This is particularly true for the United States with the Patriot Act, which, among other things, allows authorities to access data stored by companies on their territory and, if the company is American, to access it regardless of the location of the subsidiary. We must therefore make sure of the confidentiality clauses, and of the exceptions to them, with regard to the authorities of the country where the headquarters of the provider's parent company are based. As far as Europe is concerned, data can flow between countries of the European Union while preserving the fundamental rights of individuals.

Standards and certifications are bound to be developed to meet customer needs on cloud computing. The "Enterprise Cloud Leadership Council" and the "Cloud Security Alliance" are working toward the establishment of standards. Moreover, the European Union is considering the development of a specific Cloud Computing regulation.

The establishment of a Cloud in a pharmaceutical context is not easy. It is therefore important to select the supplier based on a qualification process and ensure that all regulatory requirements are met.

Selmin Kuzu - SPIE Oil and Gas Services

Computerized System Validation Engineer
IT Infrastructure Qualification Expert.

 

Serge Librot - LivIT

Senior Consultant IT infrastructure services
ITIL Expert and Outsourcing Professional