23.01.2024 | LOGFILE Feature 2/2024

Can GMP Data be in the Cloud?

7 min. reading time | by Thomas Peither

What is cloud computing?

Cloud computing is not a new technology, but a new way of providing resources for data processing.

Cloud computing services range from data storage and processing to software such as email processing. Such services are non-binding and available on demand.

As we are in a time of austerity, many companies are opting for predictable running costs rather than long-term, uncertain investments. With rapid innovation cycles and high costs, this new business model for data processing found fertile ground and is expanding worldwide.

The German Federal Office for Information Security (BSI) defines cloud computing as follows:

"Cloud computing is a model that makes it possible,

  • on demand,
  • anytime, anywhere and conveniently via a network
  • to access a shared pool of configurable computing resources (e.g. networks, servers, storage systems, applications and services),
  • that can be rapidly provisioned and with minimal management effort or service provider interaction".

It is useful to think of a "cloud" first as a data centre, i.e. a third-party data centre. However, a regulated company has the same responsibility for the compliant operation of computerised systems as it does in its own data centre – only now the infrastructure and data are located elsewhere.

In principle, the control or management of the data is entrusted to the cloud provider, while the responsibility remains with the pharmaceutical manufacturer. From the perspective of a GMP regulated company, this immediately raises questions about

  • data security,
  • data availability and
  • data integrity.

Cloud models

Different types of cloud are distinguished by the way the software is provided.

Common models are:

  • Public Cloud
  • Community Cloud
  • Private Cloud
  • Virtual Private Cloud
  • Hybrid Cloud

Service models

Then there is the type of service model, and this is where things get a bit complicated. Let me just pick out the most common acronyms:

  • IaaS – Infrastructure as a Service

This is a computer infrastructure that is provided and managed via the Internet. Companies utilise the computing capacities and pay for the use of the computing power.

  • PaaS – Platform as a Service

Here, the company rents a complete operating system or a development environment. The customer is responsible for the applications running on it.

  • SaaS – Software as a Service

Finally, the user company is only responsible for the customer-specific data and access. Many people are familiar with this from SAP or accounting programmes. GMP Compliance Adviser is also a SaaS.

You can set favourites in the GMP Compliance Adviser for which we as a publisher are not responsible. Our GMP:READY e-learnings are also included in this category.

As you can see, things were different 10 years ago, and software often even had to be installed on a PC in the company. Today and in the future, we will only access the resources provided. This is also called division of labour – why should a pharmaceutical company be so deeply involved in IT issues when its core competency is drug production?

And of course the GMP Compliance Adviser does not run on a server in our basement, but in a cloud environment. This is not only more secure, but also more stable and less prone to downtime.

The word "more secure" may have raised an eyebrow. That’s OK, because we also wanted to look at the opportunities and risks of using the cloud.

Let's start with the opportunities:

Cloud-based services are used extensively in private areas (social media, online shopping) and are widely used in retail, banking, entertainment, etc.

These are seen as advantages:

  • Cost savings
  • Speed
  • Flexibility
  • Security

On the other hand, there are disadvantages that can arise in unfavourable cases:

  • Penalties
  • Downtime
  • Loss of sales
  • Damage to reputation
  • Loss of customer confidence

The Cloud Security Alliance (CSA) regularly collects, analyses and summarises the potential risks of using the cloud. In 2022, the report "Top Threats to Cloud Computing - Pandemic Eleven" was published.

I encourage you to read this list, as it will give you an idea of the range of issues, from insecure security architectures to hacking aimed at stealing data.

However, it is important to remember that when companies decide to keep all applications and data in-house, most of these risks are still present and need to be managed with in-house expertise.

Professional cloud services already cover these risks.

Expertise is always a key factor in the decision to outsource or insource. How much does external or internal expertise cost? The premise of division of labour also applies here.

This article is a shortened and translated excerpt from the 39th episode of our German GMP & TEA webcast.

Thomas Peither
GMP Expert, Specialist Journalist, Founder of the GMP-Verlag Peither AG, President of GMP Publishing Peither, Inc.
E-Mail: thomas.peither@gmp-publishing.com
