Wer seine IT-Projekte in die Cloud bringen möchte, muss auf ein paar Fallstricke achten. Herausforderungen finden Sie vor allem im Bereich der Sicherheit. Ihre Daten müssen vor dem Zugriff Unberechtigter absolut sicher sein. Trotzdem muss das Zugriffsmanagement für Ihre Mitarbeiter gut funktionieren. Zu diesen technischen Aufgaben kommen handfeste Vorgaben aus Ihren betrieblichen Richtlinien sowie wichtige gesetzliche Auflagen hinzu. Diese Compliance-Fragen sollten Sie unbedingt kennen und zuverlässig erfüllen. Denn nur, wenn Sie alle Compliance-Vorgaben korrekt einhalten, kann Ihr Cloud-Projekt ein voller Erfolg werden.

1. GxP @ AWS
Bertram Dorn – Specialized Solutions Architect
Security/Compliance
Amazon Web Services EMEA
©Amazon.com, Inc. and its affiliates. All rights reserved.

2.  Healthcare and Life Sciences customers are rapidly adopting AWS
 Initial usage concentrated in Research, Digital Marketing and core IT
 GxP solutions are now incredibly important to our customers
 Development and Manufacturing are beginning the adoption curve
 AWS’s GxP approach comes directly from our customers and partners
 We want to educate, engage and deliver further value to our
customers
Business Context of AWS and GxP

3. The Benefits to Using the AWS Cloud
?Move from operational to
variable cost
Lower variable cost than most companies
can achieve
No need to guess
capacity
Agility, speed &
innovation
Remove undifferentiated
heavy lifting
Go global
in minutes

4. AWS Service Build
 Tennant Isolation
 Deep Network Security
 Scaling Crypto Services
 Detailed Monitoring
 Access Control
 Mandatory
 Fine Grade
 MFA Possible
AWS Global Infrastructure
Application Services
Networking
Deployment & Administration
DatabaseStorageCompute
I
n
h
e
r
i
t
C
o
n
t
r
o
l
Identity
Management
Key
Management &
Storage
Monitoring
& Logs
Assessment and
reporting
Resource &
Usage Auditing
SECURITY & COMPLIANCE
Configuration
Compliance
Web application
firewall
Access Control

5. 12 Regions
33 Availability Zones
54 Edge Locations
Coming Soon:
5 Regions
11 Availability Zones
AWS Operates Globally, as do our Customers

6. ENTERPRISE
APPS
DEVELOPMENT & OPERATIONSMOBILE SERVICESAPP SERVICESANALYTICS
Data
Warehousing
Hadoop/
Spark
Streaming Data
Collection
Machine
Learning
Elastic
Search
Virtual
Desktops
Sharing &
Collaboration
Corporate
Email
Backup
Queuing &
Notifications
Workflow
Search
Email
Transcoding
One-click App
Deployment
Identity
Sync
Single Integrated
Console
Push
Notifications
DevOps Resource
Management
Application Lifecycle
Management
Containers
Triggers
Resource
Templates
TECHNICAL &
BUSINESS
SUPPORT
Account
Management
Support
Professional
Services
Training &
Certification
Security &
Pricing
Reports
Partner
Ecosystem
Solutions
Architects
MARKETPLACE
Business
Apps
Business
Intelligence
Databases
DevOps
Tools
NetworkingSecurity Storage
Regions
Availability
Zones
Points of
Presence
INFRASTRUCTURE
CORE SERVICES
Compute
VMs, Auto-scaling, &
Load Balancing
Storage
Object, Blocks, Archival,
Import/Export
Databases
Relational, NoSQL,
Caching, Migration
Networking
VPC, DX, DNS
CDN
Access Control
Identity
Management
Key
Management &
Storage
Monitoring
& Logs
Assessment and
reporting
Resource &
Usage Auditing
SECURITY & COMPLIANCE
Configuration
Compliance
Web application
firewall
HYBRID
ARCHITECTURE
Data Backups
Integrated
App
Deployments
Direct
Connect
Identity
Federation
Integrated
Resource
Management
Integrated
Networking
API
Gateway
IoT
Rules
Engine
Device
Shadows
Device SDKs
Registry
Device
Gateway
Streaming Data
Analysis
Business
Intelligence
Mobile
Analytics

7. ENTERPRISE
APPS
DEVELOPMENT & OPERATIONSMOBILE SERVICESAPP SERVICESANALYTICS
Data
Warehousing
Hadoop/
Spark
Streaming Data
Collection
Machine
Learning
Elastic
Search
Virtual
Desktops
Sharing &
Collaboration
Corporate
Email
Backup
Queuing &
Notifications
Workflow
Search
Email
Transcoding
One-click App
Deployment
Identity
Sync
Single Integrated
Console
Push
Notifications
DevOps Resource
Management
Application Lifecycle
Management
Containers
Triggers
Resource
Templates
TECHNICAL &
BUSINESS
SUPPORT
Account
Management
Support
Professional
Services
Training &
Certification
Security &
Pricing
Reports
Partner
Ecosystem
Solutions
Architects
MARKETPLACE
Business
Apps
Business
Intelligence
Databases
DevOps
Tools
NetworkingSecurity Storage
Regions
Availability
Zones
Points of
Presence
INFRASTRUCTURE
CORE SERVICES
Compute
VMs, Auto-scaling, &
Load Balancing
Storage
Object, Blocks, Archival,
Import/Export
Databases
Relational, NoSQL,
Caching, Migration
Networking
VPC, DX, DNS
CDN
Access Control
Identity
Management
Key
Management &
Storage
Monitoring
& Logs
Assessment and
reporting
Resource &
Usage Auditing
SECURITY & COMPLIANCE
Configuration
Compliance
Web application
firewall
HYBRID
ARCHITECTURE
Data Backups
Integrated
App
Deployments
Direct
Connect
Identity
Federation
Integrated
Resource
Management
Integrated
Networking
API
Gateway
IoT
Rules
Engine
Device
Shadows
Device SDKs
Registry
Device
Gateway
Streaming Data
Analysis
Business
Intelligence
Mobile
Analytics

8. ENTERPRISE
APPS
DEVELOPMENT & OPERATIONSMOBILE SERVICESAPP SERVICESANALYTICS
Data
Warehousing
Hadoop/
Spark
Streaming Data
Collection
Machine
Learning
Elastic
Search
Virtual
Desktops
Sharing &
Collaboration
Corporate
Email
Backup
Queuing &
Notifications
Workflow
Search
Email
Transcoding
One-click App
Deployment
Identity
Sync
Single Integrated
Console
Push
Notifications
DevOps Resource
Management
Application Lifecycle
Management
Containers
Triggers
Resource
Templates
TECHNICAL &
BUSINESS
SUPPORT
Account
Management
Support
Professional
Services
Training &
Certification
Security &
Pricing
Reports
Partner
Ecosystem
Solutions
Architects
MARKETPLACE
Business
Apps
Business
Intelligence
Databases
DevOps
Tools
NetworkingSecurity Storage
Regions
Availability
Zones
Points of
Presence
INFRASTRUCTURE
CORE SERVICES
Compute
VMs, Auto-scaling, &
Load Balancing
Storage
Object, Blocks, Archival,
Import/Export
Databases
Relational, NoSQL,
Caching, Migration
Networking
VPC, DX, DNS
CDN
Identity
Management
Key
Management &
Storage
Monitoring
& Logs
Assessment and
reporting
Resource &
Usage Auditing
SECURITY & COMPLIANCE
Configuration
Compliance
Web application
firewall
HYBRID
ARCHITECTURE
Data Backups
Integrated
App
Deployments
Direct
Connect
Identity
Federation
Integrated
Resource
Management
Integrated
Networking
API
Gateway
IoT
Rules
Engine
Device
Shadows
Device SDKs
Registry
Device
Gateway
Streaming Data
Analysis
Business
Intelligence
Mobile
Analytics
Access Control

9. The main AWS Compliance Frameworks of today
Certificates: Programmes:
ISO
27000
ISO
9001

10. GxP SDLC and Deployment Scenarios
Develop Validate Operate
COTS App
Virtual
Infrastructure
Custom App
Virtual
Infrastructure
AWS Products AWS Products
Scenario 1 Scenario 2
AWS Account AWS Account
SaaS
Virtual
Infrastructure
AWS Products
Scenario 3
AWS Account
GxP End Users
Pharma,
Device
AWS ISV PartnerRoles:

11. User
Needs
Application
Requirements &
SLA
Server
Requirements
Amazon EC2
Instance
Amazon EC2
Product Spec &
SLA
Solution
Architecture
Database
Requirements
Solution
Architecture
Amazon RDS
DB Instance
Amazon RDS
Product Spec &
SLA
Customer
AWS
Development Starts with Your User Needs

12. AWS Shared Responsibility Model in GxP
Human
Interface Support
Equipment
Interface Support
Instrument
Interface Support
Application
Data
Software-defined Infrastructure
AWS Account
Amazon IAM Amazon VPC Amazon EC2 Amazon S3 Amazon RDS Other AWS Products
Manual I/O Automated I/O
Step 1 Step 2 Step 3
Customer
AWS
Automated I/O
GxP Process
Validation
GxP Software
Validation
GxP Infrastructure
Qualification
Commercial IT
Standards
G o o d L a b o r a t o r y , C l i n i c a l , M a n u f a c t u r i n g P r o c e s s
On-Premises
Infrastructure
Products

13. AWS’s New GxP Compliance Resources
GxP Cloud on AWS FAQ
Considerations for Using AWS
Products in GxP Systems
AWS Quality Management
System Overview
(available to NDA-holders)
 Technical Product
Documentation
 Introduction to
Auditing the Use
of AWS
 Security by Design
Program

14. Cloud Technology
Software-defined infrastructure?
 Cloud users replace physical IT infrastructure with
virtual IT infrastructure
 SDI can be managed like any other software code
 Users control their virtual infrastructure and data via
web service API, CLI, GUI
 Users integrate applications with virtual infrastructure
through SDKs and APIs
 Users and applications interact with SDI
programmatically with .json scripts instead of manually
with .doc files
{API}

15. AWS Cloud Advantages
IT Benefits
 Trade capital expense for
variable expense
 Benefit from massive
economies of scale
 Stop guessing capacity
 Increase speed and agility
 Stop spending money on data
centers
 Go global in minutes
Compliance Benefits
 Designed for Security & Quality
 Constantly Monitored
 Highly Automated
 Highly Available
 Highly Accredited
ISO 9001:2008, ISO 27001:2013
ISO 27017:2015, ISO 27018:2014

16. Cybersecurity of AWS Products
 Security Features Built-in
 Security Bulletins
 Security Guidance
 AWS Trusted Advisor
 Penetration Testing/Scanning
 Vulnerability Reporting
 AWS Professional Services
 AWS Partner Network
"The financial service industry attracts some of the
worst cyber criminals. We work closely with AWS to
develop a security model, which we believe enables
us to operate more securely in the public cloud than
we can in our own data centers."
-Rob Alexander, CIO, Capital One

17. Data Integrity with AWS Products
API
service
web
API
Request
API Response
includes a Message
Digest, a unique
fingerprint for each
API request
AWS Product Features for Data Integrity
End-to-end authenticated encryption, API message digests, file object hashing, file object integrity monitoring,
log file integrity validation, account configuration rules and alarms, fine-grained access controls, VPC flow logs,
application deployment and testing tools to enforce application input validations, multi-region redundancy and
backup capability, multiple methods of bulk data transfer to and from the AWS cloud…

18. Supplier Assessments of AWS
Customers with GxP systems have
completed their supplier assessments of
AWS based on our performance history,
compliance reports, and extensive
documentation of our products.
 Product Documentation
 Product Training Materials
 Customer Support
 Service Health Dashboard
 Security & Compliance Whitepapers
 Quality Management System Overview
 Supplier Questionnaires & RFIs
 ISO Certification
 SOC Auditor Reports
 FedRAMP Compliant Status
 Public Company Reporting (AMZN)

19. Agreements with AWS
 Customer Agreement
 Service Terms
 Acceptable Use Policy
 Customer Support Agreement
 Product SLAs
 Addendums:
oSecurity
oData Processing
oBusiness Associate
Change notification
Security notification
Your data
Data privacy
Support case SLA
No minimum spend or term
Customer responsibilities

20. Cloud Solution Validation (CSV)
Hardware Era Cloud EraVirtualization Era
Protocol-driven
manual activities
Procedure-driven
manual activities
Code-driven
automated activities
 Application Validation
 Software Defined
Infrastructure
Qualification
 Web Service API
Qualification
AWS qualifies our products to commercial IT standards like ISO, SOC and NIST,
Customers qualify their use of AWS Products to industry-specific standards like GxP, QSR and Part 11.

21. Operations of GxP Systems
 Reduce human access to
your production IT
environment through
deployment automation
 Track and monitor 100%
of your assets, changes,
and configurations
 Software-defined
infrastructure makes
synchronizing
environments easy
 Feed end user requests
back into the
development process.
GxP end usersGxP engineers
production

22. Auditing GxP Systems
An IAM user, Alice,
employed the
CreateUser action to
create a new user
account for Bob.
AWS CloudTrail

23. Resources
 https://aws.amazon.com
 https://aws.amazon.com/compliance/
 https://aws.amazon.com/security/
 https://aws.amazon.com/premiumsupport/
 http://status.aws.amazon.com/

24. Thank you!