Why GxP is Vital for Cloud Control

Cloud computing is an abstraction of hardware, software, and operations staff. Subscribers of cloud computing don’t know what computers are being used nor any of the people managing them, which makes many Chief Risk Officers nervous. How can a CRO or CIO know the computers, networks, storage, and software are safe and reliable? What assurances are there that the cloud data center workers are professionals? Fortunately, the major cloud service providers (CSPs) have published plenty of GxP facts and guarantees to satisfy most inquiries about these concerns.  Indeed, they are painfully aware that one major failure or breach will dramatically harm their reputation. Plus, they have been challenged on GxP best practices by many clients, many times. CSPs like AWS, Microsoft Azure, and Google Cloud publish their GxP best practices concerning hardware, software, and cloud procedures. 

There are 30 GxP best practices. The acronym means Good x Practice where “x” is replaced with audit, engineering, clinical, and so on. Each GxP category has approximately 20 to 30 meticulous protocols and standard operating procedures (SOPs). GxPs – and hence SOPs – are templates for how to run a sensible, ethical business. There is latitude in how to implement best practices since not every manufacturing line or clinical trial is the same. Some GxP practices are easy to determine that the vendor does or does not meet the criteria, and others are measured in a high-to-low adherence estimate, which is common in best practices.   

Accountability of GxP Best Practices
Chief Risk Officers quickly detect that GxP best practices have three centers of gravity in cloud computing. Accountability is split across the data and analytics platform provider (Teradata), the CSP, and the subscriber (corporate cloud buyer). The CSP owns the risks associated with cloud servers, storage, networks, and other software, and all parties ride on top of those vehicles. Above the hardware infrastructure is the data management and analytics layer where Teradata must follow the best practices. And last, are the corporate cloud buyers who orchestrate and administrate workloads running on the hardware and database layers who also have best practices to follow.    

This typically leads to a RACI matrix. RACI matrices clarify which of the participants is responsible, accountable, consulted, or informed for each operation. The vendors propose the RACI accountabilities, and the client agrees or needs more information. That’s often the best way to initially work through GxP assurances from Teradata and CSPs.  

RACI Matrix Example

What GxP Best Practices does Teradata VantageCloud Fulfill?
One of the most important cloud accountability topics is Security. It is always at the top of everyone’s list, especially in recent times. Security encompasses data protection, intrusion monitoring, regulatory compliance, and identity authentication. Within the domain of databases, the hundreds of governments and banks using Teradata Vantage security is one good proof point. Some large banks get 10,000 cyber-attack attempts per day; some get a lot more. Teradata Vantage certifications in ISO/IEC 27001:2013 and PCI-DSS 3.2.1 are clear signals about Teradata’s security strengths.

Next are vendor process controls. Are payments and billings handled by accredited applications? Does the vendor have a code of conduct? Does the company have a fraud or abuse hotline for reporting irregularities? Software companies must also have quarterly executive business reviews and quality systems. Fortunately, most companies, like Teradata, implemented process controls long ago because of legal regulations and cost savings. For example, Teradata uses Software-as-a-Service (SaaS) SalesForce.com to control sales proposals, marketing, and metrics reporting.  We also use ServiceNow (also SaaS) to manage service requests, processes, trouble tickets, and workflows across business domains. 

Personnel validations includes vetting skills, security checks, regular training, and certifications. This is crucial for cloud support workers. Which is why many Teradata employees are Certified Teradata Masters, a certification available to customer DBAs as well. Like many large corporations, Teradata requires annual security, ethics, and sensitivity training of all employees and contractors. Teradata Product Engineering’s ISO 9001 certifications  ̶  especially clause seven  ̶  dictate employee competency, communication, and appropriate training of employees. 

Software quality control leans heavily on DevOps procedures. Teradata Engineering uses many popular DevOps tools in nightly test cycles. What distinguishes Teradata from many startups is our Unified Offering Lifecycle. It is one of dozens of derivatives from the Rational Unified Process (RUP) methodology. UOL adheres to six best practices for modern software engineering. 

1.    Develop iteratively (aka agile), with risk as the primary iteration driver 
2.    Manage requirements (Jira, Aha! Wikis, design.docs)
3.    Employ a component-based architecture
4.    Model software visually
5.    Continuously verify quality
6.    Control changes

Teradata also uses a collaborative planning process called Integrated Product and Process Design (IPPD).  Like many corporations, we modified IPPD and added it to UOL. Integrated Product Teams (IPT) collaborate to “optimize design, manufacturing, and supportability processes. IPPD facilitates meeting cost and performance objectives from product concept through production, including field support.”  This means regular meetings between engineering, marketing, sales, procurement, professional services, and finance leaders. The meetings review upcoming product releases, education, and schedules, to ensure every organization is in sync. The IPT irons out product and process mistakes early in the development and go to market cycles. This means when the big release date arrives, there are no last-minute obligations missing. 

Software supply chain and release cadence ensures cloud customers can expect continuous modernization and enhancements to their investments. Between customer demands and competitors, Teradata has plenty of motivation for new features in the next product release. We’ve been modernizing Teradata Vantage software and tools for 30 years. Teradata’s product advisory council contains customer DBAs who meet periodically to voice requirements, likes, and dislikes face-to-face with product managers. Teradata’s newest VantageCloud Lake deployment will use cloud-native CI/CD technology to ensure our clients always have the latest, most secure software in production. 

These days, Teradata engineering is also collaborating with the big CSPs to help them evolve their cloud to be better at analytic workloads. What works for small data marts, doesn’t work for 800 terabytes, and especially not for twenty petabytes. Who knew? Teradata knew. Our engineers are now helping the CSPs modernize too! 

GxP Assurances
What most cloud customers want is assurances and insights that build trust in the supplier. Finding assurances of GxP best practices means examining documentation and business processes inside cloud vendor companies like the Teradata Vantage Guidelines in a GxP Environment. Teradata’s many certifications and processes already align well with GxP best practices. We renew them periodically and add new ones. 

One answer is documentation. Documentation is the cornerstone of GxP. GxP requires it from manufacturers, retailers, and life sciences. Cloud subscribers should, in turn, ask Teradata and CSPs for documentation too. Yes, there must be accountability and traceability shown in data and documentation throughout the vendor product lifecycle.  As you expect, it will take time to find the correct documents and people to help you.   While some questions can be answered in documents, some will be answered in meetings.  

There are many proof points that show Teradata is safe and reliable that intersect GxP assurances. Perhaps the most relevant is Teradata’s Title 21 CFR Part 11 certification affecting pharmaceutical drug development and manufacturing operations. Teradata Vantage database was independently audited for Title 21 CFR Part 1 by Compliance Implementation Services*. The following Teradata certifications also intersect many GxP best practices:

•    ISO 9001:2015              – effective quality management processes (Maintained by Product Engineering)
•    ISO/IEC 27001:2013     – security management requirements
•    SOC 1                           – financial management
•    SOC 2                           – accounting security, integrity, and privacy
•    PCI-DSS 3.2.1              – data security for credit card holders
•    HIPAA                           – health insurance and privacy

Additionally, Teradata has again been recognized as one of the Most Ethical Companies in the World – receiving the honor for the last 13 consecutive years.

Summary
If your company needs GxP assurances from Teradata, first read the white paper and then make your list of areas to discuss with Teradata. Only together will we find a way to satisfy and assure the CRO and CIO.

*Acquired by Deloitte, renamed CIS by Deloitte