Bridging Conventional GxP Solutions with the AWS Cloud: An Approach to Adopting Cloud Services
The cloud has brought agility and cost savings compared to running workloads in a data center, forcing customers to consider how regulatory concerns are shared between themselves and the cloud provider. Customers with existing GxP (an abbreviation for “good practice” guidelines and regulations for various industries like pharmaceutical, agricultural, or manufacturing) solutions are challenged when migrating to the cloud. These challenges revolve around the regulatory and compliance positioning of software running in a cloud environment and how to provide the required controls for a cloud-based solution.
AWS provides various resources and support to assist customers in successfully moving their GxP regulated solution to the AWS cloud. Through self-service artifacts providing third-party attestations to recognized certifications and guidance documents on maintaining regulatory compliance in the cloud, AWS supports the process for our customers. This post introduces how AWS addresses these challenges and provides references to other documents providing a deeper dive into other aspects of regulated workloads in the cloud.
When building modern and traditional web or connected solutions, you likely already accept the premise that your solutions will securely operate over the internet using encrypted channels. You rely on the fact that your information will travel from point “A” to point “B” without worrying about the technical details of how your data moves from one place to another, such as the physical communication layer or the well-known protocols such as TLS, TCP, and HTTP, as represented in the OSI Model layers 1-6.
Additionally, based on the solution risk profile, you can design your solutions to mitigate the risk of failure and reduce recovery time, accepting that such risks can be mitigated by employing high-availability techniques. For example, running your solutions in multiple availability zones and data centers allows a failure in one application runtime zone to be absorbed by continuing operation in the second location. By using high-availability and disaster recovery techniques, even if the web application runs in a single data center, you acknowledge a design that allows for failure and has mechanisms in place to mitigate those risks.
Your data center also needs to follow regulatory certifications to store and handle protected data (for example, personally identifiable or health information). Regulations require documentation attesting that the data center hardware and software stack are compliant. Standard operating procedures must exist to mitigate any risk, and events and actions taken must be auditable. We would expect these things from any data center that stores and transmits sensitive or mission-critical data. The AWS Cloud consists of data centers, just like the ones you currently use (internal and wholly owned by your business, or co-located). AWS makes its third-party certifications, conducted by independent auditors, available to our customers through AWS Artifact to meet your regulatory compliance evidence needs.
GxP regulated workloads can be migrated or re-platformed from a local or co-located data center to the AWS Cloud while maintaining the same or better risk mitigations, accomplished through architectural best practices. The AWS Well-Architected Framework provides a foundation for building and ensuring that your solutions operate on secure, high-performing, resilient, and efficient infrastructure. The “Quality Management System Overview,” found in the AWS Artifact service in the AWS Console, provides insights into the AWS quality management systems, giving regulated solution builders the attestations they need to conduct their supplier assessments relative to AWS.
AWS provides certifications, attestations, and regulatory control alignments with worldwide frameworks and laws that govern how protected health information and personally identifiable information is handled, transmitted, and stored. AWS also makes this documentation available via the AWS Artifact service within the AWS Console, which enables you to inherit risk mitigations through the AWS Shared Responsibility Model, for example:
More information about these and other compliance controls can be found on the AWS Compliance Programs site.
Additionally, AWS complies with international privacy laws and regulations and aligns with global and regional industry frameworks:
Another opportunity to allow AWS to perform more of the undifferentiated heavy lifting is to use AWS Managed Services to maintain your infrastructure within the cloud. AWS Managed Services has a set of standard operating procedures to manage the infrastructure aspects of your solution. As part of the supplier assessment, you can evaluate AWS Managed Services as part of your overall solution.
Using good cloud design practices as described in The Well-Architected Framework and understanding how the AWS Shared Responsibility Model supports your regulatory certification requirements, you can allow AWS to perform more of the infrastructure management of the cloud while maintaining your strong compliance posture, as you have in your on-premises or co-location data centers today. Additionally, you can make use of various Reference Architectures and QuickStarts that exist for building compliant solutions, such as GxP Compliance Automation or the HIPAA on AWS QuickStart. As a result, you can focus on your solutions’ value-add instead of infrastructure management. AWS goes the extra mile and provides you with the required assurances to confidently and safely move your workloads to the cloud.
To learn more about how AWS helps with GxP compliance, visit https://aws.amazon.com/health/solutions/gxp/