The million dollar question is "Can Microsoft Azure be qualified?". In this blog post I will provide a prescriptive guide on not just "how to qualify", but also how to maintain the qualified state intelligently.
As we all know, initial qualification of IT Infrastructure is hard but pales in comparison to the effort involved in maintaining the qualified state (QS). The model presented here ensures QS Integrity so that requalification can be avoided at all costs.
Azure Resource Manager (ARM) Template Qualification
Step 1: Transform your infrastructure requirements into code. This can be done by using ARM Templates. Using ARM you create a template for your infrastructure. Then, test your template and hand it over to IT Quality.
Step 2: Build a "continuous" qualification framework to qualify your template. This framework can automatically deploy the template in a TEST environment and perform various tests to ensure all the requirements are met. Also, the test execution reports with all evidence are automatically generated.
IT Quality reviews the results and then certifies the ARM template.
Step 3: Publish the qualified ARM template to the Service Catalog. Your global teams can deploy this template any number of times without worrying about qualification (Qualify it once and use it many times!).
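As an added illustration of the Step 2 check stage (example code written for this post, not the author's framework, not a Microsoft template), the Python below loads an ARM template, evaluates a small requirement catalogue against it (HTTPS-only storage, a TLS 1.2 floor, an allow-list of authorised image publishers, diagnostic logging wired to a workspace) and emits one evidence row per check, which is the report IT Quality would review before certifying the template. The template, the requirement IDs and the publisher allow-list are constructed for the illustration; a real framework would deploy the template into the TEST environment and read the resulting resources back rather than inspecting the template text alone.

```python
import copy
import json

# Constructed sample ARM template (assumption: resource shapes follow the
# documented ARM schemas; it is not a template from the post or from Microsoft).
SAMPLE_TEMPLATE = json.loads(r'''
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {"workspaceId": {"type": "string"}},
  "resources": [
    {"type": "Microsoft.Storage/storageAccounts", "name": "gxpdata001",
     "properties": {"supportsHttpsTrafficOnly": true, "minimumTlsVersion": "TLS1_2"}},
    {"type": "Microsoft.Compute/virtualMachines", "name": "gxpapp01",
     "properties": {"storageProfile": {"imageReference": {"publisher": "MicrosoftWindowsServer",
                     "offer": "WindowsServer", "sku": "2019-Datacenter"}}}},
    {"type": "Microsoft.Insights/diagnosticSettings", "name": "gxpdata001-diag",
     "properties": {"workspaceId": "[parameters('workspaceId')]"}}
  ]
}
''')

# Constructed allow-list of image publishers the organisation has hardened and authorised.
ALLOWED_IMAGE_PUBLISHERS = {"MicrosoftWindowsServer", "Canonical"}


def resources_of_type(template, rtype):
    """All resources in the template whose type matches (ARM types are case-insensitive)."""
    return [r for r in template.get("resources", []) if r.get("type", "").lower() == rtype.lower()]


def prop(resource, path, default=None):
    """Read a nested property by dotted path, e.g. 'storageProfile.imageReference.publisher'."""
    node = resource.get("properties", {})
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


# Requirement catalogue: (id, description, resource type, predicate).  Each predicate
# returns True when one resource of that type satisfies the requirement.  IDs are constructed.
PER_RESOURCE_REQUIREMENTS = [
    ("REQ-ENC-01", "Storage accounts accept HTTPS traffic only",
     "Microsoft.Storage/storageAccounts", lambda r: prop(r, "supportsHttpsTrafficOnly") is True),
    ("REQ-ENC-02", "Storage accounts require TLS 1.2 as the minimum version",
     "Microsoft.Storage/storageAccounts", lambda r: prop(r, "minimumTlsVersion") == "TLS1_2"),
    ("REQ-IMG-01", "Virtual machines are built only from authorised image publishers",
     "Microsoft.Compute/virtualMachines",
     lambda r: prop(r, "storageProfile.imageReference.publisher") in ALLOWED_IMAGE_PUBLISHERS),
]

# Requirements satisfied by the presence of at least one conforming resource.
PRESENCE_REQUIREMENTS = [
    ("REQ-LOG-01", "Diagnostic settings send logs to a Log Analytics workspace",
     "Microsoft.Insights/diagnosticSettings", lambda r: bool(prop(r, "workspaceId"))),
]


def qualify_template(template):
    """Evaluate every requirement and return the evidence report, one row per check."""
    report = []
    for req_id, text, rtype, ok in PER_RESOURCE_REQUIREMENTS:
        matches = resources_of_type(template, rtype)
        if not matches:  # record that the requirement was evaluated even when nothing applies
            report.append({"requirement": req_id, "description": text, "resource": "(none)", "result": "N/A"})
        for res in matches:
            report.append({"requirement": req_id, "description": text, "resource": res["name"],
                           "result": "PASS" if ok(res) else "FAIL"})
    for req_id, text, rtype, ok in PRESENCE_REQUIREMENTS:
        conforming = [res["name"] for res in resources_of_type(template, rtype) if ok(res)]
        report.append({"requirement": req_id, "description": text,
                       "resource": ", ".join(conforming) or "(none)",
                       "result": "PASS" if conforming else "FAIL"})
    return report


def template_qualified(report):
    """The template is certifiable only when no check failed (N/A rows do not block)."""
    return not any(row["result"] == "FAIL" for row in report)


def negative_control(template):
    """Downgrade the first storage account's TLS floor in a copy; the framework must catch it."""
    tampered = copy.deepcopy(template)
    storage = resources_of_type(tampered, "Microsoft.Storage/storageAccounts")[0]
    storage["properties"]["minimumTlsVersion"] = "TLS1_0"
    return qualify_template(tampered)


if __name__ == "__main__":
    for row in qualify_template(SAMPLE_TEMPLATE):
        print(f'{row["requirement"]:<11} {row["result"]:<5} {row["resource"]:<16} {row["description"]}')
```

The negative_control function is the part an auditor will ask about: a qualification suite that can only pass produces no evidence, so the framework should run a deliberately non-conforming copy on every cycle and show that the corresponding requirement flips to FAIL.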
Azure Monitoring Toolset Qualification
In order to maintain your Azure Infrastructure in a Qualified State, you need to create a "qualified" catalog of Azure Monitoring Services. Such services include Automation, Azure Monitor, Automation & Control, Application Insights, Azure Advisor, Azure Policy, Log Analytics, Security & Compliance, Azure Security Center, etc.
Step 4: Build a "continuous" qualification framework to qualify each monitoring service. This framework can automatically qualify each service in a TEST environment and perform various tests to ensure all the requirements are met. IT Quality reviews the results and then releases the service for Production Use.
Step 5: Now each of the qualified monitoring services can be used globally without worrying about qualification.
Build Qualified Azure Infrastructure and Go Live
Step 6: Now your IT teams can build "qualified" infrastructure using ARM templates from the Service Catalog. Also, they can monitor them using "qualified" services in order to maintain the "qualified state" of the infrastructure.
By following the above six (6) steps, you can build and maintain a qualified infrastructure that is GxP compliant and always "audit ready". The above framework uses the mantra "qualify it once and use it many times", thus not only making it cost efficient but also baking in the best practices.
Frequently Asked Questions (FAQ)
Microsoft Azure releases changes constantly. How will I maintain change control?
A true "cloud" is designed to constantly release changes so that the end customer can leverage these innovations and thus increase productivity. Azure is no exception here. However, this presents a dilemma for the traditional validation folks who are used to reviewing each change and then addressing it one way or the other.
If you want to embrace the Cloud, the compliance perspective must change from examining every change by the Cloud Provider (which is practically impossible considering the velocity of changes) to ensuring your requirements are met constantly. This can be achieved with the "continuous" validation framework, whereby you are constantly (for example: daily) testing to ensure your requirements are met in spite of the changes.
How does "continuous" qualification really work?
Continuous Qualification is GxP compliant and based on a sophisticated Model Based Testing Framework. Once the Continuous Qualification model is built, it can be used to perform initial qualification of an infrastructure template or a monitoring service, for example. It can be run at regular intervals to "continuously qualify" with no human intervention ("lights out mode"). This approach enables cost effective testing on a continuous basis thus enabling deployment of GxP workloads in the public cloud.
What are the real advantages of qualifying an Infrastructure Template?
Before the advent of the "software defined" data center, the only way to qualify was to build first and then perform the qualification. Now with Azure, building infrastructure is akin to writing code. In other words, you script the infrastructure you want to build and then run that script as many times as you want to consistently stand up your virtual data center within minutes.
This makes qualification cost effective and makes implementing IT best practices that much easier. Azure does provide downloadable templates that you can start with and then modify to meet your requirements. For example, you can stand up a complex environment for an SAP implementation within minutes using ARM templates.
You build the template using best practices (for regulatory, security compliance, etc.) that meet your specific requirements. You then qualify the template and make it available in the Service Catalog for consumption throughout your organization.
Why do we need the monitoring tools after the template is qualified?
Once the infrastructure is built and deployed, you need to monitor its health and also ensure that Qualified State (QS) drift has not occurred. QS drift occurs when changes (intentional or unintentional) are made to the deployed infrastructure after it has been qualified, bypassing the change control process.
Automation & Control enables continuous services and compliance with automation and configuration management. You can apply and monitor configurations using a highly-available pull service, and fix configuration drift without manual intervention. You can combine change tracking with configuration management to identify and apply configurations and enable compliance. You can deliver orchestrated update management for servers. This service will enable compliance with the Qualified State (QS). It will bring to your notice if a QS Drift has occurred.
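As an added example (written for this post; it is not the author's framework and not Automation & Control itself), the Python below shows the core of a QS drift check: it compares a captured snapshot of the deployed resources with the baseline recorded when the deployment was qualified, and classifies each difference as APPROVED when a change-control record covers it or DRIFT when it bypassed change control. The baseline, the current snapshot and the change record are constructed inline, and the flattened property names are assumptions chosen for the illustration.

```python
# Constructed qualified baseline: the property snapshot recorded when IT Quality
# certified the deployment.  Keys are resource names; values are flattened properties.
BASELINE = {
    "gxpdata001": {"type": "Microsoft.Storage/storageAccounts",
                   "supportsHttpsTrafficOnly": True, "minimumTlsVersion": "TLS1_2",
                   "networkAcls.defaultAction": "Deny"},
    "gxpapp01": {"type": "Microsoft.Compute/virtualMachines",
                 "vmSize": "Standard_D2s_v3", "imageReference.publisher": "MicrosoftWindowsServer"},
    "gxpapp01-nsg": {"type": "Microsoft.Network/networkSecurityGroups",
                     "rules.allow-rdp.access": "Deny"},
}

# Constructed current state, as a configuration-management agent would report it today.
CURRENT = {
    "gxpdata001": {"type": "Microsoft.Storage/storageAccounts",
                   "supportsHttpsTrafficOnly": True, "minimumTlsVersion": "TLS1_2",
                   "networkAcls.defaultAction": "Allow"},  # firewall opened, no change record
    "gxpapp01": {"type": "Microsoft.Compute/virtualMachines",
                 "vmSize": "Standard_D4s_v3", "imageReference.publisher": "MicrosoftWindowsServer"},  # resized under CR-0042
    "gxptmp01": {"type": "Microsoft.Compute/virtualMachines",
                 "vmSize": "Standard_B1s", "imageReference.publisher": "unknown-publisher"},  # appeared unannounced
    # "gxpapp01-nsg" is absent: the network security group was deleted
}

# Constructed change-control records approved through the normal process (IDs are made up).
APPROVED_CHANGES = [
    {"change_id": "CR-0042", "resource": "gxpapp01", "property": "vmSize", "new_value": "Standard_D4s_v3"},
]


def detect_drift(baseline, current, approved_changes):
    """Return one finding per difference, APPROVED when a change record covers it, else DRIFT."""
    approved = {(c["resource"], c["property"], c["new_value"]): c["change_id"] for c in approved_changes}
    findings = []
    for name in sorted(set(baseline) | set(current)):
        if name not in current:  # a qualified resource disappeared
            findings.append({"resource": name, "property": "*", "kind": "removed",
                             "status": "DRIFT", "change_id": None})
            continue
        if name not in baseline:  # something was built outside the qualified template
            findings.append({"resource": name, "property": "*", "kind": "added",
                             "status": "DRIFT", "change_id": None})
            continue
        for key in sorted(set(baseline[name]) | set(current[name])):
            old, new = baseline[name].get(key), current[name].get(key)
            if old == new:
                continue
            change_id = approved.get((name, key, new))
            findings.append({"resource": name, "property": key, "kind": "changed",
                             "baseline": old, "current": new,
                             "status": "APPROVED" if change_id else "DRIFT", "change_id": change_id})
    return findings


def qualified_state_intact(findings):
    """QS integrity holds only when every difference is covered by an approved change."""
    return not any(f["status"] == "DRIFT" for f in findings)


def drift_report(findings):
    """Human-readable evidence lines for the review pack."""
    lines = []
    for f in findings:
        detail = f"{f['baseline']!r} -> {f['current']!r}" if f["kind"] == "changed" else f["kind"]
        tag = f" ({f['change_id']})" if f["change_id"] else ""
        lines.append(f"{f['status']:<8} {f['resource']:<14} {f['property']:<26} {detail}{tag}")
    return lines


if __name__ == "__main__":
    found = detect_drift(BASELINE, CURRENT, APPROVED_CHANGES)
    print("\n".join(drift_report(found)))
    print("Qualified State intact:", qualified_state_intact(found))
```

Two design points matter for a GxP reviewer: the check treats added and removed resources as drift, not only edited properties, because an unplanned VM or a deleted security group breaks the qualified state just as surely as a changed setting; and an approved change is matched on the exact new value, so a change record for one value does not silently cover a different one.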
Log Analytics enables you to quickly connect and collect log data from multiple sources. You can correlate and analyze using powerful machine learning constructs. You can transform your Azure activity data into actionable insights. You can automate and trigger remediation with Azure Automation, Logic Apps and Functions.
Azure Monitor will help you get detailed, up-to-date performance and utilization data, access to the activity log that tracks every API call, and diagnostic logs that help you debug issues. Azure Monitor gives you the basic tools you need to analyze and diagnose any operational issue, so you can resolve it efficiently.
Azure Advisor helps you optimize across four different areas – high availability, performance, security, and cost – with all recommendations accessible in one place on the Azure portal. You can follow recommendations based on category and business impact.
Security & Compliance helps you analyze events across multiple data sources and identify security risks. You can understand the scope and impact of threats and attacks to mitigate the damage of a security breach. You can understand the security posture of your entire environment regardless of the platform. You can capture all of the log and event data required for security or compliance audits.
Azure Policy helps you turn on built-in policies, or build your own custom policies to enable security and management for Azure resources. You can choose to either enforce policies, or audit policy compliance against best practices.
What other measures should I consider to ensure Qualified State Integrity?
You need to design your infrastructure based on IT best practices that meet your business, security and compliance requirements. For example, you can define encryption requirements, permissions to resources (which roles apply to certain environments), which compute images are authorized (based on hardened images of servers you have authorized), and what kind of logging needs to be enabled. Such security best practices can be enforced by using ARM templates.
Our goal is to create a GxP audit-ready environment. For example, Automation & Control allows you to capture the current state of any environment, which can then be compared with your “secure environment” rules. You can ensure that the controls are operating 100 percent at any point in time, versus traditional audit sampling methods or point-in-time reviews.