Hosting GxP Applications on a Public Managed Cloud

What are the risks when allowing an external company to host our application?

– We have got a quotation from a company with a server farm who is offering either a public cloud or managed cloud. They will provide us with a Virtual Server which we will have sole access to and where we can load our application and run it from.

–. The external company owns the servers, many other virtual servers on the one physical box.

–. The physical box is not qualified and we don’t know what other companies nor what sites or applications are running on the box.

–. The external company will look after the back ups of our application and they also back up the other virtual servers on the same physcial box.

–. Using a virtual server that we have sole use of provides our application with logical security, but is logical security enough?

It is cheaper to use this managed cloud than creating our own private cloud so is there a risk to using the managed cloud?

Sounds good so far, you have dedicated access to the server so no conflict.

That shouldn’t be an issue, as long as you are getting the spec you need in terms of RAM etc

For regulated hosting I would expect the environment to be qualified, either you would have to do this (not advised) or go with a company that offers this service.

–. The external company will look after the back ups of our application and they also back up the other virtual servers on the same physcial box.[/quote]

No problem there.

Yes but I am sure they must have other levels of security too, in terms of physical etc.

There are many companies popping up now offering regulated compliant environments with the emergence of cloud computing in the regulated space maybe you need to look at other ones too.

Hope that helps

Yes there will be other physical security eg firewalls and the application will have a SSL secure login

I am guessing that our client would prefer to have the version of our application on their own dedicated virtual server on a dedicated physical box,
but in this case they will have their own dedicated Virtual server but not on a dedicated physical box.

If the same physical box also contains competitors of theirs is there any exposure or legal risk to our company.

I suppose a parallel can be drawn with gmail as many companies are using gmail instead of exchange for their email system. This means that many different companies information is being held on the same physical boxes.

Good question!

In theory this should be fine, but comparing this to Gmail is a bit different as I would assume this is mission critical software.

Its getting your clients heads around this could be an issue as they might be new to this concept…I would sell them the cost savings etc.

Not sure if there is any legal risk but you would have to be extra vigilant that database connections don’t get mixed up…that could be a big problem if they did.


Need to be careful about exactly how the system is deployed. Depending on your agreement with the service provider, you may be able to specify the hardware in general terms, but you may not know exactly which (physical) “box” the application is running on. In fact, if you require redundancy, it may switch over to a server (e.g., if maintenance is being done or a site goes out) in a completely different country. If you require a specific box that you can (traditionally) qualify, that may be a completely different service agreement.

The questions raised / discussions above all swirl around the ‘risk’ theme. Identify the possible failure modes (like mixed up database connections) and work with the service provider to ensure a deployment that mitigates your risks to an acceptable level.

Be sure the risk assessment identifies configuration changes by the provider. Again, this may drive a different / modified service agreement. In a validated environment, something like an OS patch would drive some level of re-validation (or at least an assessment as to whether action is needed). You may or may not have visibility into if / when such actions occur.

well… I don’t think there would be an issue with 3rd party hosting. It is good to have one in fact.