Feb 26, 2026
Peter Busk
Cloud migration in pharma: How to ensure compliance
Introduction
"Can we even use cloud in a GxP environment?" We heard that question constantly at Hyperbolic 5-10 years ago. Today, the question is no longer if, but how. Cloud is not just acceptable in pharma; it is becoming the standard.
However, migrating to cloud in a regulated environment is fundamentally different from other industries. You cannot simply "lift and shift" your systems and hope for the best. Compliance, data integrity, and validation must be handled carefully.
Why pharma is moving to cloud
Scalability and flexibility: Clinical trials generate enormous amounts of data in intensive periods. Cloud can scale up and down as needed, which saves costs.
Disaster recovery: Pharma cannot afford data loss. Cloud providers offer built-in redundancy and backup that would cost millions to build yourself.
Collaboration: Global pharma has teams spread across continents. Cloud-based systems facilitate real-time collaboration.
Innovation: AI, machine learning, and advanced analytics require computing power that the cloud provides cost-effectively.
Regulatory challenges
Data residency and sovereignty: Some countries require that patient or clinical trial data remains within the country's borders. The EU's GDPR has specific requirements for data transfer to third countries.
Our approach: Map precisely which data have residency requirements. Use cloud regions that meet these requirements. For EU data, we typically use EU-based Azure or AWS regions.
Validation of cloud systems: The FDA's guidance clearly states that "cloud hosting does not change regulatory requirements." The system must still be validated.
The challenge: You do not own the cloud infrastructure, so how do you validate it?
The solution: a shared responsibility model. The cloud provider (AWS, Azure, GCP) handles infrastructure validation. You handle application validation. But you must verify the provider's controls through:
Review of provider's SOC 2/ISO 27001 certificates
Audit rights in contract
Regular assessment of provider controls
21 CFR Part 11 compliance: Electronic records and signatures must be protected. In the cloud, this means:
Encryption in transit and at rest
Access controls and authentication
Audit trails
Data integrity controls
Framework for compliance cloud migration
Phase 1: Risk assessment and planning
System categorization: Not all systems have the same GxP impact. We use GAMP 5 categorization:
Category 5 (configured systems with direct GxP impact): Requires full validation
Category 4 (configured packages): Risk-based validation
Category 3 (standard packages): Supplier assessment focus
Non-GxP: Minimal validation
Risk-based approach: Prioritize migration based on:
Business value vs. complexity
GxP impact level
Current system stability issues
License renewal timelines
At Hyperbolic, we typically start with lower-risk, non-GxP systems first to build experience, then we tackle GxP-critical systems.
Phase 2: Cloud provider selection and contract
Due diligence on provider:
Certifications: ISO 27001, SOC 2 Type II, HIPAA compliance
Data center locations: Do they meet data residency requirements?
Security controls: Encryption, access management, monitoring
Business continuity: SLAs, backup, disaster recovery
Audit rights: Right to audit the provider's controls
Critical contract points:
Data ownership: Clear statement that you own your data
Data return/deletion: Processes for returning or deleting data upon contract termination
Change control: Notification before the provider makes changes that affect you
Compliance support: Provider's commitment to support your compliance requirements
Quality Agreement: In GxP, the relationship with the cloud provider must be formalized in a Quality Agreement that defines:
Roles and responsibilities
Change control processes
Incident management
Audit arrangements
Phase 3: Migration strategy
Three main strategies:
Rehost ("lift and shift"): Move existing application to cloud with minimal changes.
Pro: Fastest, lowest risk
Con: Does not fully leverage cloud benefits
Validation impact: Typically abbreviated validation if no functional changes
Replatform: Minor optimizations for cloud (e.g., use managed databases).
Pro: Balance of speed and cloud benefits
Con: Some code changes necessary
Validation impact: Regression testing of changed areas
Refactor: Redesign for cloud-native architecture.
Pro: Maximum cloud benefit
Con: Highest cost and risk
Validation impact: Full revalidation as a new system
At Hyperbolic, we typically recommend rehost or replatform for GxP systems to minimize the validation burden.
Phase 4: Validation of cloud environment
Infrastructure Qualification (IQ):
Verify cloud infrastructure configuration
Network setup, security groups, encryption
Backup and disaster recovery procedures
Access controls
Operational Qualification (OQ):
Test critical functions in the cloud environment
Verify performance under load
Test failover and recovery procedures
Verify monitoring and alerting
Performance Qualification (PQ):
Verify system performs in actual use
User acceptance testing
Integration testing with other systems
Data migration validation (if applicable)
CSV documentation: Standard validation deliverables must still be produced:
Validation Plan
Risk Assessment
Test Scripts and Results
Validation Report
Traceability Matrix
Phase 5: Data migration
Data migration is often the riskiest part.
Pre-migration validation:
Data profiling: Understand data quality and structure
Cleansing: Fix data quality issues before migration
Migration scripts: Automated, testable, reproducible
Migration execution:
Pilot migration with a subset of data
Validate pilot: 100% accuracy check
Full migration in planned downtime
Post-migration validation: Reconciliation of all records
Rollback plan: Always have a plan to roll back if migration fails.
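The pilot accuracy check and the post-migration reconciliation above can be automated as a record-by-record comparison of the source and target extracts. This is an added example, not code from the post or from Hyperbolic; the two record sets are constructed, and the batch_id key field is an assumption.

```python
import hashlib
import json

# Constructed sample extracts of one ERP table from the source (on-premise)
# and target (cloud) databases; in practice each comes from a database export.
SOURCE_RECORDS = [
    {"batch_id": "B-1001", "product": "Tablet-A", "qty": 5000, "status": "Released"},
    {"batch_id": "B-1002", "product": "Tablet-A", "qty": 4800, "status": "Quarantine"},
    {"batch_id": "B-1003", "product": "Syrup-C", "qty": 1200, "status": "Released"},
]
TARGET_RECORDS = [
    {"batch_id": "B-1001", "product": "Tablet-A", "qty": 5000, "status": "Released"},
    {"batch_id": "B-1002", "product": "Tablet-A", "qty": 4800, "status": "Released"},
    {"batch_id": "B-1004", "product": "Cream-D", "qty": 300, "status": "Released"},
]

def record_fingerprint(record):
    """SHA-256 over a canonical JSON form so field order in the export does not matter."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"), default=str)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def index_by_key(records, key_field):
    """Map key -> fingerprint; a duplicate key is an extract defect, so fail loudly."""
    index = {}
    for r in records:
        if r[key_field] in index:
            raise ValueError(f"duplicate {key_field} in extract: {r[key_field]}")
        index[r[key_field]] = record_fingerprint(r)
    return index

def reconcile(source, target, key_field="batch_id"):
    """Compare every record; the migration passes only with zero discrepancies."""
    src, tgt = index_by_key(source, key_field), index_by_key(target, key_field)
    missing = sorted(set(src) - set(tgt))        # lost during migration
    extra = sorted(set(tgt) - set(src))          # present in target only
    mismatched = sorted(k for k in set(src) & set(tgt) if src[k] != tgt[k])
    matched = len(src) - len(missing) - len(mismatched)
    return {
        "source_count": len(src), "target_count": len(tgt), "matched": matched,
        "missing_in_target": missing, "extra_in_target": extra, "mismatched": mismatched,
        "accuracy": matched / len(src) if src else 1.0,
        "passed": not (missing or extra or mismatched),
    }

if __name__ == "__main__":
    print(json.dumps(reconcile(SOURCE_RECORDS, TARGET_RECORDS), indent=2))
```

The report lists every discrepancy by key, which is what the validation report and the rollback decision need; accuracy below 100% means the pilot is repeated, not accepted.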
Security and data integrity in cloud
Encryption:
In transit: TLS 1.2+ for all communication
At rest: AES-256 encryption of databases and file storage
Key management: Use cloud provider's KMS or bring-your-own-key
Access control:
Principle of least privilege: Grant only necessary access
Multi-factor authentication: Required for all admin accounts
Role-based access: Define roles based on job functions
Regular access reviews: Quarterly review and cleanup
Audit trails: Cloud-native logging (AWS CloudTrail, Azure Monitor) supplemented with application-level audit logs.
Network security:
Virtual Private Cloud (VPC): Isolate your environment
Security groups: Network-level access control
Web Application Firewall: Protect against common attacks
DDoS protection: Built-in at cloud providers
Case: ERP cloud migration
Client: Mid-size pharmaceutical manufacturer with on-premise ERP (GAMP Category 5 system).
Challenges:
The system was 15 years old, hardware at end-of-life
Growing data volumes, performance issues
Disaster recovery was inadequate
GxP-validated, migration must not impact compliance
Approach:
Thorough risk assessment: Identified critical functions and data
Rehost strategy: Minimize changes, focus on infrastructure
Parallel run: Ran cloud and on-premise simultaneously for 4 weeks
Phased cutover: Migrated one site at a time over 3 months
Comprehensive validation: IQ/OQ/PQ per GAMP 5
Challenges encountered:
Latency issues: Resolved by placing the database in the same region as the users
Integration complexity: Legacy on-premise systems required VPN connectivity
Training: Users had to adjust to new access patterns
Results:
Zero compliance findings through two audits post-migration
Performance: 40% improvement in transaction times
DR: Recovery time objective down from 72 hours to 4 hours
Cost: 25% reduction in total IT costs over 3 years
Hybrid cloud and data classification
Many pharma organizations end up with a hybrid setup: Some systems on-premise, others in the cloud.
Data classification drives placement:
Highly sensitive (formulations, clinical data): May require on-premise or private cloud
Sensitive (batch records, quality data): Public cloud with additional security
Internal (general business data): Standard public cloud
Public (marketing materials): Minimal security requirements
Hybrid architecture patterns:
VPN/ExpressRoute for secure connectivity between on-premise and cloud
Cloud-based DR for on-premise critical systems
Cloud-bursting for peak computational loads
Ongoing compliance management
Migration is not the endpoint. Ongoing compliance requires:
Change control: Cloud is dynamic. Provider makes continuous updates. Your change control must manage:
Provider changes: Assess impact when provider updates
Your changes: Standard change control for your changes
Emergency changes: Process for critical security patches
Continuous monitoring:
Security monitoring: Real-time alerts on suspicious activity
Performance monitoring: Verify SLAs are upheld
Compliance monitoring: Automated checks of security configurations
Regular reviews:
Quarterly access reviews: Cleanup of unnecessary accounts
Annual validation reviews: Verify system still in validated state
Periodic re-assessment of provider: Verify controls still adequate
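The infrastructure checks listed under IQ in Phase 4 and the automated compliance monitoring and quarterly access review above can be expressed as one policy check run over a snapshot of the environment. This is an added example, not code from the post or from Hyperbolic; the snapshot is constructed as a stand-in for what a script would pull from the provider's API, and the 90-day inactivity threshold is an assumption.

```python
# Constructed snapshot of a cloud environment (stand-in for provider API output).
ENVIRONMENT = {
    "storage": [
        {"name": "batch-records", "encryption": "AES-256"},
        {"name": "reports", "encryption": None},
    ],
    "endpoints": [
        {"name": "erp-api", "min_tls": "1.2"},
        {"name": "legacy-portal", "min_tls": "1.0"},
    ],
    "security_groups": [
        {"name": "db-sg", "ingress": [{"port": 5432, "cidr": "10.0.0.0/16"}]},
        {"name": "admin-sg", "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
    ],
    "users": [
        {"name": "alice", "admin": True, "mfa": True, "last_login_days": 3},
        {"name": "svc-deploy", "admin": True, "mfa": False, "last_login_days": 120},
    ],
    "audit_logging_enabled": True,
}

INACTIVE_DAYS = 90  # assumed threshold for the quarterly access review

def tls_version(text):
    """Parse '1.2' into (1, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def check_environment(env):
    """Return (control, resource, finding) tuples; an empty list means all checks passed."""
    findings = []
    for s in env["storage"]:
        if s["encryption"] != "AES-256":
            findings.append(("encryption-at-rest", s["name"], "not encrypted with AES-256"))
    for e in env["endpoints"]:
        if tls_version(e["min_tls"]) < (1, 2):
            findings.append(("encryption-in-transit", e["name"], f"allows TLS {e['min_tls']}"))
    for sg in env["security_groups"]:
        for rule in sg["ingress"]:
            if rule["cidr"] in ("0.0.0.0/0", "::/0"):
                findings.append(("network-security", sg["name"], f"port {rule['port']} open to any address"))
    for u in env["users"]:
        if u["admin"] and not u["mfa"]:
            findings.append(("mfa", u["name"], "admin account without MFA"))
        if u["last_login_days"] > INACTIVE_DAYS:
            findings.append(("access-review", u["name"], f"inactive for {u['last_login_days']} days"))
    if not env["audit_logging_enabled"]:
        findings.append(("audit-trail", "account", "cloud-native audit logging disabled"))
    return findings

if __name__ == "__main__":
    for control, resource, finding in check_environment(ENVIRONMENT):
        print(f"{control:24} {resource:16} {finding}")
```

Each finding names the control it maps to, so the same output can feed the IQ test record at migration time and the deviation process when the scheduled run flags drift later.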
Conclusion
Cloud migration in pharma is complex, but absolutely possible to do in a compliant way. The key is:
Risk-based approach: Not everything needs to be migrated at once or the same way
Strong provider due diligence: Choose a provider that understands GxP
Solid validation: Treat migration as a lifecycle change
Data integrity focus: Encryption, access control, audit trails
Ongoing governance: Compliance is continuous, not one-time
At Hyperbolic, we have guided many pharma companies through cloud migration. We combine cloud expertise with deep GxP understanding to deliver solutions that both modernize infrastructure and maintain compliance.
Contact us to discuss your cloud strategy.

By
Peter Busk
CEO & Partner