Part 2: Cloud Vendor Selection for Your Life Science Company – Strategies to Ensure Benefits and Mitigate Risk
Know your Cloud options
Cloud computing is defined to have several deployment models, each of which provides distinct trade-offs which are migrating applications to a cloud environment. NIST defines the cloud deployment models as follows:
- Private cloud: The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.
- Community cloud: The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g. mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise.
- Public cloud: The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.
- Hybrid cloud: The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e g , cloud bursting for load-balancing between clouds).
Choosing the correct deployment can depend on who needs to access the service, budget and security concerns.
Private clouds are the most secure and most expensive. Private clouds allow companies to have isolated sections of a cloud where you can launch resources in a virtual network. You can have complete control over your virtual networking environment and place your backend systems, such as databases or application servers with no Internet access. You can limit access to these servers based on access control, physical hardware, and IP address. A Private Cloud is therefore mostly suited for sensitive data, where the customer is dependent on a certain degree of security. Private Clouds, to an extent, lose the economy of scale compared to a Public Cloud.
Community clouds spread costs over fewer users than a public cloud. This option is more expensive but may offer a higher level of privacy, security and/or policy compliance.
Public clouds are the least expensive deployment. When most people think about cloud computing, they think of a public cloud deployment. All resources are shared but can be secured. If you are comfortable with the level of security of your cloud provider or have budget constraints, public clouds are your best option.
Hybrid clouds are the typical deployment model for most enterprises. In this cloud deployment model, an organization provides and manages some resources in-house and has others provided externally. The main benefit of the hybrid cloud is that it provides the scalability and low costs of a public cloud without exposing mission-critical applications and data to third-parties.
Know your privacy, security and disaster recovery needs
When it comes to comes to privacy, security, and disaster recovery, you need to first determine your requirements and budget. The Cloud provider can provide you tools to help protect your data, but you need to implement those tools. For example, Cloud providers can allow you to limit access to your data based on their physical machine or location; but you need to remove those access rights when machine or location no longer needs access.
Your Cloud provider needs policies, processes, and control activities for the delivery of each of their services. The collective control environment encompasses the people, processes, and technology. Your Cloud provider needs well trained staff that has limited physical access to your data and processes that protect your data and technology by keeping prying eyes away from sensitive areas. Accordingly, you should choose a Cloud vendor that maintain proper certifications like SAS 70 (the Statement on Auditing Standards No. 70), ISO/IEC 27001, and FISMA.
You also need to ensure the Cloud provider stores your data in the proper region. The selection of a region within an acceptable geographic jurisdiction to the customer provides a solid foundation to meeting location-dependent privacy and compliance requirements, such as the EU Data Privacy Directive.
You need to have proper disaster recovery controls in place. A traditional approach to disaster recovery involves different levels of off-site duplication of data and infrastructure. Critical business services are set up and maintained on this infrastructure and tested at regular intervals. The disaster recovery environment’s location and the source infrastructure should be a significant physical distance apart to ensure that the disaster recovery environment is isolated from faults that could impact the source site. Accordingly, it is important that your Cloud provider has data centers located in different physical locations and are isolated from faults from the other data centers. When dealing with a disaster, it’s very likely that you will have to modify network settings as you are failing over to another site. For the most critical systems you want to choose a Cloud provider that will allow you to automate the changing of the network settings.
Although the Cloud provider is responsible to maintain the infrastructure, it is still your responsibility to test your disaster recovery plan.
Choose a Cloud Vendor who can support your FDA Quality Management System needs
Cloud vendors commonly implement quality measures ranging from verbally shared processes and practices to SOPs and trouble ticket software to highly structured Quality Systems. However, advertising a level of quality management does not guarantee that the Cloud Vendor will meet your life science quality management expectations. To meet your compliance obligations, your cloud provider may need to make existing processes and procedures more robust and in a way that is more collaborative than they originally intended. Be aware that many Cloud Vendors consider their services to be proprietary and comprised of trade secrets, which may make collaborating around quality more difficult.
Choose a Cloud Vendor who can support your FDA Vendor Management needs
When selecting your Cloud Vendor, be sure they support your vendor management obligations. Cloud vendors who rightly take pride in their SAS 70 Type II certification, for example, often mistakenly insist that the certification should satisfy all quality and auditing needs. These certifications frequently focus on security issues and may not sufficiently cover life science regulatory concerns. Life science companies face validation requirements and regulatory concerns that go above and beyond SAS 70 certification, such as installation qualifications, change control, audit trails, electronic signatures, and permissions configuration. These requirements should be defined for the cloud environment and services and then implemented in your Service Level Agreements.
Be prepared to massage and coax the understanding of the vendor for cooperation before and during this process. By educating the Cloud Vendor about your requirements, you’ll be much more likely to complete a successful migration to the cloud.
Conclusion: Your Cloud Vendor needs to be a partner who fits into your regulatory and quality framework.
Shifting your technology operation to the cloud can garner many significant benefits including:
- Improved scalability and cost savings
- Increased access to and utilization of key business assets
- Improved controls on security and data access
- Increased innovation due to collaboration and availability of resources
However, regulatory burdens are not abated by shifting to the cloud, and Cloud Vendors today are by and large unschooled on FDA regulations, which, if not addressed, can create risk. Life science companies should select a Cloud Vendor with the expectation that many will depend on coaching and assistance in order to meet regulatory requirements. The Cloud Vendor’s ability to accept and then in a timely fashion respond to your regulatory requirements should, therefore, become a highlighted vendor characteristic in your vendor selection criteria.
About the authors:
Russ King is President of Methodsense, a consulting firm that helps clients deliver medical and technological breakthroughs by effectively meeting the requirements needed to bring their products to market. He can be reached at (919) 313-3962 or email@example.com.
Jason Rock is Chief Technology Officer of GlobalSubmit, a products and services company that provides transparency in regulated healthcare products. He may be reached at 888-840-9580.