
Cloud 101: Part 2 – Vendor Management and Scaling to the Cloud

Cloud 101 Part 2 covers how life sciences teams select and qualify cloud vendors, build the right SLAs, and scale compliantly to the public cloud while managing risk.


The short version: Moving to the cloud is as much a vendor decision as a technology decision. The vendors you choose own a share of your security and risk posture, so qualification, documented service level agreements (SLAs), and evidence of stability matter as much as raw capability. Cloud scalability removes the cost and lag of provisioning on-premises hardware, but only design discipline and the right partners keep that scale compliant.

As you scale to the cloud, you will need to make critical decisions about the vendors you partner with and how you can increase or decrease your IT resources to meet your needs.

What does it mean to be a cloud-first company? It means that you aim to use cloud services wherever possible. You evaluate your current business processes and the applications in use across your organization, and you opt for cloud solutions and providers where they fit. If your company has started or completed its digital transformation, you can consider it a cloud-now company.

Whether you are cloud-first or cloud-now, it is important to understand which aspects of security and risk are handled by your cloud provider (e.g., Amazon Web Services, Microsoft Azure, or Google Cloud Platform) and which remain yours. Awareness is key to risk management: you cannot control, or demonstrate control of, a risk you have not identified as your responsibility.1

The shared responsibility reality: Your cloud provider secures the underlying infrastructure (physical facilities, hardware, and the virtualization and managed-service layers it operates), but you remain accountable for how your regulated data and applications are configured, accessed, and governed on top of it: identity and access, data classification and encryption settings, network exposure, and the audit trail that proves all of these. Mapping that line clearly is the foundation of life sciences cybersecurity in the cloud.

Vendor Selection and Qualification

Vendor selection is a critical part of your overall risk-reduction strategy. The right vendors provide not only stable infrastructure, platforms, and applications, but also the evidence to demonstrate that stability. Maintenance can be built into a vendor's responsibilities as well: third-party release analysis and regression testing can be leveraged to ensure that a stable environment persists across vendor releases.2

You need to establish that the vendor meets the requirements of your service level agreement (SLA). What goes into the SLA matters: the vendor should demonstrate an appropriate level of documentation, defined processes, and experience in operating its infrastructure. Qualification, data center, and security procedures need to be formally documented and approved. Verify that redundancies are in place, such as controlled document management systems, disaster recovery systems, and backup systems.3

Because every cloud vendor inherits part of your compliance footprint, treating qualification as an ongoing discipline rather than a one-time checkbox is the heart of third-party risk management. The same rigor protects the integrity of the regulated data those vendors store and process, which is why cloud vendor decisions are inseparable from data integrity in life sciences.

Vendor qualification can be accomplished in one of two ways. You can perform vendor audits yourself, specifying the items you require and confirming whether the vendor has them in place, or you can engage a firm such as USDM to perform the audit for you. In either case, you can state in your SLA that the vendor must have these items in place in order to be considered a vendor.3

What a defensible vendor qualification covers

  • Documented SLA: clear, written commitments on uptime, responsibilities, and the evidence the vendor will provide.
  • Qualification and data center procedures: formally documented, approved, and available for audit.
  • Security procedures: defined controls that align with your shared-responsibility obligations.
  • Redundancies: document management, disaster recovery, and backup systems verified to be in place and tested.
  • Ongoing maintenance: third-party release analysis and regression testing to keep the environment stable over time.


Scaling to the Public Cloud

There are many reasons to make the move to the cloud, but one of the most common is scalability: the ability to add or subtract computing or storage resources as demand changes. On-premises scalability is costly, slow, and difficult to manage. "Scaling up" means buying new server hardware and disk arrays, and scaling back down is rarely possible at all. You do not want to be stuck provisioning enough capacity to cover expected peak demand when you are not at peak demand every single day.4

Design best practices help you make the most of the public cloud while avoiding its risks. They include: design for portability, leverage automation, use containers, anticipate issues at scale, and keep an eye on the bottom line.5

Compliance-Ready Solutions

USDM's cloud portfolio covers you whether you need a single-vendor SaaS solution, an integrated SaaS solution spanning multiple vendors, or IaaS, PaaS, and SaaS solutions for a single public cloud vendor.

USDM Cloud Assurance supports the compliance requirements of your IT operation and addresses your entire tech stack. USDM can also accommodate a traditional computer system validation (CSV) methodology or the newer computer software assurance (CSA) methodology. As your validated systems move to the cloud, keeping them in a continuously qualified state is a discipline of its own; see our guide to validation lifecycle management for life sciences teams.

Cloud 101 Blog Series

In Part 1 of this Cloud 101 blog series, we introduced the three cloud service models with examples and provided links to digital transformation resources.
In Part 3, we cover embracing the cloud.

FAQ: Cloud Vendor Management and Scaling

What is the difference between a cloud-first and a cloud-now company?

A cloud-first company aims to use cloud services as much as possible, evaluating its business processes and applications and opting for cloud solutions and providers wherever it can. A cloud-now company is one that has started or completed its digital transformation and already operates that way.

Who is responsible for security and risk in the cloud?

Responsibility is shared. Your cloud provider, such as Amazon Web Services, Microsoft Azure, or Google Cloud Platform, secures the underlying infrastructure, while you remain responsible for how your data and applications are configured, accessed, and governed on top of it. Knowing exactly which responsibilities are yours is what mitigates your risk in the cloud.

What should a cloud vendor SLA include?

An effective service level agreement should require an appropriate level of documentation, defined processes, and demonstrated experience operating the infrastructure. It should cover qualification, data center, and security procedures that are formally documented and approved, and it should confirm redundancies such as document management, disaster recovery, and backup systems. You can also state that a vendor must have these items in place to be considered at all.

How do you qualify a cloud vendor?

You can perform vendor audits yourself to confirm whether the vendor has the required documentation and controls, or you can engage a partner like USDM to perform that qualification for you.

Why is scalability a leading reason to move to the cloud?

Scalability is the ability to add or subtract computing and storage resources on demand. On-premises scaling is costly, slow, and hard to manage because it means buying new hardware sized for a peak demand you do not hit every day, with no practical way to scale back down. The cloud lets you match resources to actual need.

Scale to the Cloud with Confidence

Choosing, qualifying, and managing cloud vendors while keeping regulated systems compliant is exactly where USDM helps life sciences organizations move faster with less risk. Contact USDM to talk through your cloud vendor strategy, SLAs, and a scalable, compliance-ready path to the public cloud.

References

1. Threat Stack, "How to Adapt Your Risk Management Strategy for the Cloud," August 2017.
2. D. Blewitt, USDM white paper, "Regulated GxP Workloads in the Public Cloud: Why Cloud Systems Are Safer Than On-Premise Systems," 2020.
3. USDM blog, "How Do Life Sciences Companies Qualify Vendors and Software," October 2018.
4. CloudCheckr, "Cloud vs. Data Center: What Is Scalability in Cloud Computing?," March 2020.
5. Bio-IT World, "HPC in Life Sciences: Why Cloud Computing Is Now Indispensable and How Organizations Can Prepare," May 2020.
