Benefits and Risks of Moving to the Cloud, Including Cloud Vendor Selection
Migrating to the Cloud: What are the Benefits?
According to the National Institute of Standards and Technology, the cloud is “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
Most companies’ IT infrastructure use less than 30% of their capacity. It took years to get the capacity to where it is today, and it takes months to increase capacity. Employing qualified resources to maintain such an infrastructure is difficult and expensive.
Cloud providers utilize about 65% of their capacity and can add capacity quickly. In short, cloud providers benefit from economies of scale, which enables them to lower individual usage costs and centralize infrastructure costs. Companies benefit by only paying for what they consume. Companies can increase or decrease their usage rapidly, and can spend less time managing complex IT resources.
Not only do efficiency improvements reduce costs, the nature of some costs can change from being capital investment in hardware and infrastructure (CapEx) to a pay-as-you go (OpEx) model. Maximizing IT capacity utilization, improving IT flexibility and responsiveness, and minimizing cost are not the only advantages of the cloud.
Collaboration can be one of the most important advantages of cloud computing. Multiple users, from around the world, can collaborate more easily on documents and projects. Because the information is hosted in the cloud, and not on individual computers, business owners can collaborate with external stakeholders in a secure environment with nothing more than an Internet connection and some identity management controls.
The most surprising benefit of the cloud is security. Top cloud providers have the best infrastructure and security technology with the top people maintaining that infrastructure and technology. Speaking before the House of Representatives, Army General Keith Alexander, commander of U.S. Cyber Command and Director of the National Security Agency, said cloud computing provides the best way to secure DOD networks. As Jesse Lipson pointed out in a recent Forbes article: “Most cloud computing companies are like experienced airline pilots. They are well trained, have backup systems and contingency plans in case they encounter an issue, and they have a full staff of professionals regularly checking and maintaining their service. Cloud software companies, knowing the implications of a crash on their business’ bottom line, invest significant resources into ensuring that such a disaster never occurs. Cloud computing companies can invest far more resources in data backup and security than your business can.” Compare this to the levels of protection that your company provides.
Cloud Vendor Selection: What are the Risks?
While the cloud can be a compelling option for life science companies, understanding the risks associated with cloud vendor selection is a critical first step. Cloud vendors often view life science companies as attractive clients because of their long term data management needs and the general belief that life science business delivers a premium for services that can quickly boost margins. But, all too frequently, Cloud Vendors are unprepared for the critical data management needs of life science companies within the context of FDA regulations. The gap, framed by the Cloud Vendor’s strong desire for life science business, the vendor’s frequent lack of knowledge about regulatory requirements, and the perennial pressure on life science companies to control expenses, creates a recipe for short cuts and their associated risks.
The Cloud Vendor holds your most critical assets
The risk associated with a Cloud Vendor selection is directly related to the criticality of the data managed. At the end of the day, the value of a pharmaceutical, biotech, or medical device company is instantiated in intellectual property. This includes the information that satisfies the requirements of the FDA, as well as the requirements of potential commercial partners or buyers. If your intent is to place your critical information in the cloud, then any risk created in your relationship with your Cloud Vendor directly reflects your willingness to potentially compromise your intellectual property and its valuation.
Your FDA regulatory obligations do not change just because you migrate to the cloud
The most frequent risk we see is allowing the priority of regulatory requirements to erode under the misconception that sophisticated data centers and technically savvy Cloud Vendor staff can compensate for, or somehow replace, the intent of FDA requirements to maintain data integrity, authenticity, and non-repudiation. Migrating critical data to the cloud does not excuse you from regulatory obligations that would otherwise exist if you were hosting the services inside your company. The same controls you are required to apply to your internally hosted infrastructure must be applied to your external cloud environment, which means partnering with a vendor that is willing and able to support these controls to the degree needed.
Validating computing environments, virtualized services and systems, security controls, and the actual migration to the cloud are required for compliance. Moreover, maintaining a state of compliance must take into consideration the Cloud Vendor’s tools, systems, practices, and procedures, and, most importantly, compensate for gaps between what the Cloud Vendor has in place and your regulatory obligations. The real risk is realized when either regulators or potential partners have problems with the lack of controls to ensure data integrity and other electronic assurance information values. Without such controls, you may not be able to sufficiently demonstrate the veracity of your intellectual property claims, which directly impacts the value of your IP and commercialization strategy
A common scenario: What can to wrong with your Cloud Vendor selection
A Cloud Vendor sells private cloud services to a pharmaceutical company who subsequently performs a vendor audit on the Cloud Vendor. The audit produces a gap analysis with observations and a commitment from the Cloud Vendor to resolve critical observations against an agreed upon time line. The pharmaceutical company begins migration to the new cloud by validating the virtualization of their systems and then validating the migration to the cloud. As the due date for observation remediation approaches, it becomes apparent that the Cloud Vendor cannot, or will not, address the critical observations on time. The pharmaceutical company must then decide whether they will take on the work and cost of correcting the problems, or choose another vendor, whereby both alternatives threaten the anticipated savings the company thought they would enjoy. Choosing the right vendor from the onset helps mitigate this risk.
In Part 2 of this blog we explore practical strategies and tips to help you with Cloud Vendor selection, so you can avoid risk and enjoy the benefits of Cloud Computing.
About the authors:
Russ King is President of MethodSense, a consulting firm that helps clients deliver medical and technological breakthroughs by effectively meeting the requirements needed to bring their products to market. He can be reached at (919) 313-3962 or rking@methodsense.com.
Jason Rock is Chief Technology Officer of GlobalSubmit, a products and services company that provides transparency in regulated healthcare products. He may be reached at 888-840-9580.