The Astrix Blog
Expert news and insights for scientific & technology professionals.
The Life Science Industry Blog for R&D Professionals
Considerations for Cloud Hosting Your Laboratory Informatics Systems
Traditional on-premise Laboratory Informatics Systems in scientific laboratories are often accompanied by significant operational costs – securing the data, applying patches, providing backup and disaster recovery, hardware maintenance, etc. Public, multi-tenant cloud-based systems accessed “as a service” share infrastructure across several customers and deliver value by managing those systems with shared resources and procedures that drive efficiency. For customers, costs are accrued as a monthly operating expense as opposed to a capital-intensive purchase that requires months of planning.
While the public cloud software as a service (SaaS) model is well established, there are other cloud computing models. The National Institute of Standards and Technology (NIST) defines the following characteristics and models for cloud computing:
- Essential characteristics: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service
- Service Models: software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS)
- Deployment Models: private cloud, community cloud, public cloud, and hybrid cloud
In addition to reduced costs for Laboratory Informatics Systems, there are other potential benefits to moving your scientific data and applications to the cloud:
- Faster system implementation
- Less costly software updates
- Flexibility to scale system use up or down
- Higher system availability with backup and disaster recovery services
- More performant global access to your systems
- Robust security including encryption of data
Although these benefits are attractive, they are not automatic. Selecting a cloud solution involves careful investigation of both the underlying system capabilities and the hosting infrastructure. In addition, there are business and technical risks that should be explicitly understood and prioritized. A poorly planned and executed migration to the cloud can result in budget overruns, regulatory compliance problems, unacceptable end-user experiences, and many other challenges. In this blog, we will discuss some of the key operational challenges in moving to the cloud and how to effectively address these risks to maximize the benefits of your cloud migration.
Common Cloud Migration Challenges
If you are considering a move to the cloud, there are risks that must be addressed in order to ensure a smooth transition and maximize business value for your organization. A few of these challenges include:
Service Level Agreement (SLA). Working with a cloud vendor to transfer your workloads and data to the cloud means relying on an external partner for critical business activities. As a result, creating an appropriate SLA is one of the most important things you can do to ensure a successful cloud migration. A well-written SLA can make the difference between a smooth implementation and roll out of your system and/or platform versus cost and time overruns and unexpected expenses down the road.
Challenges in shifting your operations to the cloud can come from many details – networks, data security, storage, processing power, disaster recovery, database/software availability, regulatory changes, etc. Your SLA should serve to get your action plan to address these challenges down on paper, and clearly define the responsibilities of the cloud vendor in terms of measurable deliverables. Over-specifying these details of “how” in the SLA can curtail or even eliminate the benefits: the SLA should be focused on the “what”. Some of the key issues that your SLA should address include:
- Specific parameters and minimum levels required for business-significant aspects of the service, as well as what happens when your service provider fails to meet these requirements.
- Codification of your organization’s ownership of all service data and your right to obtain the data.
- Rights and costs to continue and discontinue using the service, both within and outside of contract renewal timelines.
- Security and privacy standards, and regulatory requirements that will be met, with the right to audit for compliance.
- Incident resolution processes and resolution expectations (e.g. time to resolve and escalations).
- Change management processes as applied to system updates and upgrades, including notifications and scheduling.
- Disaster recovery processes and expectations.
For each cloud service, an SLA assessment should be undertaken that examines the criticality of the cloud service with respect to the relevant business processes to determine the right SLA components and metrics. Finally, the SLA should be viewed as a living agreement: as services and business processes change, the SLA should be able to be adjusted appropriately.
Data Ownership. A critical question for any potential cloud hosted service is ‘who owns the data of your Laboratory Informatics Systems?’ As such, your SLA should include language clearly affirming your ownership of your data. Specifically, the SLA should:
- Describe the process by which your data will be returned, including the time your cloud provider will have to return your data and the cost for providing the data.
- Provide the ability to obtain data at any time upon request, and within a set timeframe after contract termination.
- Explicitly state that your data must be returned in a format that meets your needs as opposed to a proprietary or otherwise inaccessible format. This may likely need to be a compromise between the vendor’s system architecture and your specific skills and experience: outright forcing a vendor to support something they are not familiar with will not likely provide you with what you really require.
- Define how long after contract termination that your data will remain in the vendor’s systems.
- Mandate that your cloud provider destroys your data within a specified time after contract termination, with formal notification of full destruction and penalties for non-compliance.
Regulatory Compliance and Data Security. Regulatory compliance can be an issue for any business in a regulated industry that uses cloud services. For example, healthcare organizations in the USA have to comply with the Health Insurance Portability and Accountability Act (HIPAA) and the European General Data Protection Regulation (GDPR) applies to data collected about individuals in the European Union, even if the company does not conduct business in the EU, or offers services for free.
In order to facilitate compliance with these regulations, and prevent theft of sensitive data, any cloud service provider you partner with should have current security best-practices in place, including physical and virtual access, physical separation of resources, encryption, IP reputation service, dedicated firewalls, VPNs and multi-factor authentication. The service provider should be externally audited, conduct frequent security testing including penetration, spoofing, and denial of service tests, and maintain documentation on responses to audit and test findings.
Furthermore, companies in the Life Science and Food & Beverage industries using SaaS software need to make sure it is validated to the satisfaction of the FDA. Life Science companies typically run extensive validation cycles on on-premise systems providing installation and operational qualifications (IQ and OQ) during implementations and upgrades. These qualifications are not directly applicable to SaaS systems, however, since their installation and operations are controlled by the software vendor. Quality cloud vendors have taken on IQ and OA validation processes for multi-tenant systems by using automated continuous-validation approaches that streamline the validation process.
Current best-practice is to work with the vendor to ensure their IQ and OQ processes meet your requirements and obtain documentation to that effect. Performance Qualification (PQ) for the system, ensuring that the overall business process is reproducible, must still be done by the customer. It is important that your expectations for the execution and documentation of these processes are a part of the vendor agreement.
Cloud computing is a significant disruptive force across all industries and is revolutionizing the way companies are doing business. Although the potential benefits of cloud migration are compelling, the process of migrating to the cloud is far from simple. Moving to the cloud can create IT complexity and generate security challenges, along with unexpected costs, time overruns and interoperability issues of your Laboratory Informatics Systems– all of which need careful consideration.
One of the most important things you can do to ensure a smooth transition is to create a proper cloud migration roadmap for your organization. Choosing the best application migration option is not a decision that should be made in isolation, but should instead be part of a broader application portfolio rationalization context. Items to consider when planning a cloud migration strategy:
- Comprehensive cost analysis, including the cost of expected downtime
- Current state assessment of application portfolio that includes a map of application dependencies
- Roadmap for cloud migration that includes different phases
Astrix Technology Group has over two decades of experience in the Laboratory Informatics Systems domain. Our professionals bring together the technical, strategic and content knowledge necessary to help you develop an effective cloud migration strategy for your organization. Whether your deployment utilizes public, private, or a hybrid cloud architecture, our experienced and skilled professionals can make the process of migrating your applications and scientific data to the cloud far more cost effective and efficient. Contact us today for more information on leveraging the cloud to improve agility, reduce cost and advance collaboration when working on new scientific discoveries and technological innovation.