SaaS based solutions are convenient, cost-effective, and flexible options for many industries. However, in a regulated environment, the use of a SaaS solution may be sensitive due to the nature of data being handled and the potential impact on customers or other stakeholders. The trust in SaaS solution providers' security controls is a significant concern across all SaaS models as they hold primary responsibility for security operations espacially when choosing a SaaS provider in the life science industry. In multi-tenancy SaaS arrangements, specific security aspects require careful consideration.
In this blog, we specifically draw attention to the variations that multi-tenancy and subcontracting might bring as compared to on-premises or private SaaS products. The content of this blog was inspired by a paper from ISPE GAMP® Community of Practice (COP) titled SaaS in a Regulated Environment – The Impact of Multi-tenancy and Subcontracting, that we encourage you to read if you are interested by this topic.
What is a SaaS?
Multiple definitions are available for consideration, based on the National Institute of Standards and Technology (NIST), Software as a Service (SaaS) means:
The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.”
As a different approach, here is the interpretation of a Software-as-a-Service (SaaS) of the Canadian Centre for Cyber Security:
SaaS is a software distribution model where applications are purchased or hosted by a cloud service provider, and then made available for customers to use over the internet. This reduces the need to install and maintain the software on local computers.
SaaS providers play a significant role in streamlining processes and enhancing efficiency within Life Science organizations. Here are just a few examples of SaaS providers with a significant presence:
Quality Management Systems (QMS): Greenlight Guru, Master Control, Qualio, ETQ Reliance and Veeva Vault.
Enterprise Resource Planning (ERP): SAP, Oracle and Microsoft AX
Does the SaaS Provider Use a Private or Public Infrastructure?
All SaaS companies must decide which infrastructure model they’ll choose for their SaaS solution. The infrastructure for a SaaS solution can be one of the following, depending on how the computing resources are distributed:
Exclusively used by one client (private cloud infrastructure model)
Used by several clients simultaneously (public cloud infrastructure paradigm).
For the sake of simplicity, variations of the public cloud are assumed to be intermediate models, such as community or hybrid cloud infrastructure models. As mentioned, in a vendor’s business model, resource allocation can be private or public, but what does it means?
Private cloud infrastructure – SaaS solutions based on private cloud infrastructure are like using an internal IT department and are considered a traditional outsourcing model. Regulated companies can have a significant influence over SaaS providers using this model.
Multi-tenant architecture – To achieve cost reductions and computer resources scalability, many regulated companies are considering SaaS solutions with multi-tenant architecture. This type of SaaS setup allows standard service levels to all clients but may not allow specific configuration settings.
Furthermore, infrastructure management can be divided into two offerings: internally, when provided by the SaaS vendor and externally, when provided by a separate IaaS (Infrastructure as a Service) subcontractor.
In cases where the SaaS provider sub-contracts aspects of its infrastructure management to a third party on an IaaS basis, as a regulated company, you have less control but still bear full accountability over security and compliance. This model is common in situations where the SaaS provider is familiar with regulated industry requirements but is using a partner with extensive datacenter facilities to provide a colocation service using dedicated equipment.
When assessing which suppliers to use and how to engage with them, both multi-tenancy and subcontracting should be considered. A SaaS provider may also subcontract infrastructure services to another company using a public cloud infrastructure, combining the risks of multi-tenancy and subcontractors.
What About Data Security and Privacy?
Both the SaaS provider and its subcontractors' performance must be cognizant of the significance of the data they hold, along with implementing robust security controls. This foundation is crucial for enhancing the integrity assurance of the regulated company's data. In a multi-tenancy environment, a flaw could potentially enable unauthorized access to restricted data or allow fraudulent identity assumption by malicious actors. There are several potential risks to look for before engaging with a SaaS provider. Here is a short list highlighted by the ISPE GAMP® Community of Practice (COP) on Data Security and Privacy:
Data accuracy and integrity ensured – As a regulated company, it is good practice to establish a process for data subjects to request changes to their data. When using subcontractors, you should ensure that the SaaS provider has a similar process in place with each subcontractor used.
Data is obtained only for specified and lawful purposes – Data subjects (individuals) must be informed about the processing of their data by the SaaS provider and all its subcontractors (legal entities and/or locations) where applicable.
Data not stored longer than necessary – As a regulated company, it is good practice to establish retention periods for personal data and define roles and responsibilities for data destruction at a SaaS provider. In the case of subcontractors, the SaaS provider must ensure that each subcontractor has a similar process in place.
Quality Agreements: Define and document the key responsibilities for both the SaaS provider and the regulated company for confirming an application’s intended use, fit for purpose, and associated services, including required controls and measures to ensure data integrity is maintained.
Security controls – Trusting the security controls of a SaaS provider is crucial in all SaaS models since they are primarily responsible for security operations. However, multi-tenancy SaaS models might be more appealing to hackers because managing access control in such models is more complex due to diverse process requirements.
Service Level Agreement: A service-level agreement (SLA) defines the level of service expected by a customer from a supplier, laying out the metrics by which that service is measured, and the remedies or penalties, if any, should the agreed-on service levels not be achieved.
Training among IaaS provider – When a SaaS arrangement involves an IaaS subcontractor, the security process becomes more complex with additional players and steps, including breach reporting. To address this, clarifying communication and response times for breach notification through Service Level Agreements (SLAs) or Quality Agreements (QAGs)can be a useful mitigation measure. Implementing a process to ensure that the regulated company receives notifications is crucial since there is no direct contact between the regulated company and the subcontractor.
Transfer only to countries with adequate protection – As a regulated company, it is good practice and your responsibility to know the SaaS provider’s location and data access locations, including the provider’s associates and physical hosting locations. Plus, it is recommended that you ensure that all these locations offer the necessary level of data protection through audits, Data Transfer Agreements and other mechanisms.
Conclusion
While adopting SaaS based solutions brings convenience, for regulated organisations the main worry is that another organisation oversees:
The platform on which the company's data is stored,
The data and software owned by the firm.
All SaaS solutions will have this common problem, but as each provider's cloud architecture and deployment strategy vary, different SaaS solutions will require alternative approaches to be taken. There are no “perfect” SaaS providers, only providers with different approaches leading to varied levels of risk related to your company’s particular usage and activities. It is up to you to determine what an acceptable level of risk is based on your applicable scenario and ensure that you have a clearly defined risk mitigation strategy that you adhere to, ensuring that the system is fit for its intended use.
If you want to know more about SaaS vendeor selection, we invite you to read the following blogs Regulations you must know before selecting an ERP system and Key Elements of Successful ERP Vendor Selection. Should you have any questions, be sure to contact us! We will be happy to help however we can. To do so, click here or email us directly at info@innnovx.org.
Software as a Service (SaaS) – Glossary | CSRC. (n.d.). Software as a Service (SaaS) – Glossary | CSRC. https://csrc.nist.gov/glossary/term/software_as_a_service
Canadian Centre for Cyber Security. (n.d.). Canadian Centre for Cyber Security. https://www.cyber.gc.ca/en/guidance/cloud-computing-types
ISPE GAMP COP. (2016) SaaS in a Regulated Environment – The Impact of Multi-tenancy and Subcontracting. ISPE. www.ispe.org