Quick summary: Cloud computing is delivered through three core service models — Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). Each shifts a different amount of management responsibility from your team to the provider. This post explains how the three models differ, how they map to private, public, and hybrid cloud deployments, and how to pick the right combination for your regulated life sciences workloads.
In a white paper, David Blewitt, VP of Cloud Compliance at USDM, predicted that 2020 would be a big year for cloud in the life sciences industry. He didn’t foresee that a pandemic would kick digital transformation into high gear, but he did point out the inherent benefit and decreased burden of risk with today’s cloud systems. Even with business continuity on the minds of the C-suite, there are still some life sciences outliers that haven’t embraced the benefits of cloud-based systems.
Private, Public, and Hybrid Cloud
There are three basic cloud options: private, public, and hybrid cloud. A private cloud is hosted on a company’s intranet or data center and the data is protected behind a firewall. All of the management and maintenance is the company’s responsibility. A public cloud is hosted in the provider’s data center (for example AWS or Google Cloud) and the provider is responsible for management and maintenance. A hybrid cloud is the combination of on-premises infrastructure and private or public cloud services. For example, sensitive data might be kept in a company’s own data center behind a firewall, but the public cloud is used for applications like Microsoft Outlook for email and Box for content management.
Why Move to the Cloud?
Cloud-based systems reduce the cost of ownership, leave no infrastructure to maintain, and lower overhead. The cloud also offers continually released new functionality and, when used and developed correctly, can keep pace with innovation. Additional advantages are mobility and access anywhere, the ability to connect devices anytime, and security. Microsoft spends more than $1 billion each year on cybersecurity for its core technologies like Windows, Office, and Azure. Not long ago, companies didn’t want to move to the cloud because of security. These days, companies move to the cloud because of security.
That shift doesn’t eliminate your obligations — it reframes them. Even when a provider hardens the underlying platform, your organization still owns the controls around access, data handling, and supplier oversight. A disciplined approach to life sciences cybersecurity and third-party risk management is what turns a provider’s security investment into your own defensible compliance posture.
Cloud vendors perform much of the upfront groundwork for their customers when it comes to qualification and validation, making it easier to onboard new applications and leverage the vendor’s validation activities.
Shared responsibility in plain terms: Moving up the stack from IaaS to PaaS to SaaS, you hand off more of the management work to the provider — but accountability for your data and for demonstrating compliance never leaves your organization. Knowing exactly where the line sits for each model is the first step in scoping validation and risk.
Cloud Service Models
Cloud computing can be divided into three service models, each satisfying a specific set of business needs: IaaS, PaaS, and SaaS.
The Three Cloud Service Models at a Glance
- IaaS — Infrastructure as a Service: The provider owns and manages the hardware (servers, networking, storage). You manage everything above it. Most control, most responsibility.
- PaaS — Platform as a Service: IaaS plus the operating system and databases. You stay responsible for applications, functions, and data.
- SaaS — Software as a Service: The provider delivers everything except your data. Most support, least infrastructure to manage.
Infrastructure as a Service (IaaS)
IaaS delivers the hardware for cloud services, including servers, networking, and storage (for example, AWS and Rackspace). With IaaS, the cloud service provider owns and manages the hardware upon which your software stack runs.
IaaS can be a great cost-reduction strategy if you want to avoid purchasing and maintaining infrastructure [1]. It allows complete control over your infrastructure and operates on a pay-as-you-go model, so it fits most budgets. It’s also a great way to future-proof your business [2].
Platform as a Service (PaaS)
PaaS gives you everything available with IaaS, plus the operating system and databases (for example, force.com and Microsoft Azure), which means less work for your IT team. Your organization is still responsible for applications, functions, and data [1].
PaaS is often the most cost-effective and time-effective way for developers to create a unique application because it allows them to focus on the creative side of app development, as opposed to menial tasks such as managing software updates or security patches. All of their time and brainpower will go into creating, testing, and deploying the app [2].
Software as a Service (SaaS)
SaaS offers the most support, providing your end users with everything except for their data [1]. It’s very likely that this is already part of your organization if you use CRM software (like Salesforce), cloud-based file storage (like Box), eSignatures (DocuSign), and email applications (like Outlook or Gmail).
Chances of something going wrong with a cloud-based application are small, but if something does go wrong, it’s up to the SaaS provider to find a solution [2].
Choosing the Right Model for Regulated Workloads
The type of service you choose (IaaS, PaaS, and/or SaaS) depends on your available infrastructure, IT staff resources, cost considerations, and cloud security needs [1]. In USDM’s digital cloud portfolio, we address various combinations of solutions.
Whichever model you land on, the work of keeping a validated state current as the provider pushes continuous updates is ongoing. Pairing your cloud strategy with USDM Cloud Assurance keeps GxP systems in a perpetual state of compliance, while a risk-based approach to computer software assurance (CSA) focuses your validation effort where patient safety and data integrity actually depend on it.
Whether you need help getting started with a SaaS vendor or ensuring that every layer of your tech stack complies with FDA and global regulations, USDM has the solutions for your regulated workloads.
Cloud 101 Blog Series
In Part 2 of the Cloud 101 blog series, we talk about vendor management and scaling to the cloud.
FAQ: Cloud Service Models for Life Sciences
What is the difference between IaaS, PaaS, and SaaS?
The three models differ in how much the provider manages versus your team. IaaS delivers the underlying hardware — servers, networking, and storage — while you manage everything above it. PaaS adds the operating system and databases, leaving you responsible for applications, functions, and data. SaaS delivers a complete application and provides everything except your data.
How do cloud service models relate to private, public, and hybrid cloud?
Service models (IaaS, PaaS, SaaS) describe what the provider delivers and manages. Deployment options (private, public, hybrid) describe where the cloud lives. A private cloud sits behind your firewall, a public cloud runs in a provider’s data center such as AWS or Google Cloud, and a hybrid cloud combines on-premises infrastructure with private or public cloud services.
Which cloud service model is right for my organization?
It depends on your available infrastructure, IT staff resources, cost considerations, and cloud security needs. Many life sciences organizations use a combination — IaaS or PaaS for custom applications and SaaS for established tools like CRM, content management, and eSignatures.
Does moving to the cloud reduce my compliance responsibility?
Cloud vendors do much of the upfront groundwork for qualification and validation, which makes onboarding easier. However, your organization remains accountable for your data and for demonstrating compliance with FDA and global regulations. Cybersecurity, third-party risk management, and ongoing validation of GxP systems stay with you.
Is the cloud secure enough for regulated life sciences workloads?
Major providers invest heavily in securing their platforms — Microsoft, for example, spends more than $1 billion each year on cybersecurity for core technologies like Windows, Office, and Azure. Today many companies move to the cloud because of security rather than in spite of it, provided they layer appropriate governance and risk controls on top.
Get Started with Your Regulated Cloud Strategy
Ready to map IaaS, PaaS, and SaaS to your regulated workloads — and keep them compliant as they scale? Contact USDM Life Sciences to talk through your cloud strategy, validation needs, and compliance roadmap.
Additional Resources
White Paper: Regulated GxP Workloads in the Public Cloud: Why Cloud Systems are Safer Than On-premise Systems
Solution: Digitally Transform Your Life Sciences Business
References
[1] Intel, IaaS vs. PaaS vs. SaaS: cloud service model overview (Q3 2020)
[2] Big Commerce, IaaS vs PaaS vs SaaS enter the ecommerce vernacular: what you need to know, examples, & more (2018)
