Validating the Cloud: Three Questions to Ask Your Vendors
As the life sciences industry continues its move to the cloud, companies are learning more about how cloud-based systems are validated – and how to maintain validated status over time. Validation demonstrates that your applications and processes enable you to perform tasks in a consistent and repeatable manner, in accordance with regulatory requirements. System management is governed by specific procedures, and information must always be secure. Maintaining validated status is a partnership between you and your software vendor. There are core questions every company must ask vendors. Make sure your provider can address some of the highest priority areas:
1. How does your vendor meet regulatory requirements?
With past, on-premise technologies, life sciences companies were forced to take responsibility for updating the system – a process that could take up to a year – and own 100 percent of the validation effort. Years ago, when individual product versions had a longer life, this was more viable. Today, however, the industry is taking advantage of cloud-based applications purpose-built for life sciences. Multitenant cloud applications are designed for flexibility, so vendors can regularly enhance them. New features are often the result of customer feedback and specific requests. Users have constant access to the latest technological innovations, which helps organizations evolve quickly.
Ensure that your provider has a focused approach to supporting your validation, and that you can audit their quality management system and software development methodology. This testing, including business requirements, IQ, and OQ, can be leveraged in your validation to reduce your level of effort and shorten validation timelines. The multitenant cloud architecture, in which all customers are on the same version of the application simultaneously, makes it cost-effective for the provider to test and conduct validation for new features in advance of their general availability. You should also find out whether your vendor gives you control over which new features to turn on so you can conduct validation of your system configuration on your own schedule.
Moreover, you can gain deeper insight into your vendor’s compliance by asking about their internal validation process. Does your provider conduct regular testing against their own requirements documentation between releases?
2. How do you ensure data security?
Validation in this context signals that you can rely upon your systems to use data appropriately.
Multitenant cloud providers have an advantage here. They only need to run data security testing on one version of software, making it easier to test more frequently. Importantly, in the multitenant cloud, each individual deployment of an application occupies a virtual partition, which means that each customer can access its own data – never the information of any other customer.
Moreover, providers of life sciences-specific offerings understand that regulated industries need to know exactly where their data is at all times – down to the location of the data center where the information is stored. You should know that your vendor’s data centers are secure and prevent inappropriate access.
Regardless of whether an application is single tenant or multitenant cloud, on-premise, or hybrid, however, drilling down into specific vendor processes for data security is a recommended best practice. Your vendor should provide encryption of data during communication, encryption at rest, backup and restore, and disaster recovery services.
3. What kind of support does your vendor provide?
Both vendor and customer processes play into the overall compliance picture. Access to your vendor’s up-to-date validation documentation will help you demonstrate that the application has been sufficiently tested without requiring you to re-author and execute functional tests. Professional service offerings, tailored to support your validation approach, will help you make sure you are aligned with industry best practice and get the most out of your relationship with the vendor. Ask your software provider what resources they can give you to use to help with your validation.
To learn more, read this post about validation in the cloud.
John McCormick is the vice president of Vault product operations at Veeva.