Identifying & Mitigating Potential Risks in the Regulated Cloud

Cloud computing offers a significant number of upsides for IT organizations including flexibility, scalability and off-site infrastructure. Because of this, many life science organizations are now evaluating cloud services to improve their bottom line and reduce capital expenditures (CAPEX).

Some executives, however, are still hesitant to adopt cloud computing due to the concerns about properly identifying and mitigating potential risks. Studies and surveys routinely indicate that cloud security risks are the biggest barrier to adoption for IT leaders.

So how do we leverage the benefits of cloud services without leaving ourselves open to security breaches, data loss and other risks? Let's look at some concrete scenarios and how to mitigate each one.

Risk Scenario 1

By moving to a cloud-based offering, roles and responsibilities may shift, and job descriptions may change as a result. In addition, your company's IT and/or QA personnel may not have the qualifications or experience required to adequately assess the regulatory implications of moving to a cloud offering.

Mitigation Plan 1

Identify the competencies required of the personnel involved in the transition to the cloud and develop a strategy to ensure those employees are adequately trained. This may involve enlisting external resources with the necessary expertise.


Risk Scenario 2

Your company must ensure that it has the appropriate processes and mechanisms in place to collaborate with the SaaS vendor and to assess its application before implementing it.
If these are not present, you may find yourself deviating from your existing policies, leaving you open to findings during client inspections or due diligence reviews.

Mitigation Plan 2

Gaps may arise because the SaaS model does not give you the freedom to match your current processes. Under the SaaS model you no longer have direct control over elements of the information technology infrastructure, and your processes will need to reflect that.

Perform a thorough assessment of your SaaS vendor and determine whether the vendor is suitable for the intended use and the overall risk of the application.


Risk Scenario 3

Your company may be required to demonstrate control over the computerized systems it uses. A lack of visibility into the information technology infrastructure supporting the SaaS application is therefore a risk.

Mitigation Plan 3

To address this risk, perform due diligence on the SaaS vendor before executing an agreement for services. The SaaS vendor should be able to provide a documented description of the supporting infrastructure so that infrastructure verification exercises (e.g. network penetration testing) have proper coverage.

Due diligence can take the form of an on-site or remote audit of the vendor's security procedures, combined with a review of the terms of the service agreement to ensure they meet your needs for support, response times and availability.


Risk Scenario 4

In some instances, the SaaS vendor may host its application within a third party's IaaS infrastructure.

Since your company is still required to demonstrate that the IaaS is sufficiently managed and controlled, the added risk is that you may have no direct access to the details of the SaaS vendor's hosting supplier.

Mitigation Plan 4

To address this risk, verify that the SaaS vendor has assessed its third-party hosting vendor and has appropriate controls in place to address any potential issues.

Controls could include:

  • Redundancy: the vendor's application is not tied to a single IaaS provider and could be redeployed on a secondary infrastructure
  • Due diligence reports or recognized third-party certifications have been obtained and are available for you to review
  • An SLA or similar agreement defines the roles and responsibilities of each party involved in the SaaS offering


Risk Scenario 5

Because the SaaS application is accessible from the Internet, it is a more attractive target for attackers attempting to break its security model.

Mitigation Plan 5

To address this risk you should ensure that appropriate security controls have been implemented by the SaaS vendor such as:

  • Account Management
    • Access control
  • Data availability and retention
    • Mechanism to recover data (data loss)
    • Data backup and restoration
    • Data retrieval, such as in the case of service termination
  • Data protection
    • Verifications of data integrity
    • Vulnerability monitoring
    • Intrusion detection

These controls should be described in an SLA, Quality Agreement or similar document that defines which controls are implemented by the SaaS vendor and which could, or must, be implemented by the client.


Risk Scenario 6

The SaaS vendor fails to respect the terms of the service level agreement.

Mitigation Plan 6

Consider requesting client references from the potential vendor as part of your vendor assessment process, and confirm that what was promised is being delivered. Ask yourself: is the potential vendor well established, with a history in the industry and a good number of existing clients? Your contractual agreement should specify how your data can be retrieved if the vendor ceases to provide the service.

To address this risk you should also have a Business Continuity plan that will guide you in the event that the system is unavailable for an extended period of time. Consider performing data backups outside of the system so that you always have a copy of your data available, and verify those copies so that you know they are complete and unaltered when you need them.
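The "verification of data integrity" control listed under Mitigation Plan 5 and the out-of-system backups recommended here go together: a copy you cannot prove is intact is of little use in an inspection or a recovery. The following added example (not code from the original post or from any vendor) shows one way to do that check. It assumes the SaaS export lands in a directory of files, records a SHA-256 manifest of that export, protects the manifest with an HMAC whose key (constructed here as a constant) is held outside the backup location, and later reports every modified, missing or unexpected file. The sample export files and the key are constructed for the example.

```python
"""Integrity manifest for an out-of-system backup export (added example).

Assumes the export is a directory of files pulled out of the SaaS system and
that MANIFEST_KEY is stored somewhere other than the backup itself.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Constructed for the example. In practice this key lives in a secrets store,
# never beside the backup it protects; otherwise whoever can alter the backup
# can simply regenerate the manifest.
MANIFEST_KEY = b"example-manifest-key-keep-outside-the-backup"


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large exports never load fully into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(files: dict) -> bytes:
    return json.dumps(files, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(backup_dir: Path) -> dict:
    """Map every file under backup_dir (relative POSIX path) to its digest, then tag it."""
    files = {p.relative_to(backup_dir).as_posix(): sha256_file(p)
             for p in sorted(backup_dir.rglob("*")) if p.is_file()}
    tag = hmac.new(MANIFEST_KEY, _canonical(files), hashlib.sha256).hexdigest()
    return {"files": files, "hmac": tag}


def manifest_authentic(manifest: dict) -> bool:
    """True only if the manifest was produced with MANIFEST_KEY and not edited since."""
    expected = hmac.new(MANIFEST_KEY, _canonical(manifest["files"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["hmac"])


def verify_backup(backup_dir: Path, manifest: dict) -> dict:
    """Compare the directory against the manifest and report every discrepancy."""
    result = {"ok": False, "manifest_ok": manifest_authentic(manifest),
              "modified": [], "missing": [], "unexpected": []}
    if not result["manifest_ok"]:
        return result  # a manifest that fails its tag tells us nothing reliable
    present = {p.relative_to(backup_dir).as_posix(): p
               for p in backup_dir.rglob("*") if p.is_file()}
    for rel, digest in manifest["files"].items():
        if rel not in present:
            result["missing"].append(rel)
        elif sha256_file(present[rel]) != digest:
            result["modified"].append(rel)
    result["unexpected"] = sorted(set(present) - set(manifest["files"]))
    result["ok"] = not (result["modified"] or result["missing"] or result["unexpected"])
    return result


def demo() -> dict:
    """Check a constructed export, then tamper with it and check again."""
    with tempfile.TemporaryDirectory() as tmp:
        export = Path(tmp) / "export-2024-01-31"
        (export / "audit").mkdir(parents=True)
        # Constructed sample export: a records table and an audit trail.
        (export / "records.csv").write_text("id,subject,visit\n1,S001,V1\n2,S002,V1\n")
        (export / "audit" / "trail.json").write_text('[{"id":1,"action":"create"}]')
        manifest = build_manifest(export)
        clean = verify_backup(export, manifest)

        # Tamper: drop a row from one file, delete another, plant an extra one.
        (export / "records.csv").write_text("id,subject,visit\n1,S001,V1\n")
        (export / "audit" / "trail.json").unlink()
        (export / "notes.txt").write_text("added later")
        tampered = verify_backup(export, manifest)

        # A manifest regenerated without the key is rejected outright.
        forged = {"files": build_manifest(export)["files"], "hmac": "00" * 32}
        return {"clean": clean, "tampered": tampered,
                "forged_manifest_accepted": manifest_authentic(forged)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the manifest build as the last step of each export job and the verification before any restore or any audit that relies on the copy; the key used for the HMAC must not be stored with the backup, or the integrity check proves nothing. The unexpected-file report matters as much as the modified-file report: an extra file in a supposedly read-only archive is just as much a control failure as a changed one.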

Periodically reassess the vendor to ensure they maintain good practices and that they continue to meet your evolving business needs. 


Key Takeaways

While moving to the cloud offers several key benefits for life sciences organizations, there are legitimate risks associated with doing so. Developing comprehensive risk mitigation strategies can alleviate many of those concerns. In addition to the risk scenarios outlined above, we recommend following a standard process to realize the benefits of the cloud:

  1. Make sure your resources have the required knowledge and competencies to transition to a cloud-based solution
  2. Assess internal processes and determine if changes are needed to accommodate your move to the cloud
  3. Perform a thorough vendor assessment of the SaaS solution provider
  4. Ensure the SLA addresses your business needs
  5. Implement a Business Continuity plan



About the Author: Stephanie Tanguay
