SaaS VENDORS' RESPONSIBILITIES
Extent of qualification.
The vendor should perform an Installation Qualification (IQ) and an Operational Qualification (OQ), and these documents must be shared with the user. From the test coverage and the accompanying documentation package, the user can judge the extent of the qualification already performed.
The procedures followed, along with the supporting evidence, must be made available for an audit. Specifically, the software development life cycle, the change control process for upgrades, and any cases where configurations are deployed automatically in the cloud should be presented for a customer audit.
SaaS products are like ice cream cones. Each user might want custom-built add-ons and integrations to suit their taste or, in all probability, their purpose. These could be API extensions or any suitable solution offered by the vendor. Do you think these should be qualified by the vendor or the user?
Provision of multiple instances for end-user.
To support the end user’s validation and exclusive cloud environment needs for any customizations or configurational changes, the vendor must provide separate development, validation and production instances.
The vendor should verify how the application performs on the cloud in terms of how quickly it can be accessed, used and queried. A combination of timed and automated tests is usually run for this to confirm the application's performance.
Among the many apprehensions of an end-user, cloud security is one of the biggest. A solution that comes with built-in security features will be preferred over one that does not. Providing visibility in terms of stats, metrics and insights into the services used would be of great help to an end-user. For instance, AWS Security Hub brings together CloudTrail (an audit-logging service used for compliance), CloudWatch (a performance monitoring tool), Firewall Manager, etc. This way, Security Hub monitors and manages the overall cloud security posture.
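As an added example (not part of the original article), the kind of per-service security summary a vendor could hand to an end user from Security Hub output. The records below are constructed samples that follow the AWS Security Finding Format (ASFF) field names; in practice they would come from the `securityhub:GetFindings` API.

```python
"""Summarise Security Hub findings into the stats an end user wants to see.

Constructed sample data: each record uses a subset of the ASFF fields that
Security Hub returns (RecordState, Workflow.Status, Severity.Label,
ProductName, Compliance.Status, Resources). Nothing here calls AWS.
"""
from collections import Counter


def _finding(fid, product, record_state, workflow, severity, resource_type,
             compliance=None):
    """Build one constructed ASFF-shaped finding (placeholder resource ids)."""
    return {
        "Id": fid,
        "ProductName": product,
        "RecordState": record_state,            # ACTIVE or ARCHIVED
        "Workflow": {"Status": workflow},       # NEW, NOTIFIED, RESOLVED, SUPPRESSED
        "Severity": {"Label": severity},
        "Compliance": {"Status": compliance} if compliance else {},
        "Resources": [{"Type": resource_type, "Id": f"example-{fid}"}],
    }


SAMPLE_FINDINGS = [
    _finding("f-1", "GuardDuty", "ACTIVE", "NEW", "HIGH", "AwsEc2Instance"),
    _finding("f-2", "Security Hub", "ACTIVE", "NEW", "MEDIUM", "AwsS3Bucket", "FAILED"),
    _finding("f-3", "Security Hub", "ACTIVE", "NEW", "INFORMATIONAL",
             "AwsCloudTrailTrail", "PASSED"),
    _finding("f-4", "Firewall Manager", "ARCHIVED", "RESOLVED", "HIGH", "AwsWafWebAcl"),
    _finding("f-5", "GuardDuty", "ACTIVE", "SUPPRESSED", "LOW", "AwsIamUser"),
]


def is_open(finding):
    """Only ACTIVE findings still in NEW or NOTIFIED state need attention."""
    return (finding.get("RecordState") == "ACTIVE"
            and finding.get("Workflow", {}).get("Status") in ("NEW", "NOTIFIED"))


def summarise(findings):
    """Return open-finding counts by severity, product and resource type,
    plus the pass/fail tally of active security-standard control checks."""
    open_findings = [f for f in findings if is_open(f)]
    active = [f for f in findings if f.get("RecordState") == "ACTIVE"]
    return {
        "open": len(open_findings),
        "by_severity": dict(Counter(f["Severity"]["Label"] for f in open_findings)),
        "by_product": dict(Counter(f.get("ProductName", "unknown") for f in open_findings)),
        "resource_types": dict(Counter(r["Type"] for f in open_findings
                                       for r in f.get("Resources", []))),
        "compliance": dict(Counter(f["Compliance"]["Status"] for f in active
                                   if f.get("Compliance", {}).get("Status"))),
    }


if __name__ == "__main__":
    print(summarise(SAMPLE_FINDINGS))
```

Archived and suppressed findings are deliberately excluded from the open counts so the report reflects what still needs the end user's attention.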
Based on a couple of recent consulting exercises, our cloud qualification and validation team assessed the above key aspects. Interestingly, in several discussions the end-users were happy ticking off these parameters until it came to one more KEY aspect.
While evaluating a cloud-based solution for purchase, is it enough if a vendor checks all the above boxes? Can a simple checklist decide whether you are going to go all-in?