With cloud-based solutions dominating global workspaces, we now have a myriad of SaaS vendors taking interest in the Scientific R&D IT space. The promise of accessibility, scalability and simplicity over something as common as a stable internet connection has been a great driving force in the shift towards the cloud.
Responsibility is one piece of the jigsaw puzzle that is SaaS application validation. Is it the user’s responsibility to validate the solution? Or should the vendor take up that task?
In reality, the answer is almost never binary; it falls somewhere in the middle ground.
SaaS vendor’s responsibilities
Extent of qualification
The vendor should perform an Installation Qualification (IQ) and an Operational Qualification (OQ), and these documents must be shared with the user. Based on the coverage of testing and a suitable package, the user would be able to understand the extent of qualification already performed.
Audit-ready
The procedures followed, along with the evidence, must be made available for an audit. Specifically, the software development life cycle, the change control process for upgrades, and cases where there might be automated deployment of configurations in the cloud should be presented for a customer audit.
Customizations
SaaS products are like ice-cream cones. Each user might want custom-built add-ons and integrations to suit their taste or, in all probability, their purpose. These could be API extensions, or any suitable solution offered by the vendor. Do you think these should be qualified by the vendor or the user?
Absolutely Not!
Provision of multiple instances for end user
To support the end user’s validation and the need for an exclusive cloud environment for any customizations or configuration changes, the vendor must provide separate development, validation and production instances.
Performance Testing
The vendor would see how the application performs on the cloud in terms of how quickly it can be accessed, used and queried. A combination of timed and automated tests is usually done for this, to verify the performance of the application.
Security!
Among the many apprehensions of an end user, cloud security is one of the biggest. A solution that comes with a security feature will be preferred over one that does not. Providing visibility in terms of stats, metrics and insights into the services used would be of great help for an end user. For instance, AWS Security Hub is a collection of CloudTrail (a compliance-governing service), CloudWatch (a performance monitoring tool), Firewall Manager, etc. This way, Security Hub monitors and manages the overall cloud security aspects.
Based on a couple of recent consulting exercises, our cloud qualification and validation team assessed the above key aspects. Interestingly, in several discussions, the end users were happy ticking off these parameters, until it came to one more KEY aspect.
When evaluating a cloud-based solution for purchase, is it enough if a vendor checks all the above boxes? Can a simple checklist decide whether you are going to go all in?
Absolutely Not!
End user’s responsibilities
Validation! Despite a qualification exercise performed by the vendor, the product must be verified for its intended use. From drafting the User Requirements and Validation Plan to closing out a Validation Summary Report, with documented qualification of the end user configurations and a reassuring traceability matrix, the end user needs to validate the cloud-based solution.
The healthcare space has been a vast field with regulations laying down impermeable boundaries. With remarkable innovations changing global businesses, responsible use of systems may also require adopting an innovative strategy, without compromising on regulatory standards.