Leveraging PaaS in a Regulated Environment

1 Introduction

Over the past decade, the life sciences industry has seen cloud-based services and solutions evolve from a misunderstood technology that few regulated companies were comfortable using, to a mainstay solution adopted by many seeking to capitalize on the numerous value propositions highlighted by cloud providers. These benefits include the ability to drive business innovation fueled by the speed at which a cloud solution can be made available or “spun up”, as well as the ability of the IT function to reduce overall costs and overhead by leveraging a variable cost model rather than managing the fixed costs of in-house IT solutions.

The evolution of cloud-based services and solutions in the Life Sciences industry can, in part, be attributed to the focus many leading cloud providers place on security and data integrity. In addition, many leading cloud-based providers are developing teams which are focused on the life sciences industry. These teams include members who understand the regulated nature of the life sciences industry and are focused on developing approaches, processes, and controls to address regulatory requirements.

Although there has been progress in understanding the controls required by both the regulated companies and the cloud providers, there are still some questions that remain unanswered. This is especially true for Platform as a Service (PaaS).

Many regulated companies continue to struggle with PaaS by attempting to apply their existing System Development Life Cycle (SDLC) or security policies to PaaS solutions. Those policies were originally intended to address traditional on-site systems where the regulated company had control over the entire technology stack, from the hardware up to the software layer. Control is now divided between the cloud provider and the cloud customer.

In a previously published article, “Challenges for Regulated Life Sciences Companies within the IaaS Cloud” [2], the focus was on the key items that need to be addressed to adopt an IaaS model within a regulated organization.

As a continuation of the series, this Concept Paper will help explain how PaaS compares to other cloud solutions (specifically IaaS), and will discuss the risks and associated pragmatic controls that regulated companies should consider when leveraging PaaS within their organization.

2 Defining the PaaS Difference

NIST defines PaaS as the capability provided to the consumer to deploy onto the cloud infrastructure consumer-created or acquired applications, created using programming languages, libraries, services, and tools supported by the provider [3].

The purpose of PaaS is to provide a programming platform to create a software application solution without the overhead of hosting and maintaining the underlying technology stack.

While the regulated company is ultimately accountable for ensuring that systems are fit for use, Figure 2.1 shows where other lines of responsibility can be drawn for PaaS between cloud providers/vendors and cloud customers/regulated companies.

Figure 2.1: Regulated Company and Vendor Responsibilities Across Cloud Services

2.1 Rising Use Cases for PaaS

General use cases for PaaS are increasing and are cutting across the entire life sciences value chain. Some examples are listed in Table 2.1.

Read more by downloading Evolution of the Cloud: A Risk-Based Perspective on Leveraging PaaS within Regulated Life Sciences Company (Published: July 2016).
