SaaS in a Regulated Environment: The Impact of Multi-tenancy and Subcontracting

1 Introduction

In the evolving regulated IT environment there are many things to consider when thinking of turning to the cloud for a solution. Using a SaaS provider can be an excellent option, but with so many providers and models to choose from, each carrying its own risks, doing appropriate research and establishing the company’s specific needs are critical to making the right decision. This Concept Paper attempts to provide an overview of some of the current thinking on this topic in relation to the SaaS model.

SaaS risks should be weighed against the benefits of the IT solution’s lower ownership costs, as well as an optimized infrastructure. The latter allows quick access to the computing services that are increasingly important for effectively processing the volume of data produced in an increasingly computer-dependent industry.

This Concept Paper considers some of the various models of SaaS being offered today along with issues and risks to consider when selecting a reliable, secure, and economically sound provider. In particular, it highlights the differences that subcontracting and multi-tenancy can bring, when compared to basic, private SaaS offerings. It also considers how key areas of security and privacy may be affected by these different models.

These considerations should allow further investigation of the subject while armed with some important background information, together with an understanding of the risks and decision points when planning a move to a SaaS offering.

Choosing the model appropriate for a regulated company’s particular needs, with a provider offering reliable, quality, robust services at minimal risk, is a basic requirement in any industry, but it is particularly important for regulated pharmaceutical and biopharmaceutical companies.

2 Scope

In the introductory article “Cloud Computing in a GxP Environment: The Promise, the Reality and the Path to Clarity” [1] an overview was provided of some of the primary challenges and concerns debated by the regulated industry regarding whether or not cloud solutions could be adopted. In that article the following model was introduced to provide a framework of computer system components and where the control for each component resides. A second article produced by the GAMP® Cloud SIG [2] explored the challenges of adopting the Infrastructure as a Service (IaaS) delivery model within the regulated environment.

Figure 2.1: The Elements of Partnership That Should Be Prepared for with a Service Provider
This Concept Paper explores Software as a Service (SaaS) delivery models currently offered and will highlight the impact of subcontracting and multi-tenancy on SaaS arrangements. These two dimensions can make a significant difference to the risks associated with SaaS, in particular with the key areas of Information Security and Data Privacy.

The Concept Paper focuses on the data maintained at a SaaS provider.

3 The SaaS Model

The widely accepted definition of the Software as a Service model by the National Institute of Standards and Technology (NIST) is:

“The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.”

The NIST SaaS Model can appeal to regulated companies and their IT departments by signifying the potential for:

  • On-demand self-service
  • Broad network access
  • Resource pooling
  • Rapid elasticity
  • Measured service

For end users, some of the detail of the cloud characteristics, or the risks associated with the deployment model, may not be immediately apparent from this definition. The key concern for regulated businesses as users of SaaS applications is that another organization is in control of:

  1. The infrastructure on which the business’s data resides
  2. The software and data belonging to the business

All SaaS solutions share this common concern, but differences in the underlying cloud infrastructure characteristics and deployment models of each provider mean that different SaaS solutions need to be handled in different ways.

Read more by downloading SaaS in a Regulated Environment – the impact of Multi-tenancy and Subcontracting (Published: July 2016).