The Forecast is Cloudy

GE recently announced it is moving its 9,000 supported applications to the cloud. Nowadays, all of us are bombarded with information about “the cloud”, and it can be hard to wade through the hype and hyperbole to understand the landscape in a way that helps us make decisions about our own organizations.

Enterprise cloud computing is a complex topic, and how you look at it depends on many variables. Below I try to outline one typical scenario. Your inputs, and the weight you give to the different factors involved in making the decision, will vary, but the general paradigm is useful across a wide variety of organizations.

In the interest of full disclosure, I am CEO of a company that sells cloud-based clinical research solutions (OpenClinica Enterprise, OpenClinica Participate). We adopted a cloud model after going through exercises similar to the ones below. Rather than reflecting bias, it demonstrates our belief that the cloud model offers the greatest combination of value for the greatest number of organizations in the clinical research market.

So… Let’s say you’re a small-to-medium size enterprise, usually defined as having under 1000 staff, and you are considering moving your eClinical software technologies to a public cloud and/or to a Software-as-a-Service (SaaS) provider.

Let’s start with the generic move of in-house (or co-located) servers and applications to a public cloud environment. We’ll get to SaaS in a bit.

Economics

For this exercise, we’ll use the handy modelling tools from Intel’s thecloudcalculator.com. And we’ll assume you want to run mission-critical apps, with high levels of redundancy that eliminate single points of failure. We’ll compare setup of your own infrastructure using traditional virtualization to a similar one on cloud, based on certain assumptions:

The results for an internal, or “private” cloud are:

[Image: Economics]

The public cloud looks as follows:

[Image: Economics2]

[Image: Economics3]

Source: http://thecloudcalculator.com

Wow. A 26x difference in cost. Looks pretty compelling, right? But not totally realistic – you’re probably not considering building a highly redundant in-house or co-located data center to host just a couple of apps. Either you already have one in place, or are already deploying everything to the cloud. In the latter case, you don’t need to read further.

In the former case, let’s explore the cost of adding several more applications to your existing infrastructure. What are the marginal costs of adding the same amount of computing capacity (12GB of memory, 164GB storage) on top of an existing infrastructure? We can use the same calculator to compute the delta between the total cost of a private cloud with 190GB of memory and 836GB of storage and the cost of that cloud with the extra capacity added. But here it gets much trickier.

According to the calculator, our 190GB cloud costs $379,324 – the same as the 12GB cloud in the first example! Moreover, adding another 12GB of capacity pushes the cost up to $513,435, a difference of $134,111. However, if we change our assumptions and start with a 150GB cloud, then add 12GB of capacity, the marginal cost is $0.

What we’re seeing is how the IT overhead costs of running your own private cloud infrastructure tend to grow in a discrete, rather than continuous, manner, and going from one tier to the next is usually very expensive.

Our calculator makes a bunch of assumptions about the size of each server, and at what point you need to add more hardware, personnel, cooling, etc. The exact number where these thresholds lie will vary for each organization, and the numbers in the example above were picked specifically to illustrate the discrete nature of IT capacity. But the principle is correct.

Large cloud providers, on the other hand, mask the step-wise and sunk capital costs from customers by only charging for each incremental unit of computing actually in use. Because these providers operate at a huge scale, they are able to always ensure excess supply and they can amortize their fixed and step-wise costs over a large number of customers.

The examples above show that the actual costs of a public cloud deployment are likely to be significantly lower than those of building or adding to a comparable private cloud. While there’s no guarantee that your public cloud cost will be less than in-house or colocated, market prices for cloud computing continue to become more competitive as the industry scales up.

What is certain, however, is that the flexibility of the public cloud model eliminates the need for long-term IT capital budget planning and ensures that a project won’t be subject to delays due to hardware procurement pipelines or data center capacity issues. In most cases it can also reduce the burden on IT personnel.

Qualitative Advantages

The central promise of the cloud is a fundamental difference in the ability to run at scale. You can deploy a world class, massively scaled infrastructure even for your first proof-of-concept without risking millions of dollars on equipment and personnel. When Amazon launched the S3 cloud service in 2006, its headline was “Amazon S3 enables any developer to leverage Amazon’s own benefits of massive scale with no up-front investment or performance compromises”.

It is a materially different approach to IT that enables tremendous flexibility, velocity, and transparency, without sacrificing reliability or scalability. As Lance Weaver, Chief Technology Officer for Cloud at GE Corporate, identifies, “People will naturally gravitate to high value, frictionless services”. The global scale, pay-as-you-go pricing models, and instantaneous elasticity offered by major public cloud providers are unlike anything in the technology field since the dawn of the Internet. If GE can’t match the speed, security, and flexibility of leading public cloud providers, how can you?

What You Give Up

At some level, when moving to the cloud you do give up a measure of direct control. Your company’s employees no longer have their hands directly on the raw iron powering your applications. However, the increased responsiveness, speed, and agility enabled by the cloud model give you far more practical control than the largely theoretical advantages of such hands-on ownership. In a competitive world, we outsource generation of electrical power, banking, delivery of clean, potable water, and access to global communications networks like the Internet. Increasingly, arguments for the cloud look similar, with the added benefits of continuous, rapid improvements and falling prices.

Encryption technologies and local backup options make it possible to protect and archive your data in a way that gives you and your stakeholders increased peace-of-mind, so make sure these are incorporated into your strategy.

Risk Reduction

The model above is based on the broad economics of the cloud. However, there are other, more intangible requirements that must be met before a change can be made. You’ll want to carefully evaluate a solution to ensure that it has the features you need and is fit for purpose, and that the provider you choose gives you transparency into the security, reliability, and quality of their infrastructure and processes. Make sure that data ownership and level of access is clear and meets your requirements. Ensure you have procedures and controls in place for security, change control, and transparency/compliance. These would be required controls for an in-house IT or private cloud as well. One benefit of public cloud providers in this area is that many of them offer capabilities that are certified or audited against recognized standards, such as ISO 27001, SSAE16, ISAE 3402, and even FISMA. Some will also sign HIPAA Business Associate Agreements (BAAs) as part of their service. Adherence to these standards may be part of the entry-level offering, though sometimes it is only available as part of a higher-end package. Be sure to research and select a solution that meets your needs.

External Factors

No matter who you are, you are beholden to other stakeholders in some way. Here are a couple of areas to pay attention to:

  • Regulation – Related to risk reduction, you want to have controls in place that adhere to relevant policies and regulations. In clinical research, frameworks such as ICH Good Clinical Practice and their principles of Computer System Validation (CSV) are widely accepted, well understood, and contain nothing that is a barrier to deploying a well-designed cloud with the appropriate due diligence. You may also have to consider national health data regulations such as HIPAA or EU privacy protections. Consider if data is de-identified or not, and at what level, to map out the landscape of requirements you’ll have to deal with.
  • Data Storage – A given project or group may be told that the sponsor, payer, institution, or regulatory authority requires in-house or in-country storage of data. Sometimes this is explicitly part of a policy or guideline, but just as often it is more of a perceived requirement, because “that’s the way we’ve always done it”. If there is wiggle room, think about if it is worth fighting to be the exception (more and more often, the answer is yes). Gauge stakeholders such as your IT department, who nowadays are often overburdened and happy to “outsource” the next project, provided good controls and practices are in place.
  • Culture – A famous saying, attributed to management guru Peter Drucker, is that “Culture eats strategy for breakfast, every time”. Putting the necessary support in place for change in your organization and with external stakeholders is important. The embrace of cloud at GE and in the broader economy helps. Hopefully this article helps :-). And starting small (something inherently more possible with the cloud) can help you demonstrate value and convince others when it’s time to scale.

SaaS

SaaS (Software-as-a-Service) is closely tied to cloud, and often confused with it. It is inherently cloud-based but the provider manages the details all the way up to the level of the application. SaaS solutions are typically sold with little or no up-front costs and a monthly or yearly subscription based on usage or tier of service.

[Image: SaaS-IaaS-PaaS]

Source: http://venturebeat.com/2011/11/14/cloud-iaas-paas-saas/

When you subscribe to a SaaS application, your solution provider handles the cloud stuff, and you get:

  • a URL
  • login credentials
  • the ability to do work right away

Which leads to a scenario like the following:

A few years ago, you typically had to balance this advantage (lack of IT headaches and delays) against the lack of a comprehensive feature set. As relatively new entrants to the market, SaaS platforms didn’t yet have all the coverage of legacy systems that had been around for years, or in some cases decades. However, the landscape has changed. The SaaS provider is focused on making their solution work great on just one, uniform environment, so they can focus more of their resources on rapidly building and deploying high-quality features and a high-quality user experience. The result is that there is far more parity. Most SaaS solutions have caught up and are outpacing legacy technologies in pace of improvements to user experience, reliability, and features. Legacy providers have to spend more and more resources dealing with a complex tangle of variations in technology stack, network configuration, and IT administration at each customer site.

Furthermore, the modern SaaS provider can reduce, rather than increase, vendor lock-in. Technology market forces demand that interoperability be designed into solutions from the ground up. Popular SaaS frameworks such as microservice APIs mean your data and content are likely to be far more accessible, both to users and other software systems, than when locked in a legacy relational database.

The SaaS provider has the ability to focus on solving the business problems of its customers, and can rely on increasingly powerful cloud infrastructure and DevOps technologies to automate the rest in the background in a way that just works. These advantages get passed along to the customer in continuous product improvements and the flexibility to scale up and down as you need to, without major capital commitments.

Conclusion

YMMV, but cloud & SaaS are powerful phenomena changing the way we live and work. In a competitive environment, they can help you move faster and lower costs, by making IT headaches and delays a thing of the past.

Clinical Trials in the Cloud (Part II)

The other day I posted an overview of the new OpenClinica Optimized Hosting offering. Since then we have received requests for more detail on how we secure the data in a customer’s OpenClinica instance against unauthorized access. This is obviously a very important topic!

The particular questions were asked in the context of HIPAA–particularly the HIPAA Security Rule–and the answer below is framed in this context. But even if HIPAA is not relevant to you (because you have no PHI in your OpenClinica instance, you’re not part of a covered entity, or you’re outside the U.S.), the safeguards described below are generally applicable best practices and can be applied in the context of most security compliance/regulatory regimes.

In general the requirements of the HIPAA Security Rule can be summed up as:

  1. Ensure the confidentiality, integrity, and availability of all e-PHI you create, receive, maintain or transmit;
  2. Identify and protect against reasonably anticipated threats to the security or integrity of the information;
  3. Protect against reasonably anticipated, impermissible uses or disclosures; and
  4. Ensure workforce compliance.

Adhering to these requirements is generally demonstrated via a risk analysis that determines reasonable and appropriate security measures for protecting ePHI, and implementing administrative and technical safeguards consistent with the risk analysis (see http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html for more info). These safeguards may include:

Administrative Safeguards

  • Implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.
  • Limit uses and disclosures of PHI to the “minimum necessary.”
  • Appropriate training, authorization, and supervision of workforce members who work with e-PHI
  • Regular review and evaluation

Technical Safeguards

  • Implement technical policies and procedures that allow only authorized persons to access electronic protected health information.
  • Ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.
  • Implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.

So how do we do this? Many of these safeguards have long been in place as part of the SOPs and other controls we have for our staff and suppliers. The OpenClinica application itself enforces controls such as password policies, audit history, role based access control, and user access log. On top of these safeguards, what’s notable with OpenClinica Optimized Hosting are the specific controls surrounding this new hybrid/cloud-based hosting environment. Below are excerpts of our new Standard Operating Procedure associated with OpenClinica Optimized Hosting. The full SOP and supporting documentation are available as part of a compliance audit.

Excerpt from SOP-SA002 – Managing Hosted OpenClinica

7.1 Security

7.1.1 Access to any customer instance is limited, via login credentials, to authorized customer users for the web interface only. Customers have no access to the server itself [except through defined application and programmatic interfaces].

7.1.2 All OpenClinica employees are granted access only to computer and networking areas necessary to perform their duties.

7.1.3 Each customer’s installation is separate, and cannot be accessed from any other customer installation.

7.1.4 Connection to a hosted instance is encrypted by means of secure socket layer.

7.1.5 Application server and database server are secured via firewall, hardened to remove nonessential access credentials, and strong password compliance.

7.1.6 Hosted systems are constantly monitored for latencies and intrusion.

7.2.1 Installation qualification is performed on initial setup of the OpenClinica Optimized Hosting environment image, and documented in an IQ Report. Qualification items are checked by inspection, review of vendor documentation, or direct testing as appropriate; items are specified in the Installation Qualification Protocol.

7.2.2 Installation qualification for each customer instance is performed when configuring that instance, and is documented in an IQ Report. Qualification items are checked by inspection, or direct testing as appropriate.

We conduct qualification of our own IT practices and our data center provider to assure security, reliability, availability, performance, and data protection within our hosted services. Items reviewed include:

  • Data Center physical security procedures
  • Data center HVAC, power conditioning, and fire suppression systems
  • Disaster prevention and disaster recovery processes
  • Back-up and data retention procedures
  • Network redundancy
  • Firewalls
  • SSL certificate (encryption)
  • System and network monitoring (for latencies, intrusion, and failure prediction)
  • Load balancing

Our data center has a SAS 70 Type II security certification, a well known security certification that originated from financial industry compliance requirements and aligns well with the requirements of the clinical trials industry. We regularly audit their policies and procedures in the context of our quality system, including review of the SAS 70 Type II audit report they provide. Our data center assures secure and reliable operation in part by maintaining appropriate physical resources at the facility. Fire suppression, conditioned power, and redundant HVAC all protect computing equipment against damage from extreme conditions, while physical access security and surveillance guard against unauthorized intrusion. The full report is available for our customers to review as part of a compliance audit.

The above are some highlights of our multi-tier strategy to ensure the highest level of security of critical clinical data while maintaining accessibility and ease-of-use. Like any good security strategy, we treat it within the company as a dynamic function, subject to regular review and assessment. We recognize our strategy must always be evolving to respond to emerging threats and new requirements. At the end of the day it is the combination of process and technology controls, and subjecting these controls to continual scrutiny, that leads to strong security.

– Cal Collins

Clinical Trials in the Cloud

I got a phone call the other day from a longtime OpenClinica user about the announcement of our new OpenClinica Optimized™ Hosting. He remarked on how leading companies in the industry (including his) are making big investments in cloud computing products and services, because these technologies provide easy-to-access functionality on an infrastructure that is more redundant, scalable, and cost-effective than you could hope to build or buy on your own.

However, in the clinical research field, putting together such an offering is not for the faint of heart. Though our free OpenClinica Community Edition has been installed and run by users on cloud servers for years, our OpenClinica Enterprise Edition offering (which carries regulatory guarantees) would have to meet rigorous reliability, security, and regulatory compliance requirements. How can this be accomplished if you don’t actually know where your data physically resides at any point in time on the cloud?

Prior to the launch of Optimized Hosting, we offered each hosted customer a dedicated server or a two-server (application + database) setup. This provided a certain peace of mind from knowing that your clinical data lives on a dedicated piece of hardware, but for many the costs were high and the setup suffered from the inherent limitations of being tied to a physical machine. At the end of last year our data center partner achieved SAS 70 Type II certification for their cloud services, and we decided it was time to begin diligence on a cloud-based offering for OpenClinica.

We have spent the past 9 months listening to our customers’ needs and concerns, and designing and testing a solution. The resulting OpenClinica Optimized™ Hosting is an innovative hybrid architecture that provides the best of both worlds: the scalability, high availability, and flexibility of the cloud combined with the peace of mind that your data lives in purpose-built dedicated hardware.

In short, OpenClinica Optimized Hosting offers greater fault tolerance, with better scalability and performance, at a lower cost than alternatives. Here’s how it works:

Application

Each OpenClinica application instance is a cloud server cloned from an image that has been qualified according to our exacting installation instructions. We configure the instance according to the customer’s supplied configuration parameters and complete operational qualification (OQ). The instance is typically available and ready for production use within a day or two. Thanks to the cloud, computing resources are instantly scalable on-demand.

Database

Dedicated (non-cloud) high performance database machines are configured in a master/slave relationship to provide instant data replication and fault tolerance. By utilizing multiple slave databases located in different geographic regions, the OpenClinica Optimized Hosting database cluster is designed for zero data loss even in the event of a nuclear strike. The servers use the fastest hard disk technology available today (Fusion-io®), dramatically improving database performance. For example, in our testing, we commonly see data extracts run up to 10x faster than in the prior environment. Database servers are physically isolated via a Cisco ASA firewall to eliminate all nonessential access credentials.

Validation and Compliance

OpenClinica Optimized Hosting provides maximum flexibility and transparency in the area of change control and compliance. It has been constructed around a carefully designed set of controls to ensure all updates are fully tested (and documented) in the environment prior to release, and that customers can have upgrades and maintenance releases applied according to their individual schedules and priorities.

One of the great advantages of OpenClinica is the choice it offers – you can use and extend the open source licensed code, you can choose between OpenClinica Community Edition and OpenClinica Enterprise, you can deploy it locally or choose the hosted option. Or, any combination of the above. The new Optimized Hosting environment enhances that choice by providing a fast, reliable, and cost-effective way to get up and running with OpenClinica.

For more on security in OpenClinica Optimized Hosting, see Clinical Trials in the Cloud – Part II.

– Cal Collins