Technology, Testing, and Standards: The Makings of a Secure Cloud QMS

We’ve helped customers bring products to market safely and efficiently for over two decades. During that span of time, a lot changed. VHS tapes turned into streaming, phone booths vanished, and your neon windbreaker…well, there’s a reason it’s buried at the back of your closet.

During that time our quality management system (QMS) software solutions changed too. Businesses operate much differently than they once did. Today when you look at a bottle of aspirin, you’re looking at a product that may have literally traversed the globe before it came to rest in your medicine cabinet.

Our customers needed a better way to manage a large and diverse group of partners, so our solutions had to evolve from on-premises to SaaS. But with that shift came big security concerns. After all, there’s a new security breach story every week: data falls into the wrong hands, consumer confidence is destroyed, millions of dollars are lost. There are also laws and regulations to consider.

So, how do you prevent all of that from happening? It starts with choosing the right foundation.

Setting a Secure Foundation

After much research, we selected Salesforce and Amazon Web Services as the foundation for 123Compliance and Stratas QM respectively. Both vendors are clear leaders in providing secure, fault-tolerant, scalable infrastructure and cloud computing services. Both hold SOC 2 attestations and many other relevant certifications. In fact, many of our Life Sciences customers already run validated workloads on both platforms for other areas of their business.

On AWS, we run inside a virtual private cloud (VPC), which isolates Sparta’s network at the network layer from every other AWS customer.

Virtualized data centers provide up-to-the-minute data mirroring and frequent incremental backups to geographically diverse regions around the world. This allows failover with less than a minute of data loss and no noticeable disruption to service. The environments are “designed for failure” every step of the way.

Each layer of the cloud infrastructure is gated: multi-factor authentication for administrative access, TLS-only traffic (no plaintext listeners), and security groups and network access control lists that are each defined on the principle of least privilege, opening only the protocol, port and source range a component actually needs.
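The least-privilege and TLS-only rules above are easy to state and easy to drift from, so a practitioner would want a check that runs over the rule set on every change. The following is an added example, not Sparta’s or AWS’s code: it models an ingress rule the way the AWS API reports one (protocol, port range, source CIDR) and flags the three ways a rule breaks those principles. The rule sets, the plaintext-port list and the assumption that only a TLS listener on 443 may face the internet are constructed for illustration.

```python
"""Audit security-group ingress rules for least privilege and TLS-only traffic.

Added example; not Sparta's or AWS's code. An IngressRule mirrors the fields
an AWS security-group rule exposes. The weak and hardened rule sets are
constructed samples, and PLAINTEXT_PORTS is an assumed, non-exhaustive list.
"""
from dataclasses import dataclass
import ipaddress

# Listeners whose protocols carry credentials or data in the clear (assumed list).
PLAINTEXT_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP", 389: "LDAP"}
# Source ranges that mean "the whole internet".
ANYWHERE = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}
# Assumption: the only listener allowed to face the internet is the TLS front door.
PUBLIC_TLS_PORT = 443


@dataclass(frozen=True)
class IngressRule:
    protocol: str      # "tcp", "udp", or "-1" (all protocols, as AWS spells it)
    from_port: int     # inclusive port range; 0-0 for protocol "-1" in this model
    to_port: int
    cidr: str          # source range in CIDR notation
    note: str = ""     # free-text description, as in a rule's Description field


def audit_rules(rules):
    """Return one human-readable finding per violation; an empty list means clean."""
    findings = []
    for r in rules:
        src = ipaddress.ip_network(r.cidr, strict=False)
        label = f"{r.protocol} {r.from_port}-{r.to_port} from {r.cidr}"

        # 1. "All protocols" is never least privilege.
        if r.protocol == "-1":
            findings.append(f"{label}: all protocols permitted; name the protocol and port")
            continue

        # 2. A range is wider than the single listener a component exposes.
        if r.to_port != r.from_port:
            width = r.to_port - r.from_port + 1
            findings.append(f"{label}: range spans {width} ports; open only the listener in use")

        # 3. A plaintext protocol anywhere in the range violates TLS-only traffic.
        clear = [PLAINTEXT_PORTS[p] for p in sorted(PLAINTEXT_PORTS)
                 if r.from_port <= p <= r.to_port]
        if clear:
            findings.append(f"{label}: plaintext listener(s) {', '.join(clear)}; TLS-only traffic forbids them")

        # 4. Only the TLS front door may be reachable from the whole internet.
        if src in ANYWHERE and (r.from_port, r.to_port) != (PUBLIC_TLS_PORT, PUBLIC_TLS_PORT):
            findings.append(f"{label}: open to the internet; only port {PUBLIC_TLS_PORT} may face the world")
    return findings


# Constructed sample: the kind of group that accumulates during development.
WEAK_RULES = [
    IngressRule("tcp", 22, 22, "0.0.0.0/0", "ssh from anywhere"),
    IngressRule("tcp", 80, 80, "0.0.0.0/0", "plain http"),
    IngressRule("-1", 0, 0, "10.0.0.0/8", "everything from the corporate range"),
    IngressRule("tcp", 0, 65535, "10.0.0.0/16", "all tcp from the VPC"),
]

# Constructed sample: the same service with one rule per real listener.
HARDENED_RULES = [
    IngressRule("tcp", 443, 443, "0.0.0.0/0", "public TLS listener on the load balancer"),
    IngressRule("tcp", 22, 22, "10.20.30.0/24", "ssh from the bastion subnet only"),
    IngressRule("tcp", 5432, 5432, "10.20.40.0/24", "database from the application subnet only"),
]


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(f"{name}: {len(audit_rules(rules))} finding(s)")
        for f in audit_rules(rules):
            print("  -", f)
```

The hardened set passes because every rule names one protocol, one port and the narrowest source that needs it; the one world-open rule is the TLS listener. In a real pipeline the rule list would come from the cloud API rather than a literal, and a non-empty result would fail the deployment.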

Architectures and designs follow control frameworks such as the Cloud Security Alliance (CSA) controls and National Institute of Standards and Technology (NIST) guidance, to name a few. These frameworks define sets of information security controls designed to make systems more resilient to many different types of threats.

Testing and Monitoring the Infrastructure

As an added layer of scrutiny, we have third-party vendors perform regular external penetration testing against both the infrastructure and the deployed application code. Our SDLC incorporates tools that perform static code analysis on every build as part of a robust continuous integration and delivery process. The tools selected for this process are those that can identify the weakness classes catalogued by the OWASP Top 10 and the controls required by PCI DSS, HIPAA and others.

We also retain full-time security and compliance experts who review designs and tools to ensure security is embedded in everything we do. The OWASP Application Security Verification Standard (ASVS) is used as the framework for building and testing application software.

Finally, both Sparta and our SaaS infrastructure partners employ 24x7 environment monitoring. Teams distributed around the globe help to ensure the highest degree of uptime with monitoring tools, alerts, and notifications.

Automated Deployment and Validation

A key objective is to ensure our SaaS solutions are rapidly deployable and allow customers to get the latest features quickly. This is accomplished via a multi-tenant architecture, automated deployment, and feature toggles that let each customer choose when to expose new capabilities to its users. We implement multi-tenancy so that servers, application instances and resources are shared, while every data access is scoped to the tenant of the authenticated user, so that one tenant’s data is never visible to another.
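In a shared-table multi-tenant design, the isolation property lives in the data access layer: the tenant identifier must come from the authenticated session, never from the request, and every read and write must carry it. The following is an added example, not Sparta’s code or the 123Compliance or Stratas QM implementation. It puts the classic cross-tenant lookup (primary key alone) beside the scoped version, and shows per-tenant feature toggles keyed the same way. The record store, tenant names and flag names are constructed for illustration.

```python
"""Per-tenant data isolation and feature toggles on a shared store.

Added example; not Sparta's code. STORE stands in for one shared table that
holds every tenant's records. Tenant names, records and flag names are
constructed samples. The tenant_id on a Session is assumed to be set at
login from the identity provider, never from request parameters.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user: str
    tenant_id: str      # established at login; the only tenant the session may touch


@dataclass
class Record:
    record_id: int
    tenant_id: str
    title: str


class TenantAccessError(PermissionError):
    """Raised on a write that would cross a tenant boundary; worth alerting on."""


# Constructed sample data: one shared store, three tenants.
STORE = [
    Record(1, "acme", "Deviation DEV-001"),
    Record(2, "acme", "CAPA CAPA-007"),
    Record(3, "globex", "Deviation DEV-042"),
    Record(4, "initech", "Audit AUD-003"),
]

# Constructed sample: which tenants have chosen to expose which new capability.
FEATURE_FLAGS = {
    "acme": {"new_capa_workflow"},
    "globex": set(),
    "initech": {"new_capa_workflow", "bpmn_designer"},
}


def get_record_unscoped(record_id):
    """Vulnerable form: looks up by primary key alone, so a user from any
    tenant can read any record whose id they guess (a shared-table IDOR)."""
    for r in STORE:
        if r.record_id == record_id:
            return r
    return None


def get_record(session, record_id):
    """Hardened form: the session's tenant is part of the key. Another
    tenant's record is indistinguishable from a missing one, which also
    stops id enumeration across tenants."""
    for r in STORE:
        if r.tenant_id == session.tenant_id and r.record_id == record_id:
            return r
    return None


def list_records(session):
    """Every listing is filtered by the session's tenant, never by a
    tenant parameter supplied by the caller."""
    return [r for r in STORE if r.tenant_id == session.tenant_id]


def create_record(session, title):
    """Writes inherit the tenant from the session; there is no tenant
    argument a caller could set to write into another tenant."""
    new_id = max(r.record_id for r in STORE) + 1
    rec = Record(new_id, session.tenant_id, title)
    STORE.append(rec)
    return rec


def update_record(session, record_id, title):
    """Unlike reads, a cross-tenant write attempt is made loud: it raises so
    it can be logged and alerted on rather than silently reported as 404."""
    target = get_record_unscoped(record_id)
    if target is None:
        return None
    if target.tenant_id != session.tenant_id:
        raise TenantAccessError(
            f"{session.user}@{session.tenant_id} attempted to modify record "
            f"{record_id} owned by {target.tenant_id}")
    target.title = title
    return target


def feature_enabled(session, flag):
    """Feature toggles are keyed by tenant the same way data is."""
    return flag in FEATURE_FLAGS.get(session.tenant_id, set())


if __name__ == "__main__":
    alice = Session("alice", "acme")
    print("unscoped lookup leaks:", get_record_unscoped(3))
    print("scoped lookup hides it:", get_record(alice, 3))
    print("acme sees:", [r.record_id for r in list_records(alice)])
    print("acme has new CAPA workflow:", feature_enabled(alice, "new_capa_workflow"))
```

The point of the hardened functions is that the tenant filter is not optional: there is no code path that takes a tenant from the request. In a real service the same scoping is usually enforced a second time below the application, for instance with row-level security in the database, so that a missed filter in one query does not become a cross-tenant leak.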

Historically, multi-tenant architectures have posed a challenge for regulated customers and their Computer System Validation (CSV) cycles. A traditional manual approach to validation typically results in vendors providing only incremental, risk-based packages. All too often the customer is left to close the validation gap themselves, at a cost of extra time, resources, and money.

With our SaaS offering, we’ve made a substantial investment in extending our agile practices with a high level of test automation that drives the validation process. We recognize the need to improve the efficiency of validation without putting compliance at risk. As a result, we deliver a complete, compliant validation package for each release that covers every change to the system.

Standards Allow Flexibility for the Future

We all recognize that technology is constantly advancing. That’s why we build on industry standards: they let us incorporate updated technologies as they become available, and they help customers avoid vendor lock-in and point-to-point custom integrations. For example, interoperability across all our QMS software solutions is facilitated by the Quality Data Interchange Specification (QDIS), a patent-pending message format developed specifically for exchanging quality data in a product-agnostic way.

We’ve also adopted the Business Process Model and Notation (BPMN) and Decision Model and Notation (DMN) specifications for workflow creation and management. These are business process management standards maintained by the Object Management Group (OMG). They give us flexibility in workflow creation, management and supporting tools without creating vendor lock-in risks.

We also use those same standards to create and maintain out-of-the-box process designs, each of which encapsulates an industry-standard quality workflow drawn from our two decades of experience working with clients. These can serve as the starting point for many companies beginning their quality management implementations.

Security is Part of Our Culture

Not only do we adopt standards, our employees also participate in and contribute to standards bodies, publications, and open source standards. We strive to retain a high level of security consciousness by maintaining ISO 9001 certification and SOC 2 Type 1 (one of the first in the industry to do so) and SOC 2 Type 2 attestations.

Sparta is leading the way with cloud services built on an open standards platform and designed around the full set of regulatory requirements of Life Sciences and other regulated industries. Through its partnership with AWS and Salesforce as hosting and service providers, Sparta gives customers a cloud environment built on the most mature and broadly certified platforms available today.

Learn more about Sparta’s cloud QMS solutions.