ELN in the Cloud
Marketing buzz or reality?
Cloud computing and software-as-a-service (SaaS) are buzz terms thrown around quite frequently these days in the IT community. In a typical cloud environment, a software supplier provides access to their software over the Internet for a monthly fee with data management services and support included. Motivated by lower administration costs, no capital outlay, lack of available IT resources, and geographically dispersed user bases, applications such as customer relationship management (CRM) and pharmaceutical clinical trials electronic data capture (EDC) have been successfully hosted by these external third parties for several years.
|Fig 1: Consideration of a hosted ELN|
Not prone to miss a trend, several electronic laboratory notebook (ELN) suppliers (e.g., CambridgeSoft, Symyx, Contur, LABTrack and Rescentris) have recently introduced hosted solutions as an option to the traditional perpetual licenses installed at customer locations. With prices ranging from 50 to several hundred U.S. dollars per user per month, suppliers claim to provide a more cost-effective, elastically scalable and simpler ELN implementation. Clients communicate with an application server and database at the supplier’s hosting site. Depending on the application, clients can be browser-based, thick clients or virtualized using Citrix Presentation server. Over 1,000 scientists and engineers now leverage hosted ELN software, growing from just a few hundred users two years ago — but this is still a small percentage of all users.
But is the broader market really ready for “cloud ELN” with multi-billion-dollar patent data residing on third-party servers? To answer this question, Atrium Research undertook a study to examine the market for externally hosted ELN.
First, a few definitions: Cloud computing and SaaS are frequently misused and misunderstood terms. Cloud computing is a concept with information services delivered over the Internet where the physical architecture is abstracted from the users. Users do not need to know — or care — where servers are located or how they are managed. There are many different variations: public, private, hybrid, integration, database, and so on. In the ELN world, SaaS (a.k.a public cloud) and hosted private cloud are the two most prevalent deployment modes.
A hosted private cloud is essentially a buzz term for what is a traditional hosting solution where a party maintains the application for an end-user client. No other client shares the same code base. The system configuration and security management are self-serviced by the client; the host manages operations such as backup and disaster recovery. The application and database are supported on virtualized servers with other clients on the same hardware — which can have performance implications if not managed effectively. In this mode, the system can be customized to the user’s needs and integrated with other systems, such as chemical registration, inventory or user-specific data analysis tools.
|Fig 2: Markets of those who will consider a hosted ELN|
This is quite a bit different from a SaaS, or public cloud (the term currently in vogue) approach. In SaaS, a single code base is used to support multiple clients with internal security controls permitting data views only to authorized data consumers. This multi-tenant arrangement outsources the majority of the system administration to the third party with limited ability for customization and integration. Since many clients can be supported from the same system, the costs are much lower for the vendor, with realized savings passed on to the consumer. Hosted private cloud is often a transition step to a public cloud until the client gains the confidence of data security, access, uptime and support.
Cloud ELN survey
Late last year, Atrium Research conducted a survey to examine the readiness of the market to accept third-party hosted ELN. Three hundred scientists and managers answered over 20 questions about their motivations and barriers to adopting such a solution.
A relatively small percentage (less than five percent) of all users currently access ELN in either a SaaS or hosted configuration. Larger corporate accounts tend to gravitate (over 80 percent) to hosted private cloud deployments, while small companies and non-profits generally prefer a public multi-tenant configuration due to the lower price point.
As shown in Figure 1, the willingness of those who have an interest in ELN to invest in a hosted solution ranges from “Will Not Consider” to “Will Consider.” “Might Consider” is the largest segment at 51 percent. The lack of education on hosting capabilities, advantages and negatives is the primary reason for a lack of a definitive response from those participants.
For those who will not consider a hosted ELN, corporate life science organizations comprise the vast majority of respondents at 60 percent, with academia and government at only eight percent. Figure 2 shows the markets of those who will consider a hosted solution. In this case, it is quite the opposite, where 42 percent is made up of academic and government accounts. Diminished concern over patent protection translates to greater acceptance — as well as a perception of lower cost.
The greatest apprehension to external hosting is with data security and IP protection — over 60 percent of respondents rate it as a concern. Worries about theft of intellectual property (either from hackers or employees of the host) and the leakage of data to unauthorized users in a SaaS environment are paramount. Interestingly, many acknowledge security concerns with their own internal information management; an outside service could, in fact, provide lower risks. Much of the security concern is with management; the benefits of lower costs do not outweigh the increased risks, according to most managers. Other perceived barriers to acceptance are network availability, regulatory compliance, transport of large files and vendor stability.
Vendors often talk about the cost of system management as the primary benefit of the cloud. IT respondents from larger companies consider this a dubious claim, given server virtualization, established internal procedures and complexities involving customization and integration with the cloud. In fact, the majority of all respondents feel the “ability to share data between sites and collaborators” is the prime motivator for looking at externally hosted solutions. Given the increasing industry trend in partnerships, collaborations, virtual teams and outsourcing, this is a logical motivator, as exposing an internal system to the Internet is not always practical. Nevertheless, ELN as a cloud of scientific collaboration is subject to a great deal of competition from other technologies, such as Microsoft’s Azure cloud initiative including SharePoint Services. Smaller companies, where the IT infrastructure is less established, are more sensitive to system management costs. However, several of the smaller companies who invested in cloud ELN believe a greater benefit is gained by allocating IT resources to strategic initiatives, rather than on system maintenance operations. Other motivating factors are faster implementation, ease of upgrades, and a lack of resources for tasks such as procedure development.
Managing security anxiety
As noted, anxiety over data security is the largest barrier to adoption of hosted ELN, particularly public cloud deployments. Combined with the fact that the majority of suppliers are using yet another party to physically host the solution, the lack of standards for data portability, and the absence of agreed standards for ELN record authentication, there are real and valid concerns that should be addressed before making a decision to leverage a hosted system for experiment documentation.
In the wider market for cloud computing, there are a number of standards for operational controls and auditing that have yet to be fully exploited in the ELN world. The Auditing Standards Board of the American Institute of Certified Public Accountants Statement on Auditing Standards No. 70: Service Organizations or “SAS 70” is a set of guidelines for auditors of service organizations handling sensitive data. SAS 70 certification has been used by cloud providers, such as Google and Amazon, to prove they have had their operational processes successfully audited to safeguard customer data. There are two types of service auditor reports:
- Type 1 describes the company’s controls at a specific point in time.
- Type 2 includes detailed testing of the controls over a six-month period.
Hosted ELN systems also tend to ignore the standard ISO/IEC 27001 Information Technology – Specification for an Information Security Management System. 27001 is a recognized model specifying requirements for the definition, deployment, monitoring and review of security controls. Under 27001, an information security management system (ISMS) is an organized framework of policies, procedures and physical controls for information security governance. 27001 is commonly implemented in conjunction with the companion 27002 agreement imparting best practices. Microsoft and Sun are currently seeking ISO 27001 certification of their cloud products to gain customer confidence in their security infrastructure. For similar reasons, Google is pursuing compliance with the U.S. government’s Federal Information Security Management Act (FISMA) which is a standard quite similar to 27001.
Prospective cloud ELN users should dig deeply to gain visibility into the supplier’s operational processes, data loss prevention technology, record authentication and security controls to gain confidence in the safe preservation of their data. Particularly in light of Google’s recent findings of major security breaches, any supplier providing a hosted solution should provide ready access to all their operational procedures, security controls and tools for record integrity. SAS 70 Type II audit certification should be provided, at a minimum. It is well worth the time to perform a risk assessment to gain a sufficient level of confidence (or not). Service level agreements (SLA) also must be negotiated so both parties share common expectations of continuing controls, uptime, services provided and support hours.
While it is not uncommon to find cloud computing overtake certain IT segments, the resistance in the ELN space is comparatively high. While growing, it is doubtful that public cloud ELN will be a major component of the overall market for many years. There is a great deal of “fear, uncertainty and doubt” about patent data residing in the cloud, particularly with SaaS installations. This is not too dissimilar with the fears of using electronic records to support patents that existed before 2006. That was overcome (majority of ELN installations are now electronic-only), but it took several years, changes in court proceedings, technology maturation and a leap of faith by major pharmaceutical companies to abandon paper records. Though the benefits are substantial, cloud ELN is still immature and will require continued focus on operational processes and adherence to established standards — and a similar leap of faith.
Michael H. Elliott is CEO of Atrium Research & Consulting. He may be reached at editor@ScientificComputing.com.