QARA Software - SaaS vs. On-Premise: how to choose?

When a medical device manufacturer seeks a Regulatory or Quality software system, the choice between SaaS (Software as a Service) and On-premise deployment can be a tricky one.

What is the best option for you?

In this article, we will spell out the major differences between the two and how they can help you get the most out of your digitalization strategy.

Comparing SaaS vs. On-Premise

Before 2010 and the era of cloud computing, applications were almost exclusively deployed in the company's own network. However, in this day and age, almost all applications are available as SaaS.  

As stated in the notions themselves, the primary distinction between SaaS and On-premise solutions lies in their hosting arrangements: SaaS solutions are managed and hosted by an external provider, in this case the application vendor which in turn might use sub-suppliers for hosting services, whereas on-premise solutions are managed and hosted by the client organization internally.

Deciding which implementation type is best suited for your company depends on several factors, such as your budget, goals, validation efforts, security needs, and the overall company culture. Just as with evaluating SaaS options, you should thoroughly assess your choices before deciding on an implementation method.

Cost and Budget

A key advantage of SaaS solutions is their relatively low initial cost. As companies subscribe to a SaaS on a rental basis, there is no requirement for a substantial upfront investment. Subscription fees, which are paid monthly or annually, vary based on the type of licence and number of users.

It is equally easy to step out, by simply cancelling the subscription. While this approach helps keep initial expenses down, the total cost of ownership may become unfavourable over a longer time. Failing to make SaaS payments in time can also lead to grave consequences, as the hosting partner can decide to delete your resources if payments are not provided as per the Service Level agreement.

An On-premise solutions have a higher initial cost because the device manufacturer must buy the necessary hardware or cloud resources and cover the expenses for its setup and deployment.

Although the ongoing maintenance costs may be minimal (sometimes by sharing resources among many systems), in-house solutions necessitate a dedicated IT infrastructure and IT personnel for maintenance and troubleshooting. Over time, hardware upgrades contribute to further costs.

Ownership and Timelines

A SaaS application tend to become operational almost immediately. It is in the SaaS vendor's best interest to automate the deployment process, have special set up and maintenance competence in-house, and to help the client to get started, in order to quickly start tapping into the revenue stream. The same principle goes for the deployments of service packs and security updates.

If the application is hosted On-premise, the deployment and configuration tasks tend to fall under the responsibility of the IT department. In some organizations, the IT department automatically becomes the owner of any acquired IT system and being the owner of many systems, your SaaS system may not always be the IT department's top priority. The actual deployment time therefore tends to be longer.

Security and compliance

Contrary to popular belief, storing your data in the cloud, like in SaaS applications, is not necessarily riskier than storing it On-premise.

A SaaS vendor stands and falls with the security he provides, and therefore a serious SaaS vendor has IT security as one of his core competences. Industry standards such as SOC and ISO 27001 are a good way to vet suppliers regarding the security dedication. The security of your data will be his absolute primary concerns, and he will continuously work to improve it. This includes the planning and handling of backups, monitoring, and disaster recovery planning.

If the Quality data is considered to be of strategic importance in our organization, you might feel safer to manage the data under your own roof.

Keeping the data On-premise potentially gives you the possibility to place the system entirely inside your own network, limiting its exposure to the outside world. This is fine, as long as all users operate within your network, which is not always the case if your workforce is distributed and/or your clients and suppliers needs access to your QARA applications.

A further point to consider is the location and deployment of the systems with which your QARA system integrates. Are they On-premise application or are they SaaS products? What possibilities and constraints does the selected hosting arrangement imply for your integration strategy?

Validation and Version control

Quality and Regulatory software (often) need to be validated. This also goes for updates and re-configurations. As we all know, validation efforts come with a considerable expense, and it is therefore often in the customer's best interest to have tight control over any changes to the validated application.

In some cases, SaaS suppliers push out new versions of their software without consulting or even informing their customers, invalidating the current application state. This can lead to unexpected validation efforts as the SaaS customer have little control over the SaaS infrastructure or, even worse, if this occurs immediately before or during an audit. On the other hand, when it comes to urgent security updates, it can be argued that a SaaS supplier in some cases can supply and deploy such updates considerably quicker than an in-house IT organisation.

Having an On-Premise deployment increase the control over when and to what version upgrades shall take place. This gives the customer a better way to assess the change scope against the validation effort required and hence decide whether an update to the particular version is warranted, given the expected validation costs.

Conclusion

Both On-premise and SaaS offer their unique sets of pros and cons. SaaS offers low initial costs, quick deployment, and flexible subscription pricing, but may lead to higher long-term costs and less control of the update cycles. On-premise solutions require significant upfront investment and longer deployment times, yet provide greater control and potentially lower ongoing maintenance costs.

The best choice depends on your budget, goals, security needs, and company culture. Careful evaluation of both options will help you make an informed decision that supports your digitalization strategy.

About the Expert

Allan Brignoli is DevOps Specialist and Security Expert at Aligned AG with years of experience in deploying, configuring and maintaining quality and regulatory applications in both cloud and in on-premise scenarios. He has a leading role in Aligned's efforts to uphold its security posture and is a central figure in Aligned AG's ISO 27001 effort.