AMAG's IT needs are more efficiently and cost effectively served by public cloud providers, including infrastructure-as-a-service (IaaS) and software-as-a-service (SaaS), than by internal systems and applications.
Ping-pong table, fridge, firewall.
If all goes according to plan, that's all you'll find in AMAG Pharmaceuticals' data center by year's end.
"That's my legit goal. We figure that's the best use of the data center by that point," says Nathan McBride, executive director of IT at the Lexington, Mass., company.
AMAG's IT needs are more efficiently and cost effectively served by public cloud providers, including infrastructure-as-a-service (IaaS) and software-as-a-service (SaaS), than by internal systems and applications, McBride says.
Chasing the perfect cloud
When McBride arrived at AMAG three years ago, his task was to build the growing company's IT department and infrastructure in the cloud. Except for one Microsoft Exchange server sitting, literally, in a broom closet, he had no legacy systems with which to contend.
"Of course I jumped at the opportunity - no red tape, a blank slate, this is every IT person's dream," McBride says. (See Where to start with public cloud computing.)
After hiring a staff of four, he and his team began crafting the company's IT future.
"With one floor of this 12-story building all to ourselves, we had so much room for growth and so many different ways we could have gone. But, as not to repeat the mistakes of the past, I knew I wanted to get the entire company to the cloud as soon as possible," McBride says.
The cloud's potential had long been on McBride's mind, he says. "Back in 2005-2006, Salesforce.com was taking things by storm and a lot of other companies were starting to develop SaaS approaches, too. At about the same time, Amazon Web Services [AWS] came out with cheap storage to accommodate the SaaS profile - although nobody knew quite what to do with it at that point," he says.
THE PRIVATE SIDE: Cancer center builds Texas-sized cloud
Coming to AMAG gave him the opportunity to put his thoughts into action. The problem was, when he presented his three-year cloud vision to corporate management, he had to leave a lot of boxes blank, McBride says. "We knew what we wanted, but we couldn't find companies to support everything yet."
The business, of course, couldn't wait.
As the company was developing its first product, Feraheme, a therapeutic iron compound for treating iron deficiency anemia, it began ramping up its employee base. When McBride joined the company in January 2008, he was employee No. 72. That number has more than tripled, to roughly 250 today, he says.
For IT, AMAG's growth meant supplementing the cloud vision with actual infrastructure.
"We spent as little as we had to, and only where necessary, to make way for things like storing e-mail and files as we grew, making sure we had backup systems in place and taking care of security," McBride says.
A turning point in terms of product availability came in the first quarter of 2010. "We weren't having philosophical discussions any more but instead were saying, 'How soon can we get so and so in here to tell us about its 1.0 product?" McBride recalls.
By May 2010, IT had filled each box in that cloud schematic. But more than that, McBride says, "we'd been able to get the vendors that we'd chosen for what we call the 'five-headed dragon,' because we really had five points of approach, to talk to each other and actually start developing together and coming up with hybrid products that no one else had ever heard of before and that we got to be the first to use."
For example, Egnyte,a cloud storage provider, has teamed with Google to synch Google Docs with its cloud file service and works in conjunction with backend storage provided via AWS Simple Storage Service (S3). AMAG stores about 6 terabytes of data in the Egnyte cloud, which, after compression and data deduplication, amounts to about 2.5 TB of S3 storage, McBride says.
In addition, Egnyte and Google are each working with Okta, which provides an enterprise single sign-on (ESSO) service, for authentication. And OnState Communications, which provides a Web-based call center, has collaborated with Google on its unified communications platform, McBride says.
GDocs is the choice for storing documents that require frequent collaboration and, for e-mail, AMAG uses Google Mail as well as Postini archiving services. Ultimately these, too, back up to the AWS storage cloud.
Neither security nor compliance gives McBride pause.
"Security is my favorite topic because I've yet to meet a single person who can show me specifically in some legitimate, substantive, concrete way that the cloud is less secure. Everybody says it's less secure, but they can't actually show me that," he says. "That's because it isn't less secure. It's the same level of security, if not more - I couldn't possibly afford the redundancy I have in place now if we went brick and mortar with this data, for example."
Protecting AMAG's data and intellectual property begins with trusting employees - as should be the case at any company, McBride says. "I've seen companies try to block every single data egress point, and you just can't do that. Once you decide you can trust your employees, the rest gets pretty easy. Our data is in a secure place protected by a secure password just as it would be if it was in our own data center," McBride says.
And to assure password security, AMAG uses Okta's on-demand ESSO service, and enforces use of a 15-character passphrase. File and data transfers are encrypted.
When it comes to compliance, McBride says that in disassociating AMAG and its personnel from respective data types, the company has effectively dealt with pertinent federal and state compliance mandates (Massachusetts 201 CMR 17, FDA 21 CR 11 and Sarbanes-Oxley Section 404).
No apps beyond this point
"On the applications side, as of 2009, IT had stopped allowing internal lines of business to buy software that wasn't available as a service, McBride says.
As an example, he cites AMAG's need for "pharmacovigilance", which, per Food and Drug Administration mandate, requires use of an adverse event database in drug safety reporting. "Most pharmaceutical companies bring this in-house, spending hundreds of thousands of dollars on servers," says McBride, speaking from more than a dozen years of experience working in biotech IT. "But we told the company we wanted to use, 'host it for us or we'll find somebody else who will.'"
Other providers in AMAG's SaaS portfolio include Concur Technologies for travel and expense reporting, EchoSign for e-signatures, Epicor (formerly Spectrum) for human resources management, Google for applications and e-mail, SumTotal Systems for learning management and Tungle for e-calendaring, to name a few, McBride says.
As much as possible, AMAG runs legacy (meaning pre-2009) workloads - mainly financial in nature - on AWS Elastic Compute Cloud (EC2) servers, of which it currently has six. AMAG also has set up a temporary, small external private cloud at a nearby collocation facility to host a couple of applications, such as its general ledger program, that it doesn't intend to support in the long term, McBride says. It maps the virtualized server running in that cloud to AWS for storage, he adds.
"This has all taken me a little longer than I would have hoped, but we're almost done moving 100% to the cloud - and the company loves it," McBride says.
"When I came here and only hired four people, the question came up, 'How are you going to run an IT department with so few people?' And I kept telling my boss, the CFO, 'You just wait and watch. We'll make this happen, and not only that, we'll actually reduce the amount of money we spend every year on IT going forward,'" McBride says.
His prediction has rung true so far. Thanks to the cloud storage, for example, McBride says his budget today is 50% lower than it was in 2008.
Getting to its ideal cloud state hasn't been easy, McBride emphasizes. "We've worked above and beyond, but that's OK because we all believe in this. It's important enough for us."