Cannabis Software as a Service (SaaS) –Finding the right one is like finding a pot of gold.
It seems like every time you open the paper (do people still do that?) or open your computer to read the news there is another story about some company being hacked.
The global banking system was hacked several times this last summer. In the spring hospitals all over the country were hacked and infected with ransomware. And now for the first time a cannabis “seed to sale” software tracking system has been allegedly “hacked” and crippled by malware.
When it comes to the cannabis industry it is not just about losing sensitive data. Even being down for one day can lead to non-compliance with the government and being out of compliance can mean closing the doors and shutting down your business. Not only would it mean not getting much needed medicine to many patients but it can also mean the loss of 10’s to 100’s of thousands of dollars.
In some situations the criminal is looking for sensitive information. Sometimes it’s ransom money they expect to get in exchange for giving back the key or access to the system. In the case of the recent cannabis software system attack the motive still seems to be unclear. What is clear, however, is that if you are going to run a business in the cannabis industry you need a system that is never, ever crippled by hackers or down for any reason.
How do you ensure that you are getting the most secure and reliable cannabis software solution?
There are many new cannabis software systems out there claiming to be the best on the market. . How do you know which one is right for you? In this age of cyberattacks and data compromises your goal is to figure out which one will supply you with all of the components you need as well as utilizes the best security. When it’s time to decide which cannabis software or compliance software to have as the backbone of your business operation there are 3 Pillars of Architecture you must consider:
Data Security – Not just secure from a hack but also secure from loss of information.
System “Up-Time” – AND what happens in case of an emergency.
Compliance Capability – Is your compliance automated?
Let’s delve into each with a little more detail.
The first pillar of cannabis software is Data Security.
You want to make sure that your data is not only secure from a hack standpoint but also from a loss of information. This could be due to a system crash or downtime because of nature. There are specific points you need to consider when measuring data security:
Unique Data Silos
Military Grade Encryption Protocol SSL (secure socket layer)
A well integrated cloud system can create nearly limitless efficiencies and possibilities. All applications are managed by the server so that data is replicated and preserved remotely. The Cloud Architecture must be setup to include Point in time backups (similar to a system restore) or Continuous data protection (CDP). This would allow it to restore the system settings to a past date such as before data corruption occurred.
Because Continuous Data Protection continuously captures changes as they happen and then keeps a running recovery journal you would be able to restore your system back to a specific hour of the day. If your recovery point objective is to keep it down to the minute then this is a much more flexible any-point-in-time framework that allows you to achieve goals that are that fine tuned. All data should be contained in unique “data silos” to mitigate a compromise. Unique data silos create a type of air gap, a separate database or set of data files that are not part of an organization’s enterprise-wide data administration. This way if there were a breach or an attack they would not be able to reach the set of data that is stored in this unique silo and its information would stay intact.
Next you need to make sure your cannabis software system will create redundant backups.
These back-ups should be on multiple servers nationwide. Having multiple servers across the nation means that if the one goes down there is a seamless transition from one to another … and so on and so forth. Each silo will contain a full backup, protocols for data integrity, and disaster recovery procedures.
Military grade encryption protocol SSL (secure socket layer). Everyone uses SSL the only thing that makes it different is if the company has strict policies that they have implemented around firewalls, passwords & access control.
Lastly, they must have policies in place that include actively monitoring and auditing firewalls to ensure application security compliance. You can’t just put the firewalls in place and sit back and assume they are doing their job. They must be actively monitored for any attempt at a breech so that steps can be taken before something happens. Data centers should also have both electronic and physical security protocols.
Electronic security protocol will enable the application to be able to identify a corruption event and correct it without any intervention. Physical security refers to an actual physical person. You don’t always lose data from a system going down or being digitally hacked. Sometimes the hacking has to begin from a physical implementation from inside your establishment. For instance, a person walks in and installs a thumb drive on your system. Having physical security protocols in place will help eliminate the possibility of a data breach at the hands of a thief.
The second pillar we talk about is cannabis software Up Time.
This can be hard to quantify and most companies do like to brag about having no downtime whatsoever, however…..
Here are the most important components of making sure your software will have adequate systems in place to make sure you don’t experience any downtime.
Redundancy and Load Balancing
Availability zones worldwide
Daily preventative maintenance and diagnostics
Uninterruptible power supply units (UPS)
Once again, just like with redundant backups in data security, server farm redundancy is an important feature that will help to insure system stays up and running. You must have redundant instances that default to each other if there is a problem. For instance, ROAR cannabis software utilizes multiple server silos in the West, Mid-west, and on the East coast as well as overseas, if needed. If there were to be a problem with a silo in the West the system would immediately and seamlessly transfer to the next. Having availability zones worldwide means that in the event of a regional outage data will migrate to the next available server farm even if it means overseas. It is highly unlikely that the whole nation would go down at the same time, but….
Just like on the freeways in our major cities, computer systems can get all jammed up when there is too much traffic. Too much traffic or data overload is one of the main reasons a system crashes. This can be easily mitigated with a system that is actively balancing the loads. Load balancing improves the distribution of traffic or workloads and divides it across multiple computing resources. The system should perform daily preventative maintenance and diagnostics for load balancing and this will allow you to nip it in the bud, so to speak. This happens actively and continuously so that the system never has a chance to overload and crash resulting in loss of up-time and ultimately important data.
In case of an emergency the front end of your system must also be able to operate in Offline mode. Even if you don’t get hacked and the system doesn’t crash there still may be times when you do not have internet. The internet can go down at the drop of a hat, usually do to natural disasters caused by Mother Nature. You must be able to still conduct sales through an emergency. If the internet is down you cannot afford to have to stop doing business and close your doors because your point of sale is crippled. At these times it is essential to have software that is capable of continuing to work in offline mode and will store all data until you are able to get back online. Once back on line the data automatically syncs to the cloud and is then brought up to date so it is accurate in real time. You are still able to conduct business and your sales and tracking information is preserved so you remain compliant despite the outage.
Speaking of outages, simply losing power can result in loss of data. The architecture of any cloud service should include Uninterruptible Power Supply units (UPS). These UPS units act like a power back up. The system should not only have backup generators that are capable of running the entire server but also be equipped with huge batteries that are capable of running the entire server for hours. This type of power back up works a little differently than backup power we are used to at home. Auxiliary power, like a generator or backup battery, we might use at home will have to be turned on when the power goes out resulting in a gap of power. UPS differs in that it will provide near-instantaneous protection from power interruptions, when power from the main source fails it is able to instantly engage and keep the power supply steady and unchanged.
Finally the 3rd pillar of cannabis software, and probably the most important, is compliance.
Your software must be able to perform all of the processes you need for the specific laws of compliance in your state. But it must also be able to continue to perform them indefinitely. Here are some points to consider that will help you determine the software’s capabilities for conducting the requirements of compliance and also it’s safeguards against instances that can render you out of compliance.
Tracking and Traceability-determine your specific needs
Real time or daily synchronization
Automated compliance-does the system do the work
Automatic updates -continuously updated as rules change
The premier objective is to become compliant in the first place in each and every way that is required by the entities that govern your state or municipality. Once you’ve accomplished that your main goal will be to maintain that compliance at all times and report that information to those governing bodies.
The main objective of compliance law is to be able track and trace your every move. The software needs to be able to track your product from “seed to sale”. This means that it must be able to trace every plant and every part of the plant, whether it is sold as flower or goes into a batch to be extracted and then exactly what products those extractions were used for and who bought them. Your software will need to be able to report exactly how much product you sell in total and how much product you have sold to each individual purchaser. In many states a person or patient is only allowed to buy a certain amount of product at one time. This information is required to be reported back so that the governing bodies can make sure people aren’t buying more than what’s legally allowed and/or that a patient is not visiting multiple dispensaries and buying their full allotment from each one. It must also be capable of keeping an accurate inventory count and be able to then match your current inventory numbers with waste and sales and report the information to the government entities. These reports can be required as often as daily depending on the state where you are located. Based on the requirements you are bound by you will want to be able to specify your system to meet your unique needs. You may need your system to seamlessly integrate with the state’s system constantly in real time or once daily at the end of the day, for example.
Another thing to consider is who is doing all of this compliance auditing and synchronization? Is your system doing the heavy lifting for you and performing automated compliance? Your compliance information should be able to go directly to your state’s traceability API. Regardless of whether your state, county or city municipality requires real time or daily sync make sure that the cannabis software you choose is able to automatically generate and deliver all reports automatically to your governing entity. The last component of making sure you compliance responsibilities go uninterrupted is having a software that is continually modified to reflect any new changes in requirements. Laws and regulations in the cannabis industry are being changed and updated constantly. Some municipalities are able to create their own set of rules separate from the state. Making sure you partner with a company whose tech support is rigorously monitoring these changes and updating your software accordingly will unsure fluid adaptation to new rules when they go into effect.
Compliance isn’t only all about the tracking, tracing and reporting through the use of technology. Much of the adherence to rules and laws that impact cannabis industry compliance require measures to be implemented on premise. However, having confidence that your software system is performing all your reporting accurately, and automatically, leaves you with the time and energy to pay attention to the true focus of your business.
You can think of the first 2 pillars as the foundation for the 3rd. They are the building blocks that will help you to always remain compliant. And we’ve already determined that compliance is your premier objective. It is the one thing that allows you to keep your doors open and your business up and running. All of the elements of the first 2 pillars, security measures, redundancy, UPS units and Offline mode all help to ensure your compliance and ultimately your success.
Guardian Data Systems is known for bringing transformational technology to the cannabis industry and with ROAR Cannabis Software has taken each one of these components, pillars, to heart. ROAR was created on a mature platform explicitly for the cannabis industry.
Guardian Data Systems is comprised of a team of industry professionals from former FinCEN regulators to Risk Management Supervisors from the FDIC to tech industry pioneers. Please call us with any questions you may have about cannabis software solutions. We guarantee your satisfaction!