For many years, universities throughout the United States have conducted scientific research on behalf of federal government agencies across many different domains. The work that universities have contributed to our country should be both proudly recognized and intensely protected from exfiltration and use by competitors or foreign adversaries. Cyber-attacks aimed at gaining access to CUI, ITAR, EAR, and other sensitive data are at an all-time high and continue to escalate. It is now the responsibility of every part of the research supply chain to implement the technology necessary to securely research and develop these projects, which are vital to our nation's security, growth, and economy.
Enter the secure landing zone in cloud services. What is a secure landing zone? A secure landing zone is an end-to-end architecture covering every aspect of an organization's research that must be compliant, including secure endpoints (virtual or physical), networks, firewalls, logical access, identities, the data estate, monitoring, data exchange, and threat detection and response. If we think about how research is conducted, how collaboration and communication occur, and how data is exchanged with customers, all of these activities must happen in a secure manner. The requirement for DoD contractors to be audit-ready for CMMC Level 3 over the next 18-24 months has made it necessary to rethink how all of those activities happen, in a modern and secure way, without affecting the ability of research and development to proceed.
The benefit of a cloud-based secure landing zone is that it is not constrained by the organization's existing security or networking devices, threat detection tools, or identity services. When the legacy IT burden is minimized, services can be integrated more deeply to support end-users, whatever their research and development needs, from HPC, data warehousing, cognitive services, and AI, to simple collaboration with other researchers and their customers.
Stepping away from legacy and central IT can be seen as either progressive or regressive, depending on your organization. While many universities have central IT for shared or common services such as identity, virtualization, storage, and collaboration, the teams that support those services are often unable to effectively support your end-users (researchers). By adopting a standardized, secure landing zone approach, departmental IT can eliminate on-premises infrastructure, deliver more agile environments for their end-users, gain better access to direct billing and consumption information, and, best of all, provide a known compliant platform based on standards such as CMMC.
This process of creating a secure landing zone can be repeated many times throughout a department as additional research teams are formed on the basis of new awards. Having distinct zones means that one set of research data does not co-mingle with another, and compliance continues to be achieved and demonstrated. In addition to the repeatability of the process, there are opportunities for self-service deployment of additional resources. As an example, a research team working on a project over a weekend may have a breakthrough on which they want to scale up their research. Within a provider's portal, they can increase the number of HPC nodes or add batch jobs to their AI trainer. Lastly, using a secure landing zone in a cloud-based infrastructure allows better access for research partners (other universities) or customers (DoD, IC, DHS, NIH, etc.) while still maintaining the necessary security and compliance.
If your organization is keen to adopt a secure landing zone approach to providing compliant secure research access, there are two considerations to be made.
The first consideration is the type of needs the research team has. As with all cloud services, the resources within those services are billed on consumption. Having a clear understanding of just how much compute, data storage, or modeling may be done allows your organization to better describe the costs that may be incurred when you deploy a secure landing zone. In addition, if collaboration is a need, there are generally licensing costs incurred there as well.
The second consideration is the number of users that will be accessing the secure landing zone. This is linked not only to the first consideration, usage costs, but also to how users will access the data. This may be via a VDI-type environment, a direct VPN into the environment from a secured endpoint, or a mobile device that has been deemed compliant. All of these aspects have an impact on cost and on the type of deployment to be undertaken.
A cloud-based solution to this problem should be focused on the core technologies that support the secure landing zone. As outlined above, all of the components that a traditional enclave requires are still in play and must be deployed. They should be deployed and configured according to known best practices and, where it exists, CSP guidance on meeting the compliance levels necessary for your organization.
As we move past the pandemic and into a time of unprecedented need to be cyber-safe, protecting and securing the important research of our university institutions and their relationships with their customers is more important than ever. The US DoD has taken a first big step with the mandate that all DIB customers meet CMMC Level 3; however, there is much work to be done to get there. For many, that path will include deploying one or more audit-ready secure landing zones within their organization to support their ongoing programs with their customers.