As with any connected organisation, there’s a balance to be struck between operational freedom and security. Responsible for determining that equilibrium is chief information security officer and head of networks, Guy Morrell.
In the case of a research centre such as the Francis Crick Institute, that means enabling its biomedical researchers to safely collaborate and analyse large amounts of sensitive data, sometimes across international borders.
The Crick generates about 2.5PB of scientific data each year, most stored in its on-premises high-performance compute cluster. Labs and operational teams also use an expanding array of cloud services.
“Our research data has been non-clinical or pseudonymised, but that’s changing. Increasingly, clinical scientists are using computational modelling and machine learning to transform our understanding of the causes of and treatments for diseases such as cancer.
“We have a legal and ethical responsibility to keep data safe, so our security strategy focuses on making sure that the right people have access to the right data.
“We must provide our scientists with secure, well-understood systems, where it's not easy to accidentally share the wrong data and there is an audit trail to show who shared what and with whom.”
The pandemic, of course, made all that more difficult. Morrell and his team had to move fast to make it as easy and safe as possible for scientists to continue their work from home, while supporting those who continued to work in the building.
Accelerating the roll-out of multi-factor authentication (MFA) was key. So too was a solid virtual private network (VPN) and effective collaboration tools. The office/remote working paradigm was turned on its head, and it took creative thinking to launch a new VPN service with 50 times the previous capacity in late March 2020.
Moving to cloud collaboration tools made scaling them to the whole organisation far simpler, leaving Crick staff to focus on supporting and embracing the new ways of working rather than on technology problems.
Ransomware as a driver for change
Morrell considers ransomware to be the biggest current risk to the Crick.
“Ransomware’s global media coverage over the last year has focused attention on security. ‘Ransomware as a Service’ is a reality we all need to get to grips with; the barrier to entry is far lower than five years ago. Fear is not a good catalyst for change but at least staff at every level are aware that it is a serious issue.
“Changing working practices to improve security can be challenging, but our scientists and operations teams are open to this if the data supports it. Two strategic priorities are science and operational excellence, both of which, of course, include security.
“This is excellent as we have a strategic imperative from the highest level to be secure by design and a culture where staff are willing to listen, engage and work with us to continuously improve.”
That doesn’t mean a bottomless security budget, however. Morrell explains:
“I need to evidence where the gaps are, provide a compelling business case for change – and justify every pound we don’t spend on science.”
To help instil a feeling that security is everyone’s responsibility, Morrell enlists fellow leaders.
“It’s important to empower directors to understand and mitigate the risks in their department. It's not helpful simply to provide a list of things that need fixing, patching or replacing. That kind of overload can be paralysing, so I help them prioritise.
“I’ve developed a patching policy, formalising staff roles and responsibilities to minimise risks associated with unpatched devices. Regular network scans identify at-risk devices, including scientific equipment. If they can’t be patched or replaced, we move them to an untrusted zone, which provides the minimum viable level of network access for them to function.”
A similar ‘least privilege’ principle applies to network access for users.
“Authenticated non-Crick devices get ‘untrusted’ network access with limited access to internal services - just the things that a typical user would need. Access rights are appropriate to the device used and individual job requirements. This lowers the potential ‘blast radius’ if there are problems.”
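One way to make that zone placement and “minimum viable access” concrete, as an added example for this page rather than the Crick’s own configuration: a small policy-as-code script that decides a scanned device’s disposition (patch, replace, or move to the untrusted zone), rejects any required flow that is broader than a single destination host and an explicit port, and renders the resulting per-device nftables accept rules with a default drop for the zone. The device records, the untrusted-zone address range 10.50.0.0/16, the destination hosts and the disposition rules are all constructed assumptions.

```python
"""Illustrative zone placement and minimum-viable network access.

Added example for this article; it is not the Crick's configuration.
Zone range, device records, destination hosts and the disposition
rules are constructed assumptions used to show the policy.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed address range of the untrusted zone (not from the article).
UNTRUSTED_NET = ip_network("10.50.0.0/16")


@dataclass(frozen=True)
class Device:
    name: str
    ip: str
    patchable: bool    # vendor updates can still be applied
    replaceable: bool  # a supported replacement is available
    needs: tuple = ()  # (destination host, protocol, port) flows it must have to function


def disposition(d: Device) -> str:
    """Patch if you can, replace if you must, otherwise isolate."""
    if d.patchable:
        return "patch"
    if d.replaceable:
        return "replace"
    return "untrusted"


def violations(d: Device) -> list:
    """Flows broader than minimum viable access for an isolated device:
    the source must sit in the untrusted range, each destination must be
    a single host, and the port must be explicit TCP or UDP."""
    bad = []
    if ip_address(d.ip) not in UNTRUSTED_NET:
        bad.append(("source", d.ip, "outside untrusted zone"))
    for dst, proto, port in d.needs:
        if ip_network(dst, strict=False).num_addresses != 1:
            bad.append((dst, proto, port))          # whole subnet requested
        elif proto not in ("tcp", "udp") or not 1 <= int(port) <= 65535:
            bad.append((dst, proto, port))          # no explicit port
    return bad


def render(devices) -> list:
    """nftables forward-chain rule bodies for the untrusted zone:
    one accept per enumerated flow, then drop everything else.
    Fails closed: an over-broad request aborts rendering."""
    rules = []
    for d in devices:
        if disposition(d) != "untrusted":
            continue  # patched or replaced devices are not governed by this zone
        bad = violations(d)
        if bad:
            raise ValueError(f"{d.name}: flows exceed minimum viable access: {bad}")
        for dst, proto, port in d.needs:
            rules.append(f"ip saddr {d.ip} ip daddr {dst} {proto} dport {port} accept")
    rules.append(f"ip saddr {UNTRUSTED_NET} drop")
    return rules


# Constructed scan inventory (hypothetical devices and destinations).
SAMPLE = [
    Device("seq-01", "10.50.1.10", patchable=False, replaceable=False,
           needs=(("10.10.0.5", "tcp", 445),)),       # writes runs to one file share
    Device("microscope-03", "10.50.1.11", patchable=False, replaceable=False,
           needs=(("10.10.0.7", "tcp", 22),)),        # pushes images to one SFTP host
    Device("ws-42", "10.10.4.20", patchable=True, replaceable=True),
    Device("hplc-02", "10.50.1.12", patchable=False, replaceable=False,
           needs=(("10.10.0.0/24", "tcp", 445),)),    # asks for a whole subnet: rejected
]

if __name__ == "__main__":
    for d in SAMPLE:
        print(f"{d.name:14s} -> {disposition(d)}")
    for rule in render(SAMPLE[:3]):
        print(rule)
```

Run as-is it prints each device’s disposition and the rule bodies for the first three devices; rendering the full list raises on `hplc-02`, because a device that cannot be patched gets exactly the flows it needs to function and nothing else, and an over-broad request fails closed rather than quietly widening the blast radius.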
Human error is one of the biggest risks, so mandatory training, published policies and guidance are in place for all staff. Security tips are often included in internal communications and policies clarify the responsibilities of managers and individuals.
Fortunately, Morrell notes that:
“Scientists understand the importance of keeping their data secure. Nobody wants a national newspaper headline about a data breach.
“Many of our staff are early-career and tech savvy, but there's always room for further education. Ideally everyone will be empowered to do their jobs without fear of contravening regulatory compliance and experienced enough to know when something seems ‘phishy’.”
Pros and cons of scanning
Weekly network scans are useful, says Morrell, but only if the findings are acted on, so he and his team triage vulnerabilities to identify the ones that matter most.
“Scanning can create overwhelming ‘noise’ – apparent problems which make little difference to risk. Our vulnerability triage group meets regularly to assess genuine risk of emerging threats so that these can be prioritised.”
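A scoring pass that a triage group could run over weekly scan output before it meets, as an added illustration and not the Crick’s tooling: it drops informational findings, collapses duplicate hits on the same host, and ranks the rest by severity scaled for where the host sits, what it is, and whether the flaw is being exploited in the wild. The findings, zone and asset weights, exploitation multiplier and threshold are constructed assumptions.

```python
"""Illustrative triage of weekly vulnerability-scan findings.

Added example for this article; it is not the Crick's or Jisc's tooling.
Findings, zone names, weights and threshold are constructed assumptions
chosen to show the prioritisation, not values from the text.
"""
from dataclasses import dataclass

# How much a host's location amplifies a finding's risk (assumed weights).
ZONE_EXPOSURE = {"internet": 1.0, "untrusted": 0.6, "trusted": 0.3}
# How much the asset class matters to the organisation (assumed weights).
ASSET_WEIGHT = {"hpc": 1.0, "lab-instrument": 0.7, "workstation": 0.5}
EXPLOITED_MULTIPLIER = 2.0  # applied when the flaw is exploited in the wild


@dataclass(frozen=True)
class Finding:
    host: str
    zone: str        # network zone the scanner reached the host in
    plugin: str      # scanner check that fired
    cvss: float      # base severity reported by the scanner, 0.0 to 10.0
    exploited: bool  # e.g. listed in a known-exploited-vulnerabilities catalogue
    asset: str       # asset class of the host


def is_noise(f: Finding) -> bool:
    """Informational findings carry no risk and only clutter the queue."""
    return f.cvss <= 0.0


def score(f: Finding) -> float:
    """Severity scaled by exposure, asset value and active exploitation."""
    s = f.cvss * ZONE_EXPOSURE[f.zone] * ASSET_WEIGHT[f.asset]
    if f.exploited:
        s *= EXPLOITED_MULTIPLIER
    return s


def triage(findings, threshold: float = 1.0) -> list:
    """(score, host, plugin) tuples at or above the threshold, highest first,
    after dropping informational noise and repeated hits on the same host."""
    seen = set()
    ranked = []
    for f in findings:
        key = (f.host, f.plugin)
        if is_noise(f) or key in seen:
            continue
        seen.add(key)
        s = score(f)
        if s >= threshold:
            ranked.append((s, f.host, f.plugin))
    return sorted(ranked, key=lambda r: r[0], reverse=True)


# Constructed sample scan output (hypothetical hosts and results).
SAMPLE = [
    Finding("hpc-login-01", "internet", "OpenSSH outdated", 7.5, False, "hpc"),
    Finding("hpc-login-01", "internet", "OpenSSH outdated", 7.5, False, "hpc"),  # duplicate
    Finding("hpc-login-01", "internet", "TLS certificate details", 0.0, False, "hpc"),  # informational
    Finding("seq-01", "untrusted", "SMBv1 enabled", 8.1, True, "lab-instrument"),
    Finding("ws-42", "trusted", "Browser plugin out of date", 9.8, True, "workstation"),
    Finding("ws-07", "trusted", "Missing OS patch", 5.3, False, "workstation"),
]

if __name__ == "__main__":
    for s, host, plugin in triage(SAMPLE):
        print(f"{s:5.2f}  {host:14s}  {plugin}")
```

With these weights an internet-facing HPC login node carrying a non-exploited 7.5 outranks a trusted-zone workstation with an exploited 9.8, and a 5.3 on a trusted workstation falls below the threshold altogether. Whether that ordering is right is precisely the judgement the triage group exists to make, so the weights should be the group’s, reviewed as threats emerge, rather than the script’s.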
Research in the cloud
Most operational systems have moved to the cloud, and Morrell reckons this will play an increasing role in research.
“Crick scientists collaborate globally, so we are working to create a ‘cloud trusted research environment’. It's a collaboration platform where each research cohort within a study uploads data they want to share for secure processing and analysis.
“Imagine if all the studies into the effect of COVID-19 on patients with cancer pooled their research data. Combine that with the benefits of modern data analytics using machine learning or artificial intelligence and this could transform scientific collaboration.
“Cloud-based research will solve some of our long-standing challenges: how to safely share data among many different people; how to give control to those who own the data to only share what they want to; and yet give them access to other data that people are sharing in a standard way across multiple countries and institutes.
“Another advantage of cloud is that, unlike on-premises services, which are at the cutting edge only at the point of sale, cloud services are constantly evolving, so we always have access to the latest technology.
“On-premises data centres won’t disappear – especially if institutions generate as much data as the Crick – but it’s likely cloud computing will become more prevalent in the research arena, with hybrid compute clusters, cloud-native science pipelines and digitally transformed operations being the new normal.”
To sum up, Morrell says:
“Security is about continuous improvement. It’s about finding the sweet spot between locking down and operating smoothly and that takes a lot of time and energy to determine and get right.”
Guy Morrell is speaking at the free-to-attend Jisc security conference (9-11 November). Registration is open now.