Colleges and universities conducting research for government agencies must protect data from competitors and adversaries. Secure landing zones control access while maintaining security and compliance.
For many years, colleges and universities across the United States have conducted scientific research on behalf of federal government agencies spanning many different domains. The work that higher education institutions have contributed to our country should be proudly recognized and intensely protected from exfiltration and use by competitors or foreign adversaries. Cyberattacks aimed at gaining access to controlled unclassified information (CUI), data or documentation covered by the International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR), and other sensitive data are at an all-time high and continue to escalate. All parts of the research supply chain must be responsible for implementing the technology necessary to ensure the security of research and development projects that are vital to our nation's security, growth, and economy.
Enter a secure landing zone in cloud services.
What is a secure landing zone? The secure landing zone represents an end-to-end architecture for all aspects of an organization's research that are subject to compliance requirements. A secure landing zone includes secure endpoints (virtual or physical), networks, firewalls, logical access, identities, the data estate, monitoring capabilities, data exchange, and threat detection and response. All of the activities associated with the research process, including collaboration, communication, and data exchange with customers, must happen in a secure manner. The need for US Department of Defense (DOD) contractors to be audit-ready for Cybersecurity Maturity Model Certification (CMMC) Level 3 over the next eighteen to twenty-four months has made it necessary to rethink how all of those activities happen in a modern and secure way while not affecting the progress of research and development initiatives.
The benefit of using a cloud-based secure landing zone is that it is not constrained by the limitations of current security or networking devices, threat detection, or identity services. Minimizing the legacy IT burden allows for a deeper integration of services to support end users, regardless of their research and development needs, from high performance computing (HPC), data warehousing, cognitive services, and AI, to simple collaboration with other researchers and their customers.
Stepping away from legacy systems and the central IT organization generally can be thought of as progressive or regressive, depending on your institution. While many colleges and universities have central IT organizations for shared or common services such as identity, virtualization, storage, and collaboration, the teams that support those services are often unable to support their end users (researchers) effectively. By utilizing a standardized, secure landing zone approach, IT departments can eliminate on-premises infrastructure, deliver more agile environments for their end users, enable better access to direct billing and consumption information, and, best of all, provide a known, compliant platform based on standards such as CMMC.
This process of creating a secure landing zone can be repeated many times throughout a department as additional research teams are formed. Having distinct zones means that one set of research data does not commingle with other research data and that compliance can be continuously achieved and demonstrated. In addition to the repeatability of the process, opportunities also exist for self-service deployment of additional resources. For example, a research team may be working on a project during a weekend, have a breakthrough, and want to scale up research right away. Within a provider's portal, the researchers can increase the number of HPC nodes or add batch jobs to their AI trainer. Using a secure landing zone in a cloud-based infrastructure also allows an organization to provide better access to its research partners (other universities) or its customers (DOD, US Intelligence Community, US Department of Homeland Security, National Institutes of Health, etc.) while still maintaining the security and compliance that is necessary.
If your organization is keen to adopt a secure landing zone approach to providing compliant, secure research access, consider the following two factors.
Organizations should first consider what type of needs the research team has. As with all cloud services, the use of resources within those services is based on consumption. Having a clear understanding of how much computing, data processing, or modeling may be done allows your organization to better describe what costs may be incurred when deploying a secure landing zone. If collaboration is needed, there are generally licensing fees associated with that as well.
The second consideration is the number of users who will be accessing the secure landing zone. This is linked to usage costs, but it also impacts how users will access the data. This may be via a VDI-type environment, a direct VPN into the environment from a secured endpoint, or a mobile device that has been deemed compliant. All of these aspects have an impact on cost and type of deployment.
A cloud-based solution should be focused on the core technologies that support the secure landing zone. As outlined above, all the components of a traditional enclave are still in play and must be deployed. These should be deployed and configured based on known best practices and, where it exists, Cloud Solution Providers' (CSP) guidance on meeting the compliance levels necessary for your organization.
As institutions move past the pandemic and into a time of unprecedented need to be cyber-safe, protecting and securing the important research of colleges and universities and their relationships with their customers are more important than ever. The DOD has taken a big first step with the mandate that all Defense Industrial Base customers meet CMMC Level 3; however, much work needs to be done to get there. For many, that path will include the deployment of an audit-ready secure landing zone (or zones) within their organization to support ongoing programs with their customers.
An earlier version of this article was previously published as "Protect University Research Using a Secure Landing Zone," Perspectives (blog), Planet Technologies, August 12, 2021.
© 2021 Planet Technologies.