Panel 3: Security and Privacy in Practice
- 2. UNIVERSITY OF CALIFORNIA Higher security posture; e.g. HIPAA, CUI rely on guidelines from NIST, involves implementation of technical, administrative and physical controls Overhead in securing and managing sensitive data Security: Vulnerability Mgmt., Log Management, AV/Malware Protection, IDS/IPS, VPNs/Firewalls, Management: Account Mgmt., Configuration Mgmt., Monitoring, Backup/Archiving, etc. Policies: Security Plan, Contingency Planning, Incident Response, Risk Assessment DevOps teams to build, security teams needed to define control requirements, then audit Cloud platforms offer shared responsibility model, i.e., “security of the cloud + security in the cloud” Customers manage/secure application layers, which comes with associated costs and complexity PROTECTEDDATARESEARCHINVOLVES
- 3. UNIVERSITY OF CALIFORNIA Decide if you want a large capital expense (on-prem) or an ongoing operating expense (cloud based) Specific use cases or regulatory requirements (e.g. ITAR) may also influence decisions on what to build/use Managing a compliant environment comes with a certain cost (people+infrastructure+licensing), but nobody wants to pay for it Researchers want institutions to provide a campus service, campus IT wants researchers to pay for it Sustainability comes from economies of scale, also by not duplicating capability across multiple units within an organization THEBUSINESSOFRUNNINGASECUREHOSTINGCAPABILITY
- 4. UNIVERSITY OF CALIFORNIA Learning curve of working in a secure environment (security over usability) Cloud security is improving, ecosystem of services/micro-services, scaling, automation Runaway costs if not managed well, data egress charges (low for protected data) Containers everywhere, but how can you secure them? Physical scientific equipment with protected data, end-point workstation security We are moving away from standard architectures to more of a serverless architecture Making commonly used tools like Jupiter Notebooks, GPU compute, RStudio, etc. should be made available as turnkey platforms in a secure cloud Bottomline, Make cloud services secure, easy to consume (managed) and keep costs down EVOLUTIONOFPROTECTEDDATASERVICES
- 5. UNIVERSITY OF CALIFORNIA Organizations have to educate researchers so they care about security, provide information & tools, financial support, etc. Researchers have to accept the new norm that if you are dealing with protected data, it comes with a certain overhead Partnership between researchers, contracts & grants, export control, campus IT and MSP Cybersecurity training should be part of academic curriculum If grant work involving protected data generates significant revenue (IDC), then institutions should fund an operational capability for researchers to use The need, and requirements, for data and privacy protection are only increasing, we need to adapt to this change OTHERTHOUGHTS…