Ensuring security and efficiency for $628 million in annual research isn’t easy, but Rich Mendola, the enterprise CIO at Emory University, is confident his team has found a way to get what it needs through the cloud.
Mendola, speaking at the Amazon Web Services (AWS) Public Sector Summit in Washington, D.C., on Wednesday, told the audience how he and his team transformed the university’s research platform with cloud tools — beginning with security.
“We thought long and hard about ‘do we want to be in this business’ and we just couldn’t see a way not to be in this business, at least until we get a cost effective third party or AWS solves the space,” he added.
That “business” is protecting researchers and their data online in a way that preserves the ease of access to their projects and platforms that they are familiar with, Mendola said. Researchers at Emory, a private university in Atlanta, were already using some tools from AWS, but a comprehensive platform didn’t exist that secured them from financial fraud or sensitive data leaks from the start to finish of a project.
“We have researchers who, if we don’t offer something, will just use their credit card with no controls, and they’re gonna get in trouble, and we’ll be on the front page of the paper — not them,” he said. “We had researchers putting private keys into GitHub,” a code repository, “and we started to realize ‘our solution will fix that’ — they won’t be able to do that in our solution.”
“We were trying to be proactive,” Mendola told EdScoop, explaining the impetus for the project. He affirmed that the undertaking — which he and his core team of three software developers at the university started around 18 months ago — will place Emory ahead of the pack in the IT space of higher education research when it launches in August.
The university has already spent $750,000 in total and expects an additional annual cost of $100,000 for its platform, but feedback, at least in the conceptual stage, has been positive.
Getting in more quickly
Researchers had previously been able to set up a research environment on Emory’s platform in 10 minutes, so Mendola and his team — along with an in-house AWS developer hired by the university — set a goal of guiding a researcher through an initial access process in eight minutes. Mendola and his team ended up automating a 48-step process to fit within the eight-minute constraint, strengthening security along the way.
“We needed to create a set of security risk detectors and controls to put in place,” Mendola said. Within the new platform, the researcher is now prompted to answer security-specific questions, such as whether their research will be HIPAA compliant or whether they will be handling otherwise sensitive data. That’s on top of other, built-in security measures. “A simple one is ‘if you’re in a HIPAA environment, we’re never going to allow you to create an S3 bucket that’s not encrypted,’” Mendola added.
The new platform also ties in financial and administrative security measures. Instead of using their own credit card every time they procure a service, researchers will be integrated directly into Emory’s financial accounting system so they can simply input the account code on their grants to pay for a service or tool. Even earlier in the process, Mendola said, he and his team implemented a single sign-on tool to ease the authentication process for researchers.
Mendola also emphasized that Emory didn’t want to build the system for itself. His team built it so it could be replicated or modified if other universities wanted to operate similar platforms.
“We realize that not everybody is going to have the same service desk, the same financial accounting system, the same identity management system,” he said, “but the architecture was really built to show that we could pull one of those out, put another one in and it wouldn’t be that hard.”
He also hinted at a partnership with other universities to offer the basis of a similar platform.
“Given the costs associated with this, one of the things we’re trying to do in the higher ed community right now is to build a consortial effort so that other universities can join us in continuing to expand the number of services certified and offered with AWS and eventually to take this to other cloud providers as well, knowing that we’re going to get pressure eventually to have the full complement of services across all providers.”