Lessons learned from Architecting, Deploying, and Managing a Secure Research Cloud

May 22, 2025

James Monek, Director, Technology Infrastructure and Operations

History

  • Lehigh University added 5th College - College of Health
    • Officially opened August 21, 2020
  • HST building opened in Fall 2021
  • Researchers will bring and/or have access to massive amounts of data
  • Secure Research Cloud (SRC) went live in 2023

Current Types of Research and Data

  • 6 researchers utilizing Secure Research Cloud
    • 9 in the pipeline
  • HIPAA Limited Data Sets
    • Medicare Claims Data
    • Data from Healthcare providers
  • Other protected data

Secure Research Cloud (SRC) Data Flow

Culture changes

  • Infrastructure as Code (IaC)
  • Documentation
    • Document our architecture
    • Document our operations and procedures

HIPAA Audits

  • HIPAA External Audit - 2022
  • HIPAA Internal Audit - 2024

Artifacts sent to audit firm

  • SRC Architecture Drawings
  • NIST 800-171 Worksheet
    • https://rc.byu.edu/171tool
  • SRC Operations Manual
  • Lehigh Information Security Standards
  • LTS Incident Response Standard
  • LTS Incident Response Procedure
  • LTS Security Incident Response Tracking Procedure
  • LTS Backup Standard
  • LTS Change Management Standard
  • LTS Change Management Procedure
  • LTS Vulnerabilities Management
  • User Accounts Policy
  • Computing Accounts Policy
  • LTS Security Awareness and Training Standard
  • DR/BCP Procedures

Lessons Learned

  • Conduct audits and pentests
  • Documentation!
  • Be mindful of the non-technical controls
  • Continuous Improvement
  • Logging data fatigue
  • Balancing using native cloud monitoring tools vs current tooling
  • Dealing with changing requirements
  • Don’t be the department of NO and don’t be too restrictive
