1 of 12

Geert Soet

Opening Up Research Cloud Without Losing Control

2 of 12

EUR 100,000+

Nobody saw it until the invoice arrived.

Operating in the dark

3 of 12

Central IT Made a Reasonable Choice

Nobody ever got fired for choosing… Microsoft

~70-80% of spend on one hyperscaler

4 of 12

Everyone Thinks They're Unique

5 of 12

We Build the Plumbing Once

• Cloud account vending machine

• SURFconext authn/authz + SURFconext Invite (PI self-service)

• Automatic Direct Connect

• Wired into the SURF SOC

• Cloud DR + backup to SURF tape and object storage

• The same blocks on every cloud, not one per provider

• Central billing, no procurement, no surcharge

6 of 12

Trust isn't on the org chart

• Transparent: a policy they can read, not a promise

• Enforced: even SURF engineers can't read your data

• Auditable: break-glass alerts the customer

• Automated: runbooks, severity model, post-mortems, tabletop

7 of 12

Where we are now

• 3 institutions live; 10+ targeted by end of 2026

• AWS live; Open Telekom Cloud onboarding first customers

• Control plane in production: self-service onboarding + central billing

• Intake to working environment in a day

8 of 12

What We've Learned

  • €100k surprise is a missing guardrail, not a careless person
  • Match the model to the need: templated for plain compute, native + guardrails for real cloud
  • We win or lose at the intake call, not in the code

9 of 12

What’s next

  • Burst SURF HPC into AWS and other clouds through CDS
  • A second European cloud live; more providers to follow
  • Partnering on the methodology,

10 of 12

Questions / discussions

  • What would you add/change in this model?
  • Easy cloud with guardrails vs. abstracting away

11 of 12

Thank you for your attention!

https://www.surf.nl/surfcumulus

geert.soet@surf.nl

linkedin.com/in/geertsoet

12 of 12

Data boundaries

  • Layer 1: permission-set deny on SURF SSO (read / download / decrypt)
  • Layer 2: Service Control Policy blocks the same actions org-wide
  • Layer 3: customer-owned KMS key SURF cannot use
  • Break-glass: 2 engineers + MFA + 1-hour session, customer gets the alert, full CloudTrail
