In early 2020, scientists at the Francis Crick Institute in London, Europe’s largest biomedical research facility, suddenly found themselves facing what may prove to be the toughest challenge of their careers in the shape of a largely unknown new coronavirus – likely linked to bats – that made the leap to humans somewhere in China late in 2019.
The Sars-CoV-2 pathogen, and Covid-19, which is strictly speaking the infection it causes, required an urgent and concerted cross-disciplinary research effort, and the Crick – as it has become known – stepped up, leading on the development of new testing methods and seeking answers to questions such as why some cases of Covid-19 are so much worse than others, how the virus interacts with human cells, how it spreads through human populations, and how it affects people who have pre-existing conditions.
Fortunately, the Crick also had a pre-existing condition – a partnership with data management company Rubrik, which came on board as part of a cloud-first journey, tasked with protecting its backups and recovery data, and ensuring optimal cyber security resilience in a highly complex threat landscape. Academic institutions are, after all, tempting targets for cyber criminals alike.
Medical researchers need data protection nous
To understand how Rubrik’s involvement has kept the Crick secure – and kept it from appearing in Computer Weekly as a cyber attack victim rather than a case study – we must first backtrack a few years and learn a bit more about the institute itself.
A joint partnership between Cancer Research UK, The Wellcome Trust, Imperial College London, King’s College London, University College London and the Medical Research Council, the Crick was a policy initiative set up in 2007 under Gordon Brown’s government, but formally opened its doors in 2016.
Its mission is to discover the biology underpinning human health, improve the treatment, diagnoses and prevention of disease, and generate economic opportunities for the UK.
James Fleming, director of ITS at the Crick, joined in 2018 and was tasked with putting together a new ICT strategy. Even though the centre was only two years old at that point, he found it was already starting to struggle with complexity.
“We have a great team but we are lean, and IT is not our core business. We were at risk at that point of ending up with too many competing systems and solutions, a lot of which had been put in quickly to facilitate migration to the new facility,” he says.
“So one of the key pillars of that strategy was simplifying to do more – we realised we were going to have to get a handle on a lot of the back office IT functions, backup evidently being one of them, and we needed to find new solutions that brought data management together, brought simplification and reduced costs.”
With the understanding that the way forward in this regard was through a hybrid cloud strategy, this was the beginning of the Crick’s engagement with Rubrik, which, according to Fleming, immediately ticked both of his boxes in terms of simplifying the centre’s existing backups and future-proofing them.
For a medical research body, it should be clear why data backup and protection is such a crucial plank of a wider IT strategy.
“Unlike a large corporation, we have a massively heterogenous data environment with pretty much every single sort of database technology you can possibly think of,” Fleming tells Computer Weekly.
“We’ve got multiple different data types sitting within that – such as relational and non-relational – and we’ve got a user community that is pushing the boundaries of science, and therefore doesn’t like to conform to policies and rules very much.
“I have to try to provide security and assurance without getting in their way, without interfering, and without introducing onerous centralised or limiting policies,” he says. “We want security to happen and then, for the most part, them not even to be aware of it. But when we do have an issue with data loss or something like that, we’ve got the fence in place. That was our number one design consideration.”
The Crick deployed Rubrik’s Cloud Data Management platform in 2019. A single software platform, the service is designed to deliver data backup, instant recovery, archiving, search, analytics, compliance and copy data management in a single secure fabric in clouds, at the edge, or on-premise.
James Fleming, Francis Crick Institute
The initial install and data discovery process was relatively straightforward, largely because the Crick is a young institution and so there were few nasty surprises lurking on its network. This is not to say there were none, but mostly they were not malicious threats, more the handiwork of people who had made up their own ad hoc solutions.
“Had we been five or 10 years down the line, it would have been a very different conversation, so it allowed us to get in there early before things became unmanageable,” he says.
Fleming immediately found a reduction in administrative load – he had just replaced five different solutions with one pane of glass, so this is perhaps not so surprising.
He then found he was starting to understand the behaviour of the Crick’s data in a way he hadn’t been able to before.
“It had been impossible for us to identify what normal looked like, and hence what anomalous might look like,” says Fleming. “As it turns out, what’s anomalous in a corporate is actually normal in science – you get large amounts of data being moved around all the time, completely legitimately – it might be someone moving from an instrument database to an analysis environment, for example.
“Having that single pane of glass afforded us a lot more intelligence in how we viewed and managed and structured our data, and that led us down the path of starting to realise more value from the product.”
For example, once Fleming could understand what types of data the Crick was holding and interrogate it properly, he could find out if someone was storing personal data somewhere they shouldn’t be, and could then go and have a quiet, proactive conversation about security with them before it became a problem.
“It’s immediate, it’s simpler to do, and we realise benefits in terms of operational intelligence later on,” he says.
Fleming also credits Rubrik with turning a relatively unexciting part of the IT stack into something that is delivering value to the organisation. “The thing we have really enjoyed about Rubrik is that it has turned what would otherwise be a dead cost in our estate – which backup often is – into a management asset for us,” he adds.
Covid-19 no cause for panic
Even though medical organisations such as the Crick are more alert to the threat of a global pandemic than the average corporate enterprise, the Covid-19 pandemic blew up in Fleming’s face just as much as it did for any other IT leader.
“Obviously the organisational shock to the system was moving from a largely nine to five operation with everyone in the office environment to everyone’s working remotely in common with just about every other organisation on the planet,” he says.
“But what was unique to our environment was that we then decided to respond in two ways. One was repurposing large chunks of the lab into a Covid-19 test pipeline, which I think has now run over 60,000 tests for NHS staff, and we are continuing to do that on a regular basis. That involves setting up a whole new set of protocols, daisy chaining various systems together, interfacing to the NHS, and so on.
“The second wave of that was a lot of our labs turned their attention to Covid-19 research. What makes the Crick unique is that we have a huge variety of different disciplines, we’re not focused on a particular disease or a particular methodology. We look at a spectrum. That meant there were quite a few different labs that were able to focus on different aspects of Covid research.”
What did that mean from a cyber security perspective? Like any other organisation moving into a remote-by-default paradigm, Fleming had a novel threat environment to consider, but in many regards he was already well set-up, having already put in systems that could facilitate remote working.
“What was there previously was very much focused on people interacting with each other within the bounds of the Crick, as opposed to conceding we are a node in a global network of scientists. When you collaborate internally, you will always want to collaborate externally as well,” he says.
“So we had Dropbox, we had Slack, we had Zoom, we had all those various pieces in place, and we have the right security wrap around them, and then with Rubrik we were able to backup data over the top of it, so to cover off the shift to remote we were actually in a pretty good place.”
Other investments in foundational cyber security over the past two years have also left the Crick in an advantageous position to weather the storm without a major incident.
“We started upgrading our security a long time before Covid-19 struck. So, it was more a case of leaning more heavily on the things we had in place, rather than needing to scramble to put new assets in place,” says Fleming. “It’s been a case of upgrading and monitoring and watching a lot more closely. But we had a lot of the right foundations in place to begin with.”
This has been enhanced by Rubrik’s platform bringing the Crick increased visibility over its data and reducing sensitive data exposure, providing an extra layer of protection against the increased risks presented by the current cyber security landscape.
“Rubrik has given us the last line of defence and the assurance that should the worst happen, we do have that immutable backup and recovery mechanism in place to allow us to get back on our feet,” Fleming concludes.