17 March 2026

Secure Research Environments Phase 1: How We Move Forward

By Jason Armbruster - CLASS Consultant for Internet2

In an effort to help research and higher education (R&E) institutions navigate through cloud technologies for research, the Internet2 CLASS Program launched the Secure Research Environments series.

The series is split into three distinct phases that cover the different stages of institutional planning and execution. The first phase of the Secure Research Environments series focuses on institutional strategy and will conclude on March 31, 2026, with the “Stakeholder Identification & Governance Alignment Workshop”.

Catch Up on the Secure Research Environments Series

If you would like to review the recordings or slides from the Secure Research Environments series, please contact CLASS.


In the first phase of the series, our guest speakers helped attendees explore what research computing teams should consider when scoping secure research environments. Together, we addressed how a researcher-centered security model can accelerate (rather than impede) research, and where to take your institution from here.

Research Computing and the Path to Implementation

In a Feb. 17 webinar, guest speaker Dr. Jill Gemmill, associate vice president of Research Computing and Data at Clemson University, helped us think about the emerging research security landscape and its implications for research computing teams. 

For many research computing professionals, secure research is new territory. Jill provided a practical framework for thinking clearly about the “Who, What, Why, When, and How” of standing up a secure research environment.

Jill also laid out a leadership roadmap for getting this work off the ground:

  • Establish Authority (secure executive sponsorship and define ownership) 
  • Audit the Process (assess your current compliance posture and identify gaps)
  • Fund Sustainment (plan for ongoing operations, not just the initial buildout)

That last step is easy to overlook, but critical. Standing up a secure research environment is a commitment, not a one-time project.

Jill also flagged the Cybersecurity Maturity Model Certification (CMMC) timeline as something institutions need to take seriously now. 

CMMC requires documented evidence that controls have been operating effectively over time. You can’t certify retroactively. Without certification, your institution won’t be eligible to bid on U.S. Department of Defense contracts that require it. Waiting is itself a risk.

Keeping the Researcher at the Center

The webinar sessions in the initial Strategy phase of the Secure Research Environments series concluded with a discussion about empowering researchers through risk reduction.

Will Drake, CISO and principal security analyst at the Indiana University Center for Applied Cybersecurity Research, led a webinar on March 3 that showed that risk reduction is achieved by empowering researchers.

Researchers are often left with little to no support in translating cybersecurity regulations and requirements into something implementable. 

The solution, according to Will, is to accelerate the research mission by reducing that burden. Provide researchers with the technical and support resources they need to conduct research securely, with security baked in and made as frictionless as possible. 

Will shared Indiana University’s SecureMyResearch program as a model. Since launching in 2020, the program has handled over 1,100 cases, consulted on more than $500 million of funded research, and reached 90% of academic departments at Indiana University.

Will laid out two essential steps for building this kind of program. 

First, you must build a portfolio of pre-secured technical solutions. Select a robust third-party security baseline, apply it broadly across your research computing solutions, and leverage inheritance. Understand your researchers’ use cases, secure your existing shared systems, architect solutions for common needs, and develop workflows for edge cases. Researchers will always find a solution; the question is whether the one they find is secure.

Second, provide cybersecurity consulting and support across the full research lifecycle, from pre-award planning and budgeting through contracting, institutional approvals, project execution, and closeout. Partner with the groups that already own each stage. 

When you treat security as something you do for researchers rather than to them, adoption follows naturally.

Putting Strategy Into Practice

We encourage anyone working with institutional research security to participate in the upcoming Stakeholder Identification and Governance Alignment Workshop on March 31. 

In this workshop, we will move from learning to practice. Working in small institutional teams, we’ll walk through realistic research scenarios, from straightforward regulated projects to messy edge cases like time-sensitive requests and budget crises mid-project, to identify the people who need to be at the table and stress-test whether our governance structures can hold up under real pressure.

The goal is to leave with a clearly defined core team, a full stakeholder map, and a framework for how governance of secure research environments fits within your existing institutional compliance structures. 

Phase 1 of the Secure Research Environments series surfaced hard questions about who owns research security, how institutions organize around it, and whether current structures can hold up under real pressure. 

The March 31 workshop is where we start answering them — and Phase 2 of the series is where we turn those answers into architecture. If your institution is navigating these challenges, now is the time to get involved.

Join Us for the Secure Research Environments Series Design Phase

Beginning April 7, we are kicking off the Design phase of the Secure Research Environments series. This second phase of the series will run from April to June.

We will shift from strategy to architecture. In the Design phase, we’ll dig into what secure research environments look like in technical terms, hear from peers who have done this work, and get hands-on with security controls. 

Attendees will also learn directly from cloud providers, including AWS, Microsoft Azure, Google Cloud, and Kion, about their approaches to supporting SRE implementations.

Here is what is coming:

As a reminder, institutions that participate in all sessions within a phase receive one hour of personalized consulting (up to three hours across all three phases) with experienced community members to help launch your secure research initiative.

We still have a lot of ground to cover in the Secure Research Environments series. If you haven’t already, join us for upcoming webinars and workshops so you don’t miss everything that is ahead.

Need guidance for your secure research infrastructure design? Join Internet2 CLASS at one of our upcoming webinars and workshops in the Secure Research Environments series.
