How backing-up sensitive data enabled the Francis Crick Institute’s COVID-19 testing and research programme

The Francis Crick Institute is a charity that aims to better understand why disease develops and translate discoveries into new ways to prevent, diagnose and treat illnesses such as cancer, heart disease, stroke, infections and neurodegenerative diseases.

It was inevitable then, that when the COVID-19 pandemic set in, 1500 researchers at the Crick adapted their usual work to lend their expertise to fight against coronavirus.

Researchers are now probing how the disease came about, studying how it is spread and developing new types of tests, as well as providing testing services to staff and patients in the NHS.

Considering the amount of sensitive information, coupled with the increase in sophisticated phishing attempts around COVID-19, the organisation's data management and back-up products have had to be up-to-scratch. James Fleming, director of IT security at the Crick, told diginomica that this was an area that had been revamped a year before the pandemic, as part of a new strategy which focused on streamlining the entire IT estate, as it was becoming burdensome and expensive.

He said:

The initial forays into the market showed we could simplify our back-up dramatically as we were running multiple different solutions at that point in time. [Cloud data management provider] Rubrik stood out, it was very simple and easy to use and commercially competitive as well. In addition, they had aspirations to do much more creative things with back-up.

The charity moved quickly; the search started at the tail end of 2018 for a new back-up provider, and by February 2019, Rubrik had been selected and implemented.

Fleming explained that while the tender process was very much about getting the best price for a back-up solution, the more the Crick engaged with Rubrik's team, the more it realised that the product involved would help change the way the company operated altogether. He said:

It expanded from the thing we run regularly and then forget about to actually being far more a part of our day-to-day operations in terms of how we keep track of all of our data estate and all of the metadata that's contained within that as well.

When the Crick first implemented Rubrik, it was an on-premise organisation. The organisation has now moved towards a multi-cloud approach. The organisation has its own data centre, a back-up data centre, and cloud infrastructure from Microsoft Azure and Amazon Web Services, with Rubrik plugged into all of these areas, giving the IT team visibility across the whole IT estate. Fleming explained:

It's improved our administrative processes and ability to keep an eye on things, the ability to recover information when necessary, has been streamlined, and some of the more sophisticated features have been incorporated into our information governance assurance, so we can make a dynamic audit of any personal information that might be stored across our estate.

This is particularly important as the company has a huge number of different databases and thousands of researchers that are generating data all of the time - so rather than having them read and sign a policy, it provides a way to audit what happens across the estate at all times, and this gives the organisation more assurance around things like GDPR compliance than it otherwise would have had.

Covid-19 has meant extra precautions

The Francis Crick Institute repurposed a lot of its lab facilities into a COVID-19 test pipeline. It has tested 50,000 NHS staff and frontline staff for COVID-19 to date, and Fleming said this took a huge cross-functional effort. From the IT side, it meant that the organisation is now handling anonymised test data, which is where Rubrik has become integral for backing-up data. He said:

It's anonymised data but it's still much more sensitive than what we normally work with - and all of the laboratory management systems it has been run on, and the results databases that we've had to build as well to interface back with NHS systems, is now assured by Rubrik straight out of the gate.

So rather than us scrubbing around to try and retrospectively fit in mechanisms to back-up the data, given Rubrik was there to back-up our VMware platform to begin with, it was there as a back-up immediately and it allowed the various teams involved to concentrate on getting the pipeline set up.

This meant that the Crick had the right level of assurance and security and its team didn't have to worry about anything going wrong. Fleming said:

It was a reassurance for our partners as well, as we were acting as a subcontractor to the NHS, so doing the right thing by the data, both the storage and recovery of it was good for them, and provided us with an extra layer of back-up and security if the absolute worst was to happen in terms of failure or a cyber-attack.

How the concept of back-up has changed

Fleming explained that in years gone by, enterprises would find it extremely difficult to find a single point where all of its data was ultimately channelled, and that businesses would end up building a number of warehouses to try and continuously consolidate. In addition, back-up provided only one purpose. He said:

Back-up was essentially a dead space, it was a cost line and you used it as you needed but you hoped you never needed to use it. The notion of actually repurposing that back-up and turning it into an asset that tells us something about the organisation and how people are behaving, what threats there might be is actually hugely powerful, because you're taking costs that were otherwise sunk into discs that were accessed once in a blue moon into a rich source of information.

The Crick has plans to use this in a number of ways. At the moment the information is being used to check for peculiar behaviour. For example, whether the back-up has grown or shrunk massively from one run to the next, which signifies that a huge amount of data is being moved from one place to another. This is flagged to Fleming's team and enables them to follow-up with a user to ask if that was what they were supposed to be doing, and thwart any further malicious activity.