Enabling a Robust Infrastructure Architecture with Comprehensive Security Controls for Medical Research


UCSF’s self-managed data centers no longer offered the capacity or performance needed to store vast research data.


ClearScale implemented a “secure envelope” consisting of separate AWS accounts to enable safe and compliant data use.


UCSF School of Medicine now has an IaaS platform with faster delivery speeds, better security controls, and increased capacity.

AWS Services

AWS Config, Amazon CloudWatch

Executive Summary

One of the overarching benefits that cloud solutions provide is the ability for customers to quickly provision and scale up their implementations rapidly due to expected or real-time demand. Like many organizations that had a tremendous growth through the last few decades, the University of California, San Francisco (UCSF) School of Medicine built and maintained large data centers to operate research and patient care related applications. The self-managed data center has finite resources and lengthy processes for the procurement and deployment of additional capacity.

UCSF’s mission is dedicated to "advancing health worldwide." The IT leadership team identified that a key technical capability to increase their velocity towards this mission was the ability to quickly deploy transient environments with high compute and storage requirements. The platform for this capability would need to be secure, agile, and cost-effective. The goal was to deliver actionable results that impact real patient outcomes.

The Challenge

UCSF wanted to see if there was a way to move into the cloud since the benefits were so compelling. However, their biggest area of concern was security. Because the research data they were utilizing was medical in nature and contained Protected Health Information (PHI), UCSF was required to adhere to HIPAA regulations and subjected them to high levels of internal scrutiny and the NIST Security Framework. They reached out for assistance from AWS Premier Consulting Partner ClearScale with the organizational policies and procedures which ultimately would allow them to have ClearScale design an appropriate architecture that provided tight security controls while still allowing UCSF to have easier provisioning and deployments.

The ClearScale Solution

The design that UCSF chose to implement for this capability was referred to internally as the "secure envelope." Several IT functions were compartmentalized into separate AWS accounts (SecOps, DevOps, Remote Access, and Data Storage) to increase security posture and reduce blast radius. The "secure envelope" services enabled research users to quickly deploy their own environments that were automatically integrated with security and compliance controls. UCSF created an account vending machine model.

In this model, new research deployments were created in unique accounts for isolation. All of the research deployments automatically use approved AMIs and all services are connected to the appropriate controls in the SecOps account. Researchers had the freedom to configure, and iterate through application deployments using configuration management tools. With this design, research projects can be deployed quickly and comply with a set of predefined security services. All controls were identified and mapped to the NIST Framework to address HIPAA requirements.

The Benefits

This collaborative approach with AWS Premier Consulting Partner ClearScale enabled UCSF School of Medicine to increase infrastructure delivery speeds by 90x by using the AWS Infrastructure-as-a-Service (IaaS) platform. Not only did it reduce time to deliver the necessary infrastructure, but it enabled bursts in capacity to handle transient workloads at a variable cost. Security teams can manage controls across the organization, reduce overall risk, and protect patient data. Researchers have been able to take their ideas into action on day one. The ultimate result is that UCSF has pushed the limits again towards their mission of "advancing health worldwide."