Building a Production-Ready Barts Health Secure Data Environment Tooling, Access Control, and Cost Governance_.pptx
- 1. Barts Health Data Platform Author: Tony Wildish, Idowu Samuel Bioku, Evan Hann, Steven Newhouse, Benjamin Eaton, Ruzena Uddin, Francene Clarke-Walden. Building a Production-Ready Barts Health Secure Data Environment: Tooling, Access Control, and Cost Governance Presenter: Idowu Samuel Bioku. STEP-UP RS London 2025
- 2. Background Barts Health Data Platform? The Barts Health Data Platform (BHDP) is an integrated health data analytics platform. Provides a Data Portal for researchers to apply for access to research ready NHS patient data. A Secure Data Environment (SDE) for researchers to find insights from the data they have been authorised to access. Provides researchers and clinicians access to the data we hold on patients in East London. Why build a Secure Data Environment? SDE is crucial to health research with sensitive data. It satisfies the obligation to keep it safe, legally compliant, protected, and with the right tooling. ü Security and Integrity of Data. ü Build public trust over data handling. ü Compliance and Legal Requirements. ü Tooling to help researchers get started with significantly reduced overhead. ü Give researchers freedom to use wide variety of tools (VMs, SQL, AI/ML).
- 3. The SDE is built upon Microsoft Azure's Trusted Research Environment (TRE) The AzureTRE is an open-source accelerator template that provides the core architecture for secure data environment. Benefits of AzureTRE ü Integration with the Microsoft Entra ID. ü Core Infrastructural templates (Terraform). ü Core security architecture. ü Flexibility and ease of integration with latest technologies. Need for production-level enhancements ü Support for Large-Scale Research: Barts Health's need to operate at scale of up to 150 concurrent projects to accommodate wider scope research. ü Ensuring Data Security and Compliance: As a leader in secure research environments, it’s critical to ensure data security and compliance. ü Operational Efficiency and Cost Control: Enhanced tooling for monitoring and resource management allows better cost optimization and resource allocation, keeping the platform sustainable as usage grows. ü Timely Support for Researchers: Technical support must scale to quickly resolve issues and minimize downtime.
- 4. What we have done Secure Data Connection to Research Workspaces Secure Azure Data Factory linked service. To enable secure transfer of approved research data. Cost transparency and management Granular project by project cost tracking over the full project lifetime (up to 3 years or more) . Highly Visible and transparent costing. Research use cases demand secure, scalable, and customised environments. Custom VM images ü Pre-installed software and configurations tailored to research needs. ü Ensures consistency and faster provisioning across multiple projects and OS flavours. ü Regular updates as well as easy and fast deployment of new tools.
- 5. Customised VM Images (1) The customised VM images include pre-installed and pre-configured set of software and configurations tailored to research needs. Custom Images: ü Windows 10 ü Windows 11 ü Windows Server 19 ü Ubuntu 22.04 ü Ubuntu 24.04 Pre-installed software, configuration and setup Dev Tools: Python, Anaconda, R, RStudio, VS Code, DotNet, GIT. Machine Learning Tools: Jupyter Notebooks, Azure Data Studio. DB Tools: MySQL, PostgresSQL DBeaver, SSMS, Storage Explorer DICOM viewers: Radiant, Spyder General: Google Chrome, FireFox, LibreOffice
- 6. Tailored for: Machine Learning • Pre-installed ML frameworks optimized for GPU and CPU workloads. • Integrated libraries for data preprocessing, feature engineering, and model deployment. • Configured with GPU for accelerated training. Medical imaging • Includes specialised imaging software and toolkits e.g. DICOM viewers. Default Images Our Solution – Custom Images Deployment of new VMs takes time Faster deployment of new VMs Lack of research dependent software Availability of research dependent software Inability to control updates to images Can control updates to images and pre-installed software Why build custom images? Customised VM Images (2) Impact ü Faster Deployment. ü Consistent environments. ü Faster onboarding. ü Access to varieties of tools. ü Faster research.
- 7. Secure Data Connection to Research Workspace Each research workspace is configured to ensure data access and transfer from the Analysis Data Core. Azure Data Factory: ü Enables automated and monitored data pipelines that transfer requested research data into the workspace. ü Uses encrypted connections and strict access controls to maintain data confidentiality and integrity during transit. ü Supports complex data transformation, validation, and orchestration workflows tailored to research needs. Dedicated Private Endpoint: üEach workspace is provisioned with a dedicated private endpoint that provides a secure, private network connection specifically between Azure Data Factory (ADF) and the workspace’s data storage. üThis private endpoint ensures that data transferred by ADF pipelines flows entirely within Azure’s private network, eliminating exposure to the public internet and greatly enhancing data security during transit.
- 8. Default Azure Cost Management Portal Enhanced Cost Management Tooling Cost data has limited retention period High availability of cost data that even for decommissioned projects beyond the default retention period. Metadata of deleted resources has limited retention period Metadata of deleted resources are highly and readily available. Difficulties in mapping costs appropriately to their respective projects Solves the difficulties of mapping costs to their respective projects. Provides granular cost visibility of how much each resource costs in each project Cost Management Tooling ü The Cost Management is an Azure runbook-based solution. ü Runs weekly to aggregate cost data into AzureSQL. ü Helps researchers and TRE administrators to track resources costing, enabling smarter financial decisions. Why is the cost Management Tool Important? Impact üProvides high visibility of expenses üHigh persistency even for completed or decommissioned projects üHelps with making smarter research cost decision üGranularity and transparent billing
- 9. Ongoing Work: RBAC integration RBAC integration refers to embedding a permissions framework into the SDE that controls the sets of tools available to researchers. Why are we doing this? ü To streamline governance across a growing number of concurrent research workspaces. ü To enable precise control over tool access, ensuring only approved and secure software is available based on role. ü To reduce manual overhead in provisioning, updating, or removing tools across environments. How will it impact users? Researchers will get simplified and relevant tool access, improving usability and focus. Admins will be able to centrally manage access to tools and enforce compliance standards. IT teams can roll out new tools, upgrades, or deprecations in a controlled, role-based way. How will it impact the SDE? Allow SDE and workspace administrators to control the set of tools available to researchers. Make upgrades and deprecation of tools easier to manage.
- 10. Summary: Our solution addresses the growing needs of Barts Health to support large-scale, secure, and compliant research environment. Delivered a ready-to-use data platform with extended possibilities and features. This has progressed in 2024 from Alpha in March, through Beta in June, to full production release in December. Our deliveries to date: Custom VM Images tailored for machine learning, medical imaging, and complex health data workloads, ensuring optimized, secure, and consistent compute environments. Secure Data Connection to Research Workspaces, featuring a secure Azure Data Factory integrations, and private endpoints together ensuring safe, compliant, and reliable data transfer pipelines. Cost Management Tooling that provides transparency, cost granularity, and cost data persistency, helping to manage research budget efficiently. Ongoing Production-Level Enhancements, including RBAC integration to provide fine-grained, role-based control over tool access. This aims to improve security, simplifying administration, governance, and enabling scalable operations.