Independent Eyes on a High-Stakes Platform

A US federal agency handling sensitive medical data needed someone in the room who had no agenda other than getting the security right

About the customer

This is an agency of the US federal government working in the medical research space. Their mission involves building secure environments where researchers, both inside and outside the agency, can access sensitive medical and biometric data for legitimate research purposes. These environments, known as Trusted Research Environments or TREs, need to enable data access while guaranteeing that the right data goes only to the right people, and that regulators can have absolute confidence in the controls. The agency was building a new TRE platform and had invested heavily in doing it properly.

The challenge

They had assembled a substantial team around the project. A leading cloud provider was delivering professional services to help build the platform. Independent contractors and consultants were advising at multiple levels. On paper, the security angle was covered. In practice, there was a question nobody in the room could answer objectively: were all these parties giving advice that served the agency's interests, or advice that served their own? A cloud provider's professional services team has a natural incentive to recommend more cloud. Contractors have an incentive to keep engagements running. The agency needed someone whose only brief was to tell them the truth.

Our role

We were introduced by an existing customer. We began with a full audit of the AWS environment, then provided independent guidance on the architectural decisions that mattered most — how to segregate data, how to manage researcher access, how to structure the environment for genuine federal-grade security rather than generic cloud security best practices. Some of those recommendations required pushing back on designs that had come from other parties.

We also ran threat models on the TRE platform itself — covering the applications and infrastructure components that would handle the most sensitive data. These models informed the architectural decisions and helped the agency understand where the real risks were before any of it went live.

"Our role was to ensure that the work being done by other parties was secure for the client's definition of secure, rather than those companies' definition of secure."

Threatplane engagement lead

The outcome

As the engagement progressed, something shifted. The early threat models surfaced issues we helped the agency address. The later ones found something better: zero meaningful risks. Not because we went easier on them as we got to know the team, but because they had actually fixed the foundations. They had taken the earlier advice seriously and built it in properly.

That's the best outcome a threat modelling programme can produce. When you run the final assessment and there's nothing left to find, it means the work has been done correctly. The agency closed the engagement with an independent, documented confirmation that their security was fit for purpose.

Customer Perspective

"The independent perspective Threatplane brought was exactly what we needed. Having objective validation of our architecture gave us genuine confidence that we were building this the right way."

Project Lead, US Federal Agency

Security advice with no agenda

We don't sell the platforms we assess. Our only interest is in giving you an accurate picture of your security.