FAQ (Frequently Asked Questions)

General Questions

Usage Questions

HIPAA Compliance Questions

CUI Compliance Questions


GENERAL QUESTIONS

What is the Secure Enclave Service (SES)?

The Secure Enclave Service (SES) is the university’s private cloud environment for research. It’s a pool of processors, memory, storage, and networking that can be subdivided into smaller units, allocated to research projects as needed, and accessed through virtual desktop machines and servers.

How do I get access to SES resources?

Access involves a single email to us at arc-support@umich.edu. Please include:

  • Your name or your advisor’s name
  • Your unit
  • What you would like to use SES for
  • Whether you plan to use restricted data

Someone from your unit’s IT staff or an ARC staff member will reach out to you to work out the details and determine the best way to accommodate your request within the SES environment.

What class of problems is SES designed to solve?

SES resources are aimed squarely at research and the teaching and training of students involved in research. Primarily, SES resources are for sponsored research. SES is not for administrative or clinical use (business of the university or the hospital). Clinical research is acceptable as long as it is sponsored research.

How large is the Secure Enclave Service?

In total, SES has ~2200 processing cores, 15 TB of RAM, 10 A40 GPUs, and roughly 330 TB of scratch storage available.

What can I do with the Secure Enclave Service?

SES is focused on:

  • Hosting virtual desktops and servers for restricted data use cases, such as statistical analysis of health data or an analytical project involving Controlled Unclassified Information (CUI). Most people in this case need a powerful workstation for SAS, Stata, R or another analysis application.
  • Collaborating with other team members or external research partners.

Are these the only things I can do with resources in the Secure Enclave Service? No! Contact us at arc-support@umich.edu if you want to learn whether or not your idea can be done within SES.

How do I get help if I have an issue with something?

The best way to get help is to send an email to arc-support@umich.edu with a brief description of the issues you are seeing.

What are the support hours for the Secure Enclave Service?

SES is supported between 8 a.m. and 5 p.m., Monday through Friday. Response times for support requests outside of these hours will be longer.


USAGE QUESTIONS

What’s the biggest machine I can build within Secure Enclave Services?

Because of the way that SES allocates resources, the largest standard virtual machine within the cluster is 12 processing cores and 96 GB of RAM. Larger configurations can be accommodated. Please contact us for more information at arc-support@umich.edu.

What is ‘scratch’ storage?

Scratch storage for SES is for the operating system’s temporary working space and for active data sets. This data is not backed up or replicated to separate infrastructure; it is provided by SAN infrastructure local to SES. As with the scratch storage on Great Lakes, ARC does not recommend storing any data solely on the local disk of any machine. Make sure that you have copies on other services, such as Turbo, Locker, or another service appropriate for your data classification.


HIPAA COMPLIANCE QUESTIONS

What can I do inside of a HIPAA Secure Enclave?

For researchers with restricted data with a HIPAA classification, ARC provides a small menu of Linux and Windows workstations to be installed within your enclave. ARC does not delegate administrative rights for those workstations to researchers or research staff. ARC may delegate administrative rights for workstations and services in your enclaves to IT staff in your unit who have successfully completed the HIPAA IT training coursework given by ITS or HITS, and are familiar with desktop and virtual machine environments.

Machines in the HIPAA network enclaves sit behind a deny-first firewall that blocks most inbound traffic to the enclaves; outbound access is less restricted, so researchers can still visit external-to-campus websites from within a HIPAA network enclave. Researchers within a HIPAA network enclave can use storage services such as Turbo and MiStorage Silver (via CIFS) to host data for longer-term storage.

What are researcher and research group responsibilities when they have HIPAA data within SES?

All researchers, staff, and students that use SES when analyzing restricted data have a shared responsibility in keeping their restricted data secure.

  • Researchers need to be aware of the personnel in their labs who have access to the data in their enclaves.
    • Each lab should have a process for adding and removing users from enclaves that includes offboarding lab members from access to restricted data as soon as possible after they have left the lab.
    • Each lab should review who has access to their data and enclaves at least twice a year by checking the memberships of their MCommunity and Active Directory groups to ensure that people have been removed as requested.
  • Each lab user must store their restricted data in a specific directory, as discussed during their introductory meeting with ARC staff. They must keep the data only in this directory over the life of the data on the system.

CUI COMPLIANCE QUESTIONS

What can I do inside of a CUI Secure Enclave?

Staff will work with researchers using CUI-classified data to determine the types of analysis that can be conducted on SES resources that comply with relevant regulations. The CUI enclave is designed to mimic working in a locked-room, network-disconnected environment as much as possible.

Generally, ARC provides a small menu of Linux and Windows workstations to be installed within your enclave. ARC does not delegate administrative rights for those workstations to ANYONE outside of ARC staff.

Machines in the CUI network enclaves are encircled by a very strict deny-first firewall that prevents nearly all traffic from entering or leaving the enclaves. Researchers will not be able to access any website, for example, that isn’t explicitly called out in a Project System Security Plan (PSSP).

What are researcher and research group responsibilities when they have CUI data within SES?

All researchers, staff, and students that use SES when analyzing restricted data have a shared responsibility in keeping their restricted data secure.

  • Researchers need to be aware of the personnel in their labs who have access to the data in their enclaves.
    • Each lab should have a process for adding and removing users from enclaves that includes removing departed lab members from access to restricted data as soon as possible after they have left the lab.
    • Each lab should review who has access to their data and enclaves at least twice a year by checking the memberships of their MCommunity and Active Directory groups to ensure that people have been removed as requested.
  • Each lab user must store their restricted data in a specific directory, as discussed during their introductory meeting with ARC staff. They must keep the data only in this directory over the life of the data on the system.
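
The twice-yearly access review described in both the HIPAA and the CUI responsibilities above, as an added example that is not ARC's own tooling: it reconciles exported MCommunity and Active Directory group memberships (nested groups included) against the lab's roster and reports who still has access after leaving the lab, who has access but was never on the roster, and who is on the roster but has no access at all. The group names, uniqnames, departure dates and the "group:" prefix used to mark nested groups in the export are constructed assumptions for the example.

```python
"""Semi-annual access review for an enclave's access groups.

Added example, not ARC's tooling. It assumes the lab has exported the direct
membership of every MCommunity and Active Directory group that grants access
to its enclave into GROUP_MEMBERS (for example from Get-ADGroupMember or the
MCommunity group page), writing nested groups as "group:<name>", and keeps a
roster of lab members with departure dates. All names and dates are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

NESTED = "group:"   # assumed marker for a nested group in the export

# Constructed group export: group name -> direct members.
GROUP_MEMBERS: dict[str, set[str]] = {
    "ses-lab-enclave-users": {"aparker", "bjones", "ctaylor", "group:ses-lab-enclave-analysts"},
    "ses-lab-enclave-analysts": {"ctaylor", "dlee", "ewong"},
    "ses-lab-enclave-admins": {"itadmin1", "fgarcia", "group:ses-lab-enclave-missing"},
}

# Constructed lab roster: uniqname -> departure date, or None if still active.
ROSTER: dict[str, date | None] = {
    "aparker": None,
    "bjones": None,
    "ctaylor": None,
    "dlee": None,
    "ewong": date(2024, 1, 15),   # left the lab; access should already be gone
    "gpatel": None,               # joined recently; should have access
    "itadmin1": None,
}

REVIEW_DATE = date(2024, 6, 1)    # constructed review date


@dataclass
class ReviewFindings:
    stale: dict[str, set[str]]   # uniqname -> groups that still directly grant access
    missing: set[str]            # active roster members with no access at all
    unresolved: set[str]         # nested groups referenced but absent from the export


def flatten_members(group: str, groups: dict[str, set[str]],
                    seen: set[str] | None = None) -> set[str]:
    """Resolve nested groups to the effective set of user uniqnames."""
    seen = set() if seen is None else seen
    if group in seen:            # nested groups can form cycles; visit each once
        return set()
    seen.add(group)
    members: set[str] = set()
    for entry in groups.get(group, set()):
        if entry.startswith(NESTED):
            members |= flatten_members(entry[len(NESTED):], groups, seen)
        else:
            members.add(entry.lower())
    return members


def review_access(groups: dict[str, set[str]], roster: dict[str, date | None],
                  as_of: date) -> ReviewFindings:
    """Compare direct and effective group membership against the roster."""
    roster = {u.lower(): left for u, left in roster.items()}
    active = {u for u, left in roster.items() if left is None or left > as_of}
    stale: dict[str, set[str]] = {}
    with_access: set[str] = set()
    unresolved: set[str] = set()
    for group, entries in groups.items():
        for entry in entries:
            if entry.startswith(NESTED):
                if entry[len(NESTED):] not in groups:
                    unresolved.add(entry[len(NESTED):])
                continue
            user = entry.lower()
            if user not in active:   # departed, or never on the roster at all
                stale.setdefault(user, set()).add(group)
        with_access |= flatten_members(group, groups)
    return ReviewFindings(stale, active - with_access, unresolved)


def print_report(findings: ReviewFindings, roster: dict[str, date | None], as_of: date) -> None:
    """Print remediation lines: stale members name the group to remove them from."""
    roster = {u.lower(): left for u, left in roster.items()}
    for user, groups in sorted(findings.stale.items()):
        left = roster.get(user)
        why = f"left {left.isoformat()} ({(as_of - left).days} days ago)" if left else "not on roster"
        print(f"REMOVE  {user:10} {why}: {', '.join(sorted(groups))}")
    for user in sorted(findings.missing):
        print(f"CHECK   {user:10} on roster but in no access group")
    for group in sorted(findings.unresolved):
        print(f"EXPORT  nested group '{group}' missing from export; its members were not reviewed")


if __name__ == "__main__":
    print_report(review_access(GROUP_MEMBERS, ROSTER, REVIEW_DATE), ROSTER, REVIEW_DATE)
```

Run it against a fresh export before each review; a "REMOVE" line for a departed member is exactly the offboarding gap the review is meant to catch, and an "EXPORT" line means part of the effective membership was never looked at.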