Introduction
The Secure Enclave Services (SES) are a virtual server environment designed for the secure hosting and analysis of restricted research data. (This service is formally known as “Glovebox.”)
The environment is designed to create one or more walled-off areas, called enclaves, where a researcher’s data are segregated from other researchers’ projects in a flexible manner (that is to say, in as coarse- or fine-grained a manner as necessary).
Sensitive Data Types
The environment is suitable for restricted data up to ‘high’ classification, including Controlled Unclassified Information (CUI). This includes other classifications. The Sensitive Data Guide page for YBRC has more detail as to all of the data types that can be analyzed here.
Physical Characteristics
Virtual Services in the environment can run Windows or Linux. The maximum size of any single machine within the environment is 12 cores and 96 GB of RAM. We run each machine as a shared environment: every member of the research environment is given access to the machine. If the lab is large enough that multiple machines are needed in its enclave environment, then all members of the lab are given access to every machine in the enclave unless otherwise directed by the lab manager.
Only computational machines are created in an enclave unless given express consent by the YBRC Manager or ARC director for that project. We encourage people who need databases or other types of infrastructure to look to MiDatabase or other cloud services.
Software
Admin rights for machines within restricted data enclaves are held by SES admins only. We do not delegate admin rights to researchers within enclaves. If any software needs to be installed, researchers should submit a ticket to arc-support@umich.edu. Some limited software (R libraries, Python modules) can be installed on a limited basis without admin rights, but everything else should be requested by submitting a ticket (send an email to arc-support@umich.edu).
Licensed software needs to be acquired by the researcher and the license key and install media submitted to SES personnel for installation within the virtual machine. For machines with the high classification, we reserve the right to reject the installation of certain software if it looks like it could be a risk to machines within the enclave, subject to a review by ITS/IA.
Policy
The SES operates under a shared responsibility model to ensure researcher data security. Continued data security depends not only on the admins keeping data secure but also on the individual researchers. SES Admins depend on research faculty to ensure data security. Restricted data within the enclave MUST NOT LEAVE THE ENCLAVE. To that end, we recommend that a lab appoint a Data Use Administrator to examine data that leaves the enclave and certify that it is clear of restricted data. This is required for CUI data, but also highly encouraged for HIPAA and other levels of data. Neither ARC nor SRS staff can act as Data Use Administrators for your lab. It is sufficient, in small labs of one or two people, for the Data Use Administrator to also be the data analyst. In larger groups, to prevent any conflicts, it may be preferable for the Data Use Administrator to be a separate role from the analyst.
As SES is currently a no-cost environment, we do send out periodic emails to all enclave users to determine if your virtual servers are still being used. If they are not being used, we reserve the right to remove the virtual server and archive any data on SES.
Cost
Through the end of December 2021 (and perhaps later), the Secure Enclave Service will continue to be presented at no cost to researchers. However, if the service does reach capacity, we reserve the right to wait-list researchers who wish to use the service until capacity becomes available.
How Do I Get My Own Enclave?
Access to SES resources involves a single email to us at arc-support@umich.edu. Please include:
- Your name or your advisor’s name
- Your unit
- What you would like to use SES for
- Whether you plan to use restricted data
Someone from your unit IT staff or an ARC staff member will reach out to you and arrange details to determine the best path to make your request work within the SES environment.