Secure Enclave Services (SES)
The Secure Enclave Services provides U-M researchers with high-performance, secure, and flexible computing environments enabling the analysis of sensitive data sets restricted by federal privacy laws, proprietary access agreements, or confidentiality requirements.
The Secure Enclave Services (SES) are a virtual server environment designed for the secure hosting and analysis of restricted research data. (This service is formally known as “Glovebox.”).
The environment is designed to create one or more walled off areas, called enclaves, where researchers’ data are segregated from other researchers’ projects in a flexible manner (that is, to say, as coarse or fine-grained a manner as necessary).
Sensitive Data Types
The environment is suitable for restricted data up to ‘high‘ classification, including Controlled Unclassified Information (CUI). This includes other classifications. The Sensitive Data Guide page has more detail as to all of the data types that can be analyzed here.
Administrative (admin) rights for machines within restricted data enclaves are held by SES admins only. ARC does not delegate admin rights to researchers within enclaves.
If any software is needed to be installed, researchers should submit a ticket to firstname.lastname@example.org. Some limited software (R libraries, python modules) can be installed on a limited basis without admin rights, but everything else should be requested by submitting a ticket (send an email to email@example.com).
Licensed software needs to be acquired by the researcher and the license key and install media submitted to SES personnel for installation within the virtual machine. For machines with the high classification, ARC reserves the right to reject the installation of certain software if it looks like it could be a risk to machines within the enclave, subject to a review by Information and Technology Services (ITS) and ITS Information Assurance (IA).
The SES operates under a shared responsibility model to ensure researcher data security. Not only is continued data security incumbent upon the admins keeping data secure, it’s also dependent on the individual researchers. SES admins depend on research faculty to ensure data security.
Restricted data within the enclave MUST NOT LEAVE THE ENCLAVE, unless consent is given to move data from the enclave by the faculty sponsor.
In the event that data must leave the enclave, ARC recommends that a lab appoints a Data Use Administrator to examine any data that leaves the enclave and certifies to be clear of restricted data. This is required for CUI data, but also highly encouraged for HIPAA and other levels of data. Neither ARC nor ITS Service Request System (SRS) staff can act as Data Use Administrators for your lab. It is sufficient, in small labs of one or two people, for the Data Use Administrator to also be the data analyst. In larger groups, to prevent any conflicts, it may be preferable for the Data Use Administrator to be a separate role from the analyst.
Through June 30, 2023, the Secure Enclave Service will continue to be presented at no cost to researchers. After that date, each active virtual machine will be charged an Office of Financial Affairs (OFA) approved rate. We hope to publish those rates here sometime around January 31, 2023.
What can I run in my own enclave?
Virtual Services in the environment can run Windows or Linux. The maximum size of any single machine within the environment is 12 cores and 96 GB of RAM. Each machine is run as a shared environment, and every member of the research environment is given access to the machine.
In the event that the lab is large enough that multiple machines are needed in their enclave environment, then all members of the lab are given access to every machine in the enclave, unless otherwise directed by the lab manager.
Only computational machines are created in an enclave unless given express consent by the SES manager or ARC director for that project. ARC encourages people who need databases or other types of infrastructure to look to MiDatabase or other cloud services.
How do I get my own enclave?
Access to SES resources involves a single email to us at firstname.lastname@example.org. Please include:
- Your name or your advisor’s name
- Your unit
- Intended use
- Type of restricted data (HIPAA, CUI, CMS, data use agreement)
Someone from your unit IT staff or an ARC staff member will reach out to you and arrange details to determine the best path to make your request work within the SES environment.
The Secure Enclave Service supports the following platforms for researchers at the University of Michigan:
- CUI: an environment for the analysis of restricted data for Controlled Unclassified Information (CUI).
- Virtual servers: an environment for large groups to share a consistent platform for data analysis. Useful for groups that have datasets that they would like to share with collaborators, but not allow the collaborators to download the data to their home environments.
- Virtual Desktops: an environment where researchers can use a data analysis platform that can be turned off and turned on where needed. This is for researchers who would like to pay for what they use, and not pay for an “always-on” solution.
The new Secure Enclaves System consists of 20 compute nodes each with:
- 2x AMD EPYC 7542 (32 core) processors
- 1 TB of RAM.
- 2x 100 GBit ethernet interconnect
- 5 of the 20 compute nodes each of 2 X NVidia A40 GPUS for machine learning of restricted data.
- 10 storage nodes that provide 350 TB of Flash based SAN for VMs to utilize.
The U-M Research Ethics and Compliance webpage on Controlled Unclassified Information provides details on handling this type of data. The U-M Sensitive Data Guide to IT Services is a comprehensive guide to sensitive data.
The following services have been deprecated in the current implementation of Secure Enclave Services, and will not be replicated in future versions of the environment. ARC is not taking new customers for any of these services.
- Data Pipeline Tools, which include databases, message buses, data processing and storage solutions. This platform is suitable for sensitive institutional data classified up to High — including CUI, and data that is not classified as sensitive.
- Research Database Hosting, an environment that can house research-focused data stored in a number of different database engines.
- Virtual desktops for research. This service was suitable for data that is not classified as sensitive.
- Docker Container Service. This service can take any research application that can be containerized for deployment.
- Yottabyte Research Cloud (YBRC). This service has migrated to the Secure Enclave Service (SES). YBRC is no longer available.
Researchers who need to use Hadoop or Spark for data-intensive work should explore our Spark tools on Great Lakes and Armis2.
Contact email@example.com for more information.