With the increasing applicability of bioinformatics and genomics to clinical medicine, there is a growing need for specialized and secure compute. Computational analysis, even on a small scale, often requires significant storage, compute capacity and memory, and even minimal configurations are well beyond the capability of the most advanced workstations. Information security requirements make the acquisition, configuration, and operation of this equipment even more complicated. Moving beyond “small scale” requires large investments in infrastructure. By developing and sharing centralized capacity, researchers can use equipment on an occasional basis without investing in dedicated infrastructure. Centralized resources can also be sanctioned as meeting the information security requirements of the various funding agencies, which will facilitate IRB and other approvals.
This security plan is a resource for Principal Investigators (PIs) when developing and submitting grant proposals. This plan outlines how the Secure4[1] research computing environment and the data stored within it will be secured, and also explains important processes such as how access is granted to research teams and how one project's research data is segregated from that of other research projects co-located within the same environment.
The Secure4 environment is a high-performance computing (HPC) cluster suited for researchers who need to store or use level 4 (HIPAA) data and who also need sizeable disk space, considerable memory, large compute capabilities, or access to the more than 200 applications available in the environment. Please contact firstname.lastname@example.org to schedule a consultation with Research Computing Support Services.
The Secure4 environment is modeled after a traditional HPC computing environment (cluster) with security enhancements and comprises three components: a “login” node for user interactions, a “head” node to control the cluster, and “compute” nodes to perform calculations.
Users log in to the “login” node to spawn computational tasks on the “compute” nodes. The compute nodes are scheduled by the “head” node, which also provides networking, file, and configuration services internal to the cluster. Each user is given a dedicated account per project (a “user-project” account) and accesses it via a Secure Shell (SSH) connection that provides a remote console, display, and file access to the cluster. The security measures put into place include a remote audit log for all security events, a highly restrictive file permissions policy to prevent accidental exposure of data to other accounts in the system, an encrypted storage system (drive encryption), and no user access to the head node that runs the file, scheduler, and configuration services for the cluster.
All nodes in the system run the CentOS 7 (https://www.centos.org/) Linux operating system. The head node runs the SLURM job scheduler (http://slurm.schedmd.com/), the Puppet configuration management system (http://puppet.com), the Razor provisioning system (https://puppet.com/blog/introducing-razor-a-next-generation-provisioning-solution/), and the Network File System (NFS).
The Secure4 environment will reside within the University of Missouri Data Center. The MU Data Center, operated by the Division of Information Technology (DoIT), provides a physically secure and environmentally controlled facility that houses computing systems for MU and other University of Missouri organizations. The center offers the following standard services and features:
All systems in the data center are located behind a firewall with a default configuration of DENY ALL. Exceptions to the default firewall configuration are managed on an IP-by-IP basis. The Secure4 environment will be reviewed annually by the university’s Information Security & Access Management team (ISAM), consisting of certified security professionals who use industry standard best practices to evaluate the security posture of the environment.
In addition to the data center firewall, a separate firewall will be used to segment the Secure4 environment from other systems within the data center. The use of a privileged Virtual Private Network (VPN) group will be required to gain access through this firewall irrespective of whether researchers are on- or off-net. Principal Investigators (PIs) are the only authorized approvers of accounts accessing their projects. Day-to-day account management of the VPN group will be handled by MU’s information security team. Annual review of the VPN group members will be handled by the MU Research Computing Support Services team.
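The two paragraphs above describe a DENY ALL default with exceptions managed per IP address. The following shell script is an added example, not the MU data center's firewall configuration or any Secure4 tooling: it renders an nftables ruleset that drops everything by default and accepts SSH only from each host on an allowlist, and it refuses any allowlist entry that is not a single IPv4 address, so that a broad range cannot be slipped in as an "exception". The addresses, the table name `secure4`, and the port are constructed for the example.

```shell
#!/bin/sh
# Added example; not part of the Secure4 plan or the data center's real
# firewall. Builds a default-deny nftables ruleset from a host allowlist and
# rejects any entry that is not a single IPv4 host address.

# Constructed allowlist (not real Secure4 or VPN addresses). One address per
# line; anything after '#' is a comment.
ALLOWLIST='198.51.100.10   # VPN concentrator A (constructed address)
198.51.100.11   # VPN concentrator B (constructed address)'

# Return 0 if $1 is a dotted-quad IPv4 host address with no CIDR suffix and
# no wildcard, else 1. "10.0.0.0/8" or "203.0.113.7/32" are rejected so the
# "exceptions are managed IP-by-IP" rule cannot be bypassed with a range.
is_single_host() {
  printf '%s\n' "$1" | grep -Eq \
    '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$'
}

# Print an nftables ruleset: policy drop on input, allow loopback and
# established/related traffic, and allow TCP port $2 (default 22) from each
# host in allowlist text $1. Prints nothing and returns 1 if any entry fails
# validation, so a bad list never produces a partially permissive ruleset.
build_ruleset() {
  list="$1"; port="${2:-22}"; rules=""
  while IFS= read -r line; do
    # strip the comment and all whitespace, skip blank lines
    entry=$(printf '%s\n' "$line" | sed 's/#.*//; s/[[:space:]]//g')
    [ -n "$entry" ] || continue
    is_single_host "$entry" || { echo "rejected allowlist entry: $entry" >&2; return 1; }
    rules="$rules        ip saddr $entry tcp dport $port accept
"
  done <<EOF
$list
EOF
  printf 'table inet secure4 {\n    chain input {\n        type filter hook input priority 0; policy drop;\n        iif "lo" accept\n        ct state established,related accept\n%s    }\n}\n' "$rules"
}

# Usage: sh this.sh print   (renders the ruleset for review before loading)
if [ "${1:-}" = "print" ]; then
  build_ruleset "$ALLOWLIST" 22
fi
```

The generated text can be reviewed and then loaded with `nft -f` by an administrator; the script itself never touches the live firewall, and the allowlist validation is the part worth keeping even if the ruleset template is replaced.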
Users and data will be isolated. Users log in to the system with a user-project account and can only access a single project with the user-project account, thus preventing the spread of data from one project to another. The account will belong primarily to the user-project Unix group and a “project” group for the project.
The umask will be set to 007, making data available by default to only the user-project account or the “project” group (default not world-readable). This policy is enforced and logged using SELinux on every system. NFS will carry these attributes across the cluster. All policy events will be logged and transmitted to and stored in a secure remote logging service.
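To make the isolation policy in the two paragraphs above concrete, the shell script below is an added example (not Secure4 tooling): it shows the modes that a `umask` of 007 produces for new files and directories, and it provides an audit check that reports any path under a project tree that has read, write or execute permission for "other", which is exactly what the policy forbids. Directory paths are passed in; nothing about the real cluster's layout is assumed.

```shell
#!/bin/sh
# Added example; not part of the Secure4 plan. Demonstrates umask 007 and
# audits a project tree for world-accessible entries.

# Print the octal permission bits of a path. GNU stat first, BSD stat second.
octal_mode() {
  stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Create one file and one directory under umask 007 inside directory $1 and
# print their octal modes as "<file> <dir>". Under 007 this yields "660 770":
# the user-project account (owner) and the "project" group keep access,
# "other" gets nothing.
modes_under_umask007() {
  base="$1"
  (
    umask 007
    : > "$base/sample.txt"
    mkdir "$base/sample_dir"
  )
  printf '%s %s\n' "$(octal_mode "$base/sample.txt")" "$(octal_mode "$base/sample_dir")"
}

# List entries under $1 whose "other" read, write or execute bit is set.
# The symbolic -perm tests are POSIX, so this works with GNU and BSD find.
list_world_accessible() {
  find "$1" \( -perm -o=r -o -perm -o=w -o -perm -o=x \) -print
}

# Count those entries (0 means the tree complies with the policy).
count_world_accessible() {
  list_world_accessible "$1" | wc -l | tr -d ' '
}

# Usage: sh this.sh audit /path/to/project   (non-zero exit if anything is exposed)
if [ "${1:-}" = "audit" ] && [ -d "${2:-}" ]; then
  n=$(count_world_accessible "$2")
  if [ "$n" != "0" ]; then
    echo "world-accessible entries under $2:" >&2
    list_world_accessible "$2" >&2
    exit 1
  fi
  echo "ok: no world-accessible entries under $2"
fi
```

The `umask` only governs defaults; a user can still `chmod o+r` a file, which is why the plan also relies on SELinux enforcement and logging. The audit function is the piece that catches such drift after the fact.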
Data in transit is encrypted using Secure Shell (SSH) through the creation of a secure SSH key and passphrase on the researcher’s workstations. This will be tested and verified within the Secure4 environment prior to authorization being granted.
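The paragraph above requires a passphrase-protected SSH key on each workstation and says the key will be verified before access is granted. The script below is an added example, not part of the Secure4 plan or its onboarding tooling: it generates such a key pair and provides the check an IT professional can run to confirm that a private key cannot be loaded without a passphrase. It relies on OpenSSH's `ssh-keygen`; the key type (ed25519), the KDF round count, and the key comment are this example's choices, not values from the plan.

```shell
#!/bin/sh
# Added example; not part of the Secure4 plan. Generates a passphrase-protected
# SSH key pair and checks that a private key is actually protected.

# Generate a key pair at path $1 protected by passphrase $2 (ed25519, 100 KDF
# rounds so offline guessing of the passphrase is slow). ssh-keygen refuses to
# overwrite an existing file, so $1 must not exist yet.
generate_protected_key() {
  ssh-keygen -q -t ed25519 -a 100 -N "$2" -C "secure4-user-project" -f "$1" </dev/null
}

# Check a private key before it is accepted for Secure4 access.
# Returns 0 if the key needs a passphrase, 1 if it loads with an empty
# passphrase (unprotected), 2 if the file is missing, 3 if the file is not a
# private key at all.
key_is_passphrase_protected() {
  keyfile="$1"
  [ -f "$keyfile" ] || return 2
  grep -q 'BEGIN .*PRIVATE KEY' "$keyfile" || return 3
  # -y loads the private key and prints the public half; with -P '' the load
  # succeeds only when the key has no passphrase. stdin is /dev/null so
  # ssh-keygen can never fall back to an interactive prompt.
  if ssh-keygen -y -P '' -f "$keyfile" >/dev/null 2>&1 </dev/null; then
    return 1
  fi
  return 0
}

# Usage: sh this.sh /path/to/id_ed25519   (prints a verdict for the operator)
if [ -n "${1:-}" ]; then
  rc=0; key_is_passphrase_protected "$1" || rc=$?
  case "$rc" in
    0) echo "$1: passphrase-protected" ;;
    1) echo "$1: NOT passphrase-protected, reject" ;;
    2) echo "$1: no such file" ;;
    *) echo "$1: not a private key file" ;;
  esac
fi
```

The check only reads the key file; it never sends anything to the cluster, so it can be run on the workstation before the public key is submitted for authorization.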
The Secure4 environment will utilize hard disk encryption to protect the data at rest using Linux Unified Key Setup (LUKS) encryption. LUKS encryption conforms to the Transmission Sleeve Kit 1 (TSK1) secure key setup scheme and operates based on an enhanced version of cryptsetup, using dm-crypt. A portable USB drive containing the decryption key is stored in a locked safe with limited access privileges, managed by the university’s information security team.
Only projects with IRB approval are eligible to use the Secure4 environment. Principal Investigators (PIs) are the only individuals authorized to request access for members of their research team. Only requests originating from a PI are trusted. PIs and their research team members must work with their information technology professionals to create the secure SSH key pair and passphrase necessary to access the Secure4 environment. Accounts that have been granted access to the Secure4 environment are renewed on an annual basis. PIs are responsible for quickly communicating changes in research team/account status to the MU Research Computing Support Services team.
All members of the research team having access to the Secure4 environment must minimally have received Institutional Review Board (IRB) approval and Health Insurance Portability and Accountability Act (HIPAA) training prior to using the Secure4 environment. It is the responsibility of the PI to ensure this training has been completed.
It is the responsibility of the researcher’s IT professional to ensure that workstations with access to the Secure4 environment comply with university policies for DCL4 workstation management as well as with the access/encryption requirements in this document. Requirements include but are not limited to the following:
Only university-issued devices are allowed to access the Secure4 environment. While the use of shared, general-purpose workstations is not prohibited, researchers are encouraged to use dedicated workstations free from unnecessary applications and programs. When dedicated computers are not feasible, researchers should refrain from personal or unnecessary web browsing and should also be careful not to open untrustworthy emails, download executables, or open suspicious files, as doing so could expose workstations to many forms of malware including viruses, worms, and keyloggers.
Security event logs for the head node, login node, and compute nodes will be immediately shipped to the University of Missouri’s secure logging system, including but not limited to the following events:
Drives are encrypted with LUKS, with the decryption key on a USB drive that is only present during boot. Data is not accessible without both the USB key and the drive. When a node is decommissioned, the USB drive will first be securely erased and destroyed; after its destruction, the hard disk will be removed from the machine and the secure enclosure and shredded. At no time will the USB drive and the hard disk be in the same location outside the secure rack. All movements will be logged.
To request the following activities, please send an email to email@example.com:
[1] The “4” in the service name indicates that this environment was built specifically for (4) researchers and that it is secured according to UM Information Security Data Classification Level 4 policy requirements and standards.