The Secure Enclave Services provides U-M researchers with high-performance, secure, and flexible computing environments enabling the analysis of sensitive data sets restricted by federal privacy laws, proprietary access agreements, or confidentiality requirements.
The Secure Enclave Services (SES) are a virtual server environment designed for the secure hosting and analysis of restricted research data. (This service is formally known as “Glovebox.”)
The environment is designed to create one or more walled-off areas, called enclaves, where researchers’ data are segregated from other researchers’ projects in a flexible manner (that is to say, in as coarse- or fine-grained a manner as necessary).
Sensitive Data Types
The environment is suitable for restricted data up to ‘high’ classification, including Controlled Unclassified Information (CUI). This includes other classifications. The Sensitive Data Guide has more detail on all of the data types that can be analyzed here.
Software
Administrative (admin) rights for machines within restricted data enclaves are held by SES admins only. ARC does not delegate admin rights to researchers within enclaves.
If any software needs to be installed, researchers should submit a ticket to [email protected]. Some limited software (R libraries, Python modules) can be installed on a limited basis without admin rights, but everything else should be requested by submitting a ticket (send an email to [email protected]).
Licensed software needs to be acquired by the researcher, and the license key and install media must be submitted to SES personnel for installation within the virtual machine. For machines with the high classification, ARC reserves the right to reject the installation of certain software if it looks like it could be a risk to machines within the enclave, subject to a review by Information and Technology Services (ITS) and ITS Information Assurance (IA).
Rates
These rates represent cost recovery for Secure Enclave Services and do not include any support your unit may choose to provide.
| Service Option | Rates |
|---|---|
| Secure Enclave Services | $7.00 per GB of RAM per month |
Policy
The SES operates under a shared responsibility model to ensure researcher data security. Continued data security depends not only on the admins keeping data secure but also on the individual researchers. SES admins depend on research faculty to ensure data security.
Restricted data within the enclave MUST NOT LEAVE THE ENCLAVE, unless consent is given to move data from the enclave by the faculty sponsor.
In the event that data must leave the enclave, ARC recommends that a lab appoint a Data Use Administrator to examine any data that leaves the enclave and certify that it is clear of restricted data. This is required for CUI data, but also highly encouraged for HIPAA and other levels of data. Neither ARC nor ITS Service Request System (SRS) staff can act as Data Use Administrators for your lab. It is sufficient, in small labs of one or two people, for the Data Use Administrator to also be the data analyst. In larger groups, to prevent any conflicts, it may be preferable for the Data Use Administrator to be a separate role from the analyst.