Secure Compute Research Environment
What is the SCRE?
The Secure Compute Research Environment (SCRE) is a private, secured, virtual environment in which researchers may remotely analyze sensitive data, create research results, and output their research results and analysis. This environment is described in detail in a Data Security Plan (DSP) that is "pre-approved" by the UCSB CISO for use with selected agency/data provider DSPs. Researchers may attach this DSP document in applications to various agencies/data providers for restricted dataset licenses. The SCRE was developed by ETS in cooperation with the Institute for Social, Behavioral and Economic Research (ISBER) with additional funding from the Office of Research.
Why is the SCRE needed?
Many restricted data providers require a minimum set of standards in the DSP: a standalone computer in a uniquely-keyed physical location, standard user account with strong password, no internet connection, USB/optical media disabled, printing disabled and an antivirus installation. The SCRE is intended to be an alternative to the creation of an individual solution each time a researcher needs to analyze restricted datasets.
This environment has initially been designed with the Critical Security Controls for Effective Cyber Defense (CSC Top 20) v5.1 as a guideline, reaching above and beyond the initial security controls required by many restricted data providers. Additional controls required by government data providers, such as the NIST 800-53rev4 Minimum Security Controls for Safeguarding Controlled Technical Information from Table 1 of DoD DFARS clause 252.204-7012 - Safekeeping of Unclassified Controlled Technical Information), have been also put in place in the SCRE.
The SCRE minimizes the security and implementation burden for researchers who can not easily construct their own data security plan. It also allows software and security updates to be made easily to the environment, and is scalable to be accessible to many users at a time. The SCRE will facilitate cost and time savings, space allocation difficulties, and eliminate redundancy of process/deployment of multiple systems across campus.
How does the SCRE work?
Each enrolled research project is assigned a unique virtual machine guest instance (the "Research Virtual Desktop") on a secured private network, in which the researcher can perform his/her research activities and analysis. A set of commonly-used research applications are installed in each Research Virtual Desktop. Additionally, an encrypted, password-protected disk image is provided for storage of the restricted dataset, interim research results and applications’ temporary file storage.
How do researchers access the SCRE?
Researchers use a web browser to connect to the secured VPN SCRE web portal, which provides a secured connection to the RDP Client running on their remote Research Virtual Desktop. The environment can be accessed from any internet-connected device, using any HTML5-compliant web browser (i.e. Internet Explorer 10/11, Mozilla Firefox, Google Chrome, Apple Safari). No additional plug-ins (i.e. Java, ActiveX) or software clients need to be installed on the researcher’s local device.
The SCRE uses a multi-factor authentication service (MFA) for login to the VPN web portal as well as the File Transfer Gateway web application. The MFA service is simple to use - first, the researcher authenticates with his/her UCSBNetID/password and is then required to enter a second token (either by interacting with an App on their smartphone, entering a code from the App or SMS message, or by responding to a phone call to his/her enrolled number). After the second authentication factor completes, the user is logged in.
The overall user experience in the SCRE is very similar to using other traditional Remote Desktop-type clients, but with substantial security controls in place, and the ability to use almost any modern hardware to connect.
How do researchers get data in/out of the SCRE?
An initial upload of a researcher's secured dataset to his/her SCRE Research Virtual Desktop will be performed by the SCRE Operator upon creation of each Research Virtual Desktop. A File Transfer Gateway web application is available within the SCRE to securely upload data files into Research Virtual Desktops, as well as share files with other colleagues/SCRE users. Researchers may also export data files outside of the SCRE when explicitly permitted by the restricted data provider. More information about how to use the File Transfer Gateway is available in the Secure Compute Research Environment User Guide.