Secure Compute Research Environment - User Guide


Access

Researchers may request a Secure Compute Research Virtual Desktop here. Researchers will receive notification when their Research Virtual Desktop is ready for use, along with a unique strong password for their Encrypted Volume.

Researchers should access the Secure Compute Research Environment remotely from “trusted devices” only. A trusted device is one that you have physical control of and manage yourself (kept up to date with OS patches and anti-virus updates). Access from non-trusted devices (e.g. airport and public kiosks, friends’ or colleagues’ computers) is strongly discouraged due to potential security risks (keyloggers, etc.).

Any up-to-date web browser that supports HTML5 can be used to access your Research Virtual Desktop. This includes traditional desktop browsers like Internet Explorer 10/11, Google Chrome, Mozilla Firefox, Safari as well as tablet/mobile browsers on iOS, Android, BlackBerry and Kindle. No additional software needs to be downloaded, installed or configured in order to access your Research Virtual Desktop.

 

Logging in to the SCRE Portal

To log in to the SCRE Portal, open your web browser and go to https://portal.scre.ucsb.edu

Enter your UCSB NetID and password. (A link on the Portal login page will take you to the UCSB Identity Services URL if you need assistance.)


After passing the first authentication, you will be presented with an additional authentication screen from Duo Security. If this is your first time logging in to the SCRE Portal, you will need to complete the in-line enrollment for Duo Security. Please have all of the devices (phones, devices, tablets) present and information for work and home phones you expect to use for secondary authentication during the in-line enrollment.

Follow the prompts during the in-line enrollment.

After you have completed the in-line enrollment for Duo (and upon subsequent logins), you will see a screen asking you how you want to complete two-factor authentication.


To complete the authentication process, select one of these options:

  • Recommended - Duo Push notification: wait for a notification within the Duo Mobile app on your selected mobile device, and press the green "Approve" button to complete the 2nd factor authentication.
  • Phone call - Duo will call your registered phone number from 805-893-8000. After you answer the call, follow the prompts to complete the 2nd factor authentication.
  • Passcode - enter one of your unused passcodes from your Duo Mobile app or from a previously sent SMS to complete the 2nd factor authentication. (If you need to have new SMS passcodes sent to your device, click “Send SMS passcodes.”)

 

If your mobile device or phone number changes in the future, you may use the Duo Security Self-Service Portal to enroll a new device or make changes after completing two-factor authentication with an existing device.

Once you have completed the authentication process, you will be brought to the Portal homepage. On this page you will find several bookmarks.  Each bookmark will open a resource within the secured environment.

Logging in to your Research Virtual Desktop

To access your Research Virtual Desktop, click on the Portal bookmark entitled
“My SCRE (HTML5/RDP) - project name”

(You may have more than one bookmark if you have multiple projects enrolled in SCRE.)

This will open a window from the VPN portal, within your original browser window, and begin the login process to your Research Virtual Desktop host.

You must accept the terms of the Restricted Access warning splash screen upon each login. Click OK and the login process will begin.  You should see the “Welcome” screen and spinning circle as Windows initializes your Desktop.

After the login process completes, a logon script will run and open the program "VHD Attach," which will attempt to mount your Encrypted Volume. (This encrypted volume is used for your restricted data set and working file area.) You will be prompted to enter a BitLocker password to unlock the drive. Enter the unique Encrypted Volume password that was given to you when you received your SCRE Research Virtual Desktop details. If you do not enter the correct password within 30 seconds, you will be logged out automatically.

The first time you log in to your Research Virtual Desktop, you should change your Encrypted Volume password. To do this, go to Computer, and right-click on the Z: Encrypted Volume. Choose "Manage BitLocker." Enter the initial Encrypted Volume password given to you by ETS in the email link sent to you via the Connect Box service. Then enter a new, secure password into the next two boxes. Your new password must be 14 characters and include at least one uppercase letter, one lowercase letter and one number.

IMPORTANT - ETS does not keep the password to your encrypted volume and cannot recover it if it is forgotten! It is your responsibility to remember your unique Encrypted Volume password. Do not write down your password anywhere. You may wish to record this password within a secure password manager if you have difficulty remembering it. (Please see info at the bottom of this page for recommended password managers.)

Your Encrypted Volume (Z:\) should mount and a Windows Explorer window should open showing the files inside.  Your Research Virtual Desktop is now ready for use. (Ideal resolution for your Research Virtual Desktop is 1024x768 – you may wish to resize your browser window to fit this size.)

Using Applications within the Research Virtual Desktop

Each Research Virtual Desktop is pre-loaded with several licensed Applications, including Microsoft Office Professional 2013, Adobe Acrobat Pro XI, Mathematica 10, R and R Studio, SPSS 22, SAS 9.4 and Notepad++.

Stata, JMP and Atlas.TI are installed on each Research Virtual Desktop, but do not have active licenses. (If you would like to use any of these, please provide a valid license file.) Additional software (Bring Your Own Software/BYOS) can also be installed upon request.

Transferring Files within the SCRE

The SCRE service allows secure file transfer in/out of your Research Virtual Desktop using the custom File Transfer Gateway web application. Export of files from the SCRE Research Virtual Desktop to the File Transfer Gateway may be enabled, depending on the requirements of the agency providing the restricted data set for your project. (A future version of the File Transfer Gateway will allow the PI of the project to require secondary disclosure approval each time a user attempts to export a file.) All login and file transfer activity is logged within the File Transfer Gateway.

Users working on separate Research Virtual Desktops may securely share files with other SCRE users by uploading files into shared group folders within the File Transfer Gateway. To request creation of a shared group folder, please use the Modification Request for SCRE Research Virtual Desktop form and specify the usernames of the researchers, along with a preferred shared group name.

There are several different ways to access the File Transfer Gateway web application, depending on which action you want to perform.

To transfer files to/from your local computer:

To transfer files to/from your Research Virtual Desktop's Z: Encrypted Volume:

  • Log into your SCRE Research Virtual Desktop through the SCRE web portal, then open Internet Explorer or Firefox. The File Transfer Gateway is the default homepage.
     

Logging into the File Transfer Gateway

The File Transfer Gateway also uses multi-factor authentication. To log in, first enter your UCSB NetID/Password. Next, complete the Duo Security authentication (the same as used for Portal authentication).

Once logged in, you will be presented with a Home menu. Here, you can choose to upload a file (from your local computer -or- from your SCRE Research Virtual Desktop Encrypted Volume) or to download an existing file (to your local computer -or- to your SCRE Research Virtual Desktop). 


File Upload

To upload a file, first select the File Sharing Group that you would like to share the file with. In most cases, this will be your default group, "username_share". (You may have access to additional File Sharing Groups with other users on your project, as well.) Then select the file on your local desktop or SCRE Virtual Desktop Z: Encrypted Volume that you want to upload.
 

Click the green "Add file" button. Repeat this process to select multiple files for upload. Click the blue "Start upload" button to begin the upload. You may pause the upload by clicking the orange "Pause" button. (Do not click the back or refresh buttons while the upload is processing.) A green checkbox will display next to each file as its upload completes. All uploaded files have SHA1 checksums calculated and recorded, and are scanned for viruses before they are written to the File Transfer Gateway.

File Download and File Management

NOTE: If your restricted data provider allows export of files, your File Sharing Group will have permission to download (export) files to a local computer. By default, file downloads are only allowed from inside the SCRE, to a SCRE Research Virtual Desktop.

To download a file, log in to the SCRE File Transfer Gateway and click on the Downloads button to take you to the Downloads page. Then, click on the blue "cloud/arrow" icon next to the filename you wish to download. You will be prompted to choose a save location on the local computer (your SCRE Research Virtual Desktop). In most cases, files should be saved to the Encrypted Volume (Z:).

On the Download page, you may also delete stored files in your Group by clicking the red "X" icon next to the filename. Orphaned files (those that are uploaded but have not been manually deleted) are automatically deleted after 7 days.
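
The upload section notes that the gateway records a SHA1 checksum for each file. The following is an added example, not part of the SCRE service or this guide's original text: a user-side check that files arrived on the Encrypted Volume unchanged. The function names, the manifest filename and the folder paths are hypothetical, and it assumes PowerShell with Get-FileHash is available on both the sending machine and the Research Virtual Desktop.

```powershell
# Added example (hypothetical helper names). SHA1 is used to mirror the
# gateway's checksum; it detects corruption in transit, not deliberate tampering
# by someone who can also edit the manifest.

function New-TransferManifest {
    # Run on the sending side, before upload. Upload the manifest with the files.
    param(
        [Parameter(Mandatory)] [string] $Folder,
        [string] $ManifestName = 'transfer-manifest.csv'
    )
    $manifest = Join-Path $Folder $ManifestName
    Get-ChildItem -LiteralPath $Folder -File |
        Where-Object { $_.Name -ne $ManifestName } |
        ForEach-Object {
            $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA1
            [pscustomobject]@{ Name = $_.Name; Length = $_.Length; SHA1 = $h.Hash }
        } |
        Export-Csv -LiteralPath $manifest -NoTypeInformation -Encoding UTF8
    return $manifest
}

function Test-TransferManifest {
    # Run on the receiving side, after downloading the files and the manifest.
    param(
        [Parameter(Mandatory)] [string] $Folder,
        [string] $ManifestName = 'transfer-manifest.csv'
    )
    $rows = Import-Csv -LiteralPath (Join-Path $Folder $ManifestName)
    foreach ($row in $rows) {
        $path = Join-Path $Folder $row.Name
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            $status = 'MISSING'
        } else {
            $actual = (Get-FileHash -LiteralPath $path -Algorithm SHA1).Hash
            $status = if ($actual -eq $row.SHA1) { 'OK' } else { 'MISMATCH' }
        }
        [pscustomobject]@{ Name = $row.Name; Status = $status }
    }
}

# Constructed usage (paths are placeholders):
#   New-TransferManifest  -Folder 'C:\outgoing'     # before upload
#   Test-TransferManifest -Folder 'Z:\incoming'     # after download to Z:
```

Any row reported as MISSING or MISMATCH means the file should be transferred again before it is used.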

File Sharing Group Administration

File Sharing Groups are administered by the group administrator (usually the project PI). This administrator may add and remove other registered SCRE users from the File Sharing Group that they own. They may also enable Export of files from the group (where allowed by the restricted data provider), as well as Secondary Approval for File Export (where required by the restricted data provider).

File Export Secondary Approval

Some projects' restricted data providers may require secondary approval of the PI before files related to the project are allowed to be Exported (downloaded to computers) outside of the SCRE. If this feature is enabled for a File Sharing Group, when a user attempts to export a file, the file is uploaded and held for approval. Then an email is sent to the File Sharing Group's administrator, notifying them that a file requires approval, and that they must log in to the File Transfer Gateway to approve the file for Export. The file is held until the File Sharing Group's administrator approves or denies the file for Export. Once it is approved, it can be downloaded (Exported) outside of the SCRE.

Virus Scanning of Files

All files are scanned for viruses at the time of upload.  If a virus is detected in an upload, the SCRE File Transfer Gateway administrator will be notified and the file will be deleted.

Logout

The File Transfer Gateway has a session idle timeout of 15 minutes. To manually log out of the File Transfer Gateway, click on the "Logout" button in the upper right corner of your browser window.

Saving Data within the Research Virtual Desktop

The Z:\ drive (“Encrypted Volume”) is your working area where all restricted data, any copies and all application TMP files should be stored. For security reasons, do not store files anywhere else on the C:\ filesystem.

If permitted by the restricted dataset provider, and specified at the time of your initial Research Virtual Desktop creation request, the Z:\ drive can be backed up on a regular basis. Files stored on other volumes (C:\ ) will NOT be backed up and could be erased between sessions. For questions about restricted dataset backup, please contact us at scre-support@lists.ets.ucsb.edu.

Troubleshooting problems within the SCRE

Encrypted Volume didn't mount

If, for some reason, your Encrypted Volume does not mount properly at login time, or you enter an incorrect password, you may be automatically logged out. Try logging in again and re-entering your Encrypted Volume password. If you still receive an error message, contact us at scre-support@lists.ets.ucsb.edu.

Internet Access

Direct access to the internet is not allowed from any SCRE Research Virtual Desktop. Proxied access to whitelisted internet sites is allowed only for explicitly-permitted software and antivirus updates within the environment.

For other questions or problems regarding your SCRE Research Virtual Desktop, contact us at scre-support@lists.ets.ucsb.edu.

Service Outages

The “deferred maintenance window” for the SCRE occurs on the 2nd Tuesday of each month between 7-10pm. There may be outages of various aspects of the service during this time period, as operating system and software updates are applied and systems are restarted. Additionally, SCRE Research Virtual Desktops that have elected for weekly backups will be inaccessible between 12 midnight and 5am every Sunday morning, resulting in limited accessibility. Any other SCRE maintenance actions outside of these windows will be announced to the SCRE Customer Mailing List (scre-customers@lists.ets.ucsb.edu).
 

Exiting the SCRE

Idle Timeouts

To meet restricted data provider requirements, each SCRE Research Virtual Desktop has an Idle Timeout of 25 minutes. If you do not perform any action within that time period, your session with the Remote Desktop will be terminated and you will be taken back to the Portal bookmark page.

Additionally, the SCRE File Transfer Gateway has an Idle Timeout of 15 minutes. If you are inactive during that time period, you will be automatically logged out of the File Transfer Gateway.

Finally, the SCRE Portal website has an Idle Timeout of 30 minutes. If you are inactive during that time period, you will be automatically logged out of the Portal.

Leaving your Research Virtual Desktop Session

If you need to leave Applications open within your Research Virtual Desktop for processing, then you will need to leave your account logged in but simply terminate your Session. Any open Applications will continue to run, your Encrypted Volume will stay attached, and you can resume activity right where you left off, during your next Session. To do this, go to the Portal Toolbar in the upper right hand corner of your browser window and click on the Home icon. This will take you back to the Portal Bookmarks page.

Log Out of your Research Virtual Desktop

If you do not need to leave any Applications or processes running, the easiest way to leave your Research Virtual Desktop is to go to the Windows Start Menu in the bottom left corner and click the arrow next to “Log Out”. This will log you out of your Research Virtual Desktop, detach your Encrypted Volume, and terminate any running Applications.

SCRE Portal Logout

From the Portal Bookmarks page, click the Sign Out button at the top right menu of the screen to exit the SCRE. Close your web browser to remove all Cookies and ensure security of your credentials and data.