Researchers from a wide range of academic domains face an increasingly complex set of data use requirements to conduct research with "sensitive data." The requirements that constrain use of these data are imposed by a range of entities: charitable funding agencies, data providers, state and federal agencies, and university policy. Existing services to meet the needs of researchers working with sensitive data are helpful, but increasingly insufficient to meet growing demand. Unsurprisingly, much of the regulation surrounding this issue is driven by cybersecurity threats and the potential impact of a data breach, a phenomenon and trend that is rapidly and chaotically evolving. This Research IT Reading Group session will present a survey of the current state of data management and computational research with sensitive data on campus, and propose recommendations and a roadmap for new and updated services.
When: Thursday, 29 June from 12 - 1pm
Prior to the meeting, please review the following:
Presenting: Chris Hoffman, Rick Jaffe, Jason Christopher (Research IT/RDM)
Aaron Culich, Research IT
Anna Sackman, Library
Bill Allison, Campus CTO
Chris Hoffman, Research IT
Chris Paciorek, Statistics & BRC
Deb McCaffrey, Research IT
Ian Crew, bConnected - Box
Jason Christopher, Research IT
John Lowe, Research IT
Jon Hayes, bConnected
Kelly Rowland, Research IT
Maurice Manning, Research IT
Miles Lincoln, ETS
Morteza Faraji, Psychology
Perry Willett, CDL
Rick Jaffe, Research IT
Steve Masover, Research IT
Slides presentation (not transcribed; see draft slide deck link given above, prior to meeting)
6-mo project launched in January. Outcomes include a white paper, working group, draft guideline for classifying research data, etc., including recommendations for next steps.
RDM team has found some research teams on campus using data to which the 800-171 (NIST) standard applies; these teams must be compliant by Dec 2017.
Secure AEoD being proposed to address requirements on data expressed by DUAs, PL2-compliant, with a single admin for the secure environment (as opposed to shared management of this secure resource); RDM will work with other UC campuses to address 800-171 need (currently in conversation with colleagues at UC Davis). No solution currently for secure HPC; good news is that UC Davis is interested in a solution for this and might well end up working with us as we explore possibilities.
Jon H: Have begun discussion with Box, we're in ISP's queue for approval for using Box for secure data, expect this to begin to come under active consideration in August. Indiana and U Mich are using Box for sensitive data currently.
John L: What about Google?
Jon H/Ian: Haven't broached yet. They lag a bit in permission and ownership models, which makes that a little harder.
Jon H: SharePoint instance (CalShare) moving to Office365 cloud, a WIP. bConnected will take a significant service management role in this.
Chris P: How does data movement with Box work when restricted data is involved?
Chris H: Requirement is for computational resource to meet same requirements as storage, those under which data may be used.
Jon H: Looking at setting up a service that helps people make good decisions about what targets restricted data can be appropriately moved to.
Rick: old or ad hoc environments, expensive instruments that are bound to an old (e.g., Windows XP) machine -- sneaker-net to get data off the instrument.
Ian: definitely an issue that researchers don't want to ask for help because they fear that raising their profile will result in restrictions that they don't want to see imposed
Bill: considering how storage & other secure data services fit into campus cloud strategy, it makes sense to think of multiple layers of what's offered: hardware and software; people who hook that together; people who provide basic usage support; and more specialized support, e.g., for going the "last mile" to researchers vis-a-vis secure data services
Perry: Are all campuses going to have a need / offer something in this vein?
Chris H: All UC campuses see this as a need that needs to be addressed.