Secure Data Servers at SSRI
Over the last few years, there has been an increasing interest in using restricted data sets for research at Penn State. While a number of solutions for storing such data exist, we have settled on offering three basic scenarios. They are described from least to most restrictive. The offerings below are described in terms of a Microsoft Windows setup, but Unix or Linux could be used as the OS as well.
Level 1 Security - Basic file server with restricted permissions.
Data stored under this scenario is kept on one of the shared data servers. All of the data is saved under a folder that has restrictive file and folder permissions; these folders are limited to individual access or group access. Backups of this data occur automatically with the regular backup schedule. Access to the server is restricted to direct connections from the main Penn State campus; it can be reached from off campus only through the university's VPN.
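The following is an added example, not a script from SSRI, of how the restrictive folder permissions for a Level 1 folder can be set on an NTFS file server with PowerShell. The folder path and the group name `PSU\ProjectA-Members` are assumptions for illustration. The folder stops inheriting permissions from the share root, so that broad rights granted higher up (for example Read for all users) do not reach the project data, and only the project group, the local administrators and SYSTEM (for backup and antivirus agents) are granted access.

```powershell
# Added example: restrict an NTFS project folder to one project group.
# Assumed values: the folder path and the group name below.
$Folder = 'D:\RestrictedData\ProjectA'       # assumed path
$Group  = 'PSU\ProjectA-Members'             # assumed project group

if (-not (Test-Path $Folder)) {
    New-Item -ItemType Directory -Path $Folder | Out-Null
}

$acl = Get-Acl -Path $Folder

# Protect the folder from inheritance and drop the inherited entries, so rights
# granted on the share root do not leak into the restricted folder.
$acl.SetAccessRuleProtection($true, $false)

# Remove any explicit (non-inherited) entries that may already be present.
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $acl.RemoveAccessRule($rule) | Out-Null
}

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None

# Local administrators keep full control so the computing staff can manage the data.
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Administrators', 'FullControl', $inherit, $prop, 'Allow')))

# SYSTEM is required by the backup agent and antivirus.
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'NT AUTHORITY\SYSTEM', 'FullControl', $inherit, $prop, 'Allow')))

# The project group gets Modify (read, write, delete) but may not change permissions.
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group, 'Modify', $inherit, $prop, 'Allow')))

Set-Acl -Path $Folder -AclObject $acl

# Verify the result: only the three entries above should appear, none inherited.
(Get-Acl -Path $Folder).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited, AccessControlType |
    Format-Table -AutoSize
```

Run the script as a local administrator on the file server. The verification listing at the end should show exactly three entries with `IsInherited` equal to `False`; any other entry indicates that the folder is still reachable by a principal outside the project.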
Level 2 Security - Data server with restricted access.
This scenario calls for an independent server that holds only the data set or project data of a single project. The only individuals who have access to the server are those who are on the project contract. All data, applications, and programs are on this server. Typically the server is not backed up (by contract).

Individuals access the server using Remote Desktop and Windows Terminal Services (WTS). This allows individuals to work on the computer from their university offices (or from home, if allowed by the contract). No data transits the network, only the screen images of the individual's session. These sessions are encrypted with RSA RC4. We set the encryption level to High, which encrypts both the data sent from client to server and the data sent from server to client using a 128-bit key. These servers are not file servers, so no folders are shared and access is restricted to WTS.

In addition, Symantec AntiVirus is installed and running on a Level 2 server. The system is patched on a regular basis using Windows Update. Physical access to the server is restricted to the professional computing staff, and the server is stored in one of several locked server rooms. The server is behind a firewall, so it cannot be reached from outside the building unless the individual's IP address has been added to the firewall filter.
Individual data contracts may allow for remote printing of data, individual uploading and downloading of files, and backups of data or programs. We allow or disallow these services based on the data agreement.
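As an added example, not part of the SSRI page or its own tooling, the PowerShell audit below checks a Level 2 server for the properties described above: a Remote Desktop encryption level of High or better, no shared folders beyond the default administrative shares, and inbound RDP firewall rules scoped to specific client addresses rather than to any address. It assumes Windows 8 / Server 2012 or later for the `Get-SmbShare` and `NetSecurity` cmdlets and reads the standard `RDP-Tcp` registry values; the allowed client range in `$AllowedClients` is a constructed placeholder. On current Windows the RDP session is normally protected by TLS (the `SecurityLayer` value), and the legacy `MinEncryptionLevel` only governs the older RDP security layer, so the script reports both.

```powershell
# Added example: audit a Level 2 data server for the controls described on the page.
# Assumes Windows 8 / Server 2012 or later. $AllowedClients is a constructed placeholder.
$AllowedClients = @('192.0.2.0/24')   # constructed documentation range, not a real policy

$findings = @()

# 1. Remote Desktop encryption settings from the RDP-Tcp listener.
#    MinEncryptionLevel: 1 = Low, 2 = Client Compatible, 3 = High (128-bit both ways), 4 = FIPS.
#    SecurityLayer:      0 = legacy RDP security layer, 1 = Negotiate, 2 = TLS.
#    UserAuthentication: 1 = Network Level Authentication required.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$rdp = Get-ItemProperty -Path $rdpKey

if ($rdp.MinEncryptionLevel -lt 3) {
    $findings += "RDP MinEncryptionLevel is $($rdp.MinEncryptionLevel); expected 3 (High) or 4 (FIPS)"
}
if ($rdp.SecurityLayer -lt 1) {
    $findings += "RDP SecurityLayer is 0 (legacy RDP encryption only); expected Negotiate or TLS"
}
if ($rdp.UserAuthentication -ne 1) {
    $findings += "RDP Network Level Authentication is disabled (UserAuthentication=$($rdp.UserAuthentication))"
}

# 2. No file sharing: only the default administrative shares (ADMIN$, IPC$, C$ ...) may exist.
$extraShares = Get-SmbShare | Where-Object { $_.Name -notmatch '^(ADMIN\$|IPC\$|[A-Z]\$)$' }
foreach ($share in $extraShares) {
    $findings += "Unexpected file share '$($share.Name)' exposing $($share.Path)"
}

# 3. Inbound firewall rules that open TCP 3389 must be scoped to named remote addresses.
$rdpRules = Get-NetFirewallRule -Enabled True -Direction Inbound |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' }

if (-not $rdpRules) {
    $findings += "No enabled inbound firewall rule for TCP 3389 found; RDP access may be unmanaged"
}
foreach ($rule in $rdpRules) {
    $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    if ($remote -contains 'Any') {
        $findings += "Firewall rule '$($rule.DisplayName)' allows RDP from Any; expected only $($AllowedClients -join ', ')"
    }
}

# Report.
if ($findings.Count -eq 0) {
    'PASS: Level 2 server checks satisfied'
} else {
    $findings | ForEach-Object { "FAIL: $_" }
}
```

Run the audit from an elevated PowerShell session on the server itself. Each `FAIL` line names the control that has drifted from the Level 2 description, so the script can be scheduled after each Windows Update cycle to catch a share or firewall rule that was added during maintenance.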
Level 3 Security - Stand-alone computer
This is the most secure level of computing; however, it has the highest cost in terms of access and resources. The computer systems under this scenario are typically in a locked room accessible only by project members. The computers are not connected to any network and are password protected. Backups are typically forbidden.
This scenario typically results in less use of the data because of the physical requirement of being in the data room. Project members have to travel to the secure data room and typically do not have access to the other networked resources they need. There is also the additional expense of a room dedicated to the secure data server.
Last modified: 07/15/09