Built-in technical controls#

Each secure research environment (SRE) belongs to one of five project sensitivity tiers. Depending on which tier a particular SRE belongs to, the following technical security controls are applied by default. Most of these controls can be relaxed or tightened by the System Manager if a particular SRE requires it.

Applicable to all SREs#

Accounts#

  • Researchers must use a dedicated Data Safe Haven account to log in.

  • These accounts are created by a System Manager and are separate from any credentials used to access other services.

  • Access to any particular SRE is further controlled through membership of a security group associated with that project.

  • Only System Managers are able to assign users to groups.

Authentication#

  • Researchers access the SRE by connecting over TLS (HTTPS) to the Remote Desktop Gateway.

  • Authentication to the Remote Desktop Gateway requires all of:

    • username

    • password

    • multi-factor authentication (phone call or phone app notification)

Remote connections:#

  • Authenticated Researchers must use an HTML5 web application running on the Remote Desktop Gateway to connect to the SRE.

  • SRE resources are available through an in-browser desktop.

Custom software#

  • Researchers are not provided with any administrative rights that would allow them to install their own software.

  • Researchers may install libraries into their own user space, for example packages from the PyPI or CRAN repositories, subject to the tier-specific package availability rules below.

Data access#

  • Data is stored in Azure storage, which only System Managers can access from outside the environment.

  • Researchers have read-only access to the data and only from inside the environment.

Infrastructure access#

  • System Managers are the only people able to make changes to infrastructure.

Tier-specific#

Caution

Tier 4 defaults are not discussed below as such environments are not currently supported by the Data Safe Haven.

Important

While Tier 0 and Tier 1 are discussed below, at the Alan Turing Institute we do not generally use our Data Safe Haven for Tier 0 or Tier 1 environments. While SREs can be configured as Tier 0 or Tier 1, we generally favour supporting researchers to apply sensible controls on organisational devices and standard cloud resources for such lower sensitivity projects.

Inbound connections#

Whether access to the gateway is restricted to defined IP addresses, associated with specific networks at the host organisation or its partner institutes, depends on the tier:

  • Tier 3: Access is restricted to a defined set of IP addresses. At the Alan Turing Institute, we permit access only from a restricted set of networks, which are accessible only by a known subset of Researchers.

  • Tier 2: Access is restricted to a defined set of IP addresses. At the Alan Turing Institute we permit access only from institutionally managed networks, which will generally be accessible to Researchers not authorised to access the Data Safe Haven and might also be accessible to non-Researchers.

  • Tier 0 and Tier 1: Access is permitted from any IP address by default. At the Alan Turing Institute we do not generally use our Data Safe Haven for Tier 0 or Tier 1. Organisations choosing to do so may wish to consider only allowing inbound internet access from a specific range of networks Researchers are known to work from.

Caution

Having no restrictions on which IP addresses can connect to the gateway increases the risk of external attacks, many of which may be untargeted but might still result in a degradation of service.
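The inbound rule above is an allowlist of source addresses keyed by tier, with Tier 0 and Tier 1 defaulting to "any". The following is an added example, not Data Safe Haven code, showing how such a check is evaluated so that it fails closed: unknown tiers (including Tier 4), unparseable addresses and IPv4-mapped IPv6 peers are all handled explicitly. The network ranges are constructed placeholders drawn from the RFC 5737 documentation prefixes and stand in for an institution's managed networks.

```python
"""Evaluate an inbound connection to the gateway against per-tier address allowlists.
Added example, not part of the Data Safe Haven; network ranges are constructed."""
import ipaddress
from typing import Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed ranges (RFC 5737 documentation prefixes), not real institutional networks.
# None means "any source address", which is the Tier 0 / Tier 1 default described above.
TIER_ALLOWED_NETWORKS = {
    3: ["192.0.2.0/28"],                     # restricted network, known subset of Researchers
    2: ["192.0.2.0/24", "198.51.100.0/24"],  # institutionally managed networks
    1: None,
    0: None,
}


def _parse_client_ip(addr: str) -> Optional[IPAddress]:
    """Parse a client address, returning None if it is not a valid IP literal.

    IPv4-mapped IPv6 addresses (::ffff:192.0.2.5) are unwrapped to the embedded
    IPv4 address; otherwise a dual-stack front end handing over mapped peers
    would sidestep an IPv4-only allowlist.
    """
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return None
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def inbound_allowed(tier: int, client_ip: str, allowed=TIER_ALLOWED_NETWORKS) -> bool:
    """Return True if a client at client_ip may reach the gateway for an SRE of this tier.

    Anything not positively matched is denied: tiers with no entry (e.g. Tier 4),
    malformed addresses, and addresses outside every listed network.
    """
    if tier not in allowed:
        return False
    networks = allowed[tier]
    if networks is None:
        return True
    ip = _parse_client_ip(client_ip)
    if ip is None:
        return False
    # strict=True rejects a misconfigured prefix such as 192.0.2.5/24 rather than
    # silently widening it to 192.0.2.0/24.
    return any(ip in ipaddress.ip_network(net, strict=True) for net in networks)


if __name__ == "__main__":
    for tier, ip in [(3, "192.0.2.5"), (3, "192.0.2.20"), (2, "192.0.2.20"), (0, "203.0.113.7")]:
        print(f"tier {tier} from {ip}: {'allow' if inbound_allowed(tier, ip) else 'deny'}")
```

The same data structure can be fed to whatever enforces the rule in practice (a cloud firewall or network security group), but keeping the evaluation in one testable function makes it straightforward to confirm that a Tier 3 allowlist does not quietly admit a Tier 2 network.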

Outbound connections#

  • Tier 2 and Tier 3: Outbound internet access from the SRE is blocked by network-level rules.

  • Tier 0 and Tier 1: Outbound internet access from the SRE is permitted.

User devices:#

  • Tier 3: At the Alan Turing Institute we only permit Researchers to connect to Tier 3 environments from a device managed by the Alan Turing Institute or a partner organisation. Researchers must not have administrator access on such devices, the devices must have antivirus software installed, and software on the devices must be regularly updated. At the Alan Turing Institute we have a restricted network that only permits access from Turing-managed devices. When permitting access to Tier 3 environments from partner networks we require that they can similarly restrict access to devices they manage.

  • Tier 0 to Tier 2: Researchers can connect from their own devices.

Physical security:#

  • Tier 3: Researchers must only connect from dedicated medium security spaces with access restricted via card access or other means and the risk of unauthorised people viewing the user’s screen must be controlled (e.g. by device location, screen adaptation or desk partitions). At the Alan Turing Institute access is limited to such areas by policy. A Researcher’s home or non-Turing office may be considered a medium security space if sufficient care is taken to avoid unauthorised people, such as family or colleagues, viewing the user’s screen.

  • Tier 0 to Tier 2: Researchers can connect from anywhere.

Data transfer from user device#

  • Tier 2 and Tier 3: Copy-and-paste and file transfer between the SRE and the Researcher’s device are disabled.

  • Tier 0 and Tier 1: Copy-and-paste between the SRE and the Researcher’s device is enabled, but file transfer is not possible for non-administrators.

Note

Where copy-and-paste is disabled, this also means that, for example, password managers cannot be used to autofill a Researcher’s SRE login credentials.

Sign-off on bringing data into the environment:#

Sign-off on bringing data out of the environment:#

Sign-off on adding new users:#

Sign-off on bringing external code/software into the environment:#

Python/R package availability:#

  • Tier 3: A pre-agreed allowlist of packages from CRAN and PyPI (via proxy or local mirror).

  • Tier 2: Anything on CRAN or PyPI (via proxy or local mirror).

  • Tier 0 and Tier 1: Direct access to any package repository.
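Enforcing the Tier 3 allowlist at the proxy or mirror has one detail the list above does not spell out: PyPI project names are compared after PEP 503 normalisation (case-insensitive, with runs of `-`, `_` and `.` treated as equivalent), whereas CRAN package names are case-sensitive. The following is an added example, not Data Safe Haven code, of a decision function that applies the three tier defaults and handles that normalisation; the allowlist contents and the requirement strings are constructed.

```python
"""Decide whether a package request should be served, following the tier defaults above.
Added example, not part of the Data Safe Haven; allowlist contents are constructed."""
import re

# Constructed Tier 3 allowlist, as it might be agreed before a project starts.
TIER3_ALLOWLIST = {
    "pypi": {"numpy", "pandas", "scikit-learn"},
    "cran": {"data.table", "ggplot2"},
}

# Repositories reachable through the proxy/mirror in Tier 2 and Tier 3.
MIRRORED_REPOS = ("pypi", "cran")


def normalise_pypi(name: str) -> str:
    """PEP 503 name normalisation.

    Without this, an allowlist entry of 'scikit-learn' would not match a
    request for 'Scikit_Learn', even though PyPI treats them as the same project.
    """
    return re.sub(r"[-_.]+", "-", name).lower()


def split_requirement(requirement: str) -> str:
    """Return the bare package name from a requirement such as 'pkg[extra]>=1.2; python_version>"3"'.

    The name ends at the first extras bracket, version operator, marker separator or space.
    """
    return re.split(r"[\[<>=!~;\s]", requirement.strip(), maxsplit=1)[0]


def package_allowed(tier: int, repo: str, requirement: str, allowlist=TIER3_ALLOWLIST) -> bool:
    """Apply the per-tier package availability defaults.

    Tier 0/1: any repository.  Tier 2: anything on the mirrored CRAN/PyPI.
    Tier 3: only pre-agreed names on the mirrored CRAN/PyPI.  Anything else fails closed.
    """
    repo = repo.lower()
    name = split_requirement(requirement)
    if not name:
        return False
    if tier in (0, 1):
        return True
    if repo not in MIRRORED_REPOS:
        return False
    if tier == 2:
        return True
    if tier == 3:
        if repo == "pypi":
            allowed = {normalise_pypi(p) for p in allowlist["pypi"]}
            return normalise_pypi(name) in allowed
        return name in allowlist["cran"]  # CRAN names are case-sensitive
    return False  # Tier 4 or an unknown tier


if __name__ == "__main__":
    for tier, repo, req in [(3, "pypi", "Scikit_Learn[extra]>=1.0"), (3, "pypi", "requests"),
                            (3, "cran", "GGPLOT2"), (2, "npm", "lodash")]:
        print(f"tier {tier} {repo} {req!r}: {'allow' if package_allowed(tier, repo, req) else 'deny'}")
```

The function is only the decision step; the Tier 2 and Tier 3 outbound block described earlier is what stops a Researcher from bypassing the mirror by pointing a package manager at the upstream index directly.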