myDRE is a solution for organizations employing researchers. The anDREa myDRE provides secure collaboration workspaces primarily for processing and analyzing data in a research context as can be found in University Medical Centers (UMCs).
myDRE is provided as-a-Service to any organization having a Microsoft Azure billing contract.
Data processed and/or analyzed in the workspaces, though not always sensitive if exposed to the outside world, should only be accessed and/or changed by authorized users and/or processes. Hence the importance of information security.
Information security is the practice of protecting information by mitigating information risks. It is part of information risk management. It typically involves preventing or at least reducing the probability of unauthorized/inappropriate access, use, disclosure, disruption, deletion/destruction, corruption, modification, inspection, recording or devaluation, although it may also involve reducing the adverse impacts of incidents. Information may take any form, e.g. electronic or physical, tangible (e.g. paperwork) or intangible (e.g. knowledge).
Information security's primary focus is the balanced protection of the confidentiality, integrity and availability of data (also known as the CIA/BIV triad) while maintaining a focus on efficient policy implementation, all without hampering organization productivity. This is largely achieved through a structured risk management process that involves:
- Identifying information and related assets, plus potential threats, vulnerabilities and impacts;
- Evaluating the risks;
- Deciding how to address or treat the risks i.e. to avoid, mitigate, share or accept them;
- Where risk mitigation is required, selecting or designing appropriate security controls and implementing them;
- Monitoring the activities, making adjustments as necessary to address any issues, changes and improvement opportunities.
Analysis of the need
For various activities, primarily but not limited to (medical) (scientific) research, it is necessary to receive, process, and analyze in a safe (collaborative) environment and/or further egress data. This (collaborative) environment is further referred to in the document as a Workspace.
The term Tenant in this document refers to the organization that has entered into an agreement with anDREa. anDREa-consortium develops, manages and maintains the myDRE as an environment to create Workspaces; Workspace-as-a-Service.
The Workspaces are created and managed by anDREa-consortium within the subscription(s) created by the Tenant on its own part of Microsoft Azure and made available to anDREa.
The Workspace is the responsibility of one person who has the role Accountable. This person is a) employed by the Tenant in whose subscription the Workspace is located, and b) mandated by the Tenant to request and use Workspaces. The Accountable determines the purpose, who can access when in what role, what Azure Resources can be used, what tooling and options can be used and who can do data egress.
The Workspace is data agnostic and by default, the data used is located in the Workspace. The data in a workspace can be from a few Megabytes to Terabytes in size. From images to unstructured and structured data. From public to business logistical to privacy-sensitive data. This is up to the Accountable. anDREa-consortium is a processor in this regard.
To ensure the integrity and confidentiality of the data / IP, and cost control only authorized persons and processes should have access to the specific meDRE Workspace; for data ingress, processing, analysis and egress.
By default, there are no automated links to or from servers outside the myDRE Workspace. By default, it is also not possible to access the internet from an myDRE Workspace for direct ingress or egress of data.
Users of a requested myDRE Workspace are:
- At least one person associated with and mandated by the Tenant (Accountable), and/or
- Employed by the Tenant, and/or
- People external to the Tenant
The myDRE Workspace must be accessible from anywhere in the world.
It is up to the Accountable to comply with the Tenant's policy prior to commissioning a Workspace, which may require a CIA classification for the specific use. The implementation and supervision for obtaining a CIA classification are up to the Tenant.
There is no (inter)dependence of the Workspaces.
The myDRE Workspace can contain confidential information. Violation of confidentiality will lead to repair costs (improving security, communication activities, etc.). Those involved will have to be informed about this. Potential financial consequences are expected in the event of a breach of confidentiality, due to the reporting of a data breach. Image damage will occur to the Tenant if the confidentiality is breached.
Incorrect and/or incomplete information in the myDRE Workspace means extra work for the employees involved. Potentially wrong data is used, but this is overcome by quality control, which is a standard method for many studies, after data ingress, processing, and/or analysis and before egress.
Via a self-service principle, members can restore data that was on the data share up to 30 days ago. It is not possible to overwrite data during an upload, uploaded data comes in a separate time-stamped folder, which also makes it possible to check the upload. It is traceable who has uploaded the data and when. Only members of a Workspace can upload data. Financial consequences or claims for the Tenant as a result of incorrect and/or incomplete functioning of the myDRE are not expected. There will be limited damage to the image of the Tenant. A loss of up to 24 hours of data is acceptable if it has been available in rolling increment for the past 20 days.
myDRE unavailability means that the data in the Workspace is not accessible, cannot be processed and cannot be analyzed. No direct financial consequences are expected in the event of short-term, infrequent failures. Damage to the Tenant will result from a long-term or repeated failure of myDRE due to non-fulfilment of contracts with customers and delays in scientific collaborations. A maximum outage of 3 working days is acceptable.
Classification of the required work in the myDRE Workspace
Based on the consequences mentioned in the previous chapter and there is no (inter)dependence of the Workspaces. The myDRE Workspace is classified for work that requires.
The maximum allowable outage duration of the myDRE, (the period within which the information system must be operational again after an incident/calamity occurs) is 3 working days. The maximum permissible data loss of the data is 1 working day.
When a higher classification is needed
If a higher classification is required for a specific workspace, it is the responsibility of the workspace accountable to ensure the higher requirements are demonstrably implemented and maintained. If possible, the Core Support Team will assist in implementing the higher requirements for that specific workspace via non-standard change or project request.
Confidentiality HIGH implies:
- Every login requires MFA, also on-premise
- Role-Based Access
- Data encryption in-transit and at-rest
- Data can only be extracted from a Workspace with authorization
- No production data is being used for testing
- Each workspace has its own encryption key stored in the key vault
- No data is stored on local devices except for extracted data
- Physical access to storage and compute and destruction is highly regulated Microsoft Azure data center Policies
Integrity of data MEDIUM implies:
- Check on data ingest done by the executor is sufficient, it is assumed that there is:
- No need for ingest to be checked by 2nd executor
- No need for authorization on the mutation of data
- Correction response time is 1 workday, it is assumed there is:
- No need for immediate recovery after an issue is ascertained
- (if self-service restore of snapshot is not sufficient)
Availability MEDIUM implies:
- 30 day running daily read-only snapshot of the data share, it is assumed that there is
- No need to mirroring data in a different data center
- No need to backup VMs, because
- The workspace data share is independent of a VM
- Losing a VM has no impact on the data stored on the data share
- Microsoft Azure has a high availability
- VMs can relatively quickly be restored with necessary applications
- Image gallery that allows for self-service creation of VM images will be available in the near future
- Costs are not justified by the numbers thus far
Threats and vulnerability analysis
Data encryption in-transit (sha256RSA)
Research Support, Accountable or Privileged Member invites the wrong person.
Always copy/paste the @mydre.org username from the ticket or email, verify after adding and remove if alternate email address is not correct. Ask for Login, VM access or Data Requests logging when in doubt.