Research Computing

The Secure Research Environment (SRE) is a university virtual environment designed to safeguard sensitive research data through secure cloud infrastructure, unlike the local desktop setup of the current UMB research computing environment. Its use reduces the risk of data misuse or unauthorized access.

 

Definition of Terms Used in this Document 

Term

Definition

AVD

Azure Virtual Desktop - the virtual environment that SRE uses

Azure infrastructure

Microsoft’s cloud platform; an evolving collection of integrated cloud services spanning compute, data storage, and software applications

Cloud computing

The delivery of computing services—including servers, storage, databases, software, and analytics—over a computer network

Data steward

Person responsible for ensuring the quality, security, and fitness of the data for the purpose of the research

Egress of data

The output flow of research results

Epic

The medical data repository UMMS uses for research data

Faculty researcher

The UMB faculty member sponsoring the research project, often the Principal Investigator. The data and SRE requestor must be a faculty researcher.

HIPAA

Health Insurance Portability and Accountability Act - a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge

Honest broker

The data steward for the owner of research data who acts to collect and provide that data to research investigators

ICTR

Institute for Clinical & Translational Research

IHC

Institute for Health Computing - leverages advances in network medicine, artificial intelligence (AI), and machine learning to create a premier learning health care system that evaluates both de-identified and secure digitized medical health data to improve outcomes for patients across the state of Maryland

Ingress of data

The input of research data used for analyses

Intellectual Property (IP)

Creations of the mind such as research work or collections of data analyses

PHI

Protected Health Information - a.k.a. personal health information. Examples include:

•Names

•Geographic subdivisions smaller than a state (Note: this includes ZIP code)

•Elements of dates (except year)

•Ages over 89

•Telephone numbers

•Vehicle identifiers and serial numbers, including license plate numbers

•Fax numbers

•Device identifiers and serial numbers

•Email addresses

•Web Universal Resource Locators (URLs)

•Social security numbers

•Internet Protocol (IP) addresses

•Medical record numbers

•Biometric identifiers, including finger and voice prints

•Health plan beneficiary numbers

•Full-face photographs and any comparable images

•Account numbers

•Any other unique identifying number, characteristic, or code

•Certificate/license numbers

PI

Principal investigator - the main researcher on a project

PII

Personally Identifiable Information - information that, when used alone or with other relevant data, can identify an individual. Examples include an individual’s first name or first initial and last name in combination with any one or more of these data elements:

• Social Security number, an Individual Taxpayer Identification Number, a passport number, or other identification number issued by the federal government

• A driver’s license number or State identification card number

•An account number, a credit card number, or a debit card number, in combination with any required security code, access code, or password, that permits access to an individual’s financial account

•Health information, including information about an individual’s mental health, Medical Record Number

•A username or e–mail address in combination with a password or security question and answer that permits access to an individual’s e–mail account

RIC

Research Informatics Core – the group within the ICTR that administers the UMMS-controlled research data

Sensitive data

Revealing personal data such as health related data and other types that are not meant to be made public

SRE

Secure Research Environment

UMB

University of Maryland Baltimore

UMMS

University of Maryland Medical System

Guidebook for the Secure Research Environment (SRE)

Introduction

UMB prioritizes data security for health-related information and other sensitive personal data, such as Social Security numbers. The SRE has been established to protect this data and the intellectual property from research studies. It is mandatory for research involving sensitive data from the University of Maryland Medical System (UMMS) and recommended for other sensitive data projects. The SRE complies with HIPAA standards and other IT security policies for securing Protected Health Information (PHI) and Personally Identifiable Information (PII).

UMB Research Computing Environment

The SRE allows UMB faculty researchers to conduct research securely without relying on local computing resources. Data and software are accessible remotely and stored in a secure cloud infrastructure, minimizing the risk of data breaches and maximizing computational power. All while providing a familiar experience for the researcher(s) with a personalized environment, tailored to their needs.

Contact Information for SRE Access

Frequently Asked Questions

To learn more about the SRE, additional information can be found on the following FAQ pages: 

Appendicies

Appendix A: What is Microsoft Azure? 

Azure, Microsoft’s cloud platform, is an evolving collection of integrated Cloud Services spanning compute, data storage, and software applications.

Appendix B: What are the Benefits of Using Microsoft Azure? 

Reduced operational overhead.  No need to:

  • Dedicate physical space for computing equipment.
  • Monitor hardware health, manage firmware, and repair failed hardware.
  • Perform complex hardware replacements.
  • Size, purchase, house, & maintain:
    • Server and data storage equipment
    • Datacenter networking equipment
    • Complex datacenter network connectivity
    • Uninterruptible power supply (UPS) equipment and power feeds
    • Large, expensive HVAC equipment

Capacity

  • Azure has massive compute capacity, virtually unlimited computing resources that can scale as needs grow. We have the ability to quickly provision resources, such as servers, in extremely large quantities, use those resources for as long as necessary and immediately de-provision them when they are no longer required.  This model eliminates the need for over-provisioning resources to meet unknown future demands.

Agility

  • Virtual servers can be provisioned and deployed quickly, rather than taking weeks or months needed to procure and configure on-campus equipment.

Redundancy

  • Microsoft has 69 Azure geographic regions, which offers system redundancy across regions.
    • Traditional on-premises redundancy requires doubling hardware which must be maintained for just-in-case situations and sits mostly idle. Microsoft’s hardware infrastructure is fully redundant with the cost spread across all Azure customers to minimize the cost of infrastructure redundancy to UMB. This alleviates concerns related to the availability and disaster recovery of on-campus data centers.

Availability

  • The Microsoft agreement with University of Maryland, Baltimore (UMB) assures high availability, with an almost 100% Azure uptime/availability.

Sustainability

  • Shift UMB power consumption for computing to renewable energy sources.
    • Microsoft is dedicated to their increased use of green and renewable energy sources to power their datacenters. Microsoft has a commitment to sustainability, making a $1 billion investment in a climate fund; UMB computing power consumption and carbon footprint will be reduced by using Microsoft Azure

Security

  • IT security and data protection is enhanced by leveraging Microsoft’s personnel and sophisticated security tools. Microsoft has over 3,500 security experts who continually monitor sensitive data stored in Azure. Microsoft invests over $1 billion annually in IT security.

Cost

  • The pay-as-you-go model for the cloud infrastructure only requires paying for those services (compute and storage) that are used and consumed over a particular period of time. There is a reduced cost to run Windows computers in Azure due to the Master agreement that UMB has with Microsoft; and we achieve cost savings with the pay-as-you-use subscription model.

Partnerships

  • Microsoft also has an Innovation/Research focus, having established partnerships with the National Science Foundation and National Institutes of Health to provide computing resources to research organizations, e.g., STRIDES program (Science and Technology Research Infrastructure for Discovery, Experimentation & Sustainability).

Appendix C: What is Azure Virtual Desktop (AVD)? 

AVD is a Microsoft Azure-based system used for accessing the Azure Cloud infrastructure. With an Internet connection, it provides access to applications and data in Azure.  The hardware used for access does not need strong computing capabilities since that work is handled on the virtual end in Azure. 

Appendix D: What are the Benefits of using Microsoft Azure Virtual Desktop? 

  • The Azure Virtual Desktop (AVD) infrastructure is an important element in enhancing the security of data. AVD provides secure access to data stored in highly secured computing environments.
  • AVD provides direct access, after logging in, to the software that you need and to your file/data storage.
  • The presentation of AVD is very similar to logging in remotely to your desktop.
  • AVD accounts can be quickly created.
  • The computing resources within an AVD account can quickly scale to meet the computing needs of the user.
  • There is a reduction in physical server hardware and hardware maintenance costs.
  • There is no longer a need to buy and use costly, high-end computers.
  • AVD supports multiple computing endpoints: Windows, Apple, Chromebook, and Android.
  • There is a persistent user experience, where an individual can get access to applications and data at any time and from anywhere.

 

Appendix E: More About the Secure Research Environment (SRE) Security 

The University of Maryland, Baltimore (UMB) Secure Research Environment (SRE) is a centralized virtual environment designed to protect sensitive and restricted research data.  Secure virtual desktop environments and custom compute allow researchers to access sensitive data under a higher level of control and data protection. Data is segregated per research project and only accessible by the research team that is assigned to the enclave.

 

Azure Defender for Cloud helps keep your data and applications safe when you're using Microsoft's Azure cloud services. It scans for any suspicious activity or potential problems and takes action to prevent or address them, making your cloud environment more secure.  It will be enabled for all subscriptions as part of the deployment automation.

 

  • User authentication is configured to the existing UMB Azure active directory tenant and active directory service.
  • Private network access is isolated from existing UMB networks.
  • All access to the secure enclave resources will be via endpoints in AVD.
  • Monitoring, logging and reporting will be via Azure Log Analytics Workspace in the SRE Environment.
  • Approved data is brought in and out of project-specific secured enclaves via an Honest Broker/Data Steward.
  • Only de-identified data is allowed to leave the SRE environment.
  • Access to the public internet is blocked from within the SRE environment.
  • A NIST 800-171 compliance policy will be applied as a default to research subscriptions; research/funding source requirements may require NIST 800-53 to be applied in certain instances.
  • All Platform as a Service (PaaS) services will be deployed with private endpoints and public access disabled except where required.
  • Azure Cloud Security Posture Management is enabled.
  • Defender for Cloud Workload Protection enabled where required.