sciCOREmed: Secure Data Research Environment

 


sciCOREmed is a secure research platform offering a powerful computing environment in which users can transfer, store, manage and analyze sensitive research data.

It is designed to support research scenarios involving sensitive data (e.g. personal data protected by law):

sciCOREmed is operated by sciCORE, the Scientific Computing Centre of the University of Basel. It is one of the three nodes of the national BioMedIT network, collaborating closely with the partner nodes in Zurich (Leonhard Med, operated by the Scientific IT Services (SIS)) and Lausanne (SENSA, operated by the Core-IT / Vital-IT group (SIB)).

 

Usage

The sciCOREmed infrastructure is meant for researchers from institutions around Switzerland wishing to perform research with sensitive personal data in a secure research environment (secure project space).

Within our infrastructure users can:

 


 

sciCOREmed at a glance

 

Overview of a secure project space ("B-Space" or "tenant"). Image credit: biomedit.ch

 

Architecture Design of sciCOREmed

sciCOREmed provides a scalable OpenStack infrastructure with the aggregated compute power of a midsize high performance computing (HPC) system. It includes multi-CPU (central processing unit) and multi-GPU (graphics processing unit) compute nodes. The current data storage capacity at sciCOREmed is 30 TB in SSD storage and over 1 PB in NFS storage. sciCOREmed provides support for data encryption, secure backup, private cloud, and a high-performance computing (HPC) environment based on Slurm that leverages general-purpose compute and GPU nodes.

State-of-the-art software for data science and specialized tools for data management are provisioned alongside long-standing expertise in scientific IT support for research data management, bioinformatics, HPC and computational analysis.


 

Definitions

Secure Project Space (B-Space)

With secure project space we refer to the secure research environment (tenant) within which the project data is stored and where all research activities relating to the sensitive data take place. A tenant consists of a workspace in a private (virtual) network containing project-specific access, computing and data resources (storage) and protected by its own set of firewall rules. Tenants can be set up for any research process requiring a higher level of data security, e.g. for a dedicated project or for a research group that works with sensitive data on a daily basis. Collaborative tenants (shared across multiple groups) can also be established.

sciCOREmed tenants are accessible by 2-Factor Authentication, as implemented by the Swiss academic identity broker SWITCH Edu ID (https://www.switch.ch/edu-id/). The user is required to install the second factor of authentication (a smartphone app) according to the specifications of sciCORE. (The process and app will generally be as already implemented for other university services based on SWITCH Edu ID: https://www.switch.ch/edu-id/docs/services/login/two-step-login/)

sciCOREmed Roles

In collaboration with the BioMedIT network, we have defined user roles that will be attributed to the users of the sciCOREmed secure project space:

The User Roles are 1):

All the roles listed above are responsible for following the University of Basel IT rules for confidentiality of their personal identification and access information (e.g. passwords).

1) Adapted from the BioMedIT User Management SOP.

Data Provider 2)

A Data Provider in the BioMedIT sense is a hospital, data platform or other health-related institution that collaborates with a university research project to provide data to the project. It is also referred to as Data Controller in legal contexts like Data Transfer and Use Agreements (DTUA) or Data Transfer and Processing Agreements (DTPA).

2) Adapted from the BioMedIT Data Provider Management SOP.

 

Project creation

Project Leaders (PLs) who want to use sciCOREmed should send us a request at scicore-admin@unibas.ch, or through our Service Center.

Upon receipt of the request we will contact the interested party for a more detailed discussion regarding the project data and overall project needs. In this meeting we will collaboratively complete the sciCOREmed project onboarding form.

The information we require for onboarding a project clarifies, among others:

 

User accounts

In order to gain access to a sciCOREmed secure tenant, users are required to have a SWITCH eduID, enabled with 2 Factor Authentication. Information on the SWITCH eduID and instructions on how to create one can be found on the SWITCH website. Once a user has a SWITCH eduID account, linked to one of the SWITCH verified institutions, they can use their account to log in to the sciCOREmed or DCC BioMedIT portal and create a username.

Prior to accessing a sciCOREmed tenant, users are also required to accept the sciCOREmed Terms of Use (ToU). The sciCOREmed ToU are essentially a reminder of the responsibilities and duties of users when working with sensitive data.

 

Data transfers

Data imports

Sensitive data: Imports of sensitive data originating from institutions outside the University of Basel can be performed using sett (the standard BioMedIT Secure Encryption and Transfer Tool, which is dedicated to this purpose, see: https://sphn.ch/document/sett-info-sheet/).

In exceptional cases, where the use of sett is not possible, an sftp channel with 2FA enabled can be set up, with explicit authorization from the PLs.

Non-sensitive data: In principle a sciCOREmed tenant is designed to accommodate sensitive data. However, in cases where the aggregation of sensitive and non-sensitive data in the tenant is desired for research purposes, it is possible to transfer non-sensitive data through an sftp channel with 2FA enabled.
 
Data exports

Data can be exported from a sciCOREmed tenant provided it is allowed by the project contracts (data protection requirements and/or research agreements). Data export is always conducted under the responsibility (and on behalf) of the Project Leader.

As there is no technical solution to evaluate whether data are sensitive or not, the PL (or an approved deputy) must review the contents of exported data.

The technical method to export data is via a 2FA-enabled sftp service.

 

Software, containers and compute resources

On the tenant, users can have access to the following software and compute resources:

Users can also install their own scripts as long as these are approved by the PLs. The scripts can be transferred via sftp with 2FA enabled, or through a GitLab repository.

If the software cannot be provided by the means described above, users can contact us with their specific request and we can take care of the installation.

 

Usage fees

Usage of sciCOREmed is subject to fee-for-service.

The sciCOREmed pricing model is available here: https://scicore.unibas.ch/using-scicore/user-fees/

 

Additional information