Use Cases

University Deployment Scenarios

1. Researchers with a DUA

Many research projects involve work on data that has been provided under a data use agreement (DUA) from an external organization or under an Institutional Review Board (IRB) agreement. The data is then deposited into the tiCrypt environment by a data custodian in the form of one or more files in the Vault. The files can be organized in a hierarchy of directories.

Next, the data custodian will share the data with the researcher, who will use the data for the current research.

The user now has:

  • Authorized access to the data.
  • Ability to create an encrypted drive to hold the data for analysis within a virtual machine.
  • Freedom to define a VM of the appropriate type with the required software for the work and attach the encrypted drive to the VM.

This VM setup is then remembered by the system so that a simple click will start the VM. The user will connect to the VM by the mechanism specified by tiCrypt.

Note: Different VMs have different mechanisms, including RDP, web page, or console.

This action can be done in one session or multiple sessions spanning several weeks of work.

Once the VM is running, the user can use the transfer window to move data between My Vault and the encrypted drives on the running VM. Data can only be moved in and out of an encrypted drive while the drive is mounted on a running VM. As needed, the user can make backup copies of result files by copying them from the encrypted drive to the Vault.

Files in the Vault are replicated to another disk storage device and backed up to tape, fully encrypted, once per day. When the work is complete, the researcher can share the results in the Vault with the data custodian or whoever needs the results and then delete the encrypted drives. Results can also be downloaded to the local computer, though the researcher is required to acknowledge that they assume liability for properly managing restricted data, and all downloads are logged. The data custodian can then revoke the sharing of access to the data.

All the sharing and copying activities are logged with the unique public key as an identifier for audit purposes.

There is no way for the data custodian to verify that the encrypted drives have been deleted or that an extra copy of the data was not taken out of the encrypted drive into the Vault in a different folder. As far as the actions needed from the researcher and the data custodian are concerned, the workflow is very similar to sharing data in special folders created on a file server and working on the data with a virtual desktop session.

2. Multiple Researchers Working on Shared Sensitive Data

Some research projects involve the collaboration of multiple people working on the same data set.

If the data is read-only, then this workflow can be easily accommodated with a high level of confidentiality in the tiCrypt environment.

The shared data can be copied into a special encrypted drive that can be mounted in any VM used by any authorized researcher to carry out their part of the work. The tiCrypt environment logs all accesses to the virtual drive.

Thus, the audit logs will contain the necessary information to investigate any potential security incident. The traditional approach of shared write access to data on file servers is inherently insecure and does not ensure compliance. As such, this method of data sharing is not an option within tiCrypt.

It must be kept in mind that many of these workflows were developed a long time ago, when the cost and capabilities of computer systems and software were very different from what they are today.

3. Staff Maintaining VMs

Research computing staff members will create and maintain the VMs that are available to authorized users of tiCrypt.

The process of creating and maintaining such VMs is carefully controlled to ensure the integrity of the tiCrypt environment.

The VMs are assembled outside of the system and then inserted into tiCrypt, where each one will replace an existing VM or appear as a new VM on the menu. Research Computing has a process whereby certain individuals supporting researchers can be trained and certified to build and maintain VMs for that research group. This way, changes to VMs can be implemented in the required timeframe, and the Research Computing staff does not become a bottleneck for research.