Introducing RONIN Isolate (TRE/SDE): Self-service research computing in a bubble

Organizations face many challenges when moving research operations into the cloud. Ease of use, security, and budget control are at the top of that list. RONIN Core, our flagship cloud-based self-service research environment, addresses just those concerns. But then we were asked to make it easier to help organizations meet stringent regulatory and institutional IT security requirements, without making it harder for researchers to use RONIN.

So we are excited to introduce RONIN Isolate, an extension of RONIN Core, which provides a Trusted Research Environment (TRE) and Secure Data Environment (SDE) with a configurable baseline of policies, controls and guardrails designed to protect research-created resources and critical data from unauthorized access or exposure.

RONIN Isolate allows researchers to do everything they want but nothing that they shouldn’t (from a security/compliance perspective).

CUSTODY

You own the account in which RONIN Isolate is installed. It is not Software as a Service (SaaS). This self-hosted deployment model provides your organization complete visibility and control over every aspect of the underlying AWS infrastructure. This approach means that your production deployment of RONIN Isolate can be audited and certified by your internal IT security team or by a third-party compliance and risk assessment service. This self-hosted approach also means data never need to leave your custody or be copied to a third party, as they would with a SaaS product.

CONSISTENCY

Multiple researchers are served within a single AWS account controlled by RONIN Isolate. This is an intentional and important design decision. Because researchers only have access to resources in this account through the RONIN user interface, every action is guaranteed to conform to a set of specified policies and permissions. For example, it is impossible for a RONIN user to make a bucket publicly accessible or to open a port on a machine. All compute and storage resources are guaranteed to be tagged correctly every time so that we can calculate AWS spend. Because AWS policies and services are both powerful and complex, it is far more difficult to ensure this kind of absolute consistency across a diverse set of projects and data sets when each researcher gets their own account, even with guardrails. It is also harder to help researchers fix non-compliant configurations than to avoid that possibility in the first place.

ISOLATION

You might wonder why we keep using the word “Isolate”. A key design element of RONIN Isolate is network isolation. Network engineering best practices dictate separating each individual project (or research lab) in its own subnet to minimize the blast radius. This means that if something goes wrong, every machine in the affected project can be stopped with a single button without affecting any other researchers. RONIN Isolate also puts each autoscaling cluster in its own subnet. This sets a new industry standard for workload isolation of high performance computing on sensitive datasets. Instead of copying sensitive datasets to a single shared cluster with hundreds or even thousands of users, you can access sensitive data from a cluster, created on demand, that is restricted to a single user. This isolation of resources is labor intensive to do manually, but RONIN Isolate automates it, reducing networking best practice to a button click.

The entire RONIN Isolate environment is isolated from the internet, accessible only through a secure enclave of machines. This design allows the machines in the secure enclave to be part of your corporate domain and be managed as part of your enterprise - removing the risk of security breaches through compromised endpoints that are not under your control. Research assets created within RONIN Isolate have no inbound network connectivity back to your corporate network except through the secure enclave. You can make sure data do not enter or exit the RONIN Isolate environment without going through a firewall and without your knowledge. You can even disable the ability to transfer data through cut and paste.

We connect RONIN Isolate to your network to allow researchers to launch thousands of machines without using up your entire IP range to do so. RONIN Isolate is designed to map only the IP addresses in the secure enclave to your subnet, limiting the number of institutional IP addresses that it uses.

COMPLIANCE

RONIN Isolate is designed to put you in the best position to ensure compliance for sensitive data, supporting regulatory requirements such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Federal Information Security Management Act (FISMA), even in an account without guardrails. As a controlled environment, RONIN Isolate ensures that all data is encrypted at rest and in transit. RONIN Isolate supports granular protection of data by user and machine to limit data access according to the principle of least privilege and separation of duties.

Every action that a user takes in the RONIN Isolate user interface is logged (together with session and user information, underlying Amazon S3 bucket reads or writes, and all other AWS infrastructure calls) to provide a comprehensive audit trail. Nothing can happen that you cannot monitor.

Institutions and projects often require fine-grained control over data back-up and disaster recovery mechanisms to trade off cost versus risk. RONIN Isolate automates complex security capabilities such as access key regeneration and backup of data, machines and clusters to highly durable storage. Together with native services such as AWS CloudTrail and Amazon CloudWatch, these features support implementation of policies that minimize risk of accidental loss and a variety of automated or non-automated backup procedures.

COLLABORATION

Most researchers do not actually work alone. RONIN Isolate can provide a secure research backbone for large scale distributed projects that use sensitive data. For example, several RONIN installations can be coupled to provide a single point of oversight, but with specific security profiles and financial control for each. Or at a smaller scale, data can reside securely behind a RONIN Isolate user interface, accessible through several projects that each have their own budget.

Email us at contact@ronin.cloud to learn more about how RONIN Isolate can address your needs for secure research while unleashing your researchers. Or just activate your anti-booby suits and keep an eye on us.

Video Credits: Rick and Morty Season 4 Ep 3