Sensitive Data Environments

In some science environments, particularly in biomedical research, scientific data sets contain sensitive information.  A common example is Personal Health Information (PHI), the use of which is subject to HIPAA regulation.  PHI can be present in genomics data sets, data from MRI or other imaging technologies, and other data sets used in biomedical research.  However, data sets used in biomedical research are growing exponentially, just as they are in other fields.

Many science collaborations are using the Science DMZ model to improve the performance of data transfers, significantly improving scientific productivity. However, slower adoption of the Science DMZ model in the biomedical community has been mainly due to the discussions related to risk management around HIPAA - legal, monetary and reputation risk. Medical research centers have current network designs that have been approved by risk managers - those networks may not work well for high performance data transfers, but there is a large perceived risk in changing the configuration of the network, particularly in ways that apply network security technologies other than firewalls.

ESnet is actively working with several partners to find solutions to these problems, and to develop a high-performance reference architecture based on the Science DMZ model that is acceptable to risk managers in the biomedical research community.  The goal in this endeavor is the same as in other cases, namely to increase scientific productivity by effectively using high performance networks to improve the performance of cyberinfrastructure used for science.

Relationship to FISMA

It is often asked if the Science DMZ paradigm meets FISMA requirements.  The Federal Information Security Management Act (FISMA) is United States legislation that defines a comprehensive framework to protect government information, operations and assets against natural or man-made threats.

One of the more well known specifications in this space is NIST 800-53, a publication that recommends security controls for federal information systems and organizations and documents security controls for all federal information systems, except those designed for national security.

Consulting NIST SP-800-171, which is based on NIST 800-53 moderate security controls, the security requirements for protecting CUI (as listed in Chapter 3) are high level and can be met by a variety of security architectures, including the ScienceDMZ.

To fully know if a target use case that requires FISMA considerations can utilize the Science DMZ, it is recommended that implementors walk through the family of controls (access control, identification & authorization, media protection, etc), identifying which ones apply (it is possible that some won't).  After this state how the requirement can be satisfied, which can include describing a deviation from the control where necessary.