
Enclave Hosting Options


There are three main ways to create a secure enclave:

  1. Cloud-hosted or hosted enclave
  2. Hybrid
  3. Unit Local Enclave

These enclave options are listed from the least to the greatest burden of unit responsibility. For the easiest unit experience, we recommend choosing a Cloud Hosted or Hosted Enclave. Each of the tabs below lists the UNIT responsibilities that must be completed in each phase of the ATO (Authority to Operate) process.

Cloud Hosted Enclave or Hosted Enclave

All data instances to Cloud Hosted Enclave or Hosted Enclave (endpoints & servers)

Unit Responsibilities:

Phase 1: 

  • Create an ATO ticket
  • Implement best practice items from Standards – User access, authentication, and authorization (started)
  • Generate all required system documentation (started)

Phase 2:

  • Encrypt data in transit (started)

Phase 3:

  • Complete security awareness training
  • Use Enterprise Active Directory (started)
  • Restrict data transfer (started)
  • Fully integrate CyberArk, including administrative account password management, one-time passwords, and password rotations (started)


Hybrid

Data instances to Cloud Hosted Enclave or Hosted Enclave (e.g. servers)

Unit Responsibilities:

Phase 1: 

  • Create an ATO ticket
  • Implement best practice items from Standards – User access, authentication, and authorization (started)
  • Generate all required system documentation (started)

Phase 2:

  • Encrypt data in transit (started)

Phase 3:

  • Complete security awareness training
  • Use Enterprise Active Directory (started)
  • Restrict data transfer (started)
  • Fully integrate CyberArk, including administrative account password management, one-time passwords, and password rotations (started)


Systems with data instances migrated to VM hosting (i.e. servers)

Unit Responsibilities:

Phase 1:

  • Create an ATO ticket
  • Establish next-generation endpoint protection (Cylance)
  • Begin security log collection, analysis and retention (Splunk)
  • Implement best practice items from Standards – User access, authentication, and authorization
  • Implement best practice items from Standards – Enable host-based firewalls
  • Generate all required system documentation

Phase 2:

  • Encrypt data in transit (started)

Phase 3:

  • Complete security awareness training
  • Use Enterprise Active Directory
  • Restrict data transfer
  • Fully integrate CyberArk, including administrative account password management, one-time passwords, and password rotations


Systems with data instances secured in Unit Local Enclave (i.e., endpoints)

Unit Responsibilities:

Phase 1: 

  • Create an ATO ticket
  • Establish next-generation endpoint protection (Cylance)
  • Begin security log collection, analysis and retention (Splunk)
  • Ensure vulnerability detection (Nessus)
  • Implement best practice items from Standards – User access, authentication, and authorization
  • Implement best practice items from Standards – Enable host-based firewalls
  • Generate all required system documentation

Phase 2:

  • Encrypt data in transit
  • Secure endpoint access
  • Integrate with Penn State’s Enterprise Firewall (started)

Phase 3:

  • Complete security awareness training
  • Implement physical security
  • Use Enterprise Active Directory
  • Restrict data transfer
  • Fully integrate CyberArk, including administrative account password management, one-time passwords, and password rotations


Unit Local Enclave

Systems with data instances secured in Unit Local Enclave (endpoints & servers)

Unit Responsibilities:

Phase 1: 

  • Create an ATO ticket
  • Establish next-generation endpoint protection (Cylance)
  • Begin security log collection, analysis and retention (Splunk)
  • Ensure vulnerability detection (Nessus)
  • Implement best practice items from Standards – User access, authentication, and authorization
  • Implement best practice items from Standards – Enable host-based firewalls
  • Generate all required system documentation

Phase 2:

  • Encrypt data in transit
  • Secure endpoint access
  • Integrate with Penn State’s Enterprise Firewall (started)

Phase 3:

  • Complete security awareness training
  • Implement physical security
  • Use Enterprise Active Directory
  • Ensure full network segmentation (started)
  • Restrict data transfer
  • Fully integrate CyberArk, including administrative account password management, one-time passwords, and password rotations
