Five questions about the privacy and security of a digital environment

Datum: 01/10/2017

A digital environment for researchers. What does that look like? How does such an environment allow researchers to do their work while meeting the requirements of the GDPR privacy regulations and other standards? Harold van Aalderen, Security Officer, answers five questions about RSRCH’s digital research environment: the RSRCH Platform.

What makes RSRCH’s digital research environment unique?

“The RSRCH Platform is unique because it is not a bare-bones cloud infrastructure service, but rather a full-featured research environment with extensive auditing and security measures in place. The environment is immediately ready for use. The platform facilitates the researcher in complying with the privacy regulations and audit requirements that are made of his research data. Because all data processing steps are recorded in an audit log, a researcher can easily meet the requirement that states that their research must be traceable and reproducible. The audit trail shows how the results were achieved and who processed the data in what way.

What guarantees does the RSRCH Platform offer researchers?

“Researchers using the platform must be authorised to do so. An unauthorised user cannot do anything with it. Authorisation is required to safeguard the reproducibility and traceability of the research results. The authentication also complies with the strict requirements of the privacy legislation. A user’s authorisation can easily be verified by the researcher and owner of a workspace. They are free to decide whom to give access to the research data, which makes it easy to share data with other researchers working on the same project. A researcher no longer has to worry about unauthorised access to their data. The data is also backed up regularly, which guarantees its availability and eliminates the risk of years of research being lost due to a fire or a computer malfunction.

To prevent unauthorised access, we have developed advanced authentication methods with multiple identification layers (multi-factor authentication). This ensures that only the right people can access the data.”

Hypothetically, what would happen in the event of unauthorised access, a breach or a data leak?

“No security measure is ever completely airtight. Something can always go wrong. However, the audit trail makes it possible to determine exactly which data was consulted by unauthorised individuals. Due to the strict separation between users, any data leak will be limited to one or a few studies. This significantly reduces the risks of a data leak. Not only can we quickly determine which data might have leaked, but we can also tell whether this data was actually accessed by an unauthorised individual. This makes it possible to draw up a detailed and accurate report for the Data Protection Agency and reveals the exact extent of the data leak.”

What if researchers need to access the internet, e.g. online data sources? What is security’s perspective on that?

“Speaking as a Security Officer, I would prefer to limit all internet access. However, we understand that researchers need access to e.g. collect data from public data sources. That is why we have set up the RSRCH Platform to provide controlled internet access to the virtual machines. We use a whitelist of accessible systems, which means access can be limited to trusted computer systems and the risk of a breach is significantly reduced. Researchers can also use their own favourite tools for their research. The platform facilitates the use of tools that have been tested and approved beforehand.

Furthermore, the platform features an ‘airlock’ system to import or export data in a controlled and authorised manner. The audit trail is kept intact and the researcher meets all requirements for proper research.”

What is your view on the future of using IT for research purposes?

“Even today, it is unthinkable to conduct research without using IT. Furthermore, there is a strong need to collaborate with researchers from other national and international institutes. The challenge therefore mainly lies in unifying the openness of scientific research with the necessity of protecting the IT resource against misuse and safeguarding the integrity of the research data. Various risks make proper information security for research data a necessity. A rival researcher might want to change the data used by their competitor. Perhaps a rival company or the government wants to accelerate their own research programme through the unauthorised use of other researchers’ data. Unfortunately, some researchers prefer to create their own reality and conduct fraudulent research.

Another trend is the increased amount of data used for research. Because larger quantities of data are connected, it becomes more unique and starts to point to individual people. In other words, more and more researchers are using personal data for their research.

These two trends have resulted in a growing need for a secure research environment. With the RSRCH Platform, my colleagues and I want to provide a solution for both developments. The platform allows researchers and their colleagues to focus all their attention on their research, without having to worry about administrative regulations and complex privacy laws.”

Get to know our people

Harold van Aalderen works as a Security Officer at our partner Vancis. He is highly involved in RSRCH’s security and privacy activities. He started his career at Vancis at its former parent company SURFsara, a government organisation that supports research in the Netherlands with IT. Harold has years of experience with IT and information security in the research world, so we are thrilled about his contribution to the development of the RSRCH Platform.

What are your views on the use of IT in your research organisation? We would love to discuss this with you.