Project discussion: Managing software/package install and licences on secure environments without internet access#
Prompts#
How do we get users actually working on their projects? Code/libraries/software etc
How do we manage licencing?
Notes#
Sheffield has 2 environments in TRE, one secure with access to internet SDSTP accreditation, one very secure with no internet access, ISO27001
Not open-source (RONIN) https://ronin.cloud and AWS TRE
Looking for experiences of how other TREs have made it work
HIC have the same issues - some open source solutions on GitHub (ansible roles)
There is some internet access
Stuff gets automatically scanned for viruses - squid proxy controls what users can/can’t access (? maybe I got that wrong)
Use of a internal licence server for matlab
Researchers put up with the limitations given that it’s the only way they can access the data
HIC have ISO27001 accreditation - this includes on prem TRE and extends to the cloud TRE now.
KCL: OpenStack at the moment, looking at Azure
Virtual box which can access external internet. Also use squid for scanning and filtering
A lot of variation in what researchers request - but trying to hold a lot of stuff locally
Encrypt data
Users aren’t allowed to control their own software (for now) but there are exceptions - for example if users need access to specific websites for data
Did research on global TREs and generated list of softwares based on this & requested lists from users/asked them to confirm they were happy with it
SCCM to allow users to install specific software without admin privileges (though it’s possibly too big for the number of expected users)
Manage Engine - Endpoint Central is free for up to 25 devices - above this only £18/year - cheap tool
Tools like this are probably useful more widely across the group
EPCC - one issue is the scale of setup, for long-term research projects encourage users to set up containers with the relevant software and then import these
Also can let users assemble a VM and import this into the environment
Some software stacks are complex and impose a huge resource cost onto the admin team - the users can accept the risk of importing that stack into the TRE - users generally happy to work in this way