Ivy Secure Environment

Ivy is a secure computing environment for researchers consisting of virtual machines (Linux and Windows) and Jupyter Notebooks. Researchers can use Ivy to process and store sensitive data with the confidence that the environment is secure and meets HIPAA requirements.

Overview

Ivy consists of two separate computing environments. Access to one environment does not automatically grant access to the other:


Requesting Access

University of Virginia tenure stream and academic general faculty, research faculty, research scientists, and postdoctoral associates may request an account on Ivy. UVA graduate and undergraduate students are not permitted to request accounts—this must be done by their faculty advisor(s).

Access to Ivy resources is project-based, limited to PIs and their designees, and requires approval. Once a project is approved a PI and her/his researchers must sign a RUDA (one for every researcher on each project).


Pricing

Ivy resources will be provided without a fee for approved projects. Please note that the pricing model is still under evaluation. A valid PTAO is required as part of the account request process, although no charges will be made without advance notice to the PI.

Type     Specs                   Cost
Mini     2 cores / 2GB mem       $4/month
Small    4 cores / 16GB mem      $12/month
Medium   8 cores / 32GB mem      $48/month
Large    16 cores / 64GB mem     $96/month
Xlarge   16 cores / 124GB mem    $176/month

Connecting and Signing In

1 Authentication

You will sign in to all Ivy resources using your UVA computing ID and Eservices password. Because of Ivy's high security requirements, your Eservices password must be changed every 60 days.

Need help resetting your Eservices password?

If you are working from a secure Health Systems workstation you are ready to connect. If you are working from elsewhere on or off Grounds you will need Duo MFA and a High Security VPN connection.

2 Duo MFA

To connect to the Ivy environment with VPN you will need to install the Duo Mobile multi-factor authentication (MFA) app on your smartphone.

In the context of Ivy, Duo gives you two ways to provide a second factor of authentication beyond your password: a 6-digit passcode generated by the app, or a push notification sent directly to your phone.

3 High Security VPN

With your UVA computing ID, Eservices password, and Duo Mobile in hand, you must run the Cisco AnyConnect software to start a UVA High Security VPN connection every time you use any Ivy resource. AnyConnect will authenticate to the UVA network using a digital certificate installed on your workstation.

Once you have completed these three steps, you will be connected to the secure Ivy network. From there you can connect to a Virtual Machine, or use a web browser to access JupyterHub.


Virtual Machines

A virtual machine (VM) is a computing instance dedicated to your project. Multiple users can sign into a single VM.

Virtual machines come in two platforms, CentOS7 Linux and Windows Server 2012R2. Each platform is available in three instance types. Refer to the grid below for specifics.

Type     Specs                   Cost
Mini     2 cores / 2GB mem       $4/month
Small    4 cores / 16GB mem      $12/month
Medium   8 cores / 32GB mem      $48/month
Large    16 cores / 64GB mem     $96/month
Xlarge   16 cores / 124GB mem    $176/month

Once created, your instance will be assigned a private IP address that you will use to connect to it (in the format 10.xx.xx.xx). VMs exist in a private, secure network and cannot reach outside resources on the Internet. Most inbound and outbound data transfer is managed through the Data Transfer Node (see below).

Connecting to your VM

To connect to your VM, you must install either an SSH client to connect to your VM using the command-line interface (CentOS VMs only), or remote desktop software to connect to the desktop GUI of your VM. These options are outlined below.

MacOSX Users:

  • Terminal (for SSH, built-in. Can be found in Applications -> Utilities -> Terminal)
  • Microsoft Remote Desktop (for remote desktop to Windows or CentOS VMs, download here)

Windows Users:

  • PuTTY (for SSH, download here)
  • Microsoft Remote Desktop (built-in, for remote desktop to Windows or CentOS VMs)

To connect to Ivy follow the platform-specific steps below:

CentOS 7 Linux

  • Open your High Security VPN connection.
  • Reference the IP address of your Ivy VM.
  • For SSH access:
      ssh uva-id@ip-address
  • For Remote Desktop access: start the RDP client, point it at the IP address of your VM, and sign in.

Windows

  • Open your High Security VPN connection.
  • Reference the IP address of your Ivy VM.
  • For Remote Desktop access: start an RDP client, point it at the IP address of your VM, and sign in with your Eservices password and, as the user name, your computing ID prefixed by ESERVICES (e.g. ESERVICES\mst3k).
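The SSH step above, wrapped in a small POSIX sh helper. This is an added example, not part of the Ivy documentation: it assumes the High Security VPN is already connected and that the VM address is the private 10.xx.xx.xx address assigned at creation, and it refuses to connect to anything outside that range (a stray public address or a mistyped octet is caught before ssh is ever invoked). The computing ID and address in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not part of the Ivy documentation. Assumes the High Security
# VPN is already connected and that the VM address is the private
# 10.xx.xx.xx address assigned when the instance was created.

# ivy_addr_ok ADDR: succeed only if ADDR is a dotted quad inside 10.0.0.0/8,
# the only range the Ivy documentation says VMs are assigned. A typo such as
# a public address or a missing octet is caught before any connection attempt.
ivy_addr_ok() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, non-numeric or malformed octets
  esac
  old_ifs=$IFS; IFS=.
  set -- $1                                 # split the address into octets
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1                  # exactly four octets
  [ "$1" -eq 10 ] || return 1               # must be in 10/8
  for octet in "$2" "$3" "$4"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# ivy_ssh UVA_ID ADDR: the "ssh uva-id@ip-address" step with the address check
# in front of it. accept-new (OpenSSH 7.6+) records a VM's host key on first
# use and refuses to connect if that key later changes.
ivy_ssh() {
  if ! ivy_addr_ok "$2"; then
    echo "ivy_ssh: '$2' is not a private 10.xx.xx.xx Ivy address" >&2
    return 1
  fi
  ssh -o StrictHostKeyChecking=accept-new "$1@$2"
}

# Usage (computing ID and address are placeholders): ivy_ssh mst3k 10.12.34.56
```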

Software

Every virtual machine (Linux or Windows) comes with a base installation of software by default. These help researchers by providing the basic tools for data processing and manipulation. Additional software packages are pre-approved and available for installation upon request. See the lists below for options.

If you require additional software not listed, you must submit a request. Requests are reviewed by the UVA ISPRO office for security and regulatory compliance and, if approved, will be installed for you.

Python/R Packages - Anaconda Python and R packages are available to users through the normal installation methods: pip and conda for Python, and CRAN/library for R.

ADDITIONAL Linux Groups

ADDITIONAL Windows Groups

Storage

Ivy VMs share a pool of over 2 petabytes of Network Attached Storage. A PI specifies the storage space s/he would like to have when requesting access to Ivy. Virtual machines do not come with any significant disk storage of their own.


JupyterLab Notebooks

As of August 31, 2019 Domino Data Lab will no longer be available within Ivy. Existing projects should be migrated to a virtual machine. Interactive data sessions will be available using Jupyter Notebooks (coming soon!)

JupyterLab is a web-based interactive development environment for Jupyter notebooks, code, and data. JupyterLab is flexible: configure and arrange the user interface to support a wide range of workflows in data science, scientific computing, and machine learning. JupyterLab is extensible and modular: write plugins that add new components and integrate with existing ones.


Data Transfer In/Out of Ivy

Moving sensitive data into the Ivy VMware platform is possible through a secure Globus DTN (data transfer node). The Ivy DTN is connected to a pool of secure storage called “Ivy Central Storage” (ICS), which in turn is connected to Ivy VMs. Only active research projects using Ivy virtual machines can use this service.

Ivy Secure DTN Flow

HIPAA Compliance

The Ivy platform is HIPAA compliant by design. From the UVA Institutional Review Board for Health Sciences Research (IRB-HSR):

HIPAA affects only that research which uses, creates, or discloses PHI. Researchers have legitimate needs to use, access, and disclose PHI to carry out a wide range of health research studies.

The Privacy Rule protects PHI while providing ways for researchers to access and use PHI when necessary to conduct research.

In general, there are two types of human research that would involve PHI:

  • Studies involving review of existing medical records as a source of research information. Retrospective studies, such as chart reviews, often do this. Sometimes prospective studies do it also, for example, when they contact a participant's physician to obtain or verify some aspect of the participant's health history.
  • Studies that create new medical information because a health care service is being performed as part of the research, such as testing of a new way of diagnosing a health condition or a new drug or device for treating a health condition. Virtually all sponsored clinical trials that submit data to the U.S. Food and Drug Administration (FDA) will involve PHI.

Researchers must understand that, in general, the more difficult parts of HIPAA compliance are less technical (networks, computers, and data) than they are human and how users interact with these systems and data. The mishandling of data – such as storing them on insecure devices or in insecure places – jeopardizes confidential patient data and UVA’s ability to remain a trusted keeper of those data.

All data imported into Ivy must be treated as highly sensitive data. Data and results exported from Ivy must be protected and managed appropriately according to UVA’s data classification guidelines. Guidance regarding these guidelines and data types is available from UVA Information Security, Policy, and Records Office (ISPRO) by emailing it-security@virginia.edu.