RIS Infrastructure Services Resources

Investigators and assigned project staff can securely store, access, and process project data on the Children's Hospital of Philadelphia Research Compute and Storage Systems. Below is an information security overview for each system. Unless otherwise noted or requested by providers, data will be stored, accessed, and processed in these systems over the course of the project.

CHOP Research Information Systems, in conjunction with CHOP Information Services (IS) Department, has established a formal information security framework designed to balance the goals of the research community with the need to ensure the confidentiality, integrity and availability of research, patient, and institutional information. CHOP manages its information security program in accordance with applicable federal and local laws, directives, policies and regulations, and industry best practices.

CHOP Research Resources

The CHOP Research network consists of multiple 10 Gb/s private Wide Area Networks (WANs) that interconnect various CHOP facilities with two geographically diverse data centers: one in Norristown, PA and the other in Breinigsville, PA. Secure remote access to networked resources is permitted via a VMware View secure gateway, a Citrix Access Gateway, or the Cisco AnyConnect Secure Mobility client, which is pre-loaded onto all assigned CHOP laptops. The VMware and Citrix gateways provide access to applications and data via thin client technology, so that all data remains within the CHOP network. All remote sessions use two-factor authentication and are fully encrypted to provide end-to-end authentication and session security. In addition, a WPA2-encrypted wireless network is available for visitor access to the Internet. This wireless network is completely isolated from the CHOP private network.

CHOP Research leases data center space in two professionally operated and managed commercial computing facilities. The primary data center is located in Norristown, PA. The second data center, in Breinigsville, provides network and system redundancy to protect against unexpected outages and to facilitate rapid disaster response and recovery. Each facility includes the following features:

  • Redundant power, cooling, fire suppression, fiber and telecommunications
  • A dedicated path redundant backbone network between facilities
  • Physical access controls that include mantrap entrances, biometrics, and auditable entry and exit tracking
  • Closed circuit visual monitoring
  • Environmental monitoring
  • Remote system administrator alerts and notifications
  • On-site technical support for basic troubleshooting
  • Regularly scheduled physical security checks of all computer rooms and equipment

CHOP Research IS maintains a 100+ node HPC cluster available to all research users. Combined, the cluster has over 47TB of RAM, 4000 CPU cores, and 40 NVIDIA Tesla A100 GPUs. For storage, the cluster has direct access to over 20PB of all-flash Network Attached Storage over dedicated 80Gb/s inter-switch connections. HPC scratch space is 900TB. The most common life sciences software is preinstalled for easy access.

The system is managed with Bright Cluster Manager, uses SLURM as its scheduler, and has a 100Gb/s cluster interconnect network.

Learn how to request high performance computing access.

File storage is housed on EMC Isilon scale-out NAS storage arrays and has the following characteristics:

  • A combination of Microsoft Active Directory (AD) user, group, share, NTFS, and NFS permissions is used to manage authorized access to specific datasets. Additionally, data access is logged and aggregated to a centralized ArcSight log management server for long-term storage and audit capability.
  • The Isilon system, which is built as an array of redundant nodes and drives, can accommodate file systems in excess of 20PB and can survive multiple hard drive or node failures without data loss.
  • When required, data can be replicated between data centers, providing high data availability in the event of a complete system or data center failure.
  • Data access is managed through a centralized ticketing system. Access must be approved via this ticketing system by the data owner or an authorized delegate.

CHOP Research has invested significantly in a VMware virtual environment comprising 50 servers with a total of 10 TB of RAM, 1640 GHz of processing power and 100 terabytes of disk space. This system acts as a load-balanced, redundant host for independent guest operating systems. As built, the system is capable of supplying over 1000 separate servers to support different lab and administrative requirements.

Request a new virtual machine, data center hosting services or database services.

CHOP Research also provides data analysis capabilities via dedicated servers for statistical software packages like SAS, Stata, and R.

All file shares are secured using Microsoft Active Directory Groups and Users. All access is controlled by the data owner or their delegate. The owner or delegate can request access for new users through CIRRUS or the user can request access directly. In either case, the owner or delegate must electronically approve the access before it is granted. All requests are logged for audit purposes.

Learn how to request a new file share, high-speed file transfer services, a file share member access list, or removal of a file share user.

Enterprise backup services include traditional agent-based backup as well as data snapshots. Snapshots of user and group file storage are taken twice daily and retained on the system for seven days, which allows for quick recovery of lost or corrupted data. Incremental backups of the file systems are run daily and retained on disk onsite for two weeks. Full system and data backups are performed bi-weekly and stored for 2 months. Longer-term storage is maintained in dedicated cross-site backup systems, with larger datasets stored in S3-compatible storage in a third data center.

Learn more about server backup services, and CrashPlan Cloud PC Backup Service.

All general file shares are replicated to a secondary site every 10 minutes. In the event of a complete failure at the primary site, these shares would be available from the secondary site in as little as 4 hours.

All Research IT Systems Administrators and Engineers are qualified IT professionals.

Security

Check Point firewalls are used for network segregation. In addition, intrusion detection and prevention technologies are deployed throughout the network to identify and protect against malicious code, denial of service attacks, and viruses. A variety of tools and techniques are used to conduct regular internal and external vulnerability scans so that security vulnerabilities can be quickly identified and addressed, in accordance with CHOP policies and regulatory requirements.

Workstation services are designed and managed with security in mind. All authorized CHOP users can choose from a list of CHOP standard laptops, desktops or workstations, which are pre-imaged with a secure, currently supported release of Microsoft Windows or Apple Macintosh OS X. In addition, a secure VMware View Virtual Desktop Infrastructure (VDI) is available, which supports 32- or 64-bit Microsoft Windows workstations. Other security features include:

  • Centralized access management via the AD infrastructure.
  • Automated patch management, antispam and antivirus protection.
  • Centralized deployment and management of approved applications and services.
  • Role-based Administrator access is limited to authorized personnel based on the principles of Least Privilege, in accordance with CHOP’s Access Control Policy.
  • Restrictive system configurations prevent users from loading unauthorized software applications or altering system configurations in a way that could circumvent security.
  • Whole disk encryption is included on all laptop hard drives. Currently, FileVault is used for Apple products and Microsoft BitLocker for PC laptop whole disk encryption.

All network accounts are created and maintained by a centralized access administration group within the CHOP IS department. Microsoft AD is used for identity and access management for CHOP information assets. AD allows CHOP Research to take advantage of single sign-on capabilities for centralized access management to most business, medical, and research applications and resources. Each user is assigned a unique user ID and password. Sharing of access credentials is prohibited. User IDs and passwords are required for access to all information systems. Microsoft Authenticator is utilized for multi-factor authentication, which is required for remote access to specialized resources, such as the CHOP VPN, VMware, VDI, and Citrix. Password controls are enforced to establish common criteria for managing passwords across multiple systems. Automated mechanisms are in place to enforce these controls, which include password length and complexity requirements, minimum/maximum age, re-use limitations, and failed attempt/lockout settings. Idle timeout features are configured to activate after 20 minutes of inactivity.

All CHOP staff must be fingerprinted and undergo a thorough background check prior to the start of employment. Additional screening may be required for specific job functions.

Photo ID badges are issued during new employee orientation or as required to identify contractors, students, researchers, partners and business associates. These badges, which are linked to an electronic access control system, are configured to only permit entry to specific areas, as designated by job functions. Data center visitors are required to check in at the guard station to register and receive a Visitor badge. All data center visitors must be escorted by authorized personnel for the duration of their stay. User access to CHOP information resources requires review and approval from appropriate management to ensure that only authorized users are granted access to system resources. Users must sign a Statement of Responsibility before their account will be created.

Funding

At present, most commonly used CHOP resources are institutionally funded and provided to researchers without charge.