Sharing dbGaP Data in a Cloud Environment

Type of Provider: Commercial

Details:

DNAnexus provides a cloud-based data analysis and management platform for storage and analysis of DNA sequence data using cloud computing from Amazon Web Services. By using DNAnexus (as part of a “Statistical Analysis Commons” Pilot) we are able to deploy sophisticated analysis efforts on large scale phenotypic and genomic datasets quickly and cost-effectively in the cloud. DNAnexus uses data centers in high-security facilities with SAS-70/SSAE-16, PCI Level 1, and FISMA Moderate certifications, and is in the process of completing FedRAMP certification. At the user level, it enforces best practices such as password strength and rotation, session expiration, and client encryption. All data access is carefully controlled, logged for auditing purposes, encrypted end-to-end (both in flight and at rest), integrity-verified, and replicated in at least three physically distinct data centers to ensure against loss. Data analysis is constrained to computing nodes that are sandboxed using virtualization and encryption technologies, and are versioned to ensure reproducibility and the ability to track data provenance. The software has undergone multiple third-party audits, including penetration testing by security experts, and the overall system has been ISO 27001 certified, an internationally recognized standard for secure data management processes. DNAnexus has summarized how their platform supports compliance with various US and International regulations and standards in a white paper, including best practices for dbGaP: https://www.dnanexus.com/papers/Compliance_White_Paper.pdf Amazon Web Services (AWS) is a secure cloud services platform offering compute power, database storage, content delivery and other functionality that will allow us to deploy sophisticated analysis efforts on large scale phenotypic and genomic datasets quickly and cost-effectively. It is a secure, durable technology platform with industry-recognized certifications and audits: PCI DSS Level 1, ISO 27001, FISMA Moderate, FedRAMP, HIPAA, and SOC 1 (formerly referred to as SAS 70 and/or SSAE 16) and SOC 2 audit reports. Their services and data centers have multiple layers of operational and physical security to ensure the integrity and safety of data. AWS has summarized how their platform supports compliance with controlled-access datasets in a white paper, including best practices for dbGaP: https://d0.awsstatic.com/whitepapers/architecting-for-genomic-data-secu…

Type of Provider: Private

Details:

FireCloud (powered by Broad Genomics’ Workbench) is operated by the Broad Institute at the FISMA (Federal Information Systems Management Act) “moderate” level and received Authority to Operate from NCI and NIH in May of 2016. FISMA is a practice of documentation, audit, and organizational risk acceptance.  It is centered on the controls outlined in NIST (National Institute of Standards and Technology) Special Publications 800-30 and 800-53.   Covered topics include: Network penetration testing and assessment by an Federally authorized outside firm; Maintaining system logs separate from the primary system for forensic analysis; Regular review of logs and changes by an in-house auditor; Security training and background screening for staff with elevated access to the system; Documented procedures to respond to security incidents. The FireCloud portal and its underlying platform, Broad Genomics’ Workbench, are hosted on Google’s Cloud Services. See below for details. Since Firecloud requires that users utilize Google logins, the application operates on top of Google’s world-class security that protects from nation-state level attacks. FireCloud supports the use of Google’s 2 Factor authentication as well. As a FISMA Moderate system, all logs are audited continually and various levels of security layering are required. These include Web Application Firewalls, weekly scanning, code scanning (dynamic and static), dependency scanning and manual penetration testing. Data analysis is constrained to computing nodes that are sandboxed using Docker within Google’s Pipelines API. Google Cloud Platform is a cloud computing service by Google that offers hosting on the same supporting infrastructure that Google uses internally for end-user products like Google Search. Google undergoes several independent third party audits on a regular basis to provide verification of security, privacy and compliance controls including annual audits for SSAE 16/ISAE 3402 Type II. Google's infrastructure provides reliable information security that can meet or exceed the requirements of HIPAA and protected health information. The Google Cloud Platform has summarized its services with respect to genomics data processing in a white paper here: https://cloud.google.com/files/genomics-data-wp.pdf

Type of Provider: Private

Details:

Flux is a high-performance computing (HPC) Linux-based cluster intended to support parallel and other applications and available to all researchers at the University of Michigan. Each Flux compute node comprises multiple CPU cores with at least 4 GB of RAM per core; Flux has more than 19,000 cores. All compute nodes are interconnected with InfiniBand networking. More information about FLUX can be found here: http://arc-ts.umich.edu/systems-and-services/flux/

Type of Provider: Private

Details:

OASIS will be implemented as separate “website instances” for each TOPMed Working Group.  For example, there will be an OASIS website for the TOPMed Diabetes Working Group and a different website, with a different URL and different user accounts, for the TOPMed Lipids Working Group.  Each “OASIS website instance” will allow access ONLY to information associated with the specific Working Group.  Thus, if TOPMed investigators are approved to access data for multiple Working Groups, they will need user accounts on multiple OASIS website instances to use the OASIS features. During the pilot phase, instances of the OASIS Server will reside on the University of Maryland OASIS Webserver.  If the pilot is successful and if additional funding is obtained, instances of the OASIS Server will be migrated/created using Amazon Web Services Website Hosting.  These website hosting environments will be “Platforms as a Service” (PaaS) for the various types of analysis and visualizations described above. These services will allow the research community to quickly and flexibly make use of nearly unlimited, on-demand, high performance computing capacity. In contrast to traditional clouds, an OASIS website does not allow download of individual-level data.  Users may download only summary statistics and analysis results calculated at the levels of variants or groups of variants. Users may upload individual-level phenotype data for use with the analysis and visualization tools.  They may also upload analysis results from other tools for web-based visualization.  But, these uploaded data cannot be downloaded.  There can be no egress of genotypes or phenotypes to an OASIS user. The University of Maryland OASIS Webserver is a high-performance Linux-based webserver intended to support parallel database searching and re-analysis of omics data.  It is a secure environment running the Apache HTTP Server software with strong encryption via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.  The server has its own SSL Certificate (SHA-2) and access to all OASIS website instances employ the HTTPS (HTTP Secure) communications protocol. Passwords are encrypted and the requirements for password strength and rotation are enforced.  The OASIS website instances and associated user accounts will be managed by the project Gatekeepers as described above.  The webserver’s software and physical environments are managed by the University of Maryland IT staff. Amazon Web Services (AWS) is a secure cloud services platform offering website hosting, compute power, database storage and retrieval and other functionality needed to deploy multiple instances of the OASIS web-based application.  It is a secure, durable technology platform with industry-recognized certifications and audits: PCI DSS Level 1, ISO 27001, FISMA Moderate, FedRAMP, HIPAA, and SOC 1 (formerly referred to as SAS 70 and/or SSAE 16) and SOC 2 audit reports. Their services and data centers have multiple layers of operational and physical security to ensure the integrity and safety of data. AWS has summarized how their platform supports compliance with controlled-access datasets including best practices for dbGaP: https://d0.awsstatic.com/whitepapers/architecting-for-genomic-data-secu…

Type of Provider: Private

Details:

The NHLBI-supported BioData Catalyst (Storage, Toolspace, Access and analytics for biG data Empowerment) (biodatacatalyst.nhlbi.nih.gov) is a cloud-based infrastructure where heart, lung, blood, and sleep (HLBS) researchers can go to find, search, access, share, cross-link, and compute on large scale datasets. It will provide tools, applications, and workflows to enable those capabilities in secure workspaces. BioData Catalyst will employ Amazon Web Services and Google Cloud Platform for data storage and compute. BioData Catalyst comprises the Data Commons Framework Services (DCFS) hosted and operated by the University of Chicago. DCFS will provide the gold master data reference as well as authorization/authentication and indexing services. The DCFS will also enable security interoperability with the secure workspaces. Workspaces will be provided by Terra, hosted and operated by the Broad Institute; Fair4Cures, hosted and operated by Seven Bridges Genomics; and i2b2/tranSMART, hosted by University of Chicago and operated by Harvard Medical School. For the NHLBI BioData Catalyst, the NHLBI Designated Authorizing Official has recognized the Authority to Operate (ATO) issued to the Broad Institute, University of Chicago and Seven Bridges Genomics as presenting acceptable risk, and therefore the NCI ATO serves as an Interim Authority to Test (IATT) when used by designated TOPMed investigators and collaborators. Amazon Web Services (AWS) is a secure cloud services platform offering compute power, database storage, content delivery and other functionality that will allow us to deploy sophisticated analysis efforts on large scale phenotypic and genomic datasets quickly and cost-effectively. It is a secure, durable technology platform with industry-recognized certifications and audits: PCI DSS Level 1, ISO 27001, FISMA Moderate, FedRAMP, HIPAA, and SOC 1 (formerly referred to as SAS 70 and/or SSAE 16) and SOC 2 audit reports. Their services and data centers have multiple layers of operational and physical security to ensure the integrity and safety of data. AWS has summarized how their platform supports compliance with controlled-access datasets in a white paper, including best practices for dbGaP: https://d0.awsstatic.com/whitepapers/architecting-for-genomic-data-secu… Google Cloud Platform is a cloud computing service by Google that offers hosting on the same supporting infrastructure that Google uses internally for end-user products like Google Search. Google undergoes several independent third party audits on a regular basis to provide verification of security, privacy and compliance controls including annual audits for SSAE 16/ISAE 3402 Type II. Google's infrastructure provides reliable information security that can meet or exceed the requirements of HIPAA and protected health information. The Google Cloud Platform has summarized its services with respect to genomics data processing in a white paper here: https://cloud.google.com/files/genomics-data-wp.pdf