ARC Sockeye Security and Privacy

UBC ARC Sockeye access controls are implemented following the Principle of Least Privilege. For end users, the Secure Shell (SSH) protocol used to access the platform is integrated with UBC’s Campus Wide Login (CWL) system as described in the ARC System Access Control standard (ARCS-22) standard. Privileged accounts used to administrate the platform are further limited to the UBC ARC team from a dedicated internal network.

Password and passphrase must follow the requirements of UBC Information Security Standard U2 ( ISS-U2), and all access to UBC ARC Sockeye requires Multi-Factor Authentication.

UBC ARC Sockeye is not accessible directly from the Internet. Only users connected to the UBC network directly or remotely using a UBC secure connection can access the platform. UBC ARC Sockeye nodes are implicitly denied outbound access. Only specific nodes are provided limited outbound connections as required for the operation of the platform. All connections require the use of secure network protocols including signed certificates with a minimum cryptographic hash cypher of SHA256.

UBC ARC Sockeye is located in British Columbia, Canada. The majority of the platform physically resides within the UBC University Data Centre at the Point Grey campus, a modern secure data center with security features such as pass-card restricted and logged entry, generator-backed UPS protected power, and video surveillance.

To ensure optimal protection, operation and performance, UBC ARC Sockeye underlying infrastructure including operating systems and firmware have supported versions installed.

All Sockeye nodes are equipped with Endpoint Detection and Response to prevent unauthorized access and movement of potential malicious elements.

UBC ARC Sockeye is regularly scanned using a variety of recognized scanning tools. Reports are reviewed and inform the maintenance and patching priorities to ensure compliance with ARC System Maintenance standard (ARCS-21), and UBC Information Security Standard M5 (ISS-M5).

ARC has dedicated cybersecurity, system and platform administrators to keep track of the latest vulnerabilities potentially affecting the platform, and ensuring they are addressed in a timely fashion.

UBC ARC Sockeye maintenance and patching is defined in the ARC System Maintenance standard (ARCS-21), and is divided into two categories:

UBC ARC Sockeye logs are compiled in a central logging system. Logs are generally intended to be used for maintenance and troubleshooting, as well as detecting and investigating information security events. Access for other purposes must be approved using one of the following methods:

• Internally, within UBC, in accordance with UBC Information Security Standards;
• Externally to law enforcement via Campus Security;
• Externally to other entities via authorization from the Office of the University Counsel.

Information transferred to and from UBC ARC Sockeye requires the usage of a secure transfer protocol such as Secure Copy Protocol (SCP) or Secure File Transfer Protocol (SFTP). Visit our Technical User Documentation for more information.

While some mechanisms and processes are in place to allow for short term information recovery, UBC ARC Sockeye does not provide backup for user information. It is the responsibility of the user to ensure information stored on the system is backed up to another location. Visit our UBC Research Storage Finder page for more information.

UBC ARC Sockeye, including some user data; is replicated to the UBC Okanagan campus datacenter.

All information stored on the platform is managed in accordance with the ARC Data Retention and Destruction standard ( ARCS-05).

Sockeye operates under a shared responsibility model. UBC ARC is responsible for the underlying infrastructure including the hardware, network, and system (operating system) management. The Allocation Owner is responsible for the data processed and stored on the platform, as well as its use, and disclosure. Additionally, the Allocation Owner is responsible for managing any software installed within an allocation.

UBC ARC does not collect any personal information as part of the operation of the UBC ARC Sockeye platform. UBC ARC only collects the necessary business information required for the provision of the allocation.

UBC ARC does not use or disclose any of the information within a UBC ARC Sockeye allocation except where required by law or as directed by the Allocation Owner. The Allocation Owner is responsible for the data processed and stored on the platform, as well as its use, and disclosure.

Privacy & Information Security – Fundamentals training is a mandatory requirement for faculty, staff, researchers, student employees and contractors who use UBC Electronic Information and Systems. Visit privacymatters.ubc.ca for more information.

In addition to UBC Privacy and Information Security training, ARC staff must complete the mandatory ARC Information Security Awareness curriculum which is specifically oriented to professionals providing support to UBC researchers and managing ARC systems and platforms.

Tutorials, and live training events are regularly available to new and existing UBC ARC Sockeye users. See our Training and Resources section for more information.