At ARC we strive to deliver innovative and secure technologies to UBC researchers. This is why we have ensured that the UBC ARC Sockeye high-performance computing (HPC) platform was configured and is being maintained with security and privacy in mind. This page will briefly present some of the key security and privacy features of UBC ARC Sockeye.
Before you read this page
Before you read this page, it is important to know that:
- Any Eligible UBC Researcher intending to use UBC ARC Sockeye for a research project is responsible for ensuring that all use remains in compliance with all applicable policies, regulations, laws, ethics requirements, and agreements. For more information see the UBC ARC Sockeye Terms of Service.
- In cases where a research project collects, stores, or processes sensitive information, a Security Threat Risk Assessment (“STRA”) that examines the entire project workflow and toolchain used to protect this information during academic research may be recommended. This page is intended to provide relevant security and privacy information about UBC ARC Sockeye and cannot replace an STRA. For more information about STRA, visit our Security and Privacy section.
UBC Information Security Requirements
UBC ARC Sockeye security is configured to meet the requirements set by UBC Information Systems Policy (SC14) and associated standards.
Information Classification
The current security controls of UBC ARC Sockeye allow UBC researchers to collect and temporarily store UBC information of all classifications.
Ethics
At UBC, research projects may be subject to review by a Research Ethics Board, which approves the project and sets requirements around data collection, use and disclosure.
Architecture Security
UBC ARC Sockeye is designed with a multi-layer architecture to ensure information is not directly exposed outside its environment. Secure architecture hardening controls, including network protection, endpoint detection and response, vulnerability scanning, and patch management, are in place to prevent unauthorized access and actions on the platform. The sub-sections below describe the current controls in place:
Architecture Diagram
Access Control
UBC ARC Sockeye access controls are implemented following the Principle of Least Privilege. For end users, the Secure Shell (SSH) protocol used to access the platform is integrated with UBC’s Campus Wide Login (CWL) system as described in the ARC System Access Control standard (ARCS-22). Privileged accounts used to administer the platform are further limited to the UBC ARC team from a dedicated internal network.
Passwords and passphrases must follow the requirements of UBC Information Security Standard U2 (ISS-U2), and all access to UBC ARC Sockeye requires Multi-Factor Authentication.
Network
UBC ARC Sockeye is not accessible directly from the Internet. Only users connected to the UBC network, either directly or remotely through a UBC secure connection, can access the platform. UBC ARC Sockeye nodes are implicitly denied outbound access. Only specific nodes are provided limited outbound connections as required for the operation of the platform. All connections require the use of secure network protocols, including signed certificates that use a cryptographic hash algorithm of at least SHA-256.
Physical Security
UBC ARC Sockeye is located in British Columbia, Canada. The majority of the platform physically resides within the UBC University Data Centre at the Point Grey campus, a modern secure data center with security features such as pass-card restricted and logged entry, generator-backed UPS protected power, and video surveillance.
Endpoint Protection
To ensure optimal protection, operation and performance, the UBC ARC Sockeye underlying infrastructure, including operating systems and firmware, has supported versions installed.
All Sockeye nodes are equipped with Endpoint Detection and Response to prevent unauthorized access and movement of potentially malicious elements.
Vulnerability Management
UBC ARC Sockeye is regularly scanned using a variety of recognized scanning tools. Reports are reviewed and inform the maintenance and patching priorities to ensure compliance with the ARC System Maintenance standard (ARCS-21) and UBC Information Security Standard M5 (ISS-M5).
ARC has dedicated cybersecurity, system and platform administrators who keep track of the latest vulnerabilities potentially affecting the platform and ensure they are addressed in a timely fashion.
Maintenance and Patching
UBC ARC Sockeye maintenance and patching is defined in the ARC System Maintenance standard (ARCS-21), and is divided into two categories:
Platform and Underlying Infrastructure
To facilitate required upgrades and patches, the UBC ARC Sockeye platform has pre-set maintenance windows. Maintenance includes the following:
- Security patching based on priority (as defined in UBC ISS-M5);
- Underlying infrastructure regular maintenance;
- Regular software updates and upgrades to ensure efficient and secure operation;
- Testing prior to each new update or patch release, as well as verification post-release to ensure implementation was successful;
- Documented update and user communication procedures;
- Change Management procedures;
- Contingency planning.
Software
A number of software packages, including multiple versions, are made available on UBC ARC Sockeye to facilitate UBC researchers' needs. Pre-installed software is offered AS-IS and ARC does not conduct any additional review of the software code provided. The software stack is periodically updated to ensure major vulnerabilities are addressed. For a detailed list of current pre-installed software, please refer to the UBC ARC Sockeye Available Software list. Users may also install their own software on the platform, in which case maintenance and patching is the responsibility of the user.
Logging and Monitoring
UBC ARC Sockeye logs are compiled in a central logging system. Logs are generally intended to be used for maintenance and troubleshooting, as well as detecting and investigating information security events. Access for other purposes must be approved using one of the following methods:
- Internally, within UBC, in accordance with UBC Information Security Standards;
- Externally to law enforcement via Campus Security;
- Externally to other entities via authorization from the Office of the University Counsel.
Information Security
UBC ARC Sockeye is configured with multiple security and information protection controls to ensure research information is protected while stored and processed on the platform. The sub-sections below describe the current controls in place:
Encryption
Information transferred to and from UBC ARC Sockeye requires the use of a secure transfer protocol such as Secure Copy Protocol (SCP) or Secure File Transfer Protocol (SFTP). Visit our Technical User Documentation for more information.
Backup
While some mechanisms and processes are in place to allow for short term information recovery, UBC ARC Sockeye does not provide backup for user information. It is the responsibility of the user to ensure information stored on the system is backed up to another location. Visit our UBC Research Storage Finder page for more information.
Replication
UBC ARC Sockeye, including some user data, is replicated to the UBC Okanagan campus datacenter.
Information Retention and Destruction
All information stored on the platform is managed in accordance with the ARC Data Retention and Destruction standard (ARCS-05).
Privacy
UBC ARC Sockeye is designed to facilitate computing of research information, primarily information of a sensitive nature. It is a computing service allowing researchers to process a large amount of information, or information requiring significant computing resources.
Privacy Model
Sockeye operates under a shared responsibility model. UBC ARC is responsible for the underlying infrastructure, including the hardware, network, and system (operating system) management. The Allocation Owner is responsible for the data processed and stored on the platform, as well as its use and disclosure. Additionally, the Allocation Owner is responsible for managing any software installed within an allocation.
Collection
UBC ARC does not collect any personal information as part of the operation of the UBC ARC Sockeye platform. UBC ARC only collects the necessary business information required for the provision of the allocation.
Use and Disclosure
UBC ARC does not use or disclose any of the information within a UBC ARC Sockeye allocation except where required by law or as directed by the Allocation Owner. The Allocation Owner is responsible for the data processed and stored on the platform, as well as its use and disclosure.
Training and Awareness
Training is available for UBC ARC Sockeye users to ensure research is conducted following the university requirements and cybersecurity best practices.
UBC privacy and information security training
Privacy & Information Security – Fundamentals training is a mandatory requirement for faculty, staff, researchers, student employees and contractors who use UBC Electronic Information and Systems. Visit privacymatters.ubc.ca for more information.
ARC information security awareness training
In addition to UBC Privacy and Information Security training, ARC staff must complete the mandatory ARC Information Security Awareness curriculum, which is specifically oriented to professionals providing support to UBC researchers and managing ARC systems and platforms.
UBC ARC Sockeye users
Tutorials and live training events are regularly available to new and existing UBC ARC Sockeye users. See our Training and Resources section for more information.
Management
Research Data Management
Research data management is the responsibility of the Allocation Owner, but ARC offers support to UBC researchers if required. Visit rdm.ubc.ca for more information.
User Management
UBC ARC Sockeye user management is done in accordance with UBC Information Security Standard M2 (ISS-M2) and UBC Information Security Standard M3 (ISS-M3). It includes:
- Review and approval of user accounts prior to access provisioning;
- Documented Onboarding and Off-boarding procedures;
- Periodic access reviews;
- Unique user identifier allowing traceable actions.
Security Incident Response
UBC ARC has a Security Incident process in place to ensure potential and confirmed incidents are properly handled and documented. This process is in place to supplement UBC Security Incident Response procedures and includes:
- Defined security incident response based on criticality;
- Defined roles and responsibilities;
- Defined security incident reporting and activation protocols;
- Documented procedures including information breach management, communication, reporting and sharing, as well as forensic analysis;
- Documentation, logging and evidence management requirements;
- Escalation protocols;
- Post incident reviews.
Can’t find what you are looking for?
Send us an email at arc.suport@ubc.ca to talk to one of our subject matter experts.