Learn how to safely store and use FISMA data by deploying Microsoft Azure security solutions in your Terra Environment. Read on for more details about when and how to deploy features that make Terra authorized for FedRAMP-moderate use.
Overview: FedRAMP-moderate Terra on Azure
Securing data in the cloud
You may be surprised to learn that data in the cloud can be more secure than data stored locally. This is because, in a cloud-native platform, security is built-in and less dependent on individuals. Terra has several layers of effective protection for your data and tools, which is why the platform has achieved FedRAMP moderate compliance.
Using Terra on Azure to secure controlled access data is your responsibility
NIH Grants Policy Statement section 2.3.12 reminds recipients of their "vital responsibility to protect sensitive and confidential data as part of proper stewardship of federally funded research, and take all reasonable and appropriate actions to prevent the inadvertent disclosure, release or loss of sensitive personal information."
For more information, see the resources below.
Why you have more responsibility to secure controlled-access data in Terra
Your Terra Environment exists as a managed app launched within your Azure subscription, which means you must choose to deploy many of the security parameters when you set up the managed app.
Terra security resources
Additional security monitoring of protected data
If you are working with controlled access, PHI, or any sensitive data that requires additional security protections, it is your responsibility to set up your Terra on Azure environment with additional security monitoring.
Note that extra security comes with a cost
The additional logging can significantly impact your bottom line, as there is a cost each time you query or access data within your FedRAMP-moderate Terra. For this reason, you should only set up additional security logging if you work with legally protected data.
Do you actually need to turn on security monitoring (logging)?
Additional security monitoring is intended to fulfill legal requirements for data governed by a compliance standard, such as HIPAA protected data, federal controlled-access data, etc. It is not intended for data that you just want to keep private. Workspace permissions are generally sufficient for that purpose.
Cost warning: Logging costs extra (sometimes significantly more)
Enabling these features will incur additional usage costs related to the logging and security monitoring based on the use of data in workspaces within the billing project. Note that these costs - which accrue whenever you run a workflow or access data - can be significant.
If your data is not governed by a compliance standard, you should not turn on logging. Workspace permissions are intended to restrict access to private data. See Controlling access to data and tools (workspace permissions).
How to set up Terra as a FedRAMP moderate platform
Note that additional security/logging affects all workspaces in your Terra Environment
Terra on Azure’s additional security monitoring is deployed as part of the infrastructure resources created when you set up your Terra environment. All workspaces created within a single Terra Environment (i.e., the same Terra billing project) will automatically inherit the security features. Note that this is different from Terra on Google, where additional security monitoring can be enabled for individual workspaces.
Enable when creating your Terra Billing project
To enable these features, when you are creating your billing project, choose additional security monitoring in Step 2 of the billing project creation screen. This will automatically deploy the security features into your Terra environment.
Screenshot of billing project creation - step 2
You may have to enable an additional resource provider
You must enable Microsoft.SecurityInsights in your Azure subscription to set up FedRAMP-moderate Terra. Microsoft.SecurityInsights is an additional resource provider required to provision Microsoft Sentinel, which is part of Terra's additional security monitoring for controlled access data.
See the prerequisites section in How to set up Terra on Azure (admins and billing) for more details.
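The following script is an added example, not part of Terra's documentation or tooling: it checks whether the Microsoft.SecurityInsights resource provider is registered in the signed-in Azure subscription and registers it if not, so the prerequisite can be verified before creating the billing project. It assumes the Azure CLI (`az`) is installed and `az login` has already selected the subscription you will use for the Terra Environment; the helper function names are this example's own.

```bash
#!/usr/bin/env bash
# Added example (not Terra's own tooling): verify that the Microsoft.SecurityInsights
# resource provider is registered in the current Azure subscription, and register it
# when it is not. Assumes `az` is installed and `az login` has been run.
set -euo pipefail

PROVIDER_NAMESPACE="Microsoft.SecurityInsights"

# Pull the registrationState value out of the JSON that `az provider show -o json`
# prints. sed is used instead of jq so the check works in a minimal Cloud Shell image.
registration_state() {
  # $1: JSON text as printed by `az provider show`
  printf '%s' "$1" | sed -n 's/.*"registrationState": *"\([^"]*\)".*/\1/p' | head -n1
}

# Return 0 (true) when the provider still needs registering, 1 when it is Registered.
# Any other state (NotRegistered, Registering, Unregistering, empty) is treated as
# "not yet usable" so the caller registers and waits.
needs_registration() {
  # $1: registration state string
  case "$1" in
    Registered) return 1 ;;
    *) return 0 ;;
  esac
}

# Live check against the signed-in subscription. Only meaningful when `az` exists.
ensure_provider_registered() {
  if ! command -v az >/dev/null 2>&1; then
    echo "az CLI not found; skipping live check" >&2
    return 2
  fi
  local json state
  json="$(az provider show --namespace "$PROVIDER_NAMESPACE" -o json)"
  state="$(registration_state "$json")"
  if needs_registration "$state"; then
    echo "$PROVIDER_NAMESPACE is '${state:-unknown}'; registering (this can take a few minutes)..."
    # --wait blocks until the registration completes, so the billing project
    # creation step can be started immediately afterwards.
    az provider register --namespace "$PROVIDER_NAMESPACE" --wait
    echo "$PROVIDER_NAMESPACE registered"
  else
    echo "$PROVIDER_NAMESPACE is already registered"
  fi
}

# The live check only runs when explicitly requested, so the parsing helpers above
# can be exercised offline without contacting Azure.
if [ "${1:-}" = "--live" ]; then
  ensure_provider_registered
fi
```

Run it as `./check-securityinsights.sh --live` after `az login`. Registration is per subscription, so repeat it in each subscription that will host a FedRAMP-moderate Terra Environment; it does not need to be repeated for each billing project within the same subscription.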
What to expect
Working in a protected data workspace
If you’re working in a workspace that supports the use of protected or sensitive data, you’ll see an icon indicating that the workspace has additional security monitoring enabled.
"Enhanced logging and monitoring are enabled to support the use of controlled-access data in this workspace."
Creating a new workspace
When creating a new workspace or importing data into a workspace in your Terra environment, you will also be able to see that the workspace is inheriting additional security monitoring.
Billing projects for Terra Environments with additional security logging enabled are indicated with a shield in the popup for creating a workspace.