Environment Components

Each research project using the SDE has a separate SDE environment. Each SDE environment brings together multiple elements to keep your work secure.

Once it’s set up, your SDE environment will be given a name to identify it for service requests.

Secure Cloud Environment

All sensitive data and applications live inside a protected Google Cloud environment. Security is built in at every layer:

  • Data encryption: All data is encrypted both when stored and when transmitted.

  • Network protections: Firewalls, private networks, and strict access controls prevent unauthorized access.

  • Access controls: Only authorized Northwestern faculty, staff, and students with a valid NetID can sign in, and they must use Multi-Factor Authentication (MFA).

  • Monitoring: Security tools continuously watch for unusual activity and provide alerts.

Resources within the Google Cloud environment are divided into projects to separate tasks between different SDE user roles. Projects can have storage resources and virtual machines to support SDE users in accomplishing specific data management and analysis tasks. Each SDE environment can also include a GitHub organization for storing code and transferring code into and out of the SDE environment.

Secure Managed Endpoints

Endpoints are physical devices connected to a network. Within an SDE environment, your laptop is an endpoint. Access to the secure environment in Google Cloud is only possible from Northwestern IT-managed laptops, called managed endpoints. Managed endpoints are configured with strong security features:

  • Built-in protections: Firewalls, antivirus, and endpoint security tools run automatically.

  • Automatic updates: Regular patching ensures your system is always up to date.

  • VPN access: All connections to the enclave go through an encrypted VPN tunnel.

By using only managed endpoints, we prevent unauthorized systems from connecting to the secure environment in Google Cloud.

Access Controls

Even with a secure cloud environment and endpoint, we add another layer of protection through strict access controls:

  • MFA required: You must use MFA every time you sign in.

  • VPN connection: Access is only possible over the Northwestern secure VPN.

  • Compliance checks: Devices are checked before connecting to make sure they meet security standards.

  • Activity monitoring: All sessions are logged and monitored for unusual behavior.

Together, these measures ensure that the only way into the secure cloud environment is through a verified user on a secure device over a trusted network.