High Compliance Environment (HCE)

The High Compliance Environment (HCE) helps campus units meet the IS-3 compliance requirements specifically indicated for sensitive and protected data workloads by providing a secure computing enclave for applications and/or research projects which require dedicated controls for protected data classifications (e.g., NIST 800-171, DFARS, PCI, etc.)

Data classifications are based in-part off the UC Protection Level Classification Guide (https://security.ucop.edu/files/documents/uc-protection-level-classification-guide.pdf) and the controls within the HCE are focused primarily on data held at the Protection Level 4 classification. A risk assessment is to be conducted on each individual application considered for HCE hosting prior to acceptance or onboard.

The goal of the High Compliance Environment (HCE) is to provide a secure computing enclave that normalizes and abstracts the various security and compliance controls required by research, government, and other third-party data sharing agreements (e.g., FedRAMP, CMMC, export-controlled data, PCI). The computing environment provides traditional (on-premise) network, compute, storage, and memory to incubate or permanently host highly-sensitive applications and projects.

Network - The HCE network is a fully segmented, internal private network which separates out each individual workload in a zero-trust network model. External ingress/egress network traffic is governed by firewalls deployed at the edge of the enclave and inbound access must be explicitly specified, reviewed, and implemented.

Compute - The HCE leverages virtualization technology to virtually host most versions of Windows and Linux operating systems. Virtual Desktop Infrastructure (VDI) is also available to securely connect to individual workloads within the application, segmented by the hypervisor.

Storage

  1. Primary storage is provided through an all-flash storage area network (SAN) storage. The standard storage provisioned per project is up to 1TB. Additional review would be required for workloads requiring increased storage levels.
  2. Backup storage is provided through traditional SAN storage and all workloads (unless otherwise specified) retain backups per the SLA of the environment.

Memory - Memory is provisioned per the scoping and requirements necessary for each accepted project or application.

Pricing

For accepted projects or applications, this service is provided at no cost to campus.

Benefits

  • Standardized, secure computing enclave reviewed regularly for compliance
  • Integration with MFA for enhanced security
  • Fully segmented, customized environments that can be tailored for individual needs
  • Enhanced monitoring and remediation guidance available through the Information Security Office
  • Provided free of charge to all areas

Eligibility

All Campus Units can submit a request for assessment and potential hosting of their application/project.

Requirements

  • A formal Risk Assessment must be completed on the in-scope project or application prior to hosting within the HCE
    • The outcome of the assessment will determine whether the project or application is a suitable candidate for the HCE
  • Logging, vulnerability management, and endpoint protection integrations are a requirement for the systems running in the environment
    • Local agents are available for integration with project systems and training will be provided for installation/configuration
  • Application level vulnerabilities are the responsibility of the individual project owner and must be remediated within the standards set forth in the campus Vulnerability Management Standard

Getting Started

To submit a project/application for hosting in the HCE, please email security@ucla.edu.