The Protective Enclave is a physical and/or logical separation of
applications, systems and networks that process DCL3 data. The Protective
Enclave provides a high security computing environment for the limited number of
Faculty/Staff who process DCL3 data at the colleges and the CSCU System Office.
In the past, DCL3 data was accessed from applications running directly on
workstations. Now, DCL3 data must only be accessed from inside the CSCU
Protective Enclave using applications launched from a virtual desktop.
All users of the Protective Enclave will need to abide by the usage provisions and data access responsibilities outlined in the Rules for using the Protective Enclave.
The Protective Enclave will require additional security controls
and restrictions to ensure the application and data remain
protected. When accessing the Protective Enclave, Faculty and Staff
will log in through a secure channel to access a virtual desktop.
Once logged onto the virtual desktop, you will be able to
access/work with DCL3 data (e.g., Banner, secure websites, documents
containing confidential information, etc.). DCL3 data will not be able
to leave the Protective Enclave.
Refer to our Data Management Standard for more information about DCL3 data.
The additional security controls include:
- Multi-factor Authentication (MFA): MFA is used
to confirm your identity. It increases security by requiring you to
use both something you know (e.g., your NetID and password) and
something you have (e.g., a work phone or mobile device) before
allowing access. This makes it more difficult for an unauthorized
person to authenticate as you (i.e., they can't get access just by knowing your
password).
- Data Loss Prevention (DLP): DLP prevents sensitive data from
leaving the Protective Enclave. If a file is saved in the Protective
Enclave's transfer share (the location where files to be transferred
out of the Protective Enclave are located) that is found to contain
sensitive data, it will be encrypted and therefore will not be
accessible outside the Protective Enclave.
The additional restrictions include:
- Printing: Printers that are available from inside the Protective
Enclave differ from standard network printers because they
are protected by the boundaries of the Protective Enclave. Because
of the sensitive nature of the documents being printed and the
printer's location, Faculty/Staff are assigned to only be able to
print to specific Protective Enclave printers.
- File shares: Faculty/Staff have access to different file shares
when working from within the Protective Enclave. DCL3 file shares
are used to save documents/files containing DCL3 data and are
available only from within the Protective Enclave. A transfer file
share is available both from within the Protective Enclave and
from outside the Protective Enclave as a temporary area for transferring files into and out
of the Protective Enclave. It is securely shredded every night at
2AM and will not be backed up. Recovery is not possible once the
secure shred has shredded documents. The transfer
file share is protected by data loss prevention (DLP) controls that
do not allow documents flagged as containing DCL3 data to leave the Protective Enclave.
- E-mail: Access to E-mail is not allowed from inside the Protective
Enclave. Faculty/Staff will need to transfer files that do not
contain DCL3 data out of the Protective Enclave in order to send the
files via E-mail.
- Inactivity timeouts: There is a 15-minute inactivity timeout for
the Protective Enclave. It is similar to a Windows screen saver,
where you need to re-enter your password to get back into the
Protective Enclave.
Before you can use the Protective Enclave
- You will first need to be granted access to the Protective Enclave. Work with the Protective Enclave Liaison to have this access granted for you.
- You will receive an email from CSCU-Authentication-noreply with a link to the MFA documentation when your account is ready to be configured. You only need to go to the MFA site when you initially configure your settings and when you need to make any changes to how you log in.
- Become familiar with the usage provisions and data access responsibilities outlined in the Rules for using the Protective Enclave.