The Protective Enclave is a physical and/or logical separation of
applications, systems and networks that process DCL3 data. The Protective
Enclave provides a high security computing environment for the limited number of
Faculty/Staff that process DCL3 data at the colleges and the CSCU System Office.
In the past, DCL3 data was accessed from applications running directly on
workstations. Now, DCL3 data should only be accessed from inside the CSCU
Protective Enclave using applications launched from a virtual desktop.
The Protective Enclave will require additional security controls
and restrictions to ensure the application and data remain
protected. When accessing the Protective Enclave, Faculty and Staff
will log in through a secure channel to access a virtual desktop.
Once logged on to the virtual desktop, you will be able to
access/work with DCL3 data (e.g., Banner, secure websites, documents
containing confidential information, etc.). DCL3 data will not be able
to leave the Protective Enclave.
The additional security controls include:
- Multi-factor Authentication (MFA): MFA is used to confirm your
identity. It increases security by requiring you to use both
something you know (e.g., your NetID and password) and something you
have (e.g., a work phone or mobile device) before allowing access.
This makes it more difficult for an unauthorized person to
authenticate as you (i.e. they can’t get access just by knowing your
- Data Loss Prevention (DLP): DLP prevents sensitive data from
leaving the Protective Enclave. If a file saved in the Protective
Enclave’s transfer share (the location where files to be transferred
out of the Protective Enclave are located) is found to contain
sensitive data, it will be encrypted and therefore will not be
accessible outside the Protective Enclave.
The additional restrictions include:
- Printing: Printers that are available from inside the Protective
Enclave differ from standard network printers because they
are protected by the boundaries of the Protective Enclave. Because
of the sensitive nature of the documents being printed and the
printer's location, Faculty/Staff can print only to the specific
Protective Enclave printers they are assigned.
- File shares: Faculty/Staff have access to different file shares
when working from within the Protective Enclave. DCL3 file shares
are used to save documents/files containing DCL3 data and are
available only from within the Protective Enclave. Transfer file
shares are available from both within the Protective Enclave and
from outside the Protective Enclave to transfer files into and out
of the Protective Enclave that do not contain DCL3 data. Transfer
file shares are protected by data loss prevention (DLP) controls
that do not allow DCL3 data to leave the Protective Enclave.
- E-mail: Access to E-mail is not allowed from inside the Protective
Enclave. Faculty/Staff will need to transfer files that do not
contain DCL3 data out of the Protective Enclave in order to send the
files via E-mail.
- Inactivity timeouts: There is a 15-minute inactivity timeout for
the Protective Enclave. It is similar to a Windows screen saver,
where you need to re-enter your password to get back into the
Before you can use the Protective Enclave
- You will first need to be granted access to the Protective
Enclave. Work with the Protective Enclave Liaison to have this
access granted for you.
- You will receive an email from CSCU-Authentication-noreply with a
link to the MFA documentation when your account is ready to be
configured. You only need to go to the MFA site when you initially
configure your settings and when you need to make any changes to how
you log