Connecticut State Colleges & Universities
IT Support Center

IT Support Center | Connecticut State Colleges & Universities - Protective Enclave

Protective Enclave Login

The Protective Enclave is a physical and/or logical separation of applications, systems and networks that process DCL3 data.  The Protective Enclave provides a high security computing environment for the limited number of Faculty/Staff that process DCL3 data at the colleges and the CSCU System Office. In the past, DCL3 data was accessed from applications running directly on workstations. Now, DCL3 data must only be accessed from inside the CSCU Protective Enclave using applications launched from a virtual desktop.

All users using the Protective Enclave will need to abide by the usage provisions and data access responsibilities outlined in the Rules for using the Protective Enclave.

The Protective Enclave will require additional security controls and restrictions to ensure the application and data remain protected. When accessing the Protective Enclave, Faculty and Staff will login through a secure channel to access to a virtual desktop. Once logged onto the virtual desktop, you will be able to access/work with DCL3 data (e.g., Banner, secure websites, documents contain confidential information, etc.). DCL3 data will not be able to leave the Protective Enclave.

Refer to our Data Management Standard for more information about DCL3 data.

The additional security controls include:
  • Multi-factor Authentication (MFA): MFA is used to confirm your identity. It increases security by requiring you to use both something you know (e.g., your NetID and password) and something you have (e.g., a work phone or mobile device) before allowing access. This makes it more difficult for an unauthorized person to authenticate as you (i.e. they can't get access just by knowing your password).
  • Data Loss Prevention (DLP): DLP prevents sensitive data from leaving the Protective Enclave. If a file is saved in the Protective Enclave's transfer share (the location where files to be transferred out of the Protective Enclave are located) that is found to contain sensitive data, it will be encrypted and therefore will not be accessible outside the Protective Enclave.
The additional restrictions include:
  • Printing: Printers that are available from inside the Protective Enclave differ from that of standard network printers because they are protected by the boundaries of the Protective Enclave. Because of the sensitive nature of the documents being printed and the printer's location, Faculty/Staff are assigned to only be able to print to specific Protective Enclave printers.
  • File shares: Faculty/Staff have access to different file shares when working from within the Protective Enclave. DCL3 file shares are used to save documents/files containing DCL3 data and is available only from within the Protective Enclave. A transfer file share is available from both within the Protective Enclave and from outside the Protective Enclave as a temporary area for transferring files into and out of the Protective Enclave. It is securely shredded every night at 2AM and will not be backed up. Recovery is not possible once the secure shred has shredded documents. The Transfer file share is protected by data loss prevention (DLP) controls that do not allow documents flagged as containing DCL3 data to leave the Protective Enclave.
  • E-mail: Access to E-mail is not allowed from inside the Protective Enclave. Faculty/Staff will need to transfer files that do not contain DCL3 data, out of the Protective Enclave in order to send the files via E-mail.
  • Inactivity timeouts: There is a 15 minute inactivity timeout for the Protective Enclave. It is similar to a Windows screen saver, where you need to re-enter your password to get back into the Protective Enclave.

Before you can use the Protective Enclave

  • You will first need to be granted access to the Protective Enclave. Work with the Protective Enclave Liaison to have this access granted for you.
  • You will receive an email from CSCU-Authentication-noreply with a link to the MFA documentation when your account is ready to be configured. You only need to go to the MFA site when you initially configure your settings and when you need to make any changes to how you log in.
  • Become familiar with the usage provisions and data access responsibilities outlined in the Rules for using the Protective Enclave.