Introducing DAFNI’s Security Service

Pete Feeney

Security concerns over sensitive data have been one of the top barriers preventing academics, industry and government sharing infrastructure information within or across their groups. So, naturally, security is enshrined in everything we do at the Data and Analytics Facility for National Infrastructure (DAFNI).

With the DAFNI 1.0 platform, anyone in the infrastructure system – from planners and policymakers to construction companies and academics – can model multiple proposed infrastructure developments using a system-of-systems approach. This breaks the significant barrier that has been in place until now: having only enough data or computing power to model one infrastructure in isolation.

Currently in alpha testing, DAFNI 1.0 offers enough High Performance Computing power to make running complex models, across a variety of scenarios, a possibility in minutes rather than days.

DAFNI consists of five key parts:

  1. National Infrastructure Database (NID): This is an increasingly large library of datasets – some of which DAFNI holds, some of which DAFNI facilitates access to. Metadata tags are incorporated to make searching the database easier.
  2. National Infrastructure Modelling Service (NIMS): This is split into two main parts – the national modelling catalogue, and the workflow section, where you can drag and drop elements of different models to create new ones. The aim is to democratise access to models whilst allowing modellers to set permissions on who can use their work.
  3. National Infrastructure Cloud Environment (NICE): Users can make use of the High Performance Computing power behind DAFNI 1.0 to develop and increase the speed of their models, which may involve hundreds of gigabytes. DAFNI 1.0 uses best practices in industry – such as hybrid cloud and onsite investment.
  4. National Infrastructure Visualisation Suite (NIVS): Modellers can use GPUs and CPUs to create 3D renders and 2D plots to tell effective and meaningful stories through visualisations.
  5. Data Security Service (DSS): This provides security assurances to those providing the data that the datasets are looked after in a secure and controlled fashion, based on industry best practices. It includes authentication, authorisation, monitoring and accounts management.

As you can imagine, what with the sheer amount of data we handle, coupled with complex ownership issues, data sharing can be hard to achieve for a variety of reasons, from security to licensing.

So my role as DAFNI’s security engineer is to ensure that before datasets are added to DAFNI 1.0, we understand who the individuals or organisations are and carry out background checks; and that we understand any licensing restrictions, General Data Protection Regulation (GDPR) requirements and national security implications of that data.

Our starting point, when working with data owners, is to understand who the person is and what they’re trying to do with the data.

When a user comes onto the system, we assume any data is private data and that no one else would see that data. It’s then the data owner’s decision as to how they allow access to that data. We can facilitate many layers of security that can be applied to the data, so the data owner can be comfortable with who sees the data, and when and where.

We work to ensure that users can keep the datasets they upload personal to their project or project team, until they are ready to publish their model, research or results. Our current alpha testers are academics and PhD researchers, typically working with a supervisor and a couple of assistants. We facilitate groups working together by giving the project lead rights to grant access to selected members or to all team members, and by allowing them access to selected project data or to the whole of it.

Licensed Data

There is also licensing to consider. A licence may be granted to one user for a dataset and our job is to ensure that the intellectual property rights aren’t infringed. That means initial checks when the data is uploaded and ongoing monitoring to ensure that people aren’t publishing data in a way that breaks the licensing.

Infrastructure research can involve accessing data which is of a sensitive nature. Exploitation of the data or results could lead to abuse of national infrastructure, leaving these assets exposed or damaged. Therefore, it is imperative to monitor who is accessing data and results, from the initial checks that verify the researcher has the right permissions in place, through to checking what outcomes are being achieved, and finally identifying what exactly they are doing with the data.

Another consideration is datasets in which individual people or companies could be identified. In this instance the data might need to be anonymised so that the information set is reduced and users cannot attribute a piece of data to a particular person. We also have instances where some users need permissions to access the whole set of data and other users might only be able to access the anonymised data or a sub-dataset.

Secure Research Service

We’re starting a process with the Office for National Statistics to be validated as a secure data provider and to gain permission to work with their data. Some of this data is subject to particularly high levels of security, as it is highly personal data on individuals.

We are also in the first stages of working with National Cyber Security to undergo penetration testing for our current system. This will be an ongoing process; systems have to evolve as the threats evolve, and there are regulations from National Cyber Security which mean they have to assess DAFNI 1.0 and review it every year. If we, or they, find any spurious activity, it’s a signal to us that we must evolve the security still further. Security doesn’t stand still; it must constantly move forward with the times.

DAFNI 1.0 will also be compliant with a number of ISO (International Organization for Standardization) standards – global IT security standards.

If we start to work with government bodies outside the UK, they would also wish to review and audit DAFNI 1.0 and have particular standards we would be required to meet. We are ready to understand their priorities and their views when the time comes.

Achieving a balance between a system that’s secure yet accessible is our ongoing challenge.

It’s certainly a huge responsibility and an honour to be running and evolving DAFNI’s complex security systems during this exciting development period.

18th May 2020