Overview
RONIN Isolate helps protect your sensitive data
Supporting self-service research on AWS using protected information is challenging. RONIN Isolate is a research environment designed to meet the security and compliance demands of our most security-conscious customers, while providing users with an intuitive self-service platform that is as easy to work in as a laptop.
How does RONIN Isolate differ from RONIN Core?
The main difference between RONIN Isolate and our flagship product RONIN Core is that RONIN Isolate is deployed in an AWS account that is, by default, isolated from the outside world. All AWS resources must be accessed through a secure enclave. By default the secure enclave contains Amazon WorkSpaces desktops through which users reach the environment; access to these can be restricted by IP address, approved device, transit gateway connection and more.
RONIN Isolate additionally provides a configurable baseline of policies, controls and guardrails required to best position your organization to meet both regulatory and institutional IT security requirements.
A secure architecture
RONIN Isolate is installed within your organization's AWS account (“self-hosted”). It is not Software as a Service (SaaS). This self-hosted deployment model provides your organization complete visibility and control over every aspect of the underlying AWS infrastructure and also means data never needs to leave your custody or be copied to a third party.
RONIN Isolate creates an Amazon Virtual Private Cloud (VPC), a virtual network in which RONIN launches AWS resources. The VPC has no direct path from the public internet: it is connected to your secure enclave and to a NAT gateway, and RONIN Isolate is architected so that resources are reachable only from the secure enclave. Machines created in RONIN have no inbound network connectivity except through the secure enclave. Outbound traffic leaves via the NAT gateway, which can be routed to an internet gateway, a firewall, or a transit gateway so that it passes through your on-premises firewalls.
Logging and auditing
RONIN Isolate also helps customers address compliance requirements that call for in-depth auditing. RONIN Isolate supports granular protection of data by user and by machine, limiting data access according to the principles of least privilege and separation of duties. Every action a user takes within RONIN Isolate is logged and can be audited.
Together, RONIN Isolate logging of UI actions and AWS CloudTrail logging of AWS infrastructure actions provide a clear audit trail of who accessed data and when, who created which machines, who created keys, and who granted access to machines and keys. These audit trails support HIPAA requirements for monitoring and auditing use of electronic protected health information (ePHI) and for identifying accidental exposure.
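The audit questions listed above (who created which machine, who created keys, who read which object, and from where) can be answered directly from CloudTrail records. The following is an added example, not RONIN code: it flattens CloudTrail events into a who-did-what audit trail and counts AccessDenied attempts per source address, a quick signal of access attempted from outside the enclave. The sample records, user names, instance ID, key name and bucket name are all constructed; the field names follow the public CloudTrail event format.

```python
"""Build a who-did-what audit trail from CloudTrail records.

Added example (not RONIN code). The record shapes follow the public
CloudTrail event format; the sample events below are constructed.
"""
import json
from collections import defaultdict

# Constructed sample CloudTrail records (not real account data).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T09:12:01Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "10.0.2.15",
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0abc123"}]}}},
    {"eventTime": "2024-05-01T09:15:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateKeyPair",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "10.0.2.15",
     "requestParameters": {"keyName": "project-x-key"}},
    {"eventTime": "2024-05-01T10:03:22Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ronin-machine/i-0abc123"},
     "sourceIPAddress": "10.0.2.15",
     "requestParameters": {"bucketName": "project-x-data", "key": "cohort/patients.csv"}},
    {"eventTime": "2024-05-01T11:48:09Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "userName": "mallory"},
     "sourceIPAddress": "203.0.113.7",
     "errorCode": "AccessDenied",
     "requestParameters": {"bucketName": "project-x-data", "key": "cohort/patients.csv"}},
]})

# Event names that answer the audit questions in the text.
WATCHED = {
    "RunInstances": "created machine",
    "TerminateInstances": "terminated machine",
    "CreateKeyPair": "created key",
    "GetObject": "read object",
    "PutObject": "wrote object",
}


def actor(record):
    """Return a stable identity string for the principal behind an event."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def audit_trail(trail_json):
    """Flatten watched records into (time, actor, action, target, outcome) rows."""
    rows = []
    for rec in json.loads(trail_json)["Records"]:
        name = rec.get("eventName")
        if name not in WATCHED:
            continue
        params = rec.get("requestParameters") or {}
        resp = rec.get("responseElements") or {}
        if name in ("RunInstances", "TerminateInstances"):
            items = resp.get("instancesSet", {}).get("items", [])
            target = ",".join(i["instanceId"] for i in items) or "?"
        elif name == "CreateKeyPair":
            target = params.get("keyName", "?")
        else:
            target = f"s3://{params.get('bucketName', '?')}/{params.get('key', '?')}"
        # CloudTrail only sets errorCode on failed calls; absence means success.
        outcome = rec.get("errorCode", "Success")
        rows.append((rec["eventTime"], actor(rec), WATCHED[name], target, outcome))
    return rows


def denied_by_source(trail_json):
    """Count AccessDenied events per source IP address."""
    counts = defaultdict(int)
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("errorCode") == "AccessDenied":
            counts[rec.get("sourceIPAddress", "?")] += 1
    return dict(counts)


if __name__ == "__main__":
    for row in audit_trail(SAMPLE_TRAIL):
        print(" | ".join(row))
    print(denied_by_source(SAMPLE_TRAIL))
```

Object-level S3 calls such as GetObject and PutObject only appear in CloudTrail when data events are enabled for the bucket; management events alone record bucket creation and policy changes but not reads and writes of individual objects.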
Encryption
Within the environment, RONIN Isolate ensures that all data is encrypted at rest and in transit, following the best-practice guidelines published by the CIS (Center for Internet Security). Within RONIN Isolate private networks, traffic is carried only over SSH and HTTPS, so all access is encrypted in transit.
All data stored on drives or in S3 buckets created with RONIN is encrypted at rest, and bucket policies are enforced so that objects can be accessed only by allowlisted machines within RONIN Isolate private subnets, over internal HTTPS.
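One way to express the bucket restriction just described as an S3 bucket policy, shown here as an added example and not as RONIN's own policy: two explicit Deny statements, one keyed on aws:SecureTransport to reject plain HTTP, and one keyed on aws:SourceVpce to reject object access that does not arrive through the S3 VPC endpoint in the private subnets. A small evaluator then shows which requests each statement rejects. The bucket name and VPC endpoint ID are hypothetical placeholders, and the evaluator models only the two condition operators this policy uses, not the full IAM evaluation logic.

```python
"""S3 bucket policy confining object access to the private network over TLS,
with a minimal evaluator showing which requests it rejects.

Added example (not RONIN's actual policy). BUCKET and ALLOWED_VPCE are
hypothetical placeholders.
"""

BUCKET = "project-x-data"                 # hypothetical bucket name
ALLOWED_VPCE = "vpce-0123456789abcdef0"   # hypothetical S3 gateway endpoint in the private subnets

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Reject any request to the bucket or its objects not made over HTTPS.
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {   # Reject object reads/writes that do not arrive via the allowlisted VPC endpoint.
            "Sid": "DenyOutsideEnclave",
            "Effect": "Deny",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"StringNotEquals": {"aws:SourceVpce": ALLOWED_VPCE}},
        },
    ],
}


def _matches(pattern, value):
    """IAM-style match for the patterns used here: '*' wildcard, trailing-* prefix, or exact."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def _condition_holds(condition, ctx):
    """Evaluate the Bool and StringNotEquals operators against a request context.

    As in IAM (without ...IfExists), a missing key makes Bool false and the
    negated StringNotEquals true, so a request with no aws:SourceVpce is denied.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "Bool":
                if actual is None or str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual == expected:
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled")
    return True


def explicit_denies(policy, action, resource, ctx):
    """Return the Sids of Deny statements matching the request; an explicit deny always wins."""
    hits = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(_matches(a, action) for a in actions):
            continue
        if not any(_matches(r, resource) for r in resources):
            continue
        if _condition_holds(stmt.get("Condition", {}), ctx):
            hits.append(stmt["Sid"])
    return hits


OBJECT = f"arn:aws:s3:::{BUCKET}/cohort/patients.csv"

if __name__ == "__main__":
    cases = {
        "machine in enclave, TLS": {"aws:SecureTransport": "true", "aws:SourceVpce": ALLOWED_VPCE},
        "machine in enclave, plain HTTP": {"aws:SecureTransport": "false", "aws:SourceVpce": ALLOWED_VPCE},
        "internet client, TLS": {"aws:SecureTransport": "true"},
        "other VPC endpoint, TLS": {"aws:SecureTransport": "true", "aws:SourceVpce": "vpce-aaaaaaaaaaaaaaaaa"},
    }
    for label, ctx in cases.items():
        print(f"{label}: denied by {explicit_denies(BUCKET_POLICY, 's3:GetObject', OBJECT, ctx) or 'nothing'}")
```

Two caveats a practitioner would want: the Deny statements restrict access but grant nothing, so each machine's IAM role must still carry an Allow for the objects it needs; and the aws:SourceVpce condition also blocks administrators working from outside the private subnets (the console included), so break-glass access has to be planned for before the policy is applied.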
Backup and disaster recovery
Institutions and projects often require fine-grained control over data backup and disaster recovery mechanisms to trade off cost versus risk. RONIN Isolate automates complex security capabilities such as access key regeneration and backup of data, machines and clusters to highly durable storage. These features support implementation of policies that minimize risk of accidental loss and a variety of automated or non-automated backup procedures.
Additional AWS account best practices
Because RONIN Isolate is installed within your organization's AWS account, the shared responsibility model established between AWS and the customer applies. RONIN configures the organization’s account to be in the best position for addressing security and compliance requirements; however, organizations may tighten or relax constraints to serve their needs.
RONIN Isolate is fully compatible with the additional AWS services your organization may use to implement further security controls, including:
AWS Trusted Advisor: a service that performs checks (the set available depends on your AWS Support Plan) against AWS security best practices.
Amazon GuardDuty: a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3.
Highlights
- Restricted Access via Secure Enclave and Comprehensive Logging and Auditing
- Machine Restricted Storage Keys and Custom Network Isolation Rules
- Data Encrypted in Transit and at Rest and all the features of RONIN Core
Details
Pricing
Custom pricing options
Support
Vendor support
We offer a range of support services to our customers. For more information, please email us at contact@ronin.cloud. You are also welcome to join our public RONIN community on Slack and to check out our blog.