CASD’s uniqueness and success lie in its core decision to have its own dedicated hardware: the SD-Box.
Data exchange is a growing issue for all organizations, particularly for research and study purposes. Data that are individual, very detailed (salaries, HR, health, etc.) or strategic in nature (economic or financial) require an extremely high level of security to avoid any harmful dissemination or misuse of these data by an unauthorized third party.
No existing solution on the market could meet the specific security requirements related to these types of data. To meet these challenges, the Secure Data Access Center or “CASD” designed dedicated secure equipment allowing for remote access to data, while ensuring strong user authentication and preventing any possible data file exports.
Our solution is based on an access device specifically designed for this purpose, the SD-Box, connected to a secure central infrastructure, hosted on the premises of GENES, and accessible only from SD-Box units. This device coupled with a centralized infrastructure form a coherent and closed environment where users can work on data without any possibility of extraction in any form whatsoever (files, printing, etc.). The CASD infrastructure was designed from the outset to be totally isolated from production networks. This infrastructure is based on a private network, both for the central unit containing the data and servers, as well as for the SD-Boxes that use encrypted tunnels initiated during each box’s installation.
The SD-Box is very simple to install, easy to replace, and updated remotely. At its core, it’s simply a computer device and a “sealed” central IT infrastructure, but this makes it the real cornerstone of the security guaranteed by CASD.
With the SD-Box, the user can work remotely on confidential data while also guaranteeing data producers the following:
• no file can be retrieved by the user (no possible copying /pasting, printing, or insertion of flash drives, etc.)
• the person connecting to the SD-Box is indeed the authorized user. Reliable biometric authentication before every entry is achieved by using a smartcard containing a security certificate and a biometric fingerprint reader. In accordance with the law, this treatment was the subject of a request for authorization to the computer and freedom commission granted in CNIL Deliberation n ° 2014-369.
• all communications between the SD-Box and the servers are encrypted
• no data can leave this bubble without prior authorisation in order to prevent any information leaks.
CASD’s technology was initially designed to provide INSEE data to external researchers without the risk of having them pass from hand to hand via various methods: laptops, flash drives, etc. This risk is all too real and detrimental to the owner of the data with potential loss of media, or it ending up in the wrong hands.
This problem is not only true for public statistics data, but for many other public and private organizations as well. The application of the new European regulation on personal data (GDPR) will hold organizations more directly responsible for the security risks associated with data. CASD is an effective answer to minimize these risks when establishing a PIA (Privacy Impact Assessment).