• What is AnVIL?
  • NIH Data Management and Sharing Policy Requirements
  • Platform and Data Security
  • Supported by NHGRI
  • Publications
  • Citing AnVIL

Platform and Data Security

The NHGRI AnVIL and the data it contains are secured in accordance with the industry best practices, the NIST 800-53 Rev 4 security controls at the Moderate baseline, and NIST 800-53 privacy controls documented in Appendix J.

Across the AnVIL, we aim to adhere to information security best practices, making use of four proven design concepts to implement defense-in-depth security:

  • Authenticate: All components require authentication at every step, not just the perimeter
  • Authorize: All data requires explicit authorization to access
  • Audit: All data access is logged (to a different system), with alerts for anomalous events
  • Encrypt: All data-in-transit and all data-at-rest is encrypted.

AnVIL systems also follow a model of continual assessment. This means the code is continually penetration tested, scanned, and tested. Additionally, systems are tested annually by independent auditors.

Platform Services

The AnVIL is made up of a variety of software developed by different institutions including the Broad Institute’s Terra platform and the University of California Santa Cruz’s AnVIL Data Explorer platform and Dockstore software. These are collectively referred to as "Platform Services."

Third Party Applications

In addition to Platform Services, third parties may write their own tools using the APIs from Terra, the AnVIL Data Explorer, or Dockstore. These tools are referred to as "3rd party applications" and may have their own authentication and authorization abilities. They exist outside the security boundaries of the Platform Services.

Authority to Operate

Platform Services maintain an Authority to Operate from a US Federal Government Authorizing Official but that is not a requirement for inclusion in the AnVIL ecosystem.

Instead, all Platform Services and third-party applications must be approved by the Broad Institute Office of the Chief Information Security Officer (CISO) who functions as the AnVIL Authorizing Official (AO) and who reviews the security package of each system to ensure that Anvil’s standard security baseline is met.

Cloud Use Statement

To gain access to some datasets, you may be required to provide a Cloud Use Statement in your access request. You can modify the following to suit your needs, but we recommend exploring other examples for specific use cases. For example, PRIMED Cloud Use and Provider Statements.

Name of Cloud Provider: The NHGRI Analysis, Visualization, and Informatics Lab-space (AnVIL)

Type of Cloud Provider: Commercial, Platform as a Service (PaaS)

Cloud Use Statement: The NHGRI AnVIL (www.anvilproject.org) is a cloud-based infrastructure currently provided by Google Cloud Platform where researchers can search, find, access, share, cross-link, and compute on large scale datasets. It provides tools, applications, and workflows to enable those capabilities in secure workspaces. Workspaces are provided by Terra, hosted and operated by the Broad Institute. AnVIL's datasets and compute infrastructure are secured in accordance with the industry best practices, the NIST 800-53 Moderate security controls following the FedRAMP standard. Most Platform Services maintain an Authority to Operate (ATO) from a US Federal Government Authorizing Official. All Platform Services and third-party applications on AnVIL are approved by the Broad Institute Office of the Chief Information Security Officer (CISO) who functions as the AnVIL Authorizing Official (AO) and who reviews the security package of each system to ensure that AnVIL’s standard security baseline is met.

Help us make these docs great!
All AnVIL docs are open source. See something that’s wrong or unclear? Submit a pull request.
Make a contribution
NHGRINIHHHSUSA.GOV
HelpPrivacy
v2.11.12-22a805f