Introduction

This is a sample of the two applications that my team at SafeInsights produced. This has been edited to remove specific links to other documentation or calling out specific organizations. The Setup App and Trusted Output app are part of a learning provider (also known as Member)’s data enclave. It is meant to communicate with the SafeInsights’ based Basic Management App (BMA) in order to keep a Member’s data separate from SafeInsights. The brief will explain more about the functionality and why it matters to the users.

You can find the code and work in their respective GitHub repositories:

Learnings

After developing these applications, we had a Pilot launch and was able to gather feedback. After the Pilot, we decided that the log in method for the Trust Output App for review was too cumbersome. We decided to develop a feature to encrypt study results that would be sent to the Basic Management App so that users could just have one log in to one application. This resulted in a separate brief so we could center the user issue and the desired behavior for study results review.

Start of the Brief

Problem alignment

What problem is this initiative solving, why is it worth solving, and why now? 

A Member's enclave needs a way to deploy a Researcher’s code to analyze a Member’s data, present results to the Member to scan for Personal Identifying Information, and then be able to present only member-approved results with no Personal Identifying Information (PII) to the Researcher. SafeInsights will eventually be providing these applications to Members in order for them to create their own enclaves.

What is the high-level approach? 

The Setup App will be created to check the Management app to see if approved studies are available, retrieve the associated research container, and it will then run the research container to analyze the data with the researcher’s code. 

The Trusted Output App will be created to take the results of the research (output from the code), present it to the Member for approval and once approved, send it one way (securely) to the Researcher via the Management app. 

How do we know if we’ve solved this problem?

  • The Setup App is able to manually poll for approved studies from the Management app and call AWS to start up a research container and run the researcher code against data that is hooked up to the Setup App. 

  • Trusted Output App is able to get the results from the research container, provide the results to the member for approval and send the results to the Management app to display to the Researcher if approved. 

  • These applications are not dependent on a specific Member’s data set to function as it will be given to other Members so they can build their enclaves and provision their data. 

  • Personal Identifying Information (PII) are not available to the researcher or will not leak.

Non-goals

  • We are not building the full Member approval communication flow for the Pilot. It’s just an output screen, and button for the Member to approve results for now.

  • We are not building the Enclave IaC, container registry or Management App. We are configuring the Enclave IaC in another brief.

  • We are not building for other Members, only the Test Enclave for the Pilot.

  • We are not building the automatic polling feature for the Setup App. 

Solution Alignment

Key Functionality by phases

Prep

  • Architecture done for both Setup and Trusted Output App. 

  • Setup App is able to poll the Management app every hour (for the Pilot - a manual or sped up poll) for an approved study

    • Stretch - Polling every hour might be a stretch goal or slightly lower priority than getting it to actually poll when a “Poll” script is run. 

    • Note: For security reasons the Setup App is not available on the internet and therefore there can never be a UI

Prototype 

  • Include Key management both applications for a secure connection to the Management app

    • Note: Someone else is designing the key management. We will be using the API keys they create. 

  • Setup App

    • Prototype the API between Setup, Container Registry, Trusted Output App and Basic Management App (BMA)

  • Trusted Output App 

    • Prototype the API between Enclave, Trusted Output App and Basic Management App

  • IaC written (as part of Base Enclave IaC) to be configured to work with the apps

Essential

  • Setup App

    • The Setup App polls the Basic Management App and retrieves information about ready studies.

      • Management app will send only the Research Container location. 

      • Add functionality to communicate with the Trusted Output App to ensure there are no Pending results so that studies aren’t ran indefinitely if results haven’t been approved.

        • containers_to_start = everything_in_managment_list (todo) - studies_with_results_in_trusted_output (done) - running_containers_in_aws_tagged_with_study (in-progress)

    • The Setup App tells the Enclave cloud provider (AWS) to find the Research Container in the SI’s Container Registry that matches the approved study.

    • The Setup App then tells the cloud provider (AWS) to start up the Research Container based on the URL received from the Management app for the study and runs the researcher’s code against the Member data.

      • Note: This all happens in the Enclave.

  • Research Container 

    • The Researcher Code in the Research Container will post the results to the Trusted Output App via API.

      • Note: We will provide Researchers with the script call or it will be in the base research container image. 

  • Trusted Output App

    • Trusted Output App stores all posted results for the Member to review until the results are approved (or rejected).

    • An Member can log-in (basic authentication for Pilot) to view the results in the Trusted Output App.

      • Results have status information about the success of the run and the ability to view the CSV file in the app.

      • The Member reviews the output to make sure that the posted results do not leak PII or otherwise inappropriate information.

      • Note: Communications between a Researcher and Member are in the Management app. Only communications in the TOA are the approved results going out. 

    • If the results are approved, the Member presses an “Approved” button to send the results to the Management App. 

      • If the results are not approved, … (to be determined later in “Full” phase) 

    • When data is marked approved, Trusted Output App will securely post the member approved results to the url of Management app via Management app’s API.    

  • Pilot Analysis Period Think about how to send failure cases, updates, etc based on experience and make further recommendations for Full Phase.

Full  (Not In Scope, but to be determined at a later date.)

  • Research container still posts the results to the TOA (no change from Pilot). No work here. Just don’t do anything to it.

  • Remove support in TOA for legacy mode (VPN/Pilot way)

  • TOA will post encrypted results to BMA

    • TOA will ask BMA for the Member users’ public keys

    • TOA will encrypt the results with a symmetric key (because public/private are too small)

    • TOA will then encrypt the symmetric key once for each user 

  • BMA saves the encrypted results

  • BMA displays the encrypted results to Member in an iFrame.

  • Each member user uses their own key to access results

  • Member needs to be able to approve/reject results from that iFrame.

  • BMA saves the Member approved decrypted results. (Context: Which will be stored in S3 temporarily (to prevent repeated access and internet scraping).)

  • BMA trashes and destroys the Member not approved encrypted results.

  • Failure cases, logging, status updates from Trusted Output App go to the Management App. 

Next

Textbook Redesign Project