Security Model

Data security is a key concern in deciding to move to cloud-based genomic storage and analysis. BaseSpace Sequence Hub is hosted on Amazon Web Services (AWS) and provides a combination of Amazon's comprehensive and well-tested approach to platform security, overlaid with Illumina's own security testing and procedures. These procedures include reviews and tests by independent security professionals. This cloud genomics solution meets or exceeds the security provided by many institutional IT infrastructures.

Amazon Web Services (AWS)

Illumina works with AWS, the leader in cloud-based infrastructure. AWS hosts customer-facing services and critical operations for both private industry and U.S. government departments including Treasury, DOE, and State. Amazon security processes and standards are publicly available for review. AWS standards and accreditation include:

  • SOC 1/SSAE 16/ISAE 3402 (auditing)
  • FISMA moderate (U.S. Federal Government; for reference, the NIH data centers are rated FISMA moderate)
  • PCI DSS Level 1 (electronic payments)
  • ISO 27001 (international security standard)
  • FIPS 140-2 (encryption)

Additionally, security staff and controlled access procedures protect AWS data centers. Staff with system access undergo background checks, and all hardware is located behind firewalls that are configured by default to block all traffic. Operating system security patches are automatically applied to AWS servers, including BaseSpace servers. AWS actively monitors its firewalls to check for vulnerabilities, a service beyond the resources of most institutions. BaseSpace encrypts all data, something that is rarely done in the institutional IT setting.

BaseSpace Data Stream Software

Illumina sequencing instruments have on-board control and workflow software. This software includes a robust data-streaming component, which acts as a software broker with the BaseSpace API. The broker allows individual base call (*.bcl) files to be sent over an encrypted connection, verified, and assembled into samples for analysis in real time as the sequencing run is conducted. Real-time monitoring of data generated by one sequencing instrument or a federation of instruments is possible through the BaseSpace interface. The instrument control software does not allow publicly addressable inbound communications. All communication is made through standard HTTPS requests initiated by the user at the instrument. Each data-upload transaction is linked to an authenticated user account.

Audit Logs

Enterprise subscription accounts can retrieve a detailed history of user, workgroup, and domain events. BaseSpace Sequence Hub records the user ID, timestamp, and event details, which may include (but are not limited to) the following:

  • Login/logout events
  • Data access, including viewing, downloading, deleting, or sharing data
  • Changes to user profiles, including new profiles, authorization assignments, and delegations
  • Project, Run, Sample, Lane, and AppResult information

For information about retrieving audit log information, see History API Reference in the BaseSpace Developer help.

Additional Information

For more information, see the BaseSpace Sequence Hub Data Security Technical Note.
