Secure Enclaves


Secure Enclaves are a key part of Penn State’s overarching security strategy. They help administrative and research areas achieve regulatory and contractural compliance for high-risk data types. Enclaves protect data through a secure computing infrastructure that meets baseline compliance needs and provides integrated security.

Anyone who processes Level 4 Restricted or Level 3 High data requires an enclave. Security Enclaves house data and process information for a wide variety of units, from administrative function to research projects and initiatives. Any unit or individual that operates IT systems and/or applications that process information classified as High or Restricted under Penn State policy AD-95 must have Authority to Operate (ATO) granted by the Office of Information Security. OIS will grant this authority after performing proper due diligence confirming that the information is properly secured and meeting any compliance requirements

There are three main ways to create a secure enclave:

  1. Cloud-hosted or hosted enclave
  2. Hybrid
  3. Unit Local Enclave

These enclave options are listed in order of least burden of unit responsibility to most burden of unit responsibility. For the easiest unit experience, we recommend choosing a Cloud Hosted or Hosted Enclave.

Getting Started: 

To get started, visit the Penn State Security Enclave Authority to Operate Quick Guide, or read more about Security Enclaves through the service's FAQ page. 

More Information: 

Secure Enclaves at Penn State

Request Authority to Operate

Enclave Hosting Options


This service is part of the Computing category.



  • This is an active service


  • Anyone under the auspices of Penn State who processes Level 4 or Level 3 data requires a Security Enclave


Information Security: 

  • System owners who process and store Level 3 and/or Level 4 data must demonstrate compliance with level-specific criteria prior to receiving an Authority to Operate (ATO) from the Office of Information Security (OIS)
  • Special considerations and planning will need to occur for specialized devices such as robotic, laboratory, and medical equipment; these devices will need permission to pass through the enclave firewall or may need to operate on a separate physical system that has approved access through the network and into the enclave
  • USB mass storage devices such as thumb drives and external hard drives are prohibited from connecting to the enclave storage
  • Printing will require special network configuration to be able to print information from the enclave to your standard printer or multi-function device (Unit IT staff will work with you to coordinate this process if necessary)