Secure Enclaves and ATO


Secure Enclaves

Secure Enclaves are a key part of Penn State’s overarching security strategy. Enclaves protect data through a secure computing infrastructure that meets baseline compliance needs and provides integrated security. Anyone who processes High (Level 3) or Restricted (Level 4) data is required to operate in an enclave. Secure enclaves house data and process information for a wide variety of units, from administrative functions to research projects and initiatives. Penn State Information Security provides a tool that can help you decide which level applies to your information.

An enclave can be loosely defined as a segment of network and computing devices which have defined security measures that meet regulatory and contractural compliance for certain data types. This concept can be visualized as a “container” in which all the needs of the business process occur. Users access the enclave from a day-to-day workstation through a secure connection point, and based on the user's current workflow and in compliance with regulations, data may move in and out of this container.

Authority to Operate (ATO)

Per University Policy AD-95, any information system processing or storing High (Level 3) or Restricted (Level 4) data must receive an Authority to Operate (ATO). Obtaining an ATO ensures Penn State keeps its promises regarding rules and regulations. The first step of the enclave process is to submit an ATO request. This request will help track and manage the enclave project for its entire life cycle.

An “information system” is defined as a collection of systems which process, store, or handle the same type of data. For example, a health management application that consists of a database, web server, and 20 clients that use the web interface would be a single information system and require a single ATO. If that same unit also managed a system that stored social security numbers for the purpose of royalty payments, that would be another, separate ATO.

Getting Started: 

To get started, visit the Penn State Secure Enclaves & Authority to Operate (ATO) SharePoint.



  • This is an active service


  • Any information system processing or storing High (Level 3) or Restricted (Level 4) data must receive an Authority to Operate (ATO).

Information Security: 

  • USB mass storage devices such as thumb drives and external hard drives are prohibited from connecting to the enclave storage.
  • Special considerations and planning will need to occur for specialized devices such as robotic, laboratory, and medical equipment; these devices will need permission to pass through the enclave firewall or may need to operate on a separate physical system that has approved access through the network and into the enclave.
  • Printing will also require special network configuration to be able to print information from the enclave to a standard printer or multi-function device; Unit IT staff will work with users to coordinate this process if necessary.