Secure Enclaves and ATO


Secure Enclaves

Secure Enclaves are a key part of Penn State’s overarching security strategy. Enclaves protect data through a secure computing infrastructure that meets baseline compliance needs and provides integrated security. Anyone who processes Level 4 Restricted or Level 3 High data requires an enclave. Secure enclaves house data and process information for a wide variety of units, from administrative functions to research projects and initiatives. The Office of Information Security provides a tool that can help you decide which level applies to your information.

An enclave can be loosely defined as a segment of network and computing devices with defined security measures that meet regulatory and contractual compliance requirements for certain data types. This concept can be visualized as a “container” in which all the needs of the business process occur. Users access the enclave from a day-to-day workstation through a secure connection point, and data may move in and out of this container based on the user's current workflow and in compliance with regulations.

Authority to Operate (ATO)

Per University Policy AD-95, any system processing or storing Restricted or High data must receive an Authority to Operate (ATO). Obtaining ATO ensures Penn State keeps its promises regarding rules and regulations. The first step of the enclave process is to submit an ATO request. This request will help track and manage the enclave project for its entire life cycle.

An ATO request must be submitted for every information system that contains Level 4 Restricted or Level 3 High data. An “information system” is defined as a collection of systems which process, store, or handle the same type of data. For example, a health management application that consists of a database, web server, and 20 clients that use the web interface would be a single information system and require a single ATO. If that same unit also managed a system that stored social security numbers for the purpose of royalty payments, that would be another, separate ATO.

Getting Started: 

To get started, visit the Office of Information Security's Secure Enclaves and Authority to Operate site, or initiate an ATO request by visiting the service request form.



  • This is an active service


Information Security: 

  • USB mass storage devices such as thumb drives and external hard drives are prohibited from connecting to the enclave storage
  • Special considerations and planning will need to occur for specialized devices such as robotic, laboratory, and medical equipment; these devices will need permission to pass through the enclave firewall or may need to operate on a separate physical system that has approved access through the network and into the enclave
  • Printing will also require special network configuration to be able to print information from the enclave to a standard printer or multi-function device; Unit IT staff will work with users to coordinate this process if necessary