Blogs & News

Home Blogs & News

SATRE: Standardised Architecture for Trusted Research Environments – Introduction

This is the first in a series of blogs exploring the emergence of open standards and specifications for Trusted Research Environments, with a particular emphasis on the SATRE specification created by DARE UK, and how the Aridhia DRE performs against it.

Over the next five weeks we will score the DRE against each section of SATRE, and conclude by comparing it with other emerging standards e.g. the NHS England Secure Data Environment guidelines, and highlighting areas where the DRE exceeds these. This blog introduces the SATRE specification.

SATRE: Standardised Architecture for Trusted Research Environments

Standardised Architecture for Trusted Research Environments (SATRE) is a DARE UK driver project to support the development of a secure reference architecture for Trusted Research Environments (TRE), allowing research teams to benchmark their own TRE against an open specification.

SATRE covers more than the technical implementation of a TRE: it also covers the supporting services required to successfully maintain a secure, legally compliant TRE.

These requirements are broken into four sections, each of which contain a mixture of mandatory and recommended TRE features:

1. Information Governance
2. Computing Technology and Information Security
3. Data Management
4. Supporting Capabilities

Information Governance

This section recommends some technical controls, but is primarily concerned with the policies and procedures required to ensure good information governance. This covers a range of activities from ensuring compliance with all legal and regulatory requirements, having clearly defined policies and operating procedures, auditing your TRE against existing standards (e.g. ISO27001), having a robust risk management process in place, and providing TRE users with training material appropriate to their role.

Computing Technology and Information Security

This section contains the main SATRE technical specifications for TRE software and infrastructure. For software this covers ease of access and use, the tools and computing power that should be available to users, and programmatic security measures that should be in place to stop misuse of data. For infrastructure it covers deployment, configuration and maintenance.

This section also includes the requirements for TRE resilience, including agreed service levels, data back-up requirements, infrastructure redundancy, and the need to identify and resolve security vulnerabilities.

Data Management

This section covers a wide range of requirements related to data management from high-level product requirements (e.g. users should be provided with a searchable metadata catalogue), to granular user management policies (e.g. multi-user accounts should not be issued). Between these poles it contains a number of recommendations related to data access management from both a policy and technical implementation perspective, requirements for secure and legally compliant data ingress and egress from the TRE, and further requirements for user identification, authentication and management.

Supporting Capabilities

This section collects all other supporting services required to successfully maintain a TRE not covered in the previous three sections. These include, project management, business continuity planning, ongoing operational support for software and infrastructure, and access to legal advice regarding data protection and any contracts related to TRE provision. As with the sections above this is only a brief precis of the full specification, but it serves to illustrate the breadth of skills and resources required to successfully build and maintain a secure and legally compliant TRE, something previously explored in our Build vs Buy blog.

SATRE and the Aridhia DRE

The Aridhia DRE is an Enterprise Trusted Research Environment, fully managed with deployments across the globe, used by hospitals, research consortia and pharmaceutical companies, and we welcome the emergence and adoption of open specifications for TRE development, as it allows data owners and TRE providers to benchmark their platforms and identify gaps, therefore driving up overall standards in TRE provision.

Given that, over the next few weeks we will be benchmarking our TRE against the SATRE specification in the below series of blogs:

1. Information Governance
2. Computing Technology and Information Security
3. Data Management
4. Supporting Capabilities