The Umpio storage space is a secure network folder for high-risk sensitive data. It can only be used with a virtual computer using two-factor authentication.
Umpio was designed as the processing environment for materials requiring special protection, such as business secrets, inventions, labeled or identifiable special categories of personal data and authoritative information with categorised protection level, instead of the usual network drives and workstations.
Ordering the service
- Place your order through Helpdesk.
- Access to the Umpio storage space is based on IAM group management as in the use of other group directories. Use this tool to check that the IAM group limiting the users of the folder exists or, if necessary, create a new group.
- Report the IAM group you are using and the desired storage space to the processor of the support request. The pricing of storage space corresponds to the price list of group directories. Please also confirm the order with your unit’s service coordinator (list in Flamma).
Read more instructions from Detailed help tab.
Implementation of the service
The service uses two-factor authentication that requires a username and a password as well as a RSA SecurID Software Token authenticated with a mobile device. The steps described in this chapter are only required when implementing the service for the first time.Please note that when you change your phone or computer, you must order a new Token for the new device.
- Install the required RSA SecurID Software Token application on your device. You can also request help for the installation. Beware of the application RSA SecurID Authenticate, which has an almost identical name to ours, but which does not support our token keys.
- Mac / iPhone: download the installation package from App Store
- Android: download the installation package SecuriID from Google Play
- Log in to the RSA Console using your UH username and password at https://2fa.it.helsinki.fi
If the Console asks for your Authentication method, select Password and use your UH password.
- Click Request a new token and, when prompted, select the operating system you are using for the RSA SecurID Software Token software mentioned in step 1.
The console will also ask you to set a PIN code for the token. Do not touch the DeviceSerialNumber field with the pre-filled serial number randomised by the software.
- Once you receive the e-mail notification New or additional Software Token request is approved, log in to the RSA Console again at https://2fa.it.helsinki.fi. Remember to check your junk mail folder!
The next steps depend on the operating system used to run the Token software.
- If you are using a mobile device to run the Token software, log in again to the RSA Console at https://2fa.it.helsinki.fi and go to step 5 of these instructions.
- If you are using a workstation to run the Token software, you can find the link and activation code required to activate the software in the approval message. After activating the software, your Securedesk desktop will display the 8-digit code required for logging in and you can go to section “Using Securedesk and Umpio storage space” in these instructions.
- Select Activate Your Token and you will see the QR code required for logging in.
- Open the RSA SecurID Software Token application. Add a new token using the + icon and select the scanning of the QR code. Point the camera of your mobile device towards the QR code displayed by the RSA Console. If the scanning of the QR code is stopped and displays the error message “Invalid QR Code”, your Android phone is likely too old to support the application. In that case, you can run the Token software on your workstation or contact Helpdesk for more tips.
After scanning the QR code, your Securedesk desktop will display the 8-digit code required for logging in.
Now go to your VMware Horizon Client software
On your computer, open the VMWare Horizon Client application or the virtual environment in your web browser at securedesk.it.helsinki.fi.
If you are using the VMWare Horizon Client application on a UH computer, add securedesk.it.helsinki.fi by clicking on the + New Server option to include it in the list of optional VDI servers.
- Start configuring the new server in the New Server menu of the Horizon Client. (1)
- In the new window, enter the address of the connection server securedesk.it.helsinki.fi (2)
- After clicking Connect, the securedesk target will appear in the Horizon start menu where you can click it to start connecting. (3)
Once the initial preparations are completed, you can start connecting to the securedesk connection server. Please note that the login process will include two consecutive authentication dialogues, the first of which is RDA-authenticated. Below, you will find instructions for workstations and mobile devices.
- In the VMware Horizon Client view, open securedesk.it.helsinki.fi.
- Open RSA SecurID and, when prompted, enter the previously set PIN code (4–6 digits).
- Copy the SecurID code and paste it into the first login window as the RSA passcode..
- In the next login window, enter your own AD credentials (for example, rkeskiva).
- In the securedesk.it.helsinki.fi view, you can now open the Umpio virtual desktop.
- In the User name section, enter your university username
- In the RSA Passcode section, enter the single-use passcode provided by the RSA app (see image below). Do not enter your PIN code or university password!
Open the RSA SecurID Software Token application on your mobile device and enter the PIN code you previously set for the application during setup.
- When launching, the app will ask you to Enter PIN. Enter the PIN code you set up when activating the token. After entering the PIN code, you will see the token screen depicted below.
Please note that if you enter the wrong PIN code in the RSA app, it will not alert you of an incorrect PIN but generates an arbitrary number that will not work. This is an intentional security feature.
Using Securedesk and Umpio storage space
After accessing Securedesk, check the folder share settings between your computer and the virtual workstation if you plan to transfer or copy files:
- If you are using VMWare Horizon Client in Windows workstation, select Sharing behind the cog icon in the top right corner and click the Add button to add the folders you want to share from a local drive. Also tick Share your local files and Allow access to removable storage.
- If you are using VMWare Horizon Client in Mac workstation, select VMWare Horizon Client -> Preferences -> Sharing tab from the upper menu and click the Add button to add the folders you want to share from a local drive. Also tick Share your local files and Allow access to removable storage.
- In the list of virtual computers, select secure desktop. Once it opens, you should see the Umpio group directory in file management as a drive connected to the letter U and the folders shared from your computer as a Z drive. Use the Connect USB Device option in the top bar to connect and use USB devices.
- Umpio is displayed as the U: drive in File Explorer:
Virtual desktops (virtual computers) VDI and VMware
Q: Does the user need to take any action to ensure that their data is erased from the system?
A: No, they do not. The data will be automatically erased after it has been removed from the backups.
Q: Can the user (accidentally or intentionally) remove data from backups?
A: No, they can't.
Q: Can the administrator (accidentally or intentionally) remove data from backups?
A: No, they can't. Administrators have the ability to delete everyone's data, but never individual pieces of data. Typically, the deletion of backups is done at the end of the storage system's life cycle.
Q: How long are backups of Umpio (both home and group directories) retained?
A: For 6 months.
Q: If a group no longer needs storage space in Umpio, should they do something?
A: The group should request deletion of its directory from IT Helpdesk. Helpdesk will forward the deletion request to the capacity services who will delete the directory.
Q: If a group no longer needs a group directory, should they do something?
A: The group should delete its directory with the group directory manager Ryhti. If a group no longer needs an IAM group, it can be deleted using the IAM group management tool.
The instructions site of the University of Helsinki's IT Helpdesk helps you with IT-related issues related to your work. Let us know how we can improve our instructions. We greatly appreciate your feedback!How would you improve these instructions?