Using the Silo LDS Environment

Silo is the SSCC's restricted data environment. It's actually made up of two environments with different levels of security. Silo LDS is appropriate for data sets classified as "Limited Data Sets" under HIPAA and other data with similar security requirements. Silo RD is appropriate for data sets classified as "Protected Health Information" under HIPAA and other data with similar requirements. Each environment consists of an isolated file system and servers for running analysis with statistical software installed. This article will discuss using Silo LDS.

Silo LDS has a Windows server farm called WinLDS for doing analysis. Once everything is set up it's very similar to using Winstat, but there are some additional steps required to get set up. The security measures required by the kinds of data WinLDS was built to work with do impose some limitations—you would not want to use WinLDS unless your data required it.

If you are interested in using Silo, please contact the SSCC Help Desk. Depending on the nature of your data you may still need to get explicit approval from your IRB, the UW-Madison Office of Cybersecurity, or other relevant authorities before you can store data in Silo, but using Silo will expedite that process because it has already been approved for other projects.

Installing the Citrix Receiver

To use WinLDS you'll need to have the Citrix Receiver installed on your computer. Just click on the appropriate link below and then run the installer after it finishes downloading. If you've already installed the Citrix Receiver on your computer in order to use Winstat you do not need to install it again.

See Using Winstat for more information about using the Citrix Receiver.

Setting Up Two-Factor Authentication

Logging into WinLDS requires "two-factor authentication." When you log in you'll first be asked for your SSCC username and password and then for a code that appears in Google Authenticator, a free app for your smartphone or tablet. If you do not have a smartphone or tablet, you can purchase a hardware token that will do the same thing for about $15. Contact the Help Desk for details.

To set up two-factor authentication, log into Winstat using the Citrix Receiver, click on the Start/Windows logo button, and type sms2 in the search box. This will locate the SMS2 Administrative Console for you, which is the tool you'll use to set up the server side of two-factor authentication. It will start with your name and some other information already filled in but you don't need to fill in anything else on the main screen.

Click on Authentication Options. Set Token generation type to TOTP (time-based). Set Authenticator to Google Authenticator. Then click on Generate Shared Secret and Save Configuration. The shared secret is a alphanumeric code that needs to be entered on your phone, but the program will also generate a QR code that your phone can scan to read it in for you.

Next you'll need to install the Google Authenticator app on your phone. On an iPhone go to the App Store, or on an Android phone go to Google Play. Search for Google Authenticator and then install it and open the program. Tap Begin Setup and then Scan Barcode. Allow Authenticator to access your phone's camera if asked. Then point it at your computer screen until it reads the QR code successfully. (We have seen Authenticator have difficulty with some laptop screens. If it fails to read the code try again on a desktop computer or another laptop, or enter the information manually.) Authenticator should then show a six digit number which will change every thirty seconds. You are now set up to use two-factor authentication.

Logging In

To log in to WinLDS, you will need go to the web site On a Windows PC use Internet Explorer, and on a Mac use Safari. The web browser may not recognize that the Citrix Receiver is installed and prompt you to install it; you can bypass that by clicking Log in. If you're asked to give permission for programs to run, do so.

At the login screen, first give your SSCC username and password as usual. You'll then be asked for a Message challenge. Open the Authenticator app on your phone and type in the number you see there. It's okay if the number changes while you're typing it: there's a "grace period" during which the server will accept a number after it has expired on your phone.

The Silo File System

Silo uses a Linux-based file system. It is separate from the SSCC's main Linux file system, but we've given the drives the same names. Thus Z: is your home directory on WinLDS, and project folders are found on V:.

Moving Files To and From Silo

Silo has its own file system and the ability to move files to and from that file system is intentionally limited.

To move sensitive data to Silo, contact the SSCC Help Desk and we'll work with you to find the most convenient way to transfer your data.

To move public data, program files, or other files to Silo, put them in a folder on your Z: drive in the regular SSCC file system and then contact the SSCC Help Desk and ask that that folder be copied to Silo.

Moving data off of Silo's file system is simpler. We have created a folder called silosync in the Z: drive of each Silo user. Every five minutes, an automated script copies anything placed in this folder to a corresponding folder in the user's Z: drive on the SSCC's primary file sytem. Similar folders can be created within project folders. Files are not copied from the main SSCC file system to Silo. It is your responsibility to ensure any data you place in the silosync folder can be appropriately stored on the SSCC's main file system and do not require the additional security Silo provides.

Unlocking a WinLDS Session

A WinLDS session will automatically lock after 15 minutes of idle time. You can't unlock it by pressing Ctrl-Alt-Del as usual because that will affect your computer rather than your session on the server. Instead, expand the Citrix Receiver control bar at the top of the screen and click Ctrl+Alt+Del there. You will then be asked to give your username and password.

Using WinLDS

Once you've logged in, WinLDS behaves just like a regular Winstat server, with a few important exceptions:

  • WinLDS cannot access the Internet. This can affect programs in unexpected ways: for example, Stata's findit command takes much longer to run than usual and then only gives partial results, because it tries to reach Stata's web server and does not display any results until that attempt times out. Fortunately the results it does give are the ones you're most likely to need.
  • Stata ado files and R packages must be installed by the system administrators. Send requests to the Help Desk. Unlike on Winstat, ado files and packages will be installed such that everyone can use them and must be updated by SSCC staff when new versions are released.
  • You cannot copy and paste between WinLDS and your own computer.
  • WinLDS cannot access disk space on your computer.
  • You cannot print from WinLDS.
  • WinLDS does not have as much software installed as Winstat, but let us know if there is any additional software you need.

Silo Downtime

Silo has a downtime from 7:00am-9:00am the first Wednesday of the month for security updates.  

If you have any questions about using Silo, feel free to contact the Help Desk.

Last Revised: 3/6/2019