Workflow Locking for Clinical Genomics and Trials

Aleksandra Zalcman

Locked-Down Workflows

When working in a clinical environment, DNAnexus users need the ability to restrict how workflows on the platform can be run so that stricter guarantees can be placed on how analyses are performed and reproduced in this setting. As we continue to improve workflow management on DNAnexus, we are excited to introduce a new feature called ‘workflow locking’.

When a user attempts to run a typical DNAnexus workflow, our platform allows the user to set and override parameters to any stage within the workflow. However, in clinical settings, this flexibility may not be desired and the developer needs to restrict the user from making certain changes that could conflict with organizational policies. For example, the developer may want to enforce that the user supplies only certain inputs while others are unchangeable or ‘locked’.

To address this need, the DNAnexus platform now supports the ability to add explicit workflow input and output specifications to the workflow configuration. This enables the developer to package and share workflows so that specific inputs to stages within the workflow cannot be modified by the user at run-time.

For example, the developer can now set specific fixed parameters for an alignment stage of a workflow, or the developer can enforce that the reference genome is fixed to a specific file on the DNAnexus platform. Since the workflow itself has an explicit input and output specification, this feature will also enable the developer to refer to a workflow as a stage of another workflow, much like they would refer to a DNAnexus application within a workflow. The ability to embed workflows within other workflows promotes reusability, since developers can directly use components of more complex pipelines without having to duplicate code or workflow definitions. Finally, these features make execution of CWL or WDL workflows on our platform more seamless, since they too explicitly specify inputs and outputs to workflows.

Workflow locking was built by the Developer Experience team at DNAnexus. Thanks to Geet Duggal and Nihar Sheth for contributions to the design and review of this feature. Please see our documentation for more information on how to build and use locked-down workflows and contact if you have any feedback or questions.

A New Level in Security: ISO 27001:2013

DNAnexus is pleased to announce it has updated its Information Security Management System (ISMS) to comply with the current ISO/IEC 27001:2013 standard. DNAnexus cloud-based services for secure genomic information management and analysis are implemented and delivered within the framework of this updated internationally recognized security standard.

In recent years, ISO/IEC 27001 and the accompanying ISO/IEC 27002 (information security management controls) have been revised. The new version, ISO/IEC 27001:2013, is the first revision since ISO/IEC 27001:2005 and puts more emphasis on measuring and evaluating how well an organization’s ISMS is performing.

DNAnexus has always taken a proactive approach to security and compliance. With the updated ISO 27001:2013 security standard, regulatory compliance has never been more robust, providing customers with the highest level of data security for both research and clinical use.

Interested in learning more about ISO 27001 or the DNAnexus platform’s compliance with HIPAA, CLIA, dbGaP, and EU Privacy? A number of detailed white papers on the subject are provided on the DNAnexus website.

Security Update: GHOST Vulnerability

On January 27, 2015, a security vulnerability known as GHOST (CVE-2015-0235) was disclosed, impacting many Linux systems. The vulnerability could potentially be exploited to steal sensitive data such as encryption keys and user passwords. We have no evidence that any DNAnexus customer data or credentials were compromised using this vulnerability, and an in-depth analysis of the vulnerability attack vectors indicates that such a compromise was unlikely.

At DNAnexus, the security of our clients is our top priority. As soon as the vulnerability was disclosed, we started identifying services on our platform that were affected. All such services were patched to eliminate the vulnerability within 5 hours after it was initially disclosed. After this initial response, we started a thorough analysis of how our systems and the security of our clients could have been affected. The analysis found no indications of exploitation, and we were able to exclude large portions of our systems from the hypothetical risk of attack. However, due to the scope of the vulnerability, we are continuing the analysis and will post an update here if any additional information is found.

We welcome customer feedback – if you have any questions or comments about our security practices, please reach us at