Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Globus High Assurance for Protected Data (GlobusWorld Tour - UCSD)

Presented at the GlobusWorld Tour workshop at the University of California, San Diego on May 8, 2019.

  • Be the first to comment

  • Be the first to like this

Globus High Assurance for Protected Data (GlobusWorld Tour - UCSD)

  1. 1. Globus High Assurance for Protected Data Vas Vasiliadis vas@uchicago.edu UCSD – May 8, 2019
  2. 2. Manage Protected Data 2 Higher assurance levels for HIPAA and other regulated data • Handle restricted data e.g. PHI, PII, CUI • Share data with collaborators while meeting compliance requirements • Security controls meet NIST 800-53 Low; 800-171 Low+ • Includes BAA option with UChicago
  3. 3. Restricted data disclosure to Globus • With High Assurance and BAA tier, PHI data can be moved and shared • Globus never sees file contents – File contents can have restricted data • File paths/name can have restricted data (e.g. PHI) • None of the other elements (endpoint definitions, labels, collection definitions) can contain restricted data
  4. 4. High Assurance services in current release • Core Services: Auth, Transfer/Sharing, Groups • Globus Connect Server v5.2 and above • Globus Connect Personal v3.x • Web app (app.globus.org) • Globus Command Line Interface (CLI) • Connectors: POSIX, Google Drive, AWS S3, CEPH, Box • Out of scope: Globus ID, old web app, GCS v4.x, GCSv5.0, 5.1, GCP2.x
  5. 5. Transitioning terminology • Host endpoints è Mapped collections – Need local account to access data • Shared endpoints è Guest collections – No local account needed for data access, permissions set in Globus • Use host endpoint to create shared endpoint è Use storage gateway to create (guest) collections • Access via GridFTP è Access via GridFTP or HTTPS • Initially available via Globus Connect Server v5.2
  6. 6. Conceptual architecture: Mapped collections Globus Endpoint Subscriber Security Domain Globus Security Domain DATA Channel CONTROL Channel No data relay or staging via Globus; files move directly between endpoints User identity mapped to local account Single, globally accessible multi-tenant service Globus “client” software Subscriber owned and administered storage system External Security Domain (User, web app, data portal, science gateway, …)
  7. 7. Conceptual architecture: Guest Collections Subscriber Security Domain User managed ”overlay” permissions stored in Globus service Guest Collection DATA Channel CONTROL Channel Subscriber managed filesystem and endpoint policies External Security Domain (User, web app, data portal, science gateway, …) Globus Endpoint Globus Security Domain
  8. 8. Globus Connect Server v5 Milestones v5.0: Google Drive v5.1: POSIX guest collections, HTTPS v5.x: v4 feature parity+ v5.3 • Mapped collections • Multi DTN support • Additional storage systems • Endpoint specific identity providers • … Other features v5.2: High assurance v5.4 • High Assurance and standard data access • POSIX systems • S3, Ceph, Box connectors • Multi-connector endpoints
  9. 9. Standard Globus security features • Data remain at institution, not hosted by Globus • Integrity checks of transferred data • High availability and redundancy • Encryption – All communications and data in transit are encrypted (data in flight) • Access Control – Identities provided and managed by institution – Institution controls all access policies – Globus is identity broker; no access to/storage of user credentials
  10. 10. High Assurance features • Additional authentication assurance – Per storage gateway policy on frequency of authentication with specific identity for access to data (timeout) – Ensure that user authenticates with the specific identity that gives them access within session (decoupling linked identities) • Session/device isolation – Authentication context is per application, per session (~browser session) • Enforces encryption of all user data in transit • Audit logging
  11. 11. Additional authentication assurance userX@anl.govuserX@anl.gov
  12. 12. Additional authentication assurance userX@anl.gov userX@uchicago.edu
  13. 13. Re-authentication timeout userX@anl.gov userX@uchicago.edu
  14. 14. Application Instance Isolation userX@uchicago.edu Authenticated in browser session (app instance 1) Re-authentication required in CLI session (app instance 2) userX@uchicago.edu
  15. 15. Application instance isolation userX@uchicago.edu Authenticated in browser session (app instance 1) Re-authentication required in different app, same browser(app instance 2) userX@uchicago.edu
  16. 16. Application Instance Isolation
  17. 17. Application Instance Isolation
  18. 18. Application Instance Isolation
  19. 19. Application Instance Isolation
  20. 20. Application Instance Isolation
  21. 21. Example user flow: Guest collection HA userA@uchicago.edu User_A@uchospitals.edu g.user@gmail.com accmgr@uchospitals.edu ham@gmail.com Guest Collection (timeout: 4hrs) [Role:Access Manager] grants:Read
  22. 22. Example user flow: Guest collection HA userA@uchicago.edu User_A@uchospitals.edu g.user@gmail.com accmgr@uchospitals.edu ham@gmail.com Guest Collection (timeout: 4hrs)
  23. 23. Example user flow: Guest collection HA userA@uchicago.edu User_A@uchospitals.edu g.user@gmail.com accmgr@uchospitals.edu ham@gmail.com Guest Collection (timeout: 4hrs)
  24. 24. Example user flow: Guest collection HA userA@uchicago.edu User_A@uchospitals.edu g.user@gmail.com accmgr@uchospitals.edu ham@gmail.com Guest Collection (timeout: 4hrs) redirect à UC Medicine
  25. 25. Example user flow: Guest collection HA userA@uchicago.edu User_A@uchospitals.edu g.user@gmail.com accmgr@uchospitals.edu ham@gmail.com [Permission:Read] Guest Collection (timeout: 4hrs)
  26. 26. Example user flow: Manage Permissions HA accmgr@uchospitals.edu ham@gmail.com Guest Collection (timeout: 4hrs) userB@uchicago.edu User_B@uchospitals.edu grants:Read, Write
  27. 27. Example user flow: Guest collection HA accmgr@uchospitals.edu ham@gmail.com Guest Collection (timeout: 4hrs) redirect à UC Medicine userB@uchicago.edu User_B@uchospitals.edu
  28. 28. Managing High Assurance resources • Endpoint configuration • Management of Globus Groups that provide access to protected data • Access to management console, e.g. to review logs • All have the same requirements as end users: (re)authenticate with authorized identity, within session
  29. 29. Groups accessing HA guest collections • Policy options – Session enforcement – strict – Authentication assurance timeout • Additional restrictions – Invitations can only be issued by administrator or manager – Changes to group policies require specific identity within session/ authentication assurance timeout – Subgroups inherit HA policy
  30. 30. Globus Connect Server v5 installation flow • Install GCSv5.3+ binaries • Register the endpoint at developers.globus.org • Add connectors • Add storage gateways – Set as high assurance, configure authentication assurance timeout – Set policy on type of collections supported • Add mapped collection – User must login with identity from configured domain – Local account determined by removing the TLD: username@example1.org è username is local account docs.globus.org/globus-connect-server-v5-installation-guide
  31. 31. Audit log on DTN via GCSv5.3
  32. 32. Globus Connect Personal (GCP) • New version for high assurance data handling • Allow user to choose an identity for use with the endpoint – Using GCP for data access requires that identity be in session – Guest collections will work as they do with GCS • Additional logging
  33. 33. Globus security features - service • Secure operations – Intrusion detection and prevention – Performance and health monitoring – Logging – Secure remote access, access control – Uniform configuration management and change control – Backups and disaster recovery – All data stored by Globus is encrypted at rest • Use AWS best practices for securing environment – Virtual Private Clouds – host security – AWS security groups – network security – AWS IAM (identity and access management) best practices – individual security
  34. 34. New subscription levels • High Assurance – 33% uplift on Standard subscription and on premium connectors used for high assurance data • BAA – All High Assurance features + BAA with University of Chicago – 50% uplift on Standard subscription and on premium connectors used under a BAA • Separate subscription ID issued
  35. 35. Resources • New terminology, architecture changes, GCSv5.3 installation, configuration, etc.: docs.globus.org/globus-connect-server-v5- installation-guide • Creating a high assurance collection: docs.globus.org/high-assurance
  36. 36. Questions?

×