Globus High Assurance for Protected Data (GlobusWorld Tour - UCSD)
1. Globus High Assurance for Protected Data
Vas Vasiliadis
vas@uchicago.edu
UCSD – May 8, 2019
2. Manage Protected Data
Higher assurance levels for HIPAA and other regulated data
• Handle restricted data, e.g. PHI, PII, CUI
• Share data with collaborators while meeting compliance requirements
• Security controls meet NIST 800-53 Low; 800-171 Low+
• Includes BAA option with UChicago
3. Restricted data disclosure to Globus
• With the High Assurance and BAA tiers, PHI data can be moved and shared
• Globus never sees file contents
  – File contents can contain restricted data
• File paths/names are visible to the Globus service as transfer metadata, and under these tiers they can contain restricted data (e.g. PHI)
• None of the other elements (endpoint definitions, labels, collection definitions) can contain restricted data
4. High Assurance services in current release
• Core services: Auth, Transfer/Sharing, Groups
• Globus Connect Server v5.2 and above
• Globus Connect Personal v3.x
• Web app (app.globus.org)
• Globus Command Line Interface (CLI)
• Connectors: POSIX, Google Drive, AWS S3, Ceph, Box
• Out of scope: Globus ID, old web app, GCS v4.x, GCS v5.0 and v5.1, GCP 2.x
11. Transitioning terminology
• Host endpoints → Mapped collections
  – Need a local account to access data
• Shared endpoints → Guest collections
  – No local account needed for data access; permissions are set in Globus
• Use host endpoint to create shared endpoint → Use storage gateway to create (guest) collections
• Access via GridFTP → Access via GridFTP or HTTPS
• Initially available via Globus Connect Server v5.2
12. Conceptual architecture: Mapped collections
[Diagram. Three security domains: the Subscriber security domain (Globus endpoint: subscriber-owned and administered storage system running the Globus "client" software), the Globus security domain (a single, globally accessible multi-tenant service), and an External security domain (user, web app, data portal, science gateway, …). A CONTROL channel runs between the endpoint and the Globus service; the DATA channel runs directly between endpoints. Callouts: "No data relay or staging via Globus; files move directly between endpoints" and "User identity mapped to local account".]
13. Conceptual architecture: Guest Collections
[Diagram. Same three domains (Subscriber security domain with the Globus endpoint, Globus security domain, External security domain: user, web app, data portal, science gateway, …) and the same CONTROL and DATA channels. A Guest Collection sits on the endpoint. Callouts: "User managed 'overlay' permissions stored in Globus service" and "Subscriber managed filesystem and endpoint policies".]
14. Globus Connect Server v5 Milestones
• v5.0: Google Drive
• v5.1: POSIX guest collections, HTTPS
• v5.2: High assurance
• v5.3: Mapped collections; multi-DTN support; additional storage systems; endpoint-specific identity providers; …
• v5.4: High Assurance and standard data access; POSIX systems; S3, Ceph, Box connectors; multi-connector endpoints
• v5.x: v4 feature parity and beyond; other features
15. Standard Globus security features
• Data remain at institution, not hosted by Globus
• Integrity checks of transferred data
• High availability and redundancy
• Encryption
– All communications and data in transit are encrypted (data in flight)
• Access Control
– Identities provided and managed by institution
– Institution controls all access policies
– Globus is identity broker; no access to/storage of user credentials
16. High Assurance features
• Additional authentication assurance
  – Per-storage-gateway policy on how often the user must authenticate with the specific identity that grants access to data (authentication assurance timeout)
  – Ensure that the user authenticates, within the session, with the specific identity that gives them access (decoupling linked identities: being logged in with a linked identity is not enough)
• Session/device isolation
  – Authentication context is per application, per session (~browser session)
• Enforces encryption of all user data in transit
• Audit logging
27–33. Example user flow: Guest collection
[Diagram sequence; only the recoverable labels are kept.]
Actors: an HA guest collection (authentication assurance timeout: 4 hrs); an Access Manager with identities accmgr@uchospitals.edu and ham@gmail.com; user A with linked identities userA@uchicago.edu, User_A@uchospitals.edu and g.user@gmail.com.
• 27: [Role: Access Manager] grants Read on the guest collection to User_A@uchospitals.edu.
• 28–29: User A is in session with userA@uchicago.edu; User_A@uchospitals.edu is linked to the account but has not been authenticated in this session.
• 30: redirect → UC Medicine (the uchospitals.edu identity provider) so that user A authenticates with User_A@uchospitals.edu.
• 31: [Permission: Read] now applies to the guest collection (timeout: 4 hrs).
• 32 (Manage Permissions): the Access Manager grants Read, Write to user B (identities userB@uchicago.edu and User_B@uchospitals.edu).
• 33: redirect → UC Medicine again before access to the guest collection (timeout: 4 hrs) proceeds for user B.
34. Managing High Assurance resources
• Endpoint configuration
• Management of Globus Groups that provide access to protected data
• Access to the management console, e.g. to review logs
• All have the same requirements as end users: (re)authenticate with the authorized identity, within the session
35. Groups accessing HA guest collections
• Policy options
  – Session enforcement: strict
  – Authentication assurance timeout
• Additional restrictions
  – Invitations can only be issued by an administrator or manager
  – Changes to group policies require the specific identity within the session / authentication assurance timeout
  – Subgroups inherit the HA policy
36. Globus Connect Server v5 installation flow
• Install GCS v5.3+ binaries
• Register the endpoint at developers.globus.org
• Add connectors
• Add storage gateways
  – Set as high assurance; configure the authentication assurance timeout
  – Set policy on the type of collections supported
• Add mapped collection
  – User must log in with an identity from the configured domain
  – Local account is determined by stripping the "@domain" part of the identity: username@example1.org → username is the local account
docs.globus.org/globus-connect-server-v5-installation-guide
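The access rules from slide 16, the guest-collection user flow (slides 27–33) and the mapped-collection identity mapping from slide 36 can be modelled in a few dozen lines. The following is an added example written for this page, not Globus code or the Globus API; the class and function names (Session, Collection, Decision, decide_access, local_account_for) and the sample identities are assumptions for illustration. It shows why a linked identity does not grant access until it is authenticated in the current session and within the storage gateway's timeout, and how a mapped collection derives the local account.

```python
"""Toy model of the High Assurance access decision described in these slides.

Added example, not Globus code. It models the rules the slides state:
- each storage gateway has an authentication assurance timeout;
- the identity that grants access must itself have been authenticated in
  the current session, within that timeout (linked identities do not count);
- a mapped collection only admits identities from its configured domain and
  maps them to a local account by stripping the '@domain' part;
- a guest collection uses the overlay permissions stored in Globus.
All names below are assumptions made for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Session:
    """One application session (~browser session) for one Globus account."""
    linked: set            # every identity linked to the account
    authenticated: dict    # identity -> datetime it was authenticated here


@dataclass
class Collection:
    kind: str              # "mapped" or "guest"
    timeout: timedelta     # authentication assurance timeout (gateway policy)
    identity_domain: str = ""                          # mapped collections
    permissions: dict = field(default_factory=dict)    # guest: identity -> {perms}


@dataclass
class Decision:
    allowed: bool
    reason: str
    local_account: str = ""                 # set for mapped collections
    permissions: frozenset = frozenset()    # set for guest collections


def authenticated_within(session, identity, timeout, now):
    """True only if this exact identity was authenticated in this session
    no longer than `timeout` ago. Being linked to an identity that is in
    session does not count (the slides' "decoupling linked identities")."""
    at = session.authenticated.get(identity)
    return at is not None and timedelta(0) <= now - at <= timeout


def local_account_for(identity, domain):
    """Mapped-collection mapping from slide 36: strip '@domain' to get the
    local account, but only for identities from the configured domain."""
    user, sep, dom = identity.rpartition("@")
    if not sep or not user or dom.lower() != domain.lower():
        return None
    return user


def decide_access(session, coll, now):
    """Decide whether the session may access the collection right now."""
    if coll.kind == "mapped":
        candidates = {i: local_account_for(i, coll.identity_domain) for i in session.linked}
        candidates = {i: acct for i, acct in candidates.items() if acct}
        if not candidates:
            return Decision(False, f"no identity from {coll.identity_domain} linked to this account")
        for identity in sorted(candidates):
            if authenticated_within(session, identity, coll.timeout, now):
                return Decision(True, f"{identity} authenticated within timeout",
                                local_account=candidates[identity])
    elif coll.kind == "guest":
        candidates = {i: coll.permissions[i] for i in session.linked if i in coll.permissions}
        if not candidates:
            return Decision(False, "no permission on this guest collection")
        for identity in sorted(candidates):
            if authenticated_within(session, identity, coll.timeout, now):
                return Decision(True, f"{identity} authenticated within timeout",
                                permissions=frozenset(candidates[identity]))
    else:
        raise ValueError(f"unknown collection kind {coll.kind!r}")
    # A qualifying identity is linked but not (freshly) in session: the user is
    # sent to that identity's provider, like the "redirect -> UC Medicine" step.
    needed = sorted(candidates)[0]
    return Decision(False, f"re-authenticate with {needed} (redirect to its identity provider)")


if __name__ == "__main__":
    # Constructed walk-through of the slides' user flow (sample identities only).
    t0 = datetime(2019, 5, 8, 9, 0, tzinfo=timezone.utc)
    sess = Session(linked={"userA@uchicago.edu", "User_A@uchospitals.edu", "g.user@gmail.com"},
                   authenticated={"userA@uchicago.edu": t0})
    guest = Collection("guest", timedelta(hours=4), permissions={"User_A@uchospitals.edu": {"read"}})
    print(decide_access(sess, guest, t0))                        # denied: needs User_A@uchospitals.edu
    sess.authenticated["User_A@uchospitals.edu"] = t0            # after the redirect to UC Medicine
    print(decide_access(sess, guest, t0 + timedelta(hours=1)))   # allowed, read
    print(decide_access(sess, guest, t0 + timedelta(hours=5)))   # denied again: 4 h timeout passed
```

The re-authentication branch is the security-relevant part: the decision looks only at `session.authenticated`, never at `session.linked`, so an attacker who controls one linked identity (the gmail one, say) cannot reach data granted to the hospital identity without passing that identity's provider within the timeout.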
38. Globus Connect Personal (GCP)
• New version for high assurance data handling
• Allows the user to choose an identity for use with the endpoint
  – Using GCP for data access requires that identity to be in session
  – Guest collections will work as they do with GCS
• Additional logging
39. Globus security features - service
• Secure operations
  – Intrusion detection and prevention
  – Performance and health monitoring
  – Logging
  – Secure remote access, access control
  – Uniform configuration management and change control
  – Backups and disaster recovery
  – All data stored by Globus is encrypted at rest
• Use AWS best practices for securing the environment
  – Virtual Private Clouds: host security
  – AWS security groups: network security
  – AWS IAM (identity and access management) best practices: individual security
40. New subscription levels
• High Assurance
  – 33% uplift on the Standard subscription and on premium connectors used for high assurance data
• BAA
  – All High Assurance features + BAA with the University of Chicago
  – 50% uplift on the Standard subscription and on premium connectors used under a BAA
• Separate subscription ID issued
41. Resources
• New terminology, architecture changes, GCS v5.3 installation, configuration, etc.: docs.globus.org/globus-connect-server-v5-installation-guide
• Creating a high assurance collection: docs.globus.org/high-assurance