Globus , profile picture
Uploaded byGlobus
PPTX, PDF205 views

Managing Protected and Controlled Data with Globus

This document discusses how Globus can be used to manage protected and controlled data with high assurance. It describes features for restricting data handling according to standards like NIST 800-53 and 800-171. Compliance focuses on access control, configuration management, maintenance, and accountability. Restricted data passed to Globus does not include file contents. The initial release includes a new web app, Globus Connect Server v5.2, and Connect Personal. High assurance capabilities include additional authentication, application instance isolation, encryption, and detailed auditing. Subscription levels like High Assurance and BAA provide these features.

Embed presentation

Download to read offline
Managing Protected and Controlled Data with Globus Vas Vasiliadis vas@uchicago.edu
Globus SaaS: Research data lifecycle Researcher initiates transfer request; or requested automatically by script, science gateway 1 Instrument Compute Facility Globus transfers files reliably, securely 2 Globus controls access to shared files on existing storage; no need to move files to cloud storage! 4 Curator reviews and approves; data set published on campus or other system 7 Researcher selects files to share, selects user or group, and sets access permissions 3 Collaborator logs in to Globus and accesses shared files; no local account required; download via Globus 5 Researcher assembles data set; describes it using metadata (Dublin core and domain- specific) 6 6 Peers, collaborators search and discover datasets; transfer and share using Globus 8 Publication Repository Personal Computer Transfer Share Publish Discover • Use a Web browser • Access any storage • Use an existing identity
Globus for high assurance data management • Restricted data handling: PHI, PII, CUI • Security controls: NIST 800-53, 800-171 Low • Business Associate Agreement (BAA) w/UChicago – University of Chicago has a BAA with Amazon
Compliance focus areas • Access Control: Least privilege model • Configuration Management: Change control, impact/risk • Maintenance: Automation, vulnerability mitigation • Accountability: Detailed audit trail (protection, forensics) • Information integrity: Protection, monitoring
Restricted data disclosed to Globus • Globus does not see file contents …and never did! • File paths/name can have restricted data, e.g. PHI • No other elements (endpoint definitions, labels, collection definitions) can contain restricted data
Initial release scope • Globus Service: Auth, Transfer, Groups, DNS, Sharing • New web app (app.globus.org) – try it now! • Globus Connect Server v5.2 • Globus Connect Personal v3.x • Globus Command Line Interface (CLI)
Other features/services/products • Connectors: AWS S3 as priority (future release) • Platform: Globus Search (future release) • Out of scope: Globus ID, data publication SaaS, current web app, GCS v4.x, GCSv5.0, 5.1, GCP2.x • Discontinued: Hosted CLI (as of August 1, 2018)
Out with the old, in with the new • Host endpoints  Mapped collections – Need local account to access data • Shared endpoints  Guest collections – No local account needed for data access, permissions set in Globus • Use host endpoint to create shared endpoint  Use storage gateway to create guest collections • Access via GridFTP  Access via GridFTP or HTTPS • Initially available via Globus Connect Server v5.2
Conceptual architecture: Mapped collections Globus Endpoint Subscriber Security Domain Globus Security Domain DATA Channel CONTROL Channel No data relay or staging via Globus; files move directly between endpoints User identity mapped to local account Single, globally accessible multi-tenant service Globus “client” software Subscriber owned and administered storage system External Security Domain (User, web app, data portal, science gateway, …)
Conceptual architecture: Guest Collections Subscriber Security Domain User managed ”overlay” permissions stored in Globus service Guest Collection DATA Channel CONTROL Channel Subscriber managed filesystem and endpoint policies External Security Domain (User, web app, data portal, science gateway, …) Globus Endpoint Globus Security Domain
Globus Connect Server v5 Milestones v5.0: Google Drive v5.1: POSIX guest collections, HTTPS v5.x: v4 feature parity+v5.3: … • Multi DTN support Additional storage types • Custom IdPs • … Other features v5.2: High assurance
High Assurance features • Additional authentication assurance – Policy (per storage gateway) on frequency of authentication with specific identity for access to data – Enforce user authentication with specific identity within session • Application instance isolation – Authentication context is per app, per session • Encryption of user data in transit and Globus data at rest • Detailed audit log (on DTN via GCSv5.2)
Additional authentication assurance userX@anl.govuserX@anl.gov
Additional authentication assurance userX@anl.gov userX@uchicago.edu
Re-authentication timeout userX@anl.gov userX@uchicago.edu
Application Instance Isolation userX@uchicago.edu Authenticated in browser session (app instance 1) Re-authentication required in CLI session (app instance 2) userX@uchicago.edu
Application Instance Isolation
Application Instance Isolation
Application Instance Isolation
Application Instance Isolation
Application Instance Isolation
userX@ucmed.org Async transfer between HA collections userX@uchicago.edu Encrypted data channel Mapped Collection HA timeout: 2hrs Mapped Collection HA timeout: 4hrs
Globus Auth: Foundational IAM service • Enables login for diverse app ecosystem • Protects REST API communications between and among apps and services • No new identity required • Based on OAuth2 and OpenID Connect – Least privileges security model: scopes/consents – Access via OAuth2 and OIDC libraries of your choice – Programming language and framework agnostic
Globus Auth: Identity broker for research apps Brokers authentication and authorization among… • End-users • Identity providers: enterprise, external (e.g. Google) • Services: resource servers with REST APIs • Apps: web, mobile, desktop, command line clients • Services acting as clients to other services Mission: Provide a platform for developers to easily access 100’s of IdPs with just a bit of standard code
Sessions: High Assurance for Globus Auth • Determine which identities in a user’s identity set have been used to authenticate and when • Services make access control decisions • Uses token introspection • Session context = app instance, device • Failed operation  app generates specific redirect URL docs.globus.org/api/auth/sessions
Example user flow: Guest collection HA userA@uchicago.edu User_A@uchospitals.edu g.user@gmail.com accmgr@uchospitals.edu ham@gmail.com Guest Collection (timeout: 4hrs) [Role:Access Manager] grants:Read
Example user flow: Guest collection HA userA@uchicago.edu User_A@uchospitals.edu g.user@gmail.com accmgr@uchospitals.edu ham@gmail.com Guest Collection (timeout: 4hrs)
Example user flow: Guest collection HA userA@uchicago.edu User_A@uchospitals.edu g.user@gmail.com accmgr@uchospitals.edu ham@gmail.com Guest Collection (timeout: 4hrs)
Example user flow: Guest collection HA userA@uchicago.edu User_A@uchospitals.edu g.user@gmail.com accmgr@uchospitals.edu ham@gmail.com Guest Collection (timeout: 4hrs) redirect  UC Medicine
Example user flow: Guest collection HA userA@uchicago.edu User_A@uchospitals.edu g.user@gmail.com accmgr@uchospitals.edu ham@gmail.com [Permission:Read] Guest Collection (timeout: 4hrs)
Example user flow: Manage Permissions HA accmgr@uchospitals.edu ham@gmail.com Guest Collection (timeout: 4hrs) userB@uchicago.edu User_B@uchospitals.edu grants:Read, Write
Example user flow: Guest collection HA accmgr@uchospitals.edu ham@gmail.com Guest Collection (timeout: 4hrs) redirect  UC Medicine userB@uchicago.edu User_B@uchospitals.edu
Groups accessing HA guest collections • Policy options – High assurance – (not) strict – Authentication assurance timeout • Additional restrictions – Invitations can only be issued by administrator or manager – Changes to group policies require specific identity within session/ authentication assurance timeout – Subgroups inherit HA policy
Example management flows • Managing High Assurance endpoints requires authentication with authorized identity, within session – Endpoint configuration – Globus Groups used to provide access to high assurance data – Management Console access (e.g. to review logs)
New Globus Connect Server installation flow • Install GCSv5.2+ binaries • Register the endpoint at developers.globus.org • Add connectors • Add storage gateways – Set as high assurance, configure authentication assurance timeout – Set policy on type of collections supported • Add mapped collection – User must login with identity from configured domain – Local account determined by removing the TLD: username@example1.org  username is local account
Audit log on DTN via GCSv5.2
Globus Connect Personal (GCP) • New version for high assurance data handling • Allow user to choose an identity for use with the endpoint – Using GCP for data access requires that identity be in session – Guest collections will work as they do with GCS • Additional logging
Secure operations • Intrusion detection and prevention • Performance and health monitoring • Logging • Secure remote access, access control • Uniform configuration management and change control • Backups and disaster recovery • AWS best practices for securing operating environment: VPCs, security groups, IAM best practices
New subscription levels • High Assurance – 33% uplift on Standard subscription and on premium connectors used for high assurance data • BAA – All High Assurance features + BAA with University of Chicago – 50% uplift on Standard subscription and on premium connectors used under a BAA • Separate subscription ID issued
Questions?

More Related Content

PDF
Globus High Assurance for Protected Data (GlobusWorld Tour - UCSD)
byGlobus
 
PDF
Jupyter + Globus: The Foundation for Interactive Data Science
byGlobus
 
PPTX
GlobusWorld 2020 Keynote
byGlobus
 
PDF
Connecting Your System to Globus (APS Workshop)
byGlobus
 
PDF
Automating Research Data Management at Scale with Globus
byGlobus
 
PDF
Introduction to Globus (APS Workshop)
byGlobus
 
PPTX
Globus: Beyond File Transfer
byGlobus
 
PDF
Introduction to the Globus Platform (APS Workshop)
byGlobus
 
Globus High Assurance for Protected Data (GlobusWorld Tour - UCSD)
byGlobus
 
Jupyter + Globus: The Foundation for Interactive Data Science
byGlobus
 
GlobusWorld 2020 Keynote
byGlobus
 
Connecting Your System to Globus (APS Workshop)
byGlobus
 
Automating Research Data Management at Scale with Globus
byGlobus
 
Introduction to Globus (APS Workshop)
byGlobus
 
Globus: Beyond File Transfer
byGlobus
 
Introduction to the Globus Platform (APS Workshop)
byGlobus
 

What's hot

PPTX
"What's New With Globus" Webinar: Spring 2018
byGlobus
 
PPTX
Globus: Research Data Management as Service and Platform - pearc17
byMary Bass
 
PPTX
Globus Auth: A Research Identity and Access Management Platform
byIan Foster
 
PDF
What's New in Globus - Internet2 TechEXtra
byGlobus
 
PPTX
Webinar: Compliance and Data Protection in the Big Data Age: MongoDB Security...
byMongoDB
 
PPTX
IBM Spectrum Scale Authentication For Object - Deep Dive
bySmita Raut
 
PPTX
Globus for System Administrators
byGlobus
 
PDF
A Novel methodology for handling Document Level Security in Search Based Appl...
bylucenerevolution
 
PPTX
IBM Spectrum scale object deep dive training
bySmita Raut
 
PPTX
Kerberos, Token and Hadoop
byKai Zheng
 
PPTX
Securing Your Deployment with MongoDB and Red Hat's Identity Management in Re...
byMongoDB
 
PPTX
Gateways 2020 Tutorial - Introduction to Globus
byGlobus
 
PPTX
Gateways 2020 Tutorial - Large Scale Data Transfer with Globus
byGlobus
 
PDF
GlobusWorld 2021 Tutorial: Globus for System Administrators
byGlobus
 
PPTX
Automating Research Data Flows with the Globus Command Line Interface (CLI)
byGlobus
 
PDF
Automating Research Data Flows with Globus (CHPC 2019 - South Africa)
byGlobus
 
PDF
Campus Bridging with Globus Services
byIan Foster
 
PPTX
Gateways 2020 Tutorial - Automated Data Ingest and Search with Globus
byGlobus
 
PPTX
Globus Platform Overview
byGlobus
 
PPTX
Gateways 2020 Tutorial - Instrument Data Distribution with Globus
byGlobus
 
"What's New With Globus" Webinar: Spring 2018
byGlobus
 
Globus: Research Data Management as Service and Platform - pearc17
byMary Bass
 
Globus Auth: A Research Identity and Access Management Platform
byIan Foster
 
What's New in Globus - Internet2 TechEXtra
byGlobus
 
Webinar: Compliance and Data Protection in the Big Data Age: MongoDB Security...
byMongoDB
 
IBM Spectrum Scale Authentication For Object - Deep Dive
bySmita Raut
 
Globus for System Administrators
byGlobus
 
A Novel methodology for handling Document Level Security in Search Based Appl...
bylucenerevolution
 
IBM Spectrum scale object deep dive training
bySmita Raut
 
Kerberos, Token and Hadoop
byKai Zheng
 
Securing Your Deployment with MongoDB and Red Hat's Identity Management in Re...
byMongoDB
 
Gateways 2020 Tutorial - Introduction to Globus
byGlobus
 
Gateways 2020 Tutorial - Large Scale Data Transfer with Globus
byGlobus
 
GlobusWorld 2021 Tutorial: Globus for System Administrators
byGlobus
 
Automating Research Data Flows with the Globus Command Line Interface (CLI)
byGlobus
 
Automating Research Data Flows with Globus (CHPC 2019 - South Africa)
byGlobus
 
Campus Bridging with Globus Services
byIan Foster
 
Gateways 2020 Tutorial - Automated Data Ingest and Search with Globus
byGlobus
 
Globus Platform Overview
byGlobus
 
Gateways 2020 Tutorial - Instrument Data Distribution with Globus
byGlobus
 

Similar to Managing Protected and Controlled Data with Globus

PDF
Globus High Assurance for Protected Data (GlobusWorld Tour - Columbia Univers...
byGlobus
 
PDF
Introduction to Globus for New Users (GlobusWorld Tour - Columbia University)
byGlobus
 
PDF
Introduction to Globus for New Users (GlobusWorld Tour - UCSD)
byGlobus
 
PPTX
What's New With Globus
byGlobus
 
PDF
Introduction to Globus for New Users
byGlobus
 
PDF
An Introduction to Globus for Researchers
byGlobus
 
PDF
Migrating to Globus Connect Server v5
byGlobus
 
PDF
Introduction to Globus
byGlobus
 
PPTX
What data does Globus store and how is it protected?
byGlobus
 
PDF
Getting Started with Globus for Developers
byGlobus
 
PDF
Introduction to the Globus Platform for Developers
byGlobus
 
PDF
Tutorial: Managing Protected Data with Globus Connect Server v5
byGlobus
 
PDF
Introduction to Globus (GlobusWorld Tour West)
byGlobus
 
PDF
GlobusWorld 2021 Tutorial: Introduction to Globus
byGlobus
 
PDF
Best Practices for Data Sharing (GlobusWorld Tour - Columbia University)
byGlobus
 
PDF
Best Practices for Data Sharing (GlobusWorld Tour - UCSD)
byGlobus
 
PDF
Tutorial: Best Practices for Data Sharing
byGlobus
 
PDF
Best Practices for Data Sharing (CHPC 2019 - South Africa)
byGlobus
 
PDF
Introduction to the Globus SaaS (GlobusWorld Tour - STFC)
byGlobus
 
PPTX
Identity Access and Management with Globus
byGlobus
 
Globus High Assurance for Protected Data (GlobusWorld Tour - Columbia Univers...
byGlobus
 
Introduction to Globus for New Users (GlobusWorld Tour - Columbia University)
byGlobus
 
Introduction to Globus for New Users (GlobusWorld Tour - UCSD)
byGlobus
 
What's New With Globus
byGlobus
 
Introduction to Globus for New Users
byGlobus
 
An Introduction to Globus for Researchers
byGlobus
 
Migrating to Globus Connect Server v5
byGlobus
 
Introduction to Globus
byGlobus
 
What data does Globus store and how is it protected?
byGlobus
 
Getting Started with Globus for Developers
byGlobus
 
Introduction to the Globus Platform for Developers
byGlobus
 
Tutorial: Managing Protected Data with Globus Connect Server v5
byGlobus
 
Introduction to Globus (GlobusWorld Tour West)
byGlobus
 
GlobusWorld 2021 Tutorial: Introduction to Globus
byGlobus
 
Best Practices for Data Sharing (GlobusWorld Tour - Columbia University)
byGlobus
 
Best Practices for Data Sharing (GlobusWorld Tour - UCSD)
byGlobus
 
Tutorial: Best Practices for Data Sharing
byGlobus
 
Best Practices for Data Sharing (CHPC 2019 - South Africa)
byGlobus
 
Introduction to the Globus SaaS (GlobusWorld Tour - STFC)
byGlobus
 
Identity Access and Management with Globus
byGlobus
 

More from Globus

PDF
GlobusWorld 2024 Opening Keynote session
byGlobus
 
PDF
Globus Connect Server Deep Dive - GlobusWorld 2024
byGlobus
 
PDF
Globus at the United States Geological Survey
byGlobus
 
PDF
Globus Compute Introduction - GlobusWorld 2024
byGlobus
 
PDF
Extending Globus into a Site-wide Automated Data Infrastructure.pdf
byGlobus
 
PDF
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
byGlobus
 
PDF
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
byGlobus
 
PDF
Globus Compute with Integrated Research Infrastructure (IRI) workflows
byGlobus
 
PDF
Enhancing Performance with Globus and the Science DMZ
byGlobus
 
PDF
Understanding Globus Data Transfers with NetSage
byGlobus
 
PDF
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
byGlobus
 
PDF
The Department of Energy's Integrated Research Infrastructure (IRI)
byGlobus
 
PDF
Enhancing Research Orchestration Capabilities at ORNL.pdf
byGlobus
 
PDF
Developing Distributed High-performance Computing Capabilities of an Open Sci...
byGlobus
 
PDF
Reactive Documents and Computational Pipelines - Bridging the Gap
byGlobus
 
PDF
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
byGlobus
 
PDF
Globus Compute wth IRI Workflows - GlobusWorld 2024
byGlobus
 
PDF
First Steps with Globus Compute Multi-User Endpoints
byGlobus
 
PDF
How to Position Your Globus Data Portal for Success Ten Good Practices
byGlobus
 
PDF
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
byGlobus
 
GlobusWorld 2024 Opening Keynote session
byGlobus
 
Globus Connect Server Deep Dive - GlobusWorld 2024
byGlobus
 
Globus at the United States Geological Survey
byGlobus
 
Globus Compute Introduction - GlobusWorld 2024
byGlobus
 
Extending Globus into a Site-wide Automated Data Infrastructure.pdf
byGlobus
 
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
byGlobus
 
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
byGlobus
 
Globus Compute with Integrated Research Infrastructure (IRI) workflows
byGlobus
 
Enhancing Performance with Globus and the Science DMZ
byGlobus
 
Understanding Globus Data Transfers with NetSage
byGlobus
 
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
byGlobus
 
The Department of Energy's Integrated Research Infrastructure (IRI)
byGlobus
 
Enhancing Research Orchestration Capabilities at ORNL.pdf
byGlobus
 
Developing Distributed High-performance Computing Capabilities of an Open Sci...
byGlobus
 
Reactive Documents and Computational Pipelines - Bridging the Gap
byGlobus
 
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
byGlobus
 
Globus Compute wth IRI Workflows - GlobusWorld 2024
byGlobus
 
First Steps with Globus Compute Multi-User Endpoints
byGlobus
 
How to Position Your Globus Data Portal for Success Ten Good Practices
byGlobus
 
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
byGlobus
 

Recently uploaded

PPTX
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
PDF
Lab 4.3 Automated security scans with Jenkins - 2nd Sight Lab Cloud Security ...
by2nd Sight Lab
 
PDF
Smart Buildings 2025 Wrapped! The Rise of Outcomes-as-a-Service
byMemoori
 
PPTX
UiPath Autonomous Agents | Building and Orchestrating Agents End-to-End
byUiPathCommunity
 
PPTX
Session 2 - Solving Unstructured & Complex Documents with UiPath IXP
byDianaGray10
 
PDF
The State of the Gen AI economy - 2025 - The Meliora Company
byClive Dickens
 
PPTX
Emancipatory Information Retrieval: Radically Reorienting Information Retriev...
byBhaskar Mitra
 
PPTX
How to make Ai agents using Google Gemini AI.pptx
bypkluffy111
 
PDF
Real-Time Data Insight Using Microsoft Forms for Business
byElevate
 
PDF
Lab 1.5 - Sharing Secrets with GPG ~ 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
PDF
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
PDF
API-First Architecture in Financial Systems
bycyy111112
 
PDF
Machine Learning Primer: The Complete Crash Course (From Theory to Deployment)
byAeafat Ahmed Mubin
 
PDF
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PPTX
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
PDF
Lab 1.2 Introduction to Azure Automation - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
DOCX
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
PDF
Cross-Cultural Agile Development -Challenges and Strategies for Overcoming Them-
byTakashi Makino
 
PPTX
DYNAMICALLY.pptx good for the teachers or students to do seminars and for tea...
bympoorvika031
 
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
Lab 4.3 Automated security scans with Jenkins - 2nd Sight Lab Cloud Security ...
by2nd Sight Lab
 
Smart Buildings 2025 Wrapped! The Rise of Outcomes-as-a-Service
byMemoori
 
UiPath Autonomous Agents | Building and Orchestrating Agents End-to-End
byUiPathCommunity
 
Session 2 - Solving Unstructured & Complex Documents with UiPath IXP
byDianaGray10
 
The State of the Gen AI economy - 2025 - The Meliora Company
byClive Dickens
 
Emancipatory Information Retrieval: Radically Reorienting Information Retriev...
byBhaskar Mitra
 
How to make Ai agents using Google Gemini AI.pptx
bypkluffy111
 
Real-Time Data Insight Using Microsoft Forms for Business
byElevate
 
Lab 1.5 - Sharing Secrets with GPG ~ 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
API-First Architecture in Financial Systems
bycyy111112
 
Machine Learning Primer: The Complete Crash Course (From Theory to Deployment)
byAeafat Ahmed Mubin
 
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
Lab 1.2 Introduction to Azure Automation - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
Cross-Cultural Agile Development -Challenges and Strategies for Overcoming Them-
byTakashi Makino
 
DYNAMICALLY.pptx good for the teachers or students to do seminars and for tea...
bympoorvika031
 

Managing Protected and Controlled Data with Globus

  • 1.
    Managing Protected and ControlledData with Globus Vas Vasiliadis vas@uchicago.edu
  • 2.
    Globus SaaS: Researchdata lifecycle Researcher initiates transfer request; or requested automatically by script, science gateway 1 Instrument Compute Facility Globus transfers files reliably, securely 2 Globus controls access to shared files on existing storage; no need to move files to cloud storage! 4 Curator reviews and approves; data set published on campus or other system 7 Researcher selects files to share, selects user or group, and sets access permissions 3 Collaborator logs in to Globus and accesses shared files; no local account required; download via Globus 5 Researcher assembles data set; describes it using metadata (Dublin core and domain- specific) 6 6 Peers, collaborators search and discover datasets; transfer and share using Globus 8 Publication Repository Personal Computer Transfer Share Publish Discover • Use a Web browser • Access any storage • Use an existing identity
  • 3.
    Globus for highassurance data management • Restricted data handling: PHI, PII, CUI • Security controls: NIST 800-53, 800-171 Low • Business Associate Agreement (BAA) w/UChicago – University of Chicago has a BAA with Amazon
  • 4.
    Compliance focus areas •Access Control: Least privilege model • Configuration Management: Change control, impact/risk • Maintenance: Automation, vulnerability mitigation • Accountability: Detailed audit trail (protection, forensics) • Information integrity: Protection, monitoring
  • 5.
    Restricted data disclosedto Globus • Globus does not see file contents …and never did! • File paths/name can have restricted data, e.g. PHI • No other elements (endpoint definitions, labels, collection definitions) can contain restricted data
  • 6.
    Initial release scope •Globus Service: Auth, Transfer, Groups, DNS, Sharing • New web app (app.globus.org) – try it now! • Globus Connect Server v5.2 • Globus Connect Personal v3.x • Globus Command Line Interface (CLI)
  • 7.
    Other features/services/products • Connectors:AWS S3 as priority (future release) • Platform: Globus Search (future release) • Out of scope: Globus ID, data publication SaaS, current web app, GCS v4.x, GCSv5.0, 5.1, GCP2.x • Discontinued: Hosted CLI (as of August 1, 2018)
  • 8.
    Out with theold, in with the new • Host endpoints  Mapped collections – Need local account to access data • Shared endpoints  Guest collections – No local account needed for data access, permissions set in Globus • Use host endpoint to create shared endpoint  Use storage gateway to create guest collections • Access via GridFTP  Access via GridFTP or HTTPS • Initially available via Globus Connect Server v5.2
  • 15.
    Conceptual architecture: Mappedcollections Globus Endpoint Subscriber Security Domain Globus Security Domain DATA Channel CONTROL Channel No data relay or staging via Globus; files move directly between endpoints User identity mapped to local account Single, globally accessible multi-tenant service Globus “client” software Subscriber owned and administered storage system External Security Domain (User, web app, data portal, science gateway, …)
  • 16.
    Conceptual architecture: GuestCollections Subscriber Security Domain User managed ”overlay” permissions stored in Globus service Guest Collection DATA Channel CONTROL Channel Subscriber managed filesystem and endpoint policies External Security Domain (User, web app, data portal, science gateway, …) Globus Endpoint Globus Security Domain
  • 17.
    Globus Connect Serverv5 Milestones v5.0: Google Drive v5.1: POSIX guest collections, HTTPS v5.x: v4 feature parity+v5.3: … • Multi DTN support Additional storage types • Custom IdPs • … Other features v5.2: High assurance
  • 18.
    High Assurance features •Additional authentication assurance – Policy (per storage gateway) on frequency of authentication with specific identity for access to data – Enforce user authentication with specific identity within session • Application instance isolation – Authentication context is per app, per session • Encryption of user data in transit and Globus data at rest • Detailed audit log (on DTN via GCSv5.2)
  • 19.
  • 20.
  • 21.
  • 22.
    Application Instance Isolation userX@uchicago.edu Authenticatedin browser session (app instance 1) Re-authentication required in CLI session (app instance 2) userX@uchicago.edu
  • 23.
  • 24.
  • 25.
  • 26.
  • 27.
  • 28.
    userX@ucmed.org Async transfer betweenHA collections userX@uchicago.edu Encrypted data channel Mapped Collection HA timeout: 2hrs Mapped Collection HA timeout: 4hrs
  • 29.
    Globus Auth: FoundationalIAM service • Enables login for diverse app ecosystem • Protects REST API communications between and among apps and services • No new identity required • Based on OAuth2 and OpenID Connect – Least privileges security model: scopes/consents – Access via OAuth2 and OIDC libraries of your choice – Programming language and framework agnostic
  • 30.
    Globus Auth: Identitybroker for research apps Brokers authentication and authorization among… • End-users • Identity providers: enterprise, external (e.g. Google) • Services: resource servers with REST APIs • Apps: web, mobile, desktop, command line clients • Services acting as clients to other services Mission: Provide a platform for developers to easily access 100’s of IdPs with just a bit of standard code
  • 31.
    Sessions: High Assurancefor Globus Auth • Determine which identities in a user’s identity set have been used to authenticate and when • Services make access control decisions • Uses token introspection • Session context = app instance, device • Failed operation  app generates specific redirect URL docs.globus.org/api/auth/sessions
  • 32.
    Example user flow:Guest collection HA userA@uchicago.edu User_A@uchospitals.edu g.user@gmail.com accmgr@uchospitals.edu ham@gmail.com Guest Collection (timeout: 4hrs) [Role:Access Manager] grants:Read
  • 33.
    Example user flow:Guest collection HA userA@uchicago.edu User_A@uchospitals.edu g.user@gmail.com accmgr@uchospitals.edu ham@gmail.com Guest Collection (timeout: 4hrs)
  • 34.
    Example user flow:Guest collection HA userA@uchicago.edu User_A@uchospitals.edu g.user@gmail.com accmgr@uchospitals.edu ham@gmail.com Guest Collection (timeout: 4hrs)
  • 35.
    Example user flow:Guest collection HA userA@uchicago.edu User_A@uchospitals.edu g.user@gmail.com accmgr@uchospitals.edu ham@gmail.com Guest Collection (timeout: 4hrs) redirect  UC Medicine
  • 36.
    Example user flow:Guest collection HA userA@uchicago.edu User_A@uchospitals.edu g.user@gmail.com accmgr@uchospitals.edu ham@gmail.com [Permission:Read] Guest Collection (timeout: 4hrs)
  • 37.
    Example user flow:Manage Permissions HA accmgr@uchospitals.edu ham@gmail.com Guest Collection (timeout: 4hrs) userB@uchicago.edu User_B@uchospitals.edu grants:Read, Write
  • 38.
    Example user flow:Guest collection HA accmgr@uchospitals.edu ham@gmail.com Guest Collection (timeout: 4hrs) redirect  UC Medicine userB@uchicago.edu User_B@uchospitals.edu
  • 39.
    Groups accessing HAguest collections • Policy options – High assurance – (not) strict – Authentication assurance timeout • Additional restrictions – Invitations can only be issued by administrator or manager – Changes to group policies require specific identity within session/ authentication assurance timeout – Subgroups inherit HA policy
  • 40.
    Example management flows •Managing High Assurance endpoints requires authentication with authorized identity, within session – Endpoint configuration – Globus Groups used to provide access to high assurance data – Management Console access (e.g. to review logs)
  • 41.
    New Globus ConnectServer installation flow • Install GCSv5.2+ binaries • Register the endpoint at developers.globus.org • Add connectors • Add storage gateways – Set as high assurance, configure authentication assurance timeout – Set policy on type of collections supported • Add mapped collection – User must login with identity from configured domain – Local account determined by removing the TLD: username@example1.org  username is local account
  • 42.
    Audit log onDTN via GCSv5.2
  • 43.
    Globus Connect Personal(GCP) • New version for high assurance data handling • Allow user to choose an identity for use with the endpoint – Using GCP for data access requires that identity be in session – Guest collections will work as they do with GCS • Additional logging
  • 44.
    Secure operations • Intrusiondetection and prevention • Performance and health monitoring • Logging • Secure remote access, access control • Uniform configuration management and change control • Backups and disaster recovery • AWS best practices for securing operating environment: VPCs, security groups, IAM best practices
  • 45.
    New subscription levels •High Assurance – 33% uplift on Standard subscription and on premium connectors used for high assurance data • BAA – All High Assurance features + BAA with University of Chicago – 50% uplift on Standard subscription and on premium connectors used under a BAA • Separate subscription ID issued
  • 46.

Editor's Notes

  • #2 July 16th Globus team presentation
  • #19 Access Control Identities provided and managed by institution Globus acts as identity broker only, does not access or store any institutional user credentials Institution controls all access policies (at multiple levels) who can access what data and with what permissions who can share what data and with what permissions all access policies can be changed or revoked at any time
  • #22 Administrator configurable reauthentication timeout
  • #30 Single sign on preferred Want to encourage application development to the Globus Service. Want to encourage others to use Globus Auth for their own services. But not only for Apps, for other service to service communication.
  • #31 NOT and identity manager …think: an “Identity provider Proxy” Getting user authenticated Consented so users are consenting to what tokens are being used for Issuing tokens Verifying tokens Globus Auth is a Foundational service for all of these In some sense it’s an IdP but think of it more as an Identity Broker Two protocols: OAuth2 – OpenID Connect (Web World) SAML – Shibboleth (Universities)
  • #32 OAuth2 – OpenID Connect (Web World) OpenID Connect – Authentication Layer (RESTful / JSON) RA: some concepts to follow, and then present use cases for integration with Auth with specific solutions on using our SDK for that.
  • #41 Anything that can either access PHI or lead to access to PHI == filename and paths
  • #45 Highlights of some of the Globus security features.