Admin Guide for Sensitive Data

The endpoint deployment key is in the deployment-key.json file, which is generated during successful endpoint setup. This file must be kept confidential because it contains the secret to authenticate the endpoint node to Globus services and the encryption key used to encrypt your endpoint configuration. Protect the deployment key as you would a password. Globus cannot recover your deployment key.

The encryption cipher used to encrypt the data transfer channel is selected from the OpenSSL libraries installed on each data transfer node. The first common cipher is selected from the preference-ordered list of OpenSSL ciphers on the source and destination nodes. By default, OpenSSL uses the HIGH cipher suites with AES256-SHA as the first cipher in the list. Generally, there is no need to change the default list. If you require FIPS 140-2 compliance, you must enable FIPS mode on your operating system. When FIPS is enabled, OpenSSL will use only FIPS compliant ciphers. Consult your Linux distribution’s documentation for enabling FIPS mode.

The node client secret is used to authenticate the node to Globus services. When an endpoint node is first configured, its secret is set to the secret stored in the endpoint deployment key. You can replace this shared secret with a node specific secret, which can be routinely rotated.

If your users will use Globus to access sensitive data, you must configure the storage gateway to be high assurance. High assurance storage gateways support features such as automatic enforced encryption, local audit log generation, session isolation, sharing permission expiration, and multi-factor authentication requirements. A storage gateway may only be configured as high assurance on creation and cannot be changed.

Users must authenticate with the identity providers you have configured as the storage gateway authentication domain. Select a domain from an institution that provides an appropriate level of authentication assurance for sensitive data, typically your campus domain rather than, for example, gmail.com. You may not select globusid.org as the authentication domain for a high assurance storage gateway.

Users must reauthenticate after the authentication timeout period has passed. The default timeout period is 11 days. For sensitive data access, we recommend you shorten the authentication timeout.

Identity mapping defines a user’s local storage system account and can be derived from a user’s identity information in Globus. You should confirm that the default mapping is appropriate for your system, or otherwise generate custom mapping for your system.

Users may never use Globus to access parts of the filesystem beyond their local access permissions. Data access using Globus is always constrained by local access permissions. You can further constrain access using Globus by configuring paths that users may or may not access via Globus. For example, you may want to restrict access through Globus to home directories only.

You can deny or allow a local account or group of local accounts to access data via Globus by configuring user access restrictions. For example, you may want to prevent access by Globus to an admin-user account. You can further narrow access by configuring which local accounts may access which paths via Globus.

You can configure a collection to restrict data transfers to high assurance collections only, ensuring data leaving your system remains on a high assurance collection.

You can require users to authenticate with their identity providers using MFA in order to access their data via Globus. However, before configuring your system to require MFA, please confirm with Globus at support@globus.org that the identity provider you have selected for your storage gateway authentication domain reports to Globus that MFA was used.

You can configure a custom user message and link that is displayed in the Globus Web app when a user accesses your system. For example, the message can remind users they are accessing sensitive data and the link can take users to your acceptable use policies.

Consider your policies and procedures for log access, encryption, retention and monitoring when managing your high assurance audit logs. High assurance audit logs can contain sensitive data and should be protected accordingly.

You can configure a custom domain name for a Globus Connect Server collection. A custom domain makes it easy for your users to search for and recognize your collection.