High Assurance Collections for Protected Data
1. Introduction
This document is a guide for institutions that plan to use Globus to manage Protected Health Information (PHI), Personally Identifiable Information (PII), and Controlled Unclassified Information (CUI), collectively referred to as protected data. Files that contain protected data can be transferred and shared using Globus in compliance with the data’s security requirements. To manage protected data with Globus, administrators must configure their Globus Connect Server or Globus Connect Personal installations to support high assurance collections. High assurance collections can be created only under the High Assurance or HIPAA BAA subscription tier.
When a file is transferred by Globus, the content of the file is never sent to Globus servers. Any protected data in the file is never shared with Globus, even transiently. However, the name of the file and its directory path are sent to Globus servers and stored by Globus. Globus High Assurance services are operated with appropriate controls to comply with the data security requirements of protected data found in filenames and paths.
2. Eligible Services
Not all Globus services are covered by a High Assurance or HIPAA BAA subscription. Only the services and applications listed at High Assurance Eligible Services may be used to manage protected data with a High Assurance or HIPAA BAA subscription.
3. High Assurance or HIPAA BAA Subscriptions
If your institution subscribes to Globus at the High Assurance or HIPAA BAA tier, Globus will create a High Assurance or HIPAA BAA subscription ID for your institution. Any Globus Connect Server endpoints or Globus Connect Personal collections that manage protected data must be associated with this High Assurance or HIPAA BAA subscription ID.
4. Configuring Globus Connect for High Assurance
In addition to associating your Globus Connect Server endpoints or Globus Connect Personal collections with a High Assurance or HIPAA BAA subscription ID, you must also configure your endpoint or collection to be high assurance.
4.1. Globus Connect Server
Globus Connect Server can be configured to support high assurance collections for managing protected data. After an administrator creates a Globus Connect Server endpoint, either the administrator or their Globus subscription manager must associate the endpoint with the institution’s High Assurance or HIPAA BAA subscription. Subsequently, the administrator can create a high assurance storage gateway, including configuring a session authentication timeout period and an optional flag to require multi-factor authentication for data access. Note that the identity provider must be configured to release multi-factor authentication status to Globus; if the flag is set and the identity provider does not release that status, users of that identity provider cannot satisfy the requirement. Administrators can then create a mapped collection on the high assurance storage gateway. Any mapped collection created on a high assurance storage gateway will inherit the high assurance policies of the storage gateway.
4.2. Globus Connect Personal
Globus Connect Personal also supports high assurance features for managing protected data. When installing Globus Connect Personal, users must choose the "High Assurance" option and specify the identity that will be used when accessing protected data on the Globus Connect Personal collection. Before the personal collection can be used, either the personal collection owner or the institution’s Globus subscription manager must associate the personal collection with a High Assurance or HIPAA BAA subscription. Any guest collection created on a high assurance Globus Connect Personal collection will inherit the high assurance policies of the Globus Connect Personal collection.
5. High Assurance Features
High assurance features offer the following benefits:
- Higher authentication assurance for data access
- Isolation of applications and devices
- Forced encryption of protected data during transit
- Option to require multi-factor authentication for data access (Globus Connect Server only)
- Prevention of anonymous or public data sharing
- Prevention of data sharing with an email address not recognized as belonging to a Globus identity
- Local audit logging
5.1. Authentication Assurance
High assurance collections enforce the following higher authentication assurance policies for both data access (e.g., transferring and sharing data) and collection management (e.g., creating or configuring collections, managing data sharing permissions):
- Authentication with a linked identity is not sufficient; a user must authenticate specifically with the authorized identity.
- Users must re-authenticate in each new application session (e.g., web browser session) and on each new device.
- Each authentication lasts for a specified period of time, configurable by the institution, after which the user must re-authenticate.
For example, a researcher is logged into the Globus web app on their laptop with their primary identity last_name@campus.edu. The researcher tries to access a guest collection that a collaborator has shared with the researcher’s linked identity first_name@cloudprovider.com. The guest collection has a 60 minute timeout, and the researcher has not authenticated to the Globus web app with first_name@cloudprovider.com within the last 60 minutes. Therefore, the researcher must authenticate with first_name@cloudprovider.com before they can access the guest collection. After authenticating with first_name@cloudprovider.com on their laptop, the researcher immediately tries to access the guest collection on their phone. The researcher is prompted to authenticate again with first_name@cloudprovider.com, despite the fact that they authenticated with that identity within the last 60 minutes on their laptop.
5.2. Protected Data Sharing
High assurance guest collections enable users to share protected data with others. All access to high assurance guest collections must meet the high assurance authentication policies described in Section 5.1 above, regardless of whether access is granted to the guest collection through an individual permission or a group permission.
Users may share protected data with identities from identity providers recognized by Globus. Anonymous and public data sharing is disabled on high assurance guest collections.
If a user wishes to share protected data with a group of identities, the user must ensure the group is configured as a high assurance group. High assurance groups enforce the following higher authentication assurance policies on the group administrators and group managers who manage the group:
- Authentication with a linked identity is not sufficient; a group administrator or manager must authenticate specifically with the identity that holds the role.
- Group administrators and managers must re-authenticate in each new application session (e.g., web browser session) and on each new device.
- Each authentication lasts for a specific period of time, configurable by the group administrator, after which the group administrator or manager must re-authenticate.
For example, a researcher has linked identities last_name@campus.edu and first_name@cloudprovider.com. last_name@campus.edu is an administrator on a high assurance group with a four-hour authentication timeout period. If the researcher authenticates with first_name@cloudprovider.com, the researcher will be able to see the group and its configuration. But if the researcher attempts to make any changes to the group policy or manage group membership, the researcher will be prompted to log in with last_name@campus.edu. If the researcher returns to make further changes after four hours have passed, the researcher will again be prompted to authenticate with last_name@campus.edu. If the researcher attempts to manage the group using a different device, the researcher will be prompted again to authenticate with last_name@campus.edu on the new device.
5.3. Encryption
Encryption of files in transit to or from a high assurance collection is always enforced and may not be overridden by users or by administrators. Please review Network Communication in the High Assurance Security Overview for more information about encryption.
5.4. Audit Logging
Globus Connect generates a detailed audit trail that allows reconstruction of data access and user activities. Audit logs record details of all data access events as well as activities such as login and resource management. Logs are written by Globus Connect directly to the storage system. Management of the logs, such as policies and procedures for access, encryption, and retention, are the responsibility of the subscriber. Because file names and paths can themselves contain protected data (see Section 1), the logs that record them should be protected to the same standard as the data they describe.