High Assurance Security Overview

Globus delivers secure and scalable data management capabilities to the research community, including data transfer and sharing. Globus allows researchers to use a secure, unified interface to orchestrate a variety of data management tasks across multiple Globus-enabled sites, all within the visibility and access control limits set by each site. By leveraging federated identities, existing institutional logins may be used for authentication to Globus. Computer scientists at the University of Chicago and Argonne National Laboratory have developed Globus to meet the specific needs and requirements of the research community. For over a decade, tens of thousands of researchers, including most leading US universities and national laboratories, have relied on Globus to provide data management capabilities.

Globus uses a hybrid Software as a Service architecture. Two primary components make up the Globus ecosystem: Globus services and Globus endpoints. Globus services are hosted on Amazon Web Services (AWS) and operated by Globus. Services provide secure platform interfaces (APIs) and are accessed via clients including a Globus provided web application and command line client. Globus endpoints are storage systems hosted and operated by the subscriber running Globus Connect software to enable use of Globus data management capabilities, including access to data via GridFTP and HTTPS protocols.

Globus security is based on well-established standards such as OAuth 2 and OpenID Connect. Globus services leverage federated login and allow user authentication using one of the many supported identity providers (e.g., institutional identities, ORCID, Google). Since Globus acts as an identity broker and uses federated login, institutional credentials are never seen by Globus. Globus services also allow the user to link their identities from multiple identity providers into a single account. Globus Auth, the identity and access management service in Globus, is based on OAuth 2 and is used to secure all Globus services and used for integration with third-party applications. This provides an advanced, user consent based delegated authorization model that allow applications and services to act on behalf of users and other services.

The Globus High Assurance tier provides additional security controls to meet the higher authentication and authorization standards required for access to restricted data, such as Protected Health Information, Personally Identifiable Information, and Controlled Unclassified Information. Users must authenticate with specific identities as determined by the policy set by administrators at the institution to obtain access; authenticating with one of the linked identities is not sufficient to obtain access. Users must re-authenticate in each new application session with the required identity. For example users will need to reauthenticate within each new instance of an application, web browser session and on each new device to obtain access. Each authentication lasts for a specific period of time, determined by policy set by the administrator, after which the user must re-authenticate to continue access. The time configured by the administrator is called the authentication assurance timeout. It is a shared responsibility of the subscriber, who sets the access control policies, including the authentication assurance timeout, and Globus, who enforces these rules, to ensure the security and confidentiality of the data.

Globus endpoints are storage systems that are accessible via Globus services. Endpoints are created by installing Globus Connect on the subscriber’s own storage systems, whether local, campus, or cloud. Endpoints are configured with one or more storage gateways, which are specific storage instances and policies that govern access to data on that instance. For example, an endpoint may have three storage gateways: one for data on on-premises object store, another for data on scratch a file system and another for data on a tape archive. Each of these gateways have their own access policies and may be designated as high assurance. The architecture of Globus Connect Server version 5, which supports High Assurance Gateways, is shown in Figure 1.

Data stored on endpoints are strictly under the purview of the subscriber. Using standard system tools and Globus Connect software, endpoint administrators (e.g., storage owners or storage administrators) set all authorization and access policies and can change policies or revoke user access at any time.

For storage gateways designated as high assurance, the administrator must configure the authentication assurance timeout, which is the length of time an authentication is valid. This determines how often a user has to authenticate with the identity within a session for continued access. In addition, for multi-user storage systems, such as campus storage, the administrator must specify the institutional identity provider required for authentication and the set of authorized users. For single-user storage systems, such as laptops, the administrator must choose the specific identity from their set of linked identities that is required for access to the endpoint.

Collections are hosted on storage gateways, and provide the interfaces needed for users to access data. Both HTTPS and GridFTP protocols are supported for accessing data from collections. The high assurance policies specified at the storage gateway by the administrator are inherited by the collection and govern both collection access and management. In the follow sections, we describe data access via the two types of collections: mapped and guest.

As part of service operation and logging, Globus services store information associated with tasks, such as temporary user credentials and information entered by the researcher, including username, email address, and endpoint name. Although files are never shared with the Globus service, the service does access and store filenames and directory paths in order to control the flow of research data. All filenames and directory paths are deleted within 90 days. When managing files containing restricted data, it is expected that filenames and paths may contain restricted data, and the Globus service protects filenames and paths accordingly.

All Globus operational and log data stored in AWS are encrypted at rest, using either AWS Key Management Service encryption or AWS service-specific encryption options. All AWS resources are monitored to ensure that their encryption options are set correctly. It is the responsibility of the subscriber to encrypt data at rest on the Globus endpoint.

Globus Connect generates a detailed audit trail that allows reconstruction of data access and user activities. Audit logs record details of all data access events as well as activities such as login and resource management. Logs are written by Globus Connect directly to the subscriber’s storage system. Management of the logs, such as policies and procedures for access, encryption, and retention, are the responsibility of the subscriber.