High Assurance Collections for Protected Data
Last Updated: July 28, 2018
1. Introduction
This document is a guide for institutions that plan to use Globus to manage protected data. Managing protected data is made possible by adding the High Assurance or HIPAA BAA tier to a Globus subscription.
Protected data includes: Protected Health Information (PHI), Personally Identifiable Information (PII), and controlled-but-unclassified data. To safely manage protected data, the High Assurance and HIPAA BAA subscription tiers allow administrators to explicitly designate their Globus Connect Server and Globus Connect Personal installations as "high-assurance endpoints."
2. High-assurance features
High-assurance features are enabled by managing an endpoint under a subscription with the High Assurance or HIPAA BAA tier. They offer the following features for data access designated as high assurance.
- Higher authentication assurance for data access
- Isolation of applications and devices
- Forced encryption of protected data during transit
- Audit logging
- Mapped Collections (Globus Connect Server version 5 only)
2.1. Data handling
With a High Assurance or HIPAA BAA subscription, files that contain protected data can be transferred and shared using Globus in compliance with the data’s security requirements. When you use Globus, the content of your files is never sent to Globus servers; data moves directly between endpoints. Consequently, any protected data stored in the files themselves is never shared with Globus.
Filenames and paths, however, are shared with Globus services, and it is expected that they may contain protected data. The Globus High Assurance services are therefore intentionally designed with controls appropriate to the data’s security requirements.
2.2. Eligible Services
Not all Globus services provide special provisions for protected data, even with a High Assurance or HIPAA BAA subscription. Only the services and applications listed at High Assurance Eligible Services should be used to manage protected data with a High Assurance or HIPAA BAA subscription.
2.3. Subscription management
If your subscription includes the High Assurance or HIPAA BAA tier, Globus will create a separate subscription ID for the High Assurance or BAA tier. This allows you to manage your standard and high assurance use independently of each other. You will assign subscription managers to the standard subscription ID and to the High Assurance or HIPAA BAA subscription ID.
Any endpoints you create for managing protected data must be managed under the High Assurance or HIPAA BAA subscription ID.
2.4. Globus Connect Server for high assurance
Version 5 of Globus Connect Server supports the high-assurance features for managing protected data. Details on using Globus Connect Server version 5 can be found in the Globus Connect Server v5 Guide.
When using Globus Connect Server version 5, an administrator creates an endpoint and their Globus subscription manager sets the endpoint as managed under the institution’s High Assurance or HIPAA BAA subscription. This allows use of premium features on the endpoint, including the high-assurance features described in this document. The administrator then adds one or more high assurance storage gateways and authorizes mapped and/or guest collections. A mapped collection allows authorized Globus users with accounts on the endpoint system to access data. If guest collections are permitted, authorized Globus users with accounts on the endpoint system can create guest collections that allow authorized Globus users who don’t have accounts on the endpoint system to access data.
2.5. Globus Connect Personal for high assurance
Version 3 of Globus Connect Personal also supports the high-assurance features for managing protected data. Choose the "High Assurance" option when installing Globus Connect Personal. You will be asked to specify an identity to use when accessing your personal endpoint. When the installation completes, ask your Globus subscription manager to set the endpoint as managed and flagged for use with high-assurance features.
With the "High Assurance" option, you must authenticate using the identity specified at installation to access your personal endpoint, even if you have other linked identities. Guest collections on your personal endpoint behave similarly to high-assurance guest collections in Globus Connect Server version 5.
3. Using high-assurance collections
Above, we mentioned "higher authentication assurance for data access" as a feature of high-assurance endpoints. In practice, this means that Globus enforces tighter authentication requirements for accessing storage gateways and collections on high-assurance endpoints.
In the high-assurance environment, access to data and management of collections is subject to the following configurable policies.
- Users must authenticate with specific identities to obtain access. Authenticating with a linked identity is not sufficient to obtain access.
- Users must re-authenticate in each new application session (e.g., web browser session) and on each new device to obtain access.
- Each authentication lasts for a specific period of time, after which the user must re-authenticate to maintain access.
The policy controlling these requirements is unique to each high-assurance storage gateway and is specified when the endpoint administrator creates the gateway. The policy governs both data access (transferring and sharing data within a collection) and collection management (creating or changing collections via the gateway).
If a user attempts to access a storage gateway or collection to which they have access via a linked identity, but the user hasn’t authenticated with that identity within the current session or within the required time period, the user will be prompted to authenticate with the necessary identity.
3.1. Mapped collections
Mapped collections are created by the endpoint administrator. Access to mapped collections requires an account on the endpoint’s host system. Mapped collections created on storage gateways that are flagged for high-assurance data are automatically configured for use with protected data. Creating and configuring mapped collections is described in the Globus Connect Server v5 Guide.
The endpoint administrator specifies the identities required for access and an authentication assurance timeout period. If a user attempts access without having authenticated as required within the timeout period, the user will be prompted to authenticate with the required identity.
The steps for discovering and using mapped collections to access data are described in the how-to guide, "Find and use a mapped collection from the Globus web app."
3.2. Guest collections
Guest collections inherit access policies from the storage gateways in which they are created, including high-assurance policies.
Globus users who access a high-assurance guest collection must authenticate with the identity that grants them access. For example, imagine a user with linked identities user1@example.org and user1@campus.org, and data in a guest collection is shared with user1@example.org. If the user authenticates using user1@campus.org and attempts to access data in the guest collection, the user will be prompted to authenticate with user1@example.org. If the user returns and attempts access again after the collection’s authentication assurance timeout has passed, the user will again be prompted to authenticate.
The how-to guide Access and share data from a guest collection provides more details on using Guest collections in the high-assurance environment.
3.3. Using groups for access control
With guest collections, access can be defined for groups as well as for individual users. A Globus user who manages a guest collection can use Globus to create and configure a group, add individual identities as members, then assign access privileges in the guest collection to the group. The group’s privileges govern access by each member of the group.
In the high-assurance environment, there are additional requirements for group management.
- Groups that are used to manage access for protected data must be designated as high-assurance groups.
- A user with the administrator or manager role for a group must authenticate with the specific identity that holds the role in order to manage the group.
- Users must re-authenticate in each new application session (e.g., web browser session) and on each new device to manage the group.
- High-assurance groups must be configured with an authentication assurance timeout period. If a group administrator or manager hasn’t authenticated within the timeout period, they must re-authenticate to manage the group.
For example, imagine a user has linked identities user1@example1.org and user1@example2.edu, and user1@example1.org has a group’s administrator role. The group’s authentication assurance timeout period is four hours. If the user has authenticated with user1@example2.edu, the user will be able to see the group and its configuration. But if the user attempts to make any changes to the group policy or manage membership, the user will be prompted to log in with user1@example1.org. If the user returns to make further changes after four hours have passed, the user will again be prompted to authenticate. If the user attempts to manage the group using a different device, the user will be prompted to authenticate with user1@example1.org on the new device.
Group members who have access to data in a guest collection by virtue of group membership have similar requirements.
- Group members must authenticate with the specific identity that is named in the group membership to access the data.
- Group members must re-authenticate in each new application session and on each new device to access the data.
- Group members must re-authenticate after the timeout period has passed to access the data.
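The three rules in section 3 (specific identity, per-session and per-device re-authentication, timeout) drive every example in sections 3.1 to 3.3. The following Python model, added here as an illustration and not Globus code, walks both worked scenarios above (the guest collection shared with user1@example.org, and the group administered by user1@example1.org with a four-hour timeout) through one policy check so the distinct denial reasons are visible. The class and field names, the one-hour collection timeout, the session identifiers and the timestamps are constructed for the example; the only behaviour taken from the page is the policy itself.

```python
"""Added illustration of the high-assurance authentication checks
described above. Not Globus's implementation: names, timeouts and
session identifiers are assumptions made for this example."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass(frozen=True)
class Authentication:
    """One completed login in a Globus application session."""
    identity: str       # identity the user actually logged in with
    session_id: str     # browser session or device; a new one inherits nothing
    at: datetime


@dataclass(frozen=True)
class Grant:
    """An ACL entry, group membership or group role, plus the policy it
    inherits from its high-assurance storage gateway or group."""
    identity: str       # the specific identity named in the grant
    timeout: timedelta  # authentication assurance timeout period


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    required_identity: Optional[str] = None   # identity to prompt for on denial


def check(grant: Grant, logins: List[Authentication], session_id: str,
          now: datetime, action: str = "access") -> Decision:
    """Apply the high-assurance policy to one request.

    Viewing a group's configuration (action == "view") is not a
    high-assurance operation and is served on any login, as in the
    section 3.3 example. Everything else requires a login with exactly
    the granted identity, in the current session, within the timeout.
    """
    if action == "view":
        return Decision(True, "viewing is not a high-assurance operation")

    # Linked identities are deliberately ignored: only the granted identity counts.
    qualifying = [a for a in logins
                  if a.identity == grant.identity and a.session_id == session_id]
    if not qualifying:
        if any(a.identity == grant.identity for a in logins):
            reason = "new session or device: re-authentication required"
        else:
            reason = "logged in with a linked identity, not the granted one"
        return Decision(False, reason, grant.identity)

    age = now - max(a.at for a in qualifying)
    if age > grant.timeout:
        return Decision(False, f"authentication assurance timeout exceeded ({age})",
                        grant.identity)
    return Decision(True, f"authenticated as {grant.identity} {age} ago")


# Constructed reference time for the scenarios below.
T0 = datetime(2018, 7, 28, 9, 0, tzinfo=timezone.utc)


def guest_collection_scenario():
    """Section 3.2: shared with user1@example.org, user logs in as user1@campus.org.
    Assumes a one-hour collection timeout."""
    grant = Grant("user1@example.org", timeout=timedelta(hours=1))
    logins = [Authentication("user1@campus.org", "browser-A", T0)]
    first = check(grant, logins, "browser-A", T0 + timedelta(minutes=1))
    # The user follows the prompt and logs in with the required identity.
    logins.append(Authentication("user1@example.org", "browser-A", T0 + timedelta(minutes=2)))
    second = check(grant, logins, "browser-A", T0 + timedelta(minutes=3))
    # The user returns after the timeout has passed.
    third = check(grant, logins, "browser-A", T0 + timedelta(hours=2))
    return first, second, third


def group_admin_scenario():
    """Section 3.3: user1@example1.org holds the administrator role, four-hour timeout."""
    role = Grant("user1@example1.org", timeout=timedelta(hours=4))
    logins = [Authentication("user1@example2.edu", "laptop", T0)]
    view = check(role, logins, "laptop", T0, action="view")
    manage = check(role, logins, "laptop", T0, action="manage")
    logins.append(Authentication("user1@example1.org", "laptop", T0 + timedelta(minutes=1)))
    manage_ok = check(role, logins, "laptop", T0 + timedelta(minutes=2), action="manage")
    later = check(role, logins, "laptop", T0 + timedelta(hours=5), action="manage")
    other_device = check(role, logins, "phone", T0 + timedelta(minutes=5), action="manage")
    return view, manage, manage_ok, later, other_device


if __name__ == "__main__":
    for d in guest_collection_scenario() + group_admin_scenario():
        print(d)
```

The `required_identity` field on a denial is the useful part for anyone writing a client: the correct response to a high-assurance denial is to prompt for a fresh login with that specific identity, never to silently retry with another linked identity.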