High Assurance Collections for Protected Data

With a High Assurance or HIPAA BAA subscription, files that contain protected data can be transferred and shared using Globus in compliance with the data’s security requirements. When you use Globus, the content of your files is never sent to Globus servers. Consequently, any protected data stored in files is never shared with Globus.

Filenames and paths are shared with Globus services, and it is expected that they may contain protected data. Globus High Assurance services are intentionally designed with appropriate controls to comply with the data’s security requirements.

Not all Globus services provide special provisions for protected data, even with a High Assurance or HIPAA BAA subscription. Only the services and applications listed at High Assurance Eligible Services should be used to manage protected data with a High Assurance or HIPAA BAA subscription.

If your subscription includes the High Assurance or HIPAA BAA tier, Globus will create a separate subscription ID for the High Assurance or BAA tier. This allows you to manage your standard and high assurance use independently of each other. You will assign subscription managers to the standard subscription ID and to the High Assurance or HIPAA BAA subscription ID.

Any endpoints you create for managing protected data must be managed under the High Assurance or HIPAA BAA subscription ID.

Version 5 of Globus Connect Server supports the high-assurance features for managing protected data. Details on using Globus Connect Server version 5 can be found in the Globus Connect Server v5 Guide.

When using Globus Connect Server version 5, an administrator creates an endpoint and their Globus subscription manager sets the endpoint as managed under the institution’s High Assurance or HIPAA BAA subscription. This allows use of premium features on the endpoint, including the high-assurance features described in this document. The administrator then adds one or more high assurance storage gateways and authorizes mapped and/or guest collections. A mapped collection allows authorized Globus users with accounts on the endpoint system to access data. If guest collections are permitted, authorized Globus users with accounts on the endpoint system can create guest collections that allow authorized Globus users who don’t have accounts on the endpoint system to access data.

Version 3 of Globus Connect Personal also supports the high-assurance features for managing protected data. Choose the "High Assurance" option when installing Globus Connect Personal. You will be asked to specify an identity to use when accessing your personal endpoint. When the installation completes, ask your Globus subscription manager to set the endpoint as managed and flagged for use with high-assurance features.

With the "High Assurance" option, you must authenticate using the identity specified at installation to access your personal endpoint, even if you have other linked identities. Guest collections on your personal endpoint behave similarly to high-assurance guest collections in Globus Connect Server version 5.

Mapped collections are created by the endpoint administrator. Access to mapped collections requires an account on the endpoint’s host system. Mapped collections created on storage gateways that are flagged for high-assurance data are automatically configured for use with protected data. Creating and configuring mapped collections is described in the Globus Connect Server v5 Guide.

The endpoint administrator specifies the identities required for access and an authentication assurance timeout period. If a user attempts access without having authenticated as required within the timeout period, the user will be prompted to authenticate with the required identity.

The steps for discovering and using mapped collections to access data are described in the how-to guide, "Find and use a mapped collection from the Globus web app."

Guest collections inherit access policies from the storage gateways in which they are created, including high-assurance policies.

Globus users who access a high-assurance guest collection must authenticate with the identity that grants them access. For example, imagine a user with linked identities user1@example.org and user1@campus.org, and data in a guest collection is shared with user1@example.org. If the user authenticates using user1@campus.org and attempts to access data in the guest collection, the user will be prompted to authenticate with user1@example.org. If the user returns and attempts access again after the collection’s authentication assurance timeout has passed, the user will again be prompted to authenticate.

The how-to guide Access and share data from a guest collection provides more details on using Guest collections in the high-assurance environment.

With guest collections, access can be defined for groups as well as for individual users. A Globus user who manages a guest collection can use Globus to create and configure a group, add individual identities as members, then assign access privileges in the guest collection to the group. The group’s privileges govern access by each member of the group.

In the high-assurance environment, there are additional requirements for group management.

For example, imagine a user has linked identities user1@example1.org and user1@example2.edu, and user1@example1.org has a group’s administrator role. The group’s authentication assurance timeout period is four hours. If the user has authenticated with user1@example2.edu, the user will be able to see the group and its configuration. But if the user attempts to make any changes to the group policy or manage membership, the user will be prompted to log in with user1@example1.org. If the user returns to make further changes after four hours have passed, the user will again be prompted to authenticate. If the user attempts to manage the group using a different device, the user will be prompted to authenticate with user1@example1.org on the new device.

Group members who have access to data in a guest collection by virtue of group membership have similar requirements.