Managing Protected and Controlled Data with Globus · 2018. 10. 31.
Globus SaaS: Research data lifecycle
[Diagram: Instrument, Compute Facility, Publication Repository and Personal Computer, across the phases Transfer, Share, Publish, Discover]
1. Researcher initiates transfer request; or requested automatically by script, science gateway
2. Globus transfers files reliably, securely
3. Researcher selects files to share, selects user or group, and sets access permissions
4. Globus controls access to shared files on existing storage; no need to move files to cloud storage!
5. Collaborator logs in to Globus and accesses shared files; no local account required; download via Globus
6. Researcher assembles data set; describes it using metadata (Dublin core and domain-specific)
7. Curator reviews and approves; data set published on campus or other system
8. Peers, collaborators search and discover datasets; transfer and share using Globus
• Use a Web browser
• Access any storage
• Use an existing identity
Globus for high assurance data management
• Restricted data handling: PHI, PII, CUI
• Security controls: NIST 800-53, 800-171 Low
• Business Associate Agreement (BAA) w/UChicago
– University of Chicago has a BAA with Amazon
Compliance focus areas
• Access Control: Least privilege model
• Configuration Management: Change control, impact/risk
• Maintenance: Automation, vulnerability mitigation
• Accountability: Detailed audit trail (protection, forensics)
• Information integrity: Protection, monitoring
Restricted data disclosed to Globus
• Globus does not see file contents …and never did!
• File paths/names can contain restricted data, e.g. PHI
• No other elements (endpoint definitions, labels, collection definitions) may contain restricted data
Initial release scope
• Globus Service: Auth, Transfer, Groups, DNS, Sharing
• New web app (app.globus.org) – try it now!
• Globus Connect Server v5.2
• Globus Connect Personal v3.x
• Globus Command Line Interface (CLI)
Other features/services/products
• Connectors: AWS S3 as priority (future release)
• Platform: Globus Search (future release)
• Out of scope: Globus ID, data publication SaaS, current web app, GCS v4.x, GCSv5.0, 5.1, GCP2.x
• Discontinued: Hosted CLI (as of August 1, 2018)
Out with the old, in with the new
• Host endpoints → Mapped collections
– Need local account to access data
• Shared endpoints → Guest collections
– No local account needed for data access; permissions set in Globus
• Use host endpoint to create shared endpoint → Use storage gateway to create guest collections
• Access via GridFTP → Access via GridFTP or HTTPS
• Initially available via Globus Connect Server v5.2
Conceptual architecture: Mapped collections
[Diagram: three security domains. Globus Security Domain: a single, globally accessible multi-tenant service. Subscriber Security Domain: the Globus Endpoint, i.e. Globus “client” software on a subscriber owned and administered storage system, with the user identity mapped to a local account. External Security Domain: user, web app, data portal, science gateway, … A CONTROL channel connects Globus to the endpoint; the DATA channel runs between endpoints only: no data relay or staging via Globus; files move directly between endpoints.]
Conceptual architecture: Guest Collections
[Diagram: the same three domains. The Guest Collection lives on the Globus Endpoint in the Subscriber Security Domain, subject to the subscriber managed filesystem and endpoint policies; user managed “overlay” permissions are stored in the Globus service (Globus Security Domain). The CONTROL channel links Globus and the endpoint; the DATA channel serves the External Security Domain (user, web app, data portal, science gateway, …).]
Globus Connect Server v5 Milestones
• v5.0: Google Drive
• v5.1: POSIX guest collections, HTTPS
• v5.2: High assurance
• v5.3: …
• v5.x: v4 feature parity + other features
– Multi DTN support
– Additional storage types
– Custom IdPs
– …
High Assurance features
• Additional authentication assurance
– Policy (per storage gateway) on frequency of authentication with specific identity for access to data
– Enforce user authentication with specific identity within session
• Application instance isolation
– Authentication context is per app, per session
• Encryption of user data in transit and Globus data at rest
• Detailed audit log (on DTN via GCSv5.2)
Application Instance Isolation
• Authenticated in browser session (app instance 1)
• Re-authentication required in CLI session (app instance 2)
Async transfer between HA collections
[Diagram: Mapped Collection (HA timeout: 2hrs) ⟷ encrypted data channel ⟷ Mapped Collection (HA timeout: 4hrs)]
Globus Auth: Foundational IAM service
• Enables login for diverse app ecosystem
• Protects REST API communications between and among apps and services
• No new identity required
• Based on OAuth2 and OpenID Connect
– Least privileges security model: scopes/consents
– Access via OAuth2 and OIDC libraries of your choice
– Programming language and framework agnostic
Globus Auth: Identity broker for research apps
Brokers authentication and authorization among…
• End-users
• Identity providers: enterprise, external (e.g. Google)
• Services: resource servers with REST APIs
• Apps: web, mobile, desktop, command line clients
• Services acting as clients to other services
Mission: Provide a platform for developers to easily access 100’s of IdPs with just a bit of standard code
Sessions: High Assurance for Globus Auth
• Determine which identities in a user’s identity set have been used to authenticate, and when
• Services make access control decisions
• Uses token introspection
• Session context = app instance, device
• On a failed operation, the app generates a specific redirect URL
docs.globus.org/api/auth/sessions
Example user flow: Guest collection
[Diagram, built up over several slides: an HA Guest Collection with authentication assurance timeout 4hrs. A user holding [Role: Access Manager] grants: Read. When the accessing user’s required identity is not in session, the operation redirects to UC Medicine for authentication; with [Permission: Read] in place the user then accesses the collection.]
Example user flow: Manage Permissions
[Diagram: on the same HA Guest Collection (timeout: 4hrs), the access manager grants: Read, Write to [email protected]; the operation again redirects to UC Medicine for authentication with the required identity.]
Groups accessing HA guest collections
• Policy options
– High assurance – (not) strict
– Authentication assurance timeout
• Additional restrictions
– Invitations can only be issued by administrator or manager
– Changes to group policies require specific identity within session / authentication assurance timeout
– Subgroups inherit HA policy
Example management flows
• Managing High Assurance endpoints requires authentication with authorized identity, within session
– Endpoint configuration
– Globus Groups used to provide access to high assurance data
– Management Console access (e.g. to review logs)
New Globus Connect Server installation flow
• Install GCSv5.2+ binaries
• Register the endpoint at developers.globus.org
• Add connectors
• Add storage gateways
– Set as high assurance, configure authentication assurance timeout
– Set policy on type of collections supported
• Add mapped collection
– User must log in with an identity from the configured domain
– Local account determined by removing the TLD: for [email protected], the username part is the local account
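The session rules in the slides above (an identity from the configured domain, authenticated in the current app instance within the storage gateway’s assurance timeout, then mapped to a local account by dropping the domain) as one added example; this is not Globus code, and the introspection field names, identity ids, usernames and timestamps are assumed or constructed as marked in the code.

```python
"""Authentication-assurance check for a high-assurance (HA) Globus collection.
Added illustration, not Globus code: it models what a resource server learns
from Globus Auth token introspection with session info, where
session_info.authentications maps an identity id to {idp, auth_time, amr}
(docs.globus.org/api/auth/sessions). All ids and timestamps are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Decision:
    allowed: bool
    reason: str
    local_account: Optional[str] = None        # mapped collections only
    # Identities the app must have the user re-authenticate with. Sessions
    # are per app instance, so a CLI token never inherits a browser login.
    reauth_identities: List[str] = field(default_factory=list)

def local_account_for(username: str) -> str:
    """Mapped-collection rule from the deck: drop the domain part of the
    identity username, e.g. 'alice@uchicago.edu' -> 'alice'."""
    return username.split("@", 1)[0]

def check_ha_access(introspection: dict, identity_usernames: Dict[str, str],
                    allowed_domain: str, timeout_seconds: int, now: int) -> Decision:
    """Allow access to a mapped HA collection only if the identity set holds an
    identity from `allowed_domain` that authenticated in *this* session within
    `timeout_seconds` (the storage gateway's authentication assurance timeout).
    `identity_usernames` (id -> username) is supplied by the caller here."""
    if not introspection.get("active"):
        return Decision(False, "token is not active")
    auths = introspection.get("session_info", {}).get("authentications", {})
    suffix = "@" + allowed_domain
    candidates = [iid for iid in introspection.get("identity_set", [])
                  if identity_usernames.get(iid, "").endswith(suffix)]
    if not candidates:
        return Decision(False, f"no identity from {allowed_domain} in identity set")
    for iid in candidates:
        auth = auths.get(iid)
        if auth is None:
            continue                    # never authenticated in this session
        age = now - int(auth["auth_time"])
        if 0 <= age <= timeout_seconds:
            return Decision(True, f"authenticated {age}s ago",
                            local_account=local_account_for(identity_usernames[iid]))
    # Missing or stale authentication: the app builds the Globus Auth redirect
    # that asks for exactly these identities (the "specific redirect URL").
    return Decision(False, "authentication assurance timeout exceeded",
                    reauth_identities=candidates)

# Constructed sample data: one user with two linked identities.
USERNAMES = {"id-aaaa": "alice@uchicago.edu", "id-bbbb": "alice.s@gmail.com"}
NOW = 1_541_000_000
BROWSER_TOKEN = {                       # app instance 1: browser session
    "active": True, "identity_set": ["id-aaaa", "id-bbbb"],
    "session_info": {"session_id": "sess-1", "authentications": {
        "id-aaaa": {"idp": "idp-uchicago", "auth_time": NOW - 3600, "amr": ["pwd"]}}},
}
CLI_TOKEN = {                           # app instance 2: no login in this session
    "active": True, "identity_set": ["id-aaaa", "id-bbbb"],
    "session_info": {"session_id": "sess-2", "authentications": {}},
}

if __name__ == "__main__":
    for name, tok in (("browser", BROWSER_TOKEN), ("cli", CLI_TOKEN)):
        print(name, check_ha_access(tok, USERNAMES, "uchicago.edu", 4 * 3600, NOW))
```

With a 4-hour timeout the browser token (authenticated one hour ago) is allowed and maps to local account `alice`, while the CLI token from a separate app instance is refused and must re-authenticate with the uchicago.edu identity.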
Audit log on DTN via GCSv5.2
Globus Connect Personal (GCP)
• New version for high assurance data handling
• Allow user to choose an identity for use with the endpoint
– Using GCP for data access requires that identity be in session
– Guest collections will work as they do with GCS
• Additional logging
Secure operations
• Intrusion detection and prevention
• Performance and health monitoring
• Logging
• Secure remote access, access control
• Uniform configuration management and change control
• Backups and disaster recovery
• AWS best practices for securing operating environment: VPCs, security groups, IAM best practices
New subscription levels
• High Assurance: 33% uplift on Standard subscription and on premium connectors used for high assurance data
• BAA: All High Assurance features + BAA with University of Chicago
– 50% uplift on Standard subscription and on premium connectors used under a BAA
• Separate subscription ID issued
Questions?