8. Unify data access across storage tiers…
[Diagram: storage tiers listed as Research Computing HPC, Desktop Workstations, Mass Storage Instruments, Personal Resources, National Resources]
9. …simplify sharing with collaborators…
[Diagram: storage types listed as Cloud Storage (public / private cloud stores), Campus storage, Project repositories, replication stores, Public repositories]
15. Secure data sharing …from any storage
[Diagram: on-prem or public cloud storage (laptop, server, compute facility) connected to Globus, a globally accessible multi-tenant service]
Owner: select files to share, select user or group, and set access permissions.
Collaborator: logs into Globus and accesses shared files; no local account required; download via Globus.
Globus controls access to shared files on existing storage; no staging of data required.
17. Automated instrument data egress
[Diagram: instruments (Cryo EM, Lightsheet, Sequencer, ALS/APS, …) feed a local policy store with paths --/cohort045, --/cohort096, --/cohort127; data flow to local system download and to remote analysis and visualization]
18. Repository data distribution
[Diagram: (1) user searches for and requests data of interest; (2) data delivered by bulk data transfer or browser-based download through Globus, a globally accessible multi-tenant service]
19. Data staging for compute
[Diagram: (1) input data upload to --/run123/input (rw); (2) compute service writes output data, staged with access control, to --/run123/output (r); (3) user accesses and downloads results]
24. Globus sustainability model
• Free Tier (transfer only)
• Standard Subscription
– File sharing
– HTTPS support
– Management console, usage reports
– Application integrated support
– Priority support
• Branded Web Site
• Premium Storage Connectors
• Alternate Identity Provider
• High Assurance Subscriptions
25. Standard Globus security features
• Access Control
– Identities provided and managed by institution
– Institution controls all access policies
– Globus is identity broker; no access to/storage of user credentials
• Data remain at institutions, not stored by Globus
• Integrity checks of transferred data
• High availability and redundancy
• Encryption of user files and Globus control data
26. High Assurance features for PHI, CUI
• Additional authentication assurance
– Reauthentication after specified time period
– Authenticates with the specific identity within session
• Isolation of applications
– Authentication context is per application, per session
• Enforced encryption of data in transit
• Local audit logging
27. Secure operations
• Intrusion detection and prevention
• Encryption
• Logging
• Secure remote access, access control
• Uniform configuration management and change control
• AWS best practices for securing operating environment: VPCs, security groups, identity and access management
• Comply with HIPAA, NIST SP800-171, NIST SP800-53