Globus High Assurance Overview

This guide is designed to help you make informed decisions about where to safely store and share university data. It is not intended to be a complete or comprehensive catalog of the storage services available at UW-Madison.

You are responsible for ensuring that your use of this service complies with laws, policies, and regulations where applicable. See Compliance below for details.

Permitted

  • Protected Health Information (HIPAA)
  • Sensitive Identifiable Human Subject Research
  • Personally Identifiable Information (PII)
  • Student Education Records (FERPA)
  • Attorney - Client Privileged Information
  • Other Sensitive Institutional Data

Permitted with Cybersecurity Consultation

  • Social Security Numbers
  • Student Loan Application Information (GLBA)

Not Permitted

  • Controlled Unclassified Information (CUI)
  • Credit Card or Payment Card Industry (PCI) Information
  • Export Controlled Research (ITAR, EAR)
  • Federal Information Security Management Act (FISMA) Data

Service Description

Globus provides a suite of cloud-hosted, software-as-a-service tools for moving, synchronizing, and sharing large datasets. It allows researchers to securely transfer files between computing endpoints using their existing storage systems and network infrastructure.

Globus High Assurance is a web-based research platform that supports secure sharing of protected data, including PHI. It is available to all members of the University of Wisconsin-Madison under a Globus High Assurance subscription covered by a HIPAA Business Associate Agreement (BAA).

Risk Review

Globus and Globus High Assurance have undergone a full risk review by the Office of Cybersecurity Risk Management and Compliance and are included on the Office of Compliance's list of Approved Tools for Exchanging and Storing PHI.

The University of Wisconsin-Madison risk review program is based on the NIST Cybersecurity Framework (CSF) control standards. Because the university has a large Health Care Component, specific HIPAA controls are also applied to ensure the security of ePHI within tools and systems used on campus.

Based on a review of Globus against that NIST standard, the tool has been placed on the "Approved for use with PHI" list.

Compliance

Globus does not store any data other than minimal information required to ensure the integrity of files transferred and the security of shared data.

  • Data being transferred does not flow “through” Globus. It flows directly between source and destination systems that are controlled by their respective owners.
  • Shared data does not reside on the Globus infrastructure. It is stored in place on your existing storage system(s) and is subject to the access control policies implemented by the owner/administrator of the storage system.

Globus encrypts the "control channel" it uses to communicate with the source and destination endpoints of a transfer. The "data channel" that carries the file contents exists only between the source and destination endpoints; Globus itself has no access to it.

When transferring sensitive institutional data, users should encrypt the data channel by selecting the encrypt transfer option (data-channel encryption is enforced for High Assurance collections, but must be selected explicitly for other transfers). Keep in mind that compliance is a shared responsibility: you must also take any steps required by your role or unit to comply with relevant regulatory requirements.
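As an added example (not code from this KB page, from Globus, or from UW-Madison), the following Python builds a Globus Transfer task-submission document and refuses to produce one for data classes the tables above list as Not Permitted, for SSN/GLBA data without a consultation reference, or for restricted data with the data channel left unencrypted. The top-level field names (DATA_TYPE, source_endpoint, destination_endpoint, encrypt_data, verify_checksum, DATA, transfer_item) are those of the Globus Transfer API task document; the classification labels, collection UUIDs, and paths are constructed placeholders. In practice the same two flags are passed as `encrypt_data=True` and `verify_checksum=True` when constructing `globus_sdk.TransferData`, and `check_task_document` can audit the resulting document before it is submitted.

```python
"""Build and audit a Globus Transfer task document so that restricted data
never leaves without data-channel encryption.

Added example; it is not code from the UW-Madison KB page or from Globus.
The classification labels below are constructed to mirror the page's
Permitted / Permitted with Consultation / Not Permitted lists.
"""
import json
import uuid

RESTRICTED = {"PHI", "PII", "FERPA", "HUMAN_SUBJECT",
              "ATTORNEY_CLIENT", "SENSITIVE_INSTITUTIONAL"}
CONSULTATION_REQUIRED = {"SSN", "GLBA"}
PROHIBITED = {"CUI", "PCI", "ITAR_EAR", "FISMA"}


class TransferPolicyError(ValueError):
    """Raised when a transfer request violates the page's data-handling rules."""


def _is_uuid(value):
    """Globus collection IDs are UUIDs; reject anything else early."""
    try:
        uuid.UUID(str(value))
    except ValueError:
        return False
    return True


def build_transfer_task(source_collection, destination_collection, items,
                        classification, label="", encrypt_data=False,
                        consultation_reference=None):
    """Return a Transfer API task document (a plain dict) or raise.

    items: iterable of (source_path, destination_path, recursive) tuples.
    classification: set of labels describing the data being moved.
    For restricted or consultation-required data, encrypt_data is forced on;
    the caller's choice is only honoured for non-sensitive data.
    """
    classification = set(classification)
    blocked = classification & PROHIBITED
    if blocked:
        raise TransferPolicyError(f"not permitted on Globus: {sorted(blocked)}")
    if classification & CONSULTATION_REQUIRED and not consultation_reference:
        raise TransferPolicyError(
            "SSN/GLBA data requires a cybersecurity consultation reference")
    for coll in (source_collection, destination_collection):
        if not _is_uuid(coll):
            raise TransferPolicyError(f"collection id is not a UUID: {coll!r}")

    sensitive = bool(classification & (RESTRICTED | CONSULTATION_REQUIRED))
    return {
        "DATA_TYPE": "transfer",
        "source_endpoint": str(source_collection),
        "destination_endpoint": str(destination_collection),
        "label": label,
        # Integrity: have the service checksum every file after transfer.
        "verify_checksum": True,
        # Confidentiality: encrypt the endpoint-to-endpoint data channel.
        "encrypt_data": bool(encrypt_data or sensitive),
        "DATA": [
            {"DATA_TYPE": "transfer_item", "source_path": src,
             "destination_path": dst, "recursive": bool(rec)}
            for src, dst, rec in items
        ],
    }


def check_task_document(doc, classification):
    """Audit an existing task document before submission.

    Returns a list of findings; an empty list means the document passes.
    Works on any mapping with the Transfer API field names, including the
    document produced by globus_sdk.TransferData.
    """
    classification = set(classification)
    findings = []
    if classification & PROHIBITED:
        findings.append("prohibited data class")
    if classification & (RESTRICTED | CONSULTATION_REQUIRED) \
            and not doc.get("encrypt_data"):
        findings.append("restricted data without encrypt_data")
    if not doc.get("verify_checksum"):
        findings.append("verify_checksum disabled")
    if not doc.get("DATA"):
        findings.append("no transfer items")
    return findings


if __name__ == "__main__":
    # Constructed collection IDs and paths for the demonstration.
    src = "11111111-2222-3333-4444-555555555555"
    dst = "66666666-7777-8888-9999-000000000000"
    task = build_transfer_task(src, dst,
                               [("/project/phi/", "/researchdrive/phi/", True)],
                               {"PHI"}, label="PHI cohort sync")
    print(json.dumps(task, indent=2))
    print("findings:", check_task_document(task, {"PHI"}))
```

The document returned by build_transfer_task is what the SDK sends to the Transfer API's submit endpoint; the submission_id the service requires is added at submission time, so a document built here can be reviewed or logged offline before any credentials are involved.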

Globus does not meet some regulatory requirements for specific types of sensitive data. The following types of information may not be maintained, shared, or processed using Globus:

  • Export Controlled Research. This is because Globus cannot ensure that only U.S. persons have access to or maintain its systems.
  • Data regulated by the Federal Information Security Management Act (FISMA). This is because Globus does not have documentation or certification that demonstrates FISMA compliance.

Social Security numbers should only be used where required by law or where they are essential for university business processes. The Office of Cybersecurity can help you explore appropriate storage locations or work with you to appropriately encrypt the data if those alternatives will not work for you.

FAQ

Is my data shared with Globus?

When you use Globus, the content of your files is never sent to Globus servers. Consequently, any protected data stored in files is never shared with Globus. Filenames and paths are shared with Globus services, and it is expected that they may contain protected data. Globus High Assurance services are intentionally designed with appropriate controls to comply with the data's security requirements. See Data Handling for more information.

Who is responsible for managing secured Globus endpoints?

Managing secured Globus endpoints is a shared responsibility. See Endpoint Management and Security and Endpoint Security Checklist for more information.

Can I use Globus if I have restricted data, such as PHI?

Yes, but restricted data may only be stored, with approval, in specific Globus High Assurance Endpoints that have access managed by authorized data administrators. In addition, workstations used to access and store PHI must meet specific security guidelines. See the Office of Cybersecurity Risk Management and Compliance for more details.

Is traffic encrypted with Globus High Assurance collections?

Yes, encryption of the data channel is enforced for all transfers to or from a High Assurance endpoint. See Globus High Assurance Security Overview for more information.

In addition, SMBv3 transport encryption is used between the Globus servers and ResearchDrive storage.



Keywords:
cybersecurity, risk, assessment, tools, storage, PHI, Globus 
Doc ID:
133129
Owned by:
Jan C. in UW-Madison Research Data
Created:
2023-12-01
Updated:
2023-12-12
Sites:
UW-Madison Research Data