Service Description
Globus provides a suite of cloud-based, software-as-a-service services for moving, synchronizing, and sharing big data. It allows researchers to securely transfer files between computing endpoints using existing storage systems and network infrastructure. Globus is a U-M Advanced Research Computing (ARC) service.
Compliance
Globus does not store any data other than minimal information required to ensure the integrity of files transferred and the security of shared data.
- Data being transferred does not flow “through” Globus. It flows directly between source and destination systems that are controlled by their respective owners.
- Shared data does not reside on the Globus infrastructure. It is stored in place on your existing storage system(s) and is subject to the access control policies implemented by the owner/administrator of the storage system.
Globus provides encryption of the "control channel" that is used to communicate with the source and destination endpoints for a transfer. In addition, when data is transferred over a "data channel," that channel exists only between the source and destination endpoints, and Globus Online does not have access to this channel.
When transferring sensitive institutional data, users should encrypt the data channel by selecting the encrypt transfer option. In addition, users should keep in mind that compliance is a shared responsibility. You must also take any steps required by your role or unit to comply with relevant regulatory requirements.
Before using Globus with Protected Health Information (PHI) regulated by HIPAA, contact ITS Information Assurance (IA) through the ITS Service Center for a consultation. You must use the Globus High Assurance configuration and compatible storage that is permitted for PHI (Turbo Research Storage (NFSv4+Kerberos or CIFS). You must install your Globus server with High Assurance enabled. The personal version for workstations auto adjusts when talking to a Globus High Assurance server.
Complying with HIPAA's requirements is a shared responsibility. You are responsible for complying with HIPAA safeguards, including:
- Using and disclosing only the minimum necessary PHI for the intended purpose.
- Obtaining all required authorizations for using and disclosing PHI.
- Ensuring that PHI is seen only by those who are authorized to see it.
- Following any additional steps required by your unit to comply with HIPAA.
Social Security numbers should only be used where required by law or where they are essential for university business processes. ITS Information Assurance (IA) can help you explore appropriate storage locations or work with you to appropriately encrypt the data if those alternatives will not work for you. (Contact IA via the ITS Service Center.)