Globus provides a suite of cloud-based software-as-a-service tools for moving, synchronizing, and sharing big data. It allows researchers to securely transfer files between computing endpoints using existing storage systems and network infrastructure.
Globus does not store any data other than minimal information required to ensure the integrity of files transferred and the security of shared data.
- Data being transferred does not flow “through” Globus. It flows directly between source and destination systems that are controlled by their respective owners.
- Shared data does not reside on the Globus infrastructure. It is stored in place on your existing storage system(s) and is subject to the access control policies implemented by the owner/administrator of the storage system.
Globus provides encryption of the "control channel" that is used to communicate with the source and destination endpoints for a transfer. In addition, when data is transferred over a "data channel," that channel exists only between the source and destination endpoints, and Globus Online does not have access to this channel.
When transferring sensitive institutional data, you should encrypt the data channel by selecting the encrypt transfer option. Keep in mind that compliance is a shared responsibility: you must also take any steps required by your role or unit to comply with relevant regulatory requirements.
Globus does not comply with some regulatory requirements for specific types of sensitive data. Among the types of information that may not be maintained, shared, or processed when using Globus are these:
- Protected Health Information (regulated by HIPAA). This is because Globus has not signed the necessary Business Associate Agreement mandated by HIPAA.
- Export Controlled Research. This is because Globus cannot ensure that only U.S. persons have access to or maintain its systems.
- Data regulated by the Federal Information Security Management Act (FISMA). This is because Globus does not have documentation or certification that demonstrates FISMA compliance.
Social Security numbers should only be used where required by law or where they are essential for university business processes. IIA can help you explore appropriate storage locations or work with you to appropriately encrypt the data if those alternatives will not work for you. (Contact IIA via the ITS Service Center.)