Data security statement:

“The COSMIC2 gateway will implement several mechanisms to ensure proper use of the resources and security of users’ data. The web server will be deployed with Secure Sockets Layer (SSL) to encrypt all communication between the gateway and the users. The gateway will log all user logins and job activities; this will give us the ability to monitor our system and resource usage and an audit trail if we detect suspicious or abusive activities. The addition of Globus Auth and Globus Transfer will provide an industry-standard level of protection for identity management and ensure proper access authorization between users, data and storage resources. Internally, the gateway will be running from an account that has no login ability, and the database is restricted to allow access only from the gateway host through a single account. All user jobs submitted to the XSEDE compute resources will go through a single community account that uses a 2048-bit Rivest-Shamir-Adleman (RSA) public-key cryptosystem for authentication and authorization. Lastly, since the gateway is located within the University of California, San Diego network domain, the regular scans performed by the university will also serve to notify us if any issues are found.

Security is based on Globus Auth, an identity and access management platform designed specifically to meet the needs of research services and users. Globus Auth brokers authentication and authorization between identity providers, resource services, and clients. It implements the OAuth 2 and OpenID Connect standard protocols for integration. Users authenticate via Globus Auth using their existing credentials from a trusted identity provider, e.g. their campus username and password. Once authenticated, users can access Globus endpoints using either the same credential (if the endpoint supports single sign-on), or by providing a separate set of credentials recognized by the endpoint’s local security system.

Files on a given Globus endpoint are accessible only to authorized users, as defined by the permissions set by the endpoint’s administrator. The endpoint administrator can further control the data that users may access by configuring Globus to explicitly deny or restrict access to specific parts of the filesystem. Data may optionally be encrypted during transfer; if configured for encryption, Globus will use OpenSSL and the associated default cipher stack available on the endpoint.

For all data on SDSC, we will take the following steps to ensure data security. We will 1) set boundaries on the filesystem level for individual user folders (read/write permissions); 2) run on exclusive nodes (compute instead of shared nodes); 3) have tight control on what applications/options run via COSMIC2.”