Sensitive Data Handling

Globus provides capabilities that support the secure management and transfer of sensitive or regulated data, including data subject to institutional policies or external requirements such as HIPAA, CMMC, NIST frameworks, or other research data protections. These capabilities are designed to help institutions meet their compliance obligations while enabling researchers to work efficiently.


High Assurance Collections

High Assurance collections enforce enhanced security controls, including restricted session lifetimes, detailed audit logging, and mandatory encryption of all data transfers. Encryption is applied automatically and cannot be disabled by end users or administrators.

Institutions can define and enforce their own access policies, manage which users or groups may interact with protected collections, and maintain local audit records of data access, user activity, and resource management.


Institutional Responsibilities

When using Globus for sensitive or regulated data, institutions retain responsibility for:

  • Defining appropriate access controls
  • Ensuring users are authorized for the data they access
  • Configuring High Assurance collections in alignment with institutional policies
  • Reviewing audit logs and monitoring data access
  • Maintaining compliance with applicable regulations

Globus provides the technical controls, but institutions determine how those controls are applied.


Key Controls at a Glance

The following table summarizes the primary security and compliance controls that support the use of Globus for sensitive or regulated data. These controls are enforced by the Globus service and, where applicable, by institutional configuration of High Assurance collections.

| Control area | Description | Enforcement |
|---|---|---|
| Mandatory encryption | All data transfers to and from High Assurance collections are encrypted in transit. Encryption cannot be disabled by users or administrators. TLS 1.2 is enforced for both the data and control channels. | Globus services |
| Strong authentication | Access requires authentication through approved identity providers. Institutions may require MFA or additional identity assurance. | Globus services & institutional IdP |
| Session & token restrictions | High Assurance collections use shorter session lifetimes and stricter token scopes to reduce risk of unauthorized access. | Globus services |
| Granular access controls | Institutions define which users or groups may access sensitive collections. Access can be limited to specific operations or paths. | Institution managed |
| Audit logging | Detailed logs record access, transfers, and administrative actions. Logs support institutional monitoring and compliance review. | Globus & institution config |
| Administrative policy controls | Institutions can apply additional restrictions, such as limiting sharing, requiring specific identity providers, or restricting external access. | Institution config |
| Secure endpoint configuration | High Assurance endpoints must be configured to meet security requirements for sensitive data environments. | Institution config |

Common Use Cases for Sensitive and Regulated Data

Globus is used across a variety of highly regulated environments such as research, higher education, and healthcare to support secure, compliant workflows involving sensitive or regulated data. The examples below illustrate typical scenarios where institutions rely on Globus High Assurance capabilities.

  • Research Data Subject to Institutional or Sponsor Requirements: Data governed by institutional policies or external requirements such as NIH, NSF, or foundation‑specific data protections.
  • Healthcare and Clinical Research Environments: Data subject to HIPAA or similar regulatory frameworks.
  • University Data Stewardship and Privacy Programs: Data stewardship programs that classify and protect institutional data.
  • Secure Collaboration Across Institutions: Collaborative research frequently involves sharing sensitive data between universities, national labs, healthcare organizations, and research consortia.
  • Controlled Access to High‑Value or Restricted Datasets: Datasets requiring controlled access due to licensing, confidentiality, or ethical considerations.

Additional Guidance for Administrators

System administrators configuring Globus Connect Server for sensitive or regulated data can refer to the Admin Guide for Sensitive Data for detailed requirements, configuration steps, and best practices:

Admin Guide for Sensitive Data

This guide includes information on endpoint configuration, authentication requirements, audit logging, and other administrative considerations.


For additional support, please contact the Globus Compliance Team at:
compliance@globus.org