This document outlines our response to the security assessment of the Globus data sharing capability conducted by CTSC, as described in the document "Globus Plus Data Sharing: Security Assessment", dated November 14th, 2014. As the various recommendations are addressed, this web page will be updated to reflect the status.
A couple of critical issues noted in the review were addressed prior to the review being completed. None of the other issues are deemed critical and no vulnerabilities were identified. A set of recommended actions for the Globus team is discussed below, and a few open issues identified in the review document are listed.
Recommendations to be addressed
This is a summary of items for the Globus team to address based on the recommendations.
- Add a link explaining what sharing is to the installation document, under the "Enable Sharing" section.
Response to (1)
- Provide a best practices document for configuring Globus Connect Server with sharing enabled. Note the review talks about using GridFTP configuration files; the document should cover Globus Connect Server installation methods as well.
Response to (2)
- Document principles on how various domains interact. Agree with the proposed answers for the principles.
Response to (4)
- Document the trust model between the various entities, both for consumption by end users (non-technical) and by administrators (technical).
Response to (5)
- Document best practices for users of the share capability.
Response to (11)
- Document suggested deployment models for "lower risk tolerance"
Response to (18)
- Document RP best practice to audit GridFTP configuration.
Response to (21)
- Add (optional) notification on creation of share to creator of share.
Response to (6)
- Add (optional) notification on creation of share to host endpoint owner.
Response to (7)
- Enhance Globus Connect Server configuration management to include mechanisms to set other GridFTP configuration, such that all GridFTP configuration can be done via Globus Connect Server, and detect direct changes to the GridFTP configuration files to provide appropriate warnings.
Response to (10)
- Update GridFTP configuration to add common excluded suffixes when finding the configuration file.
Response to (12)
- Allow administrators to configure who can create and use shares (In progress).
Response to (19)
- Allow setting a lifespan for a share, before the end of which the user needs to authenticate to keep the share active.
Response to (20)
files are checked to ensure they are properly owned and only readable by owning user.
Response to (13)
- Shares for disabled accounts are not active and cannot be used.
Response to (14)
- Validate share configuration file contents with state in Globus to detect changes.
Response to (15)
- Disallow sharing of privileged paths.
Response to (17)
- Mechanism to verify coherence on share endpoints across Globus service and the endpoints. Also covers migration of endpoints to different path or host.
Response to (22)
Monitoring and Logging
- Add additional logging information to get details on credentials used, including full certificate chain.
Response to (8)
- Add features to Management Console to allow monitoring of sharing status and summary of usage. (In progress)
Response to (9)
- Independent code audit for the new USER : globus-sharing and SITE commands.
Response to (3)
Indiana University Review
A security review and risk assessment of the Globus transfer service and web user interface were conducted by Von Welch, Indiana University in February 2012. The findings are published here. The Globus team addressed the recommendations identified in the report and they are documented in our response.
A security review was conducted by XSEDE in December 2011. The issues identified and the corresponding response from the Globus team are documented in the following: