FASRC DOCS

Skip to main content

Search Docs by Keyword

Table of Contents

FASSE / Protected Data Transfers

FASSE / Protected Data Transfers

To preface this:  You are responsible for knowing, and complying with applicable Harvard Information Security Policy (controls that apply to DSL3 and lower), Harvard Research Data Security Policy, and any applicable contracts / data use agreements.

FASSE data transfers generally work the same as transfers for other environments.  For example:

  • When connected to the FASSE VPN realm, you can copy files to and from the FASSE cluster, assuming this meets policy/DUA compliance requirements.
  • While on FASSE nodes (compute, login, etc.) and the FASSE VPN, you have full access to the Internet through a proxy.
    • Generally, this means that you can push to or pull from any HTTPS, SFTP, or other service that supports a proxy.
    • For example, this means you should be able to pull data from data providers that provide an HTTPS, SFTP, or other service.  You may need to adjust certain configurations and workflows to use the proxy – Some details on this here

With that said, given that FASSE is rated for data security level (DSL) 3 data:

  • Do not store DSL 3 / FASSE data in your home directory.
  • If you have a DUA that requires encryption at rest, you must not use scratch for any data that the DUA applies to.  Neither local scratch, nor our global scratch, support encryption at rest.
  • FASSE VPN, login, compute, and VDI environments use a proxy.  Some transfer solutions do not work through a proxy.  If you run into this:
    • Please ensure you have tried to use a proxy, and if you still run into trouble,
    • Open a ticket with rchelp@rc.fas.harvard.edu indicating
      • What you have tried
      • What you expected to happen
      • What actually happened
      • Include specific commands, where these ran, and output messages including all errors.
  • Data security level 3 / FASSE storage is intentionally not included in Globus by default.  If you would like your FASSE project to be exposed through Globus, consider the following:
    • If any data in this project is governed by a contract / data use agreement (DUA), please review the DUA to ensure Globus is compliant.  You might consult your School Security Officer for this.
      • An example scenario where Globus would not be compliant:  DUAs indicating that a VPN or private network must be used for all access to the data.  Globus makes data available over the Internet without a VPN or private network
    • Please submit a ticket to rchelp@rc.fas.harvard.edu as follows:
      • This must include the path to the project to add to Globus (e.g. “/n/piname_project_l3”)
      • This must indicate that the PI attests to Globus being compliant with any contracts/DUAs governing the data in this project storage
      • This must be from, or receive a reply directly from the PI for this project confirming this information
  • For Storage, FASSE storage is intentionally not provided SMB shares by default.  If you need your FASSE project exposed through an SMB share, consider the following:
    • Please submit a ticket to rchelp@rc.fas.harvard.edu as follows:
      • This must include the path to the project (e.g. “/n/piname_project_l3”)
      • This must indicate that the PI attests to understanding and accepting the risks of enabling SMB access to this data, given that any system or network that can talk to this tiered storage, could access this data if the credentials from an account in the project were used.  Some example scenarios:
        • Someone with access to your storage accesses it / copies data down to an unmanaged lab computer without data security level controls
        • Someone with access to your storage accidentally clicks the wrong link on a computer with access to this storage. Their computer is compromised, malware identifies SMB access to your data, and compromises the confidentiality, integrity, and/or availability of your data – maybe ransomware, stealing the data, etc.
      • This must include a brief explanation of why SMB access is needed, and from where you will use this SMB access
      • This must be from, or receive a reply directly from the PI for this project confirming this information

If you have any questions or concerns, please do not hesitate to consult us at at security@rc.fas.harvard.edu, although in some cases we may end up pulling in or pointing you to your school privsec officer.

Last Updated
Tags:
  • © The President and Fellows of Harvard College.
    Except where otherwise noted, this content is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license.