The Flux high-performance computing system at the University of Michigan has been built to provide a flexible and secure HPC environment. Flux is an extremely scalable, flexible, and reliable platform that enables researchers to match their computing capability and costs with their needs while maintaining the security of their research.
Built-in Security Features
Applications and data are protected by secure physical facilities and infrastructure as well as a variety of network and security monitoring systems. These systems provide basic but important security measures including:
- Secure access – All access to Flux is via ssh or Globus. Ssh has a long history of high-security. Globus provides basic security and supports additional security if you need it.
- Built-in firewalls – All of the Flux computers have firewalls that restrict access to only what is needed.
- Unique users – Flux adheres to the University guideline of one person per login ID and one login ID per person.
- Multi-factor authentication (MFA) – For all interactive sessions, Flux requires both a UM Kerberos password and Duo authentication. File transfer sessions require a Kerberos password.
- Private Subnets – Other than the login and file transfer computers that are part of Flux, all of the computers are on a network that is private within the University network and are unreachable from the Internet.
- Flexible data storage – Researchers can control the security of their own data storage by securing their storage as they require and having it mounted via NFSv3 or NFSv4 on Flux. Another option is to make use of Flux’s local scratch storage, which is considered secure for many types of data. Note: Flux is not considered secure for data covered by HIPAA.
Flux/Globus & Sensitive Data
To find out what types of data may be processed in Flux or Globus, visit the U-M Sensitive Data Guide to IT Resources.
Additional Security Information
If you require more detailed information on Flux’s security or architecture to support your data management plan or technology control plan, please contact the Flux team at firstname.lastname@example.org.
We know that it’s important for you to understand the protection measures that are used to guard the Flux infrastructure. But since you can’t physically touch the servers or walk through the data centers, how can you be sure that the right security controls are in place?
The answer lies in the third-party certifications and evaluations that Flux has undergone. IIA has evaluated the system, network, and storage practices of Flux and Globus. The evaluation for Flux is published athttp://safecomputing.umich.edu/dataguide/?q=node/151 and the evaluation for Globus is published at http://safecomputing.umich.edu/dataguide/?q=node/155.
Shared Security and Compliance Responsibility
Because you’re managing your data in the Flux high-performance computing environment, the security responsibilities will be shared.
Flux operators have secured the underlying infrastructure, and you are obligated to secure anything you put on the your own infrastructure itself, as well meet any other compliance requirement. These requirements may be derived from your grant or funding agency, or data owners or stewards other than yourself, or state or federal laws and regulations.
The Flux support staff is available to help manage user lists for data access, and information is publicly available on how to manage file system permissions, please see:http://en.wikipedia.org/wiki/File_system_permissions.
Contacting Flux Support
The Flux Support Team encourages communications, including for security-related questions. Please email us at email@example.com.
We have created a PGP key for especially sensitive communications you may need to send.
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1
-----END PGP PUBLIC KEY BLOCK-----
May I process sensitive data using Flux?
Yes, but only if you use a secure storage solution like Mainstream Storage and Flux’s scratch storage. Flux’s home directories are provided by Value Storage, which is not an appropriate location to store sensitive institutional data.One possible workflow is to use
sftp or Globus to move data between a secure solution and Flux’s scratch storage, which is secure, bypassing your home directory or any of your own Value Storage directories.Keep in mind that compliance is a shared responsibility.You must also take any steps required by your role or unit to comply with relevant regulatory requirements.
For more information on specific types of data that can be stored and analyzed on Flux, Value Storage, and other U-M services, please see the “Sensitive Data Guide to IT Services” web page on the Safe Computing website: http://safecomputing.umich.edu/dataguide/