ARC Chinook Security and Privacy

UBC ARC Chinook access controls are implemented following the Principle of Least Privilege. For end users, access is provided through the Globus application which is available using a browser with an HTTPS connection. Access to UBC ARC Chinook is described in the ARC System Access Control standard (ARCS-22) and may vary based on the allocation model. 
The platform is integrated with UBC’s Campus Wide Login (CWL) for UBC, or UBC-sponsored users. Privileged accounts used to administrate the platform are further limited to the UBC ARC team from a dedicated internal network.

For certain use cases, the Amazon S3 connector is also available for UBC ARC Chinook, but the following security considerations apply:

• Access to UBC ARC Chinook is restricted to specified endpoints (or IPs);
• Multi-Factor Authentication is enforced where possible;
• S3 policies and access controls are configured to limit access to required users only

Password and passphrase must follow the requirements of UBC Information Security Standard U2 (ISS-U2). UBC ARC Chinook requires Multi-Factor Authentication for UBC users.

UBC ARC Chinook is not accessible directly from the Internet. Only authenticated users connected to the Globus application with secure connection can access the platform. Only the UBC ARC Sockeye platform can communicate directly (without using the Globus application) with UBC ARC Chinook. All connections use secure network protocols including signed certificates with a minimum cryptographic hash cypher of SHA256.

UBC ARC Chinook is located in British Columbia, Canada. The majority of the platform physically resides within the UBC University Data Centre at the Point Grey campus, a modern secure data center with security features such as pass-card restricted and logged entry, generator-backed UPS protected power, and video surveillance.

To ensure optimal protection, operation and performance, UBC ARC Chinook underlying infrastructure including operating systems and firmware have supported versions installed.

UBC ARC Chinook is regularly scanned using a variety of recognized scanning tools. Reports are reviewed and inform the maintenance and patching priorities to ensure compliance with ARC System Maintenance standard (ARCS-21), and UBC Information Security Standard M5 (ISS-M5).

ARC has dedicated cybersecurity, system and platform administrators to keep track of the latest vulnerabilities potentially affecting the platform, and ensuring they are addressed in a timely fashion.

UBC ARC Chinook maintenance and patching is defined in the ARC System Maintenance standard (ARCS-21), and is defined as follows:

UBC ARC Chinook logs are compiled in a central logging system. Logs are generally intended to be used for maintenance and troubleshooting, as well as detecting and investigating information security events. Access for other purposes must be approved using one of the following methods:

• Internally, within UBC, in accordance with UBC Information Security Standards;
• Externally to law enforcement via Campus Security;
• Externally to other entities via authorization from the Office of the University Counsel.

By default, UBC ARC Chinook encrypt for all information transfers using TLS1.2.

UBC ARC Chinook does not provide backup for user information. It is the responsibility of the user to ensure information stored on the system is backed up to another location. Visit our UBC Research Storage Finder page for more information.

UBC ARC Chinook is partially replicated to the UBC Okanagan campus datacenter.

UBC ARC Chinook storage is intended for information that is being stored from short to medium term on the system. Information is subject to deletion as defined in the UBC ARC Chinook Terms of Service. 
All information stored on the platform is managed in accordance with the ARC Data Retention and Destruction standard (ARCS-05).

UBC ARC Chinook operates under a shared responsibility model. UBC ARC is responsible for the underlying infrastructure including the hardware, network, and system (operating system) management. The Allocation Owner is responsible for the information stored on the platform, as well as its use, and disclosure.

UBC ARC does not collect any personal information as part of the operation of the UBC ARC Chinook platform. UBC ARC only collects the necessary business information required for the provision of the allocation.

UBC ARC does not use or disclose any of the information within a UBC ARC Chinook allocation except where required by law or as directed by the Allocation Owner. The Allocation Owner is responsible for the information processed and stored on the platform, as well as its use, and disclosure.

Privacy & Information Security – Fundamentals training is a mandatory requirement for faculty, staff, researchers, student employees and contractors who use UBC Electronic Information and Systems. Visit privacymatters.ubc.ca for more information.

In addition to UBC Privacy and Information Security training, ARC staff must complete the mandatory ARC Information Security Awareness curriculum which is specifically oriented to professionals providing support to UBC researchers and managing ARC systems and platforms.

Tutorials, and live training events are regularly available to new and existing UBC ARC Chinook users. See our Training and Resources section for more information.