At ARC we strive to deliver innovative and secure technologies to UBC researchers. This is why we have ensured that the UBC ARC Chinook object storage platform was configured and is being maintained with security and privacy in mind. This page will briefly present some of the key security and privacy features of UBC ARC Chinook.
Before you read this page
Before you read this page, it is important to know that:
- Any Eligible UBC Researcher intending to use UBC ARC Chinook for a research project is responsible for ensuring that all use remains in compliance with all applicable policies, regulations, laws, ethics requirements, and agreements. For more information see the UBC ARC Chinook Terms of Service.
- In cases where a research project collects, stores, or processes sensitive information, a Security Threat Risk Assessment (“STRA”) that examines the entire project workflow and toolchain used to protect this information during academic research may be recommended. This page is intended to provide relevant security and privacy information about UBC ARC Chinook and cannot replace an STRA. For more information about STRA, visit our Security and Privacy section.
UBC Information Security Requirements
UBC ARC Chinook security is configured to meet the requirements set by UBC Information Systems Policy (SC14) and associated standards.
Information Classification
The current security controls of UBC ARC Chinook allow UBC researchers to store UBC information of all classifications.
Ethics
At UBC, research projects may be subject to review by a Research Ethics Board, which approves the project and sets requirements around data collection, use and disclosure.
Architecture Security
UBC ARC Chinook is designed with a multi-layer architecture to ensure information is not directly exposed outside its environment. Secure architecture hardening controls, including network protection, endpoint detection and response, vulnerability scanning, and patch management, are in place to prevent unauthorized access and actions on the platform. The sub-sections below describe the current controls in place:
Architecture Diagram
Access Control
UBC ARC Chinook access controls are implemented following the Principle of Least Privilege. For end users, access is provided through the Globus application which is available using a browser with an HTTPS connection. Access to UBC ARC Chinook is described in the ARC System Access Control standard (ARCS-22) and may vary based on the allocation model.
The platform is integrated with UBC’s Campus Wide Login (CWL) for UBC or UBC-sponsored users. Privileged accounts used to administer the platform are further limited to the UBC ARC team and may only be used from a dedicated internal network.
For certain use cases, the Amazon S3 connector is also available for UBC ARC Chinook, but the following security considerations apply:
- Access to UBC ARC Chinook is restricted to specified endpoints (or IPs);
- Multi-Factor Authentication is enforced where possible;
- S3 policies and access controls are configured to limit access to required users only.
Passwords and passphrases must follow the requirements of UBC Information Security Standard U2 (ISS-U2). UBC ARC Chinook requires Multi-Factor Authentication for UBC users.
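The three S3 connector considerations listed above (access limited to specified endpoints or IPs, MFA enforced where possible, and policies restricted to required users) can all be expressed in a single S3 bucket policy. The policy below is an added illustration, not a policy published by UBC ARC; the account ID, user name, bucket name and the 192.0.2.0/24 address range are constructed placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOnlyRequiredProjectUsers",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:user/PLACEHOLDER-project-researcher"
      },
      "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::PLACEHOLDER-allocation-bucket",
        "arn:aws:s3:::PLACEHOLDER-allocation-bucket/*"
      ]
    },
    {
      "Sid": "DenyAccessFromUnapprovedEndpoints",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::PLACEHOLDER-allocation-bucket",
        "arn:aws:s3:::PLACEHOLDER-allocation-bucket/*"
      ],
      "Condition": {
        "NotIpAddress": {"aws:SourceIp": ["192.0.2.0/24"]}
      }
    },
    {
      "Sid": "DenyAccessWithoutMFA",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::PLACEHOLDER-allocation-bucket",
        "arn:aws:s3:::PLACEHOLDER-allocation-bucket/*"
      ],
      "Condition": {
        "BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}
      }
    }
  ]
}
```

Because an explicit Deny always overrides an Allow in S3 policy evaluation, the first statement grants only the named user, and the two Deny statements then refuse any request from outside the approved address range or without an MFA-authenticated session, regardless of who sends it.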
Network
UBC ARC Chinook is not accessible directly from the Internet. Only authenticated users connected to the Globus application over a secure connection can access the platform. Only the UBC ARC Sockeye platform can communicate directly (without using the Globus application) with UBC ARC Chinook. All connections use secure network protocols, including signed certificates with a minimum signature hash algorithm of SHA-256.
Physical Security
UBC ARC Chinook is located in British Columbia, Canada. The majority of the platform physically resides within the UBC University Data Centre at the Point Grey campus, a modern secure data center with security features such as pass-card restricted and logged entry, generator-backed UPS protected power, and video surveillance.
Endpoint Protection
To ensure optimal protection, operation and performance, the underlying infrastructure of UBC ARC Chinook, including operating systems and firmware, runs supported versions.
Vulnerability Management
UBC ARC Chinook is regularly scanned using a variety of recognized scanning tools. Reports are reviewed and inform the maintenance and patching priorities to ensure compliance with ARC System Maintenance standard (ARCS-21), and UBC Information Security Standard M5 (ISS-M5).
ARC has dedicated cybersecurity, system and platform administrators who keep track of the latest vulnerabilities potentially affecting the platform and ensure they are addressed in a timely fashion.
Maintenance and Patching
UBC ARC Chinook maintenance and patching is defined in the ARC System Maintenance standard (ARCS-21) as follows:
Platform and Underlying Infrastructure
To facilitate required upgrades and patches the UBC ARC Chinook platform has pre-set maintenance windows. Maintenance includes the following:
- Security patching based on priority (as defined in UBC ISS-M5);
- Underlying infrastructure regular maintenance;
- Testing prior to new update or patch release, as well as verification post-release to ensure implementation was successful;
- Documented update and user communication procedures;
- Change Management procedures;
- Contingency planning.
Software
The maintenance of the Globus software is performed by ARC system administrators following UBC requirements. Any components of the Globus software managed directly by Globus are maintained on Globus’s own schedule and policies, which are outside ARC’s maintenance scope.
Logging and Monitoring
UBC ARC Chinook logs are compiled in a central logging system. Logs are generally intended to be used for maintenance and troubleshooting, as well as detecting and investigating information security events. Access for other purposes must be approved using one of the following methods:
- Internally, within UBC, in accordance with UBC Information Security Standards;
- Externally to law enforcement via Campus Security;
- Externally to other entities via authorization from the Office of the University Counsel.
Information Security
UBC ARC Chinook is configured with multiple security and information protection controls to ensure research information is protected while stored on the platform. The sub-sections below describe the current controls in place:
Encryption
By default, UBC ARC Chinook encrypts all information transfers using TLS 1.2.
Backup
UBC ARC Chinook does not provide backup for user information. It is the responsibility of the user to ensure information stored on the system is backed up to another location. Visit our UBC Research Storage Finder page for more information.
Replication
UBC ARC Chinook is partially replicated to the UBC Okanagan campus datacenter.
Information Retention and Destruction
UBC ARC Chinook storage is intended for short- to medium-term storage of information on the system. Information is subject to deletion as defined in the UBC ARC Chinook Terms of Service.
All information stored on the platform is managed in accordance with the ARC Data Retention and Destruction standard (ARCS-05).
Privacy
UBC ARC Chinook is designed to allow researchers to retain and retrieve portions of large research datasets composed of files and unstructured data, such as short or medium-term archives, collection and aggregation of results, copies of valuable datasets, staging of reference datasets or nearline storage.
Privacy Model
UBC ARC Chinook operates under a shared responsibility model. UBC ARC is responsible for the underlying infrastructure including the hardware, network, and system (operating system) management. The Allocation Owner is responsible for the information stored on the platform, as well as its use, and disclosure.
Collection
UBC ARC does not collect any personal information as part of the operation of the UBC ARC Chinook platform. UBC ARC only collects the necessary business information required for the provision of the allocation.
Use and Disclosure
UBC ARC does not use or disclose any of the information within a UBC ARC Chinook allocation except where required by law or as directed by the Allocation Owner. The Allocation Owner is responsible for the information processed and stored on the platform, as well as its use, and disclosure.
Training and Awareness
Training is available for UBC ARC Chinook users to ensure research is conducted following the university requirements and cybersecurity best practices.
UBC privacy and information security training
Privacy & Information Security – Fundamentals training is a mandatory requirement for faculty, staff, researchers, student employees and contractors who use UBC Electronic Information and Systems. Visit privacymatters.ubc.ca for more information.
ARC information security awareness training
In addition to UBC Privacy and Information Security training, ARC staff must complete the mandatory ARC Information Security Awareness curriculum which is specifically oriented to professionals providing support to UBC researchers and managing ARC systems and platforms.
UBC ARC Sockeye users
Tutorials, and live training events are regularly available to new and existing UBC ARC Chinook users. See our Training and Resources section for more information.
Management
Research Data Management
Research data management is the responsibility of the Allocation Owner, but ARC offers support to UBC researchers if required. Visit rdm.ubc.ca for more information.
User Management
UBC ARC Chinook user management is done in accordance with UBC Information Security Standard M2 (ISS-M2) and UBC Information Security Standard M3 (ISS-M3). It includes:
- Review and approval of user accounts prior to access provisioning;
- Documented Onboarding and Off-boarding procedures;
- Periodic access reviews;
- Unique user identifier allowing traceable actions.
Globus Access Provisioning
There are two (2) types of provisioning process available for UBC ARC Chinook:
- Allocations storing information of a non-sensitive nature are managed by the Allocation Owner via the Globus application using a discretionary access control model. Access provisioning and management is the responsibility of the Allocation Owner, and the use of UBC CWL is recommended.
- For allocations storing information of a sensitive nature, access is provisioned and managed by ARC at the request of the Allocation Owner, and a UBC CWL is required for users to be granted access.
Security Incident Response
UBC ARC has a Security Incident process in place to ensure potential and confirmed incidents are properly handled and documented. This process is in place to supplement UBC Security Incident Response procedures and includes:
- Defined security incident response based on criticality;
- Defined roles and responsibilities;
- Defined security incident reporting and activation protocols;
- Documented procedures including information breach management, communication, reporting and sharing, as well as forensic analysis;
- Documentation, logging and evidence management requirements;
- Escalation protocols;
- Post incident reviews.
Additional Resources
Can’t find what you are looking for?
Send us an email at arc.support@ubc.ca to talk to one of our subject matter experts.