Security concerns when working with volumes
BioData Catalyst powered by Seven Bridges has taken measures to ensure that operations on volumes by the Platform are secure and compliant with the security standards governing medical data.
Restrictions on viewing volume details
Volume owner
Only the volume's owner (the user who created the volume) can obtain the full details of that volume, including its exact configuration to the cloud storage provider.
This information never contains authentication credentials such as passwords or access keys. These credentials are never communicated back via the API. The owner of a volume is, however, free to reconfigure these credentials as well as any of the volume's other parameters.
Project members
If your project on the Platform contains aliases referring to your volume, project members can obtain the file details of these aliases which contain a restricted set of information identifying the source volume. For example, a project member viewing the details of a file imported to a project will see the following:
In short, if a user has sufficient privileges to obtain the details of an alias, both the Platform visual interface and the API will expose:
- The volume identifier, consisting of owner's username and volume name. In the example above, the username is markot and the volume name is my_import_volume.
- The key under which the object is stored on the cloud storage service. In the example above, the key is 243831_ATGTCA_L001_1P.fastq.gz.
Platform users who are not members of projects referring to your volume cannot obtain any information about your volume or any of its resources.
Restrictions on volume operations
Only the volume's owner can perform operations on that volume, including listing volume details, updating volume configuration, deleting a volume, invoking alias operations on it or checking those operations' status.
By creating a volume, you authorize the Platform to access your cloud storage service and the resources you've specified on it on your behalf. You retain ownership of your cloud resources at all times – the Platform does not read volumes' contents independently of operations you perform on the volume.
The Platform will not copy the resources elsewhere or change their native metadata unless through an operation performed by you, the owner, or by an authorized user. Note that authorized users can only effect changes on aliases but not on the volume itself.
The owner of the resources in a volume can revoke access at any time by:
- Deleting the volume from the Platform
- Reconfiguring the volume to purge access credentials shared with the Platform
- Changing or revoking the shared credentials on the storage service itself
When the Platform access to a volume is revoked (or a volume is removed), any resources that link to that volume's data objects may remain on the Platform (e.g. any imported or exported files), but their content becomes unavailable until the volume is either recreated or reconfigured.
Viewing the content of an alias via the Web browser
Most cloud storage providers implement additional security measures limiting access to the contents of stored objects. This may prevent you from viewing the content of some aliases, even when the files are otherwise readable and can be used as inputs to computation.
If this is a problem, you can configure your cloud storage to allow viewing such content in a browser:
Updated 7 months ago