ResearchDrive - Admin Guide for Campus IT Staff Supporting Researchers With Restricted Data

This document is a ResearchDrive admin guide for campus IT staff who support researchers working with Restricted Data.

Restricted ResearchDrive Support Model and Departmental Compliance

Restricted ResearchDrive secures Restricted Data in partnership with campus IT through a shared responsibility model.   All endpoints connecting to Restricted ResearchDrive must be managed by campus IT in compliance with the UW-526 Endpoint Management and Security Policy and the UW-527 IT Asset Reporting Policy   Personally owned devices are not allowed to access Restricted ResearchDrive

Campus IT groups must complete an initial Secure Storage Risk Management and Compliance Review including an Endpoint Security Checklist before researchers are eligible for Restricted ResearchDrive. Campus units who have completed the review with an accepted Risk Rating are eligible for the Departmental Compliance program that provides delegated administrative control of Restricted ResearchDrive accounts.

The Restricted ResearchDrive Departmental Compliance program gives Campus IT groups the ability to request or manage accounts on behalf of PIs and includes flexible integration options.

  • Account Provisioning: PI self-service, PI self-service with IT group review, or bulk account import?
  • Data Classification or Restricted Data Override: Use the data classification survey to determine the account type or flag all accounts for Restricted ResearchDrive?
  • Custom Security Groups: Delegated administration of Restricted ResearchDrive Manifest groups and the ability to integrate custom Campus AD security groups
  • Dept VPN and client networks: allow network access (VPN/LAN) to client network ranges that meet endpoint requirements instead of allowing access via individual static IP addresses

Campus IT groups are encouraged to contact the ResearchDrive Team to discuss support and integration options for the departments that you support.  IT staff are welcome to sign up for a demo ResearchDrive account to test out the service by filling out the ResearchDrive account sign up form on the ResearchDrive - Getting Started page.

ResearchDrive Support Tasks

The most common support tasks associated with ResearchDrive are helping users secure endpoints, connect to the storage, transfer data, facilitate adding/removing collaborators, and restore data from snapshots. In a collaborative support model, local IT staff are added as admin contacts for a ResearchDrive account and are then able to assist researchers with the following instructions.

Endpoint Security

All endpoints connecting to Restricted ResearchDrive must be managed by a Campus IT team in alignment with the UW-526 Endpoint Management and Security Policy and the UW-527 IT Asset Reporting Policy Researchers requesting Restricted ResearchDrive accounts must:

  • Ensure that collaborator(s) are using endpoints compliant with the standards listed above and ARE NOT USING PERSONAL DEVICES to access this secure storage location.
  • End-user administrator rights are revoked on this machine.
  • Qualys Cloud Agent is installed on this asset, vulnerability and compliance scans performed, found vulnerabilities are patched, and compliance percentages are raised.
  • Anti-Virus software is installed and active on this device.
  • The host firewall is enabled.
  • The hard drive on this machine is encrypted.
  • VPN software is installed and utilized.
  • Portable media being used for this study uses encrypted devices.

Campus IT groups must complete a Cybersecurity Secure Storage Review including an Endpoint Security Checklist before researchers are eligible for Restricted ResearchDrive. Campus units who have completed the review with an accepted Risk Rating are eligible for the Departmental Compliance program that provides delegated administrative control of Restricted ResearchDrive accounts.

See How to Access OneTrust for instructions on accessing the Endpoint Security Checklist. You will be given a ResearchDrive account request reference number to include in the endpoint security checklist.

Connecting to ResearchDrive

ResearchDrive is available from anywhere on the UW-Madison campus network or off-campus through a VPN.

Transferring Data

There are multiple ways to transfer data to and from ResearchDrive.

Working with Collaborators with Restricted Data

ResearchDrive is integrated with the central campus Active Directory Services for NetID-based-authentication and security permissions and also the Roles and Access Management (Manifest) service for creating collaboration groups and providing NetIDs for UW affiliates and external collaborators.

An IT Admins Manifest group has been created for each department with researchers eligible for ResearchDrive. Manifest uw:app:restricteddrive:itadmins Folder. These IT admin groups are automatically added to a PIs ResearchDrive account at activation. IT admins can view a list of their PIs with ResearchDrive accounts in the Manifest uw:app:restricteddrive:pis Folder. Contact the ResearchDrive Team if you have any questions or need additional groups created.

Each ResearchDrive account has a Manifest - uw:app:restricteddrive:pis:[netid] folder and several default collaboration groups defined that are published to Active Directory and used to provide secure access to the storage shares.

Campus IT groups participating in the Departmental Compliance program can add or remove collaborators to Restricted ResearchDrive accounts.  Please contact the ResearchDrive Team if you need assistance adding a collaborator that is supported by another campus IT team or external to the University.

ResearchDrive Restricted Data Collaboration Groups
Role Manifest Group Active Directory Group Features Use Cases
Admins restricteddrive-[netid]-admin restricteddrive-[netid]-admin

Provides administrative control of a ResearchDrive share and manifest groups.

  • add or remove collaborators
  • change security permissions
  • Allow access the ResearchDrive as root which overrides NTFS permissions
  • restore data from backup snapshots
  • Office of Cybersecurity
  • DoIT ResearchDrive Team
  • Local IT staff
Audit restricteddrive-[netid]-audit restricteddrive-[netid]-audit

Provides full read access to a ResearchDrive manifest groups, the ability to audit security groups

  • View manifest groups by default
  • request changes to an account on behalf of the PI
  • purchase additional storage on behalf of the PI
  • Lab managers
  • Research support personnel
Lab Members restricteddrive-[netid]-lab restricteddrive-[netid]-lab

Provides full read/write access to a ResearchDrive share for lab members.

  • add, remove, or modify all data by default
  • restore data from backup snapshots
  • Lab members
  • Collaboratrs who need to add, remove, or modify data
Read Only restricteddrive-[netid]-readonly restricteddrive-[netid]-readonly

Provides limited read only access to a ResearchDrive share.

  • read only access all data by default
  • cannot add, remove, or modify any data
  • Collaborators who only need to access data but not change it
External restricteddrive-[netid]-external restricteddrive-[netid]-external

Provides a UW NetID account to external collaborators and affiliates.

  • Provides access to WiscVPN
  • Does not provide access to ResearchDrive share. Once the user has a NetID they can be added to lab members, or read only groups to provide access to the storage.
  • External collaborators or affiliates that do not have UW NetIDs

Refer to ResearchDrive - Working with Collaborators if you Have Restricted Data for more details.

Restoring ResearchDrive Data from Snapshots

Data stored on ResearchDrive is automatically backed up daily and replicated offsite for additional data protection. Snapshots are taken once a day and kept for 14 days and then weekly snapshots are kept for an additional two weeks. This allows you to recover accidentally deleted or files or folders within the past month.

Refer to ResearchDrive - Restoring Files or Folders from Snapshots for more details.

ResearchDrive Service Architecture

The ResearchDrive service uses Dell EMC Isilon scale-out NAS platform and is initially comprised of 12 PBs storage split between two clusters containing Isilon H500 and Isilon A2000 storage nodes. The ResearchDrive service is architected based on the NIST 800-53 framework and complies with the UW-Madison - IT - Restricted Data Security Management Policy. It includes data protection and security features including encryption in transit and at rest, offsite backups, ransomware detection, role based access control, and monitoring by the UW-Madison Office of Cybersecurity Operations Center (CSOC)

Restricted ResearchDrive Network Considerations

ResearchDrive is hosted on private campus networks using the DoIT managed RFC 1918 Service. It is only available from UW-Madison campus networks or VPNs and is not accessible from the public internet. ResearchDrive is connected to the UW-Madison Distributed Datacenter Network (DDN) and supports 10 Gbs network connections.

The default UW-Madison Palo Alto Firewall Service configuration limits individual SMB connections to approximately 50MB/s. Please contact DoIT Network Services via the Help Desk to discuss configuration options if you need high performance connectivity to ResearchDrive.

ResearchDrive Networks
Networks Purpose
10.130.144.0/25, 10.136.63.0/24 ResearchDrive Restricted Data Client network
10.128.56.128/25, 10.134.70.0/24, 128.104.79.64/26, 128.104.137.128/25 ResearchDrive Management network

Restricted ResearchDrive Firewall Considerations

Campus IT groups participating in the Departmental Compliance should reach out to the ResearchDrive Team to get custom firewall rules set up for your client networks.  Remote client access can be automated for IT groups using a Palo Alto Dept VPN with HIP Host-Info and Firewall Security and Manifest/AD Groups rules to only allow connections to Restricted ResearchDrive from authorized users with managed endpoints.

Campus IT groups who do not have a departmental VPN or only support a small number of researchers or collaborators using Restricted ResearchDrive can reserve static IP addresses in WiscVPN or InfoBlox.

ResearchDrive and Windows Group Policy

Starting with Windows 10 ver. 1809 Microsoft changed how drive mapping options works and how the "reconnect" option works. If you map multiple drives to an encrypted share after a reboot the drives will report as access denied error when you try to open either of the shared drive.

Workaround for Windows 10 ver. 1809 or later:

  1. Change group policy to not have the reconnect option checked
  2. Disconnect any currently connected drives on client
  3. Run gpupdate /force on client
  4. Reboot the machine
  5. The drives will be recreated on each login

ResearchDrive Security Permissions

IT admins that use Campus Active Directory Services (CADS) can create custom AD groups and/or created Manifest security groups in addition to the default security roles. Contact the ResearchDrive Team if you are interested in using custom security groups.

Campus AD Reference Documents