ResearchDrive - Admin Guide for Campus IT Staff Supporting Researchers With Restricted Data

This document is a ResearchDrive admin guide for campus IT staff who support researchers working with Restricted Data.

ResearchDrive Support Models

ResearchDrive is designed as a collaborative service with the ability to delegate many support functions to local IT staff. See ResearchDrive - Request Support for an overview of the support models. Researchers that work with Restricted Data must work through their local IT staff in order to meet the compliance requirements.

Campus IT staff are welcome to sign up for a demo ResearchDrive account to test out the service by filling out the ResearchDrive account sign up form on the ResearchDrive - Getting Started page and then contacting the ResearchDrive Team so that the account can be approved.

ResearchDrive Support Tasks

The most common support tasks associated with ResearchDrive are helping users secure endpoints, connect to the storage, transfer data, facilitate adding/removing collaborators, and restore data from snapshots. In a collaborative support model, local IT staff are added as audit contacts for a ResearchDrive account and are then able to assist researchers with the following instructions.

Endpoint Security

ResearchDrive aligns with the Secure Storage Request process and compliance requirements on the Cybersecurity Risk Management and Compliance website.

  • Any UW–⁠Madison endpoint used to access restricted data must be maintained and supported by trained IT staff to ensure they are secure and not vulnerable to malware.
  • External collaborators will need to complete an endpoint security checklist to document the security controls in place at their institution.
  • Access to restricted data from any other unauthorized endpoint is prohibited.

When a ResearchDrive account with Restricted Data is requested, the Office of Cybersecurity will follow up with the IT team(s) supporting the PI and their collaborators to ensure that the endpoints used to access the data meet the UW-Madison Endpoint Security Requirements. The IT team(s) supporting a PI and their collaborators must complete a Endpoint Security Checklist before a ResearchDrive account with Restricted Data can be provisioned.

See How to Acces OneTrust for instructions on accessing the Endpoint Security Checklist. You will be given a ResearchDrive account request reference number to include in the security checklist. OneTrust Checklist

A set of security vulnerability scans must be run and the resulting report submitted as part of the request for the creation of a ResearchDrive account configured for restricted data. ResearchDrive account requestors should consult with their departmental IT staff or designated HIPAA Security Coordinator to assist in the security scans.

Connecting to ResearchDrive

ResearchDrive is available from anywhere on the UW-Madison campus network or off-campus through a VPN.

Transferring Data

There are multiple ways to transfer data to and from ResearchDrive.

Working with Collaborators with Restricted Data

ResearchDrive is integrated with the central campus Active Directory Services for NetID-based-authentication and security permissions and also the Roles and Access Management (Manifest) service for creating collaboration groups and providing NetIDs for UW affiliates and external collaborators.

An IT Admins Manifest folder has been created for each department with researchers eligible for ResearchDrive. Manifest uw:app:restricteddrive:itadmins Folder. IT Admins can request changes to their group membership by contacting researchdrive@wisc.edu. These IT admin groups are automatically added to a PIs ResearchDrive account at activation. IT admins can view a list of their PIs with ResearchDrive accounts in the Manifest uw:app:restricteddrive:pis Folder. Contact the ResearchDrive Team if you have any questions or need additional groups created.

Each ResearchDrive account has a Manifest - uw:app:restricteddrive:pis:[netid] folder and several default collaboration groups defined that are published to Active Directory and used to provide secure access to the storage shares.

Note: you can request that individual people or existing Manifest groups be added to ResearchDrive collaboration groups. See Manifest - Manage Group Members for more details.

ResearchDrive Restricted Data Collaboration Groups
Role Manifest Group Active Directory Group Features Use Cases
Admins restricteddrive-[netid]-admin restricteddrive-[netid]-admin

Provides administrative control of a ResearchDrive account.

  • add or remove collaborators
  • change security permissions
  • Office of Cybersecurity
  • DoIT ResearchDrive Team
Audit restricteddrive-[netid]-audit restricteddrive-[netid]-audit

Provides full read/write access to a ResearchDrive account, the ability to audit security groups, and make changes to your account on your behalf.

  • add, remove, or modify all data by default
  • request changes to an account on behalf of the PI
  • purchase additional storage on behalf of the PI
  • restore data from backup snapshots
  • Lab managers
  • Research support personnel
  • Local IT staff
Lab Members restricteddrive-[netid]-lab restricteddrive-[netid]-lab

Provides full read/write access to a ResearchDrive account for lab members.

  • add, remove, or modify all data by default
  • restore data from backup snapshots
  • Lab members
  • Collaboratrs who need to add, remove, or modify data
Read Only restricteddrive-[netid]-readonly restricteddrive-[netid]-readonly

Provides limited read only access to a ResearchDrive account.

  • read only access all data by default
  • cannot add, remove, or modify any data
  • Collaborators who only need to access data but not change it
External restricteddrive-[netid]-external restricteddrive-[netid]-external

Provides a UW NetID account to external collaborators and affiliates.

  • Provides access to WiscVPN
  • Does not provide access to ResearchDrive storage. Once the user has a NetID they can be added to lab members, or read only groups to provide access to the storage.
  • External collaborators or affiliates that do not have UW NetIDs

Refer to ResearchDrive - Working with Collaborators if you Have Restricted Data for more details.

Restoring ResearchDrive Data from Snapshots

Data stored on ResearchDrive is automatically backed up daily and replicated offsite for additional data protection. Snapshots are taken once a day and kept for 14 days and then weekly snapshots are kept for an additional two weeks. This allows you to recover accidentally deleted or files or folders within the past month.

Refer to ResearchDrive - Restoring Files or Folders from Snapshots for more details.

ResearchDrive Service Architecture

The ResearchDrive service uses Dell EMC Isilon scale-out NAS platform and is initially comprised of 12 PBs storage split between two clusters containing Isilon H500 and Isilon A2000 storage nodes. The primary storage cluster is hosted in the DoIT Dayton St Data Center and the mirror site is hosted off-campus in a commercial data center. The ResearchDrive service is architected based on the NIST 800-53 framework and complies with the UW-Madison - IT - Restricted Data Security Management Policy. It includes data protection and security features including encryption in transit and at rest, offsite backups, role based access control, and monitoring by the UW-Madison Office of Cybersecurity Operations Center (CSOC)

ResearchDrive Network and Firewall Considerations

ResearchDrive is hosted on private campus networks using the DoIT managed RFC 1918 Service. It is only available from UW-Madison campus networks or VPNs and is not accessible from the public internet. ResearchDrive is connected to the UW-Madison Distributed Datacenter Network (DDN) and supports 10 Gbs network connections. Note, the default UW-Madison Palo Alto Firewall Service configuration limits individual SMB connections to approximately 50MB/s. Please contact DoIT Network Services via the Help Desk to discuss configuration options if you need high performance connectivity to ResearchDrive.

ResearchDrive Networks
Networks Purpose Firewall Requirements Restricted Data
10.130.144.0/25, 10.136.63.0/24 ResearchDrive Restricted Data Client network SMBv3: 445/TCP Yes
10.128.56.128/25, 10.134.70.0/24, 128.104.79.64/26, 128.104.137.128/25 ResearchDrive Management network DNS: 53/TCP/UDP, kerberos 88/TCP/UDP, ldap: 389/TCP/UDP and 636/TCP, SMBv3: 445/TCP/UDP N/A

ResearchDrive and Windows Group Policy

Starting with Windows 10 ver. 1809 Microsoft changed how drive mapping options works and how the "reconnect" option works. If you map multiple drives to an encrypted share after a reboot the drives will report as access denied error when you try to open either of the shared drive.

Workaround for Windows 10 ver. 1809 or later:

  1. Change group policy to not have the reconnect option selected
  2. Cisconnect any currently connected drives on client
  3. Run gpupdate /force on client
  4. Reboot the machine
  5. The drives will be recreated on each login

ResearchDrive Security Permissions

IT admins that use Campus Active Directory Services (CADS) can create custom AD and/or Manifest security groups in addition to the default security roles. Contact the ResearchDrive Team if you are interested in using custom security groups.

Campus AD Reference Documents




Keywords:research drive admin administrator ad cads active directory network firewall manifest security permission group ntfs file system isilon doit hipaa cui nist encryption   Doc ID:102917
Owner:Michael L.Group:UW-Madison Research Data
Created:2020-06-09 15:16 CDTUpdated:2021-07-19 09:09 CDT
Sites:UW-Madison Research Data
Feedback:  0   0