This document is a ResearchDrive admin guide for campus IT staff who support researchers working with Restricted Data.
Restricted ResearchDrive secures Restricted Data in partnership with campus IT through a shared responsibility model. All endpoints connecting to Restricted ResearchDrive must be managed by campus IT in compliance with the UW-526 Endpoint Management and Security Policy and the UW-527 IT Asset Reporting Policy. Personally owned devices are not allowed to access Restricted ResearchDrive.
Campus IT groups must complete an initial Secure Storage Risk Management and Compliance Review including an Endpoint Security Checklist before researchers are eligible for Restricted ResearchDrive. Campus units who have completed the review with an accepted Risk Rating are eligible for the Departmental Compliance program that provides delegated administrative control of Restricted ResearchDrive accounts.
The Restricted ResearchDrive Departmental Compliance program gives Campus IT groups the ability to request or manage accounts on behalf of PIs and includes flexible integration options.
Campus IT groups are encouraged to contact the ResearchDrive Team to discuss support and integration options for the departments that you support. IT staff are welcome to sign up for a demo ResearchDrive account to test out the service by filling out the ResearchDrive account sign up form on the ResearchDrive - Getting Started page.
The most common support tasks associated with ResearchDrive are helping users secure endpoints, connect to the storage, transfer data, facilitate adding/removing collaborators, and restore data from snapshots. In a collaborative support model, local IT staff are added as admin contacts for a ResearchDrive account and are then able to assist researchers with the following instructions.
All endpoints connecting to Restricted ResearchDrive must be managed by a Campus IT team in alignment with the UW-526 Endpoint Management and Security Policy and the UW-527 IT Asset Reporting Policy. Researchers requesting Restricted ResearchDrive accounts must:
Campus IT groups must complete a Cybersecurity Secure Storage Review including an Endpoint Security Checklist before researchers are eligible for Restricted ResearchDrive. Campus units who have completed the review with an accepted Risk Rating are eligible for the Departmental Compliance program that provides delegated administrative control of Restricted ResearchDrive accounts.
See How to Access OneTrust for instructions on accessing the Endpoint Security Checklist. You will be given a ResearchDrive account request reference number to include in the endpoint security checklist.
ResearchDrive is available from anywhere on the UW-Madison campus network or off-campus through a VPN.
There are multiple ways to transfer data to and from ResearchDrive.
ResearchDrive is integrated with the central campus Active Directory Services for NetID-based-authentication and security permissions and also the Roles and Access Management (Manifest) service for creating collaboration groups and providing NetIDs for UW affiliates and external collaborators.
An IT Admins Manifest group has been created in the Manifest uw:app:restricteddrive:itadmins folder for each department with researchers eligible for ResearchDrive. These IT admin groups are automatically added to a PI's ResearchDrive account at activation. IT admins can view a list of their PIs with ResearchDrive accounts in the Manifest uw:app:restricteddrive:pis folder. Contact the ResearchDrive Team if you have any questions or need additional groups created.
Each ResearchDrive account has a Manifest - uw:app:restricteddrive:pis:[netid] folder and several default collaboration groups defined that are published to Active Directory and used to provide secure access to the storage shares.
Campus IT groups participating in the Departmental Compliance program can add or remove collaborators to Restricted ResearchDrive accounts. Please contact the ResearchDrive Team if you need assistance adding a collaborator that is supported by another campus IT team or external to the University.
Role | Manifest Group | Active Directory Group | Features | Use Cases |
---|---|---|---|---|
Admins | restricteddrive-[netid]-admin | restricteddrive-[netid]-admin | Provides administrative control of a ResearchDrive share and its Manifest groups. | |
Audit | restricteddrive-[netid]-audit | restricteddrive-[netid]-audit | Provides full read access to a ResearchDrive account's Manifest groups and the ability to audit security groups. | |
Lab Members | restricteddrive-[netid]-lab | restricteddrive-[netid]-lab | Provides full read/write access to a ResearchDrive share for lab members. | |
Read Only | restricteddrive-[netid]-readonly | restricteddrive-[netid]-readonly | Provides limited read-only access to a ResearchDrive share. | |
External | restricteddrive-[netid]-external | restricteddrive-[netid]-external | Provides a UW NetID account to external collaborators and affiliates. | |
Refer to ResearchDrive - Working with Collaborators if you Have Restricted Data for more details.
Data stored on ResearchDrive is automatically backed up daily and replicated offsite for additional data protection. Snapshots are taken once a day and kept for 14 days, and weekly snapshots are then kept for an additional two weeks. This allows you to recover accidentally deleted files or folders from within the past month.
Refer to ResearchDrive - Restoring Files or Folders from Snapshots for more details.
The ResearchDrive service uses the Dell EMC Isilon scale-out NAS platform and initially comprises 12 PB of storage split between two clusters containing Isilon H500 and Isilon A2000 storage nodes. The ResearchDrive service is architected based on the NIST 800-53 framework and complies with the UW-Madison - IT - Restricted Data Security Management Policy. It includes data protection and security features such as encryption in transit and at rest, offsite backups, ransomware detection, role-based access control, and monitoring by the UW-Madison Office of Cybersecurity Operations Center (CSOC).
ResearchDrive is hosted on private campus networks using the DoIT-managed RFC 1918 Service. It is only available from UW-Madison campus networks or VPNs and is not accessible from the public internet. ResearchDrive is connected to the UW-Madison Distributed Datacenter Network (DDN) and supports 10 Gb/s network connections.
The default UW-Madison Palo Alto Firewall Service configuration limits individual SMB connections to approximately 50MB/s. Please contact DoIT Network Services via the Help Desk to discuss configuration options if you need high performance connectivity to ResearchDrive.
Networks | Purpose |
---|---|
10.130.144.0/25, 10.136.63.0/24 | ResearchDrive Restricted Data Client network |
10.128.56.128/25, 10.134.70.0/24, 128.104.79.64/26, 128.104.137.128/25 | ResearchDrive Management network |
Campus IT groups participating in the Departmental Compliance program should reach out to the ResearchDrive Team to get custom firewall rules set up for your client networks. Remote client access can be automated for IT groups using a Palo Alto Dept VPN with HIP Host-Info and Firewall Security rules and Manifest/AD group rules, so that only authorized users on managed endpoints can connect to Restricted ResearchDrive.
Campus IT groups who do not have a departmental VPN or only support a small number of researchers or collaborators using Restricted ResearchDrive can reserve static IP addresses in WiscVPN or InfoBlox.
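The firewall rules described above only admit connections to the ResearchDrive client network from a department's registered endpoint ranges. The following added example (not part of this guide or the ResearchDrive service) shows how an IT admin could review firewall log lines against that expectation; the department range 10.140.8.0/24, the log format and the sample lines are constructed assumptions, while the ResearchDrive networks are the ones in the table above.

```python
import ipaddress
import re

# ResearchDrive networks as listed in this guide's network table.
RD_CLIENT_NETS = [ipaddress.ip_network(n) for n in ("10.130.144.0/25", "10.136.63.0/24")]
RD_MGMT_NETS = [ipaddress.ip_network(n) for n in
                ("10.128.56.128/25", "10.134.70.0/24", "128.104.79.64/26", "128.104.137.128/25")]

# Assumption: the ranges a department registered with the ResearchDrive Team
# for its managed endpoints (constructed example value, not a real allocation).
DEPT_MANAGED_NETS = [ipaddress.ip_network("10.140.8.0/24")]

SMB_PORT = 445  # ResearchDrive is accessed over SMB
LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

def in_any(addr, nets):
    return any(addr in n for n in nets)

def classify(src, dst, dport):
    """Classify one connection against the expected ResearchDrive access pattern."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not in_any(dst, RD_CLIENT_NETS + RD_MGMT_NETS):
        return "ignore"                       # not ResearchDrive traffic at all
    if in_any(dst, RD_MGMT_NETS):
        return "flag:management-network"      # endpoints should only reach the client network
    if dport != SMB_PORT:
        return "flag:unexpected-port"         # something other than SMB to the client network
    if not in_any(src, DEPT_MANAGED_NETS):
        return "flag:unregistered-source"     # source outside the department's managed ranges
    return "allow"

def review_log(lines):
    """Parse constructed firewall log lines and return the flagged connections."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        verdict = classify(m["src"], m["dst"], int(m["dport"]))
        if verdict.startswith("flag:"):
            findings.append((m["src"], m["dst"], verdict))
    return findings

# Constructed sample log lines for demonstration only.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z src=10.140.8.17 dst=10.130.144.20 dport=445 action=allow",
    "2024-05-01T10:00:05Z src=10.140.9.4 dst=10.130.144.20 dport=445 action=allow",
    "2024-05-01T10:00:09Z src=10.140.8.17 dst=10.128.56.130 dport=22 action=allow",
    "2024-05-01T10:00:12Z src=10.140.8.17 dst=10.136.63.7 dport=139 action=allow",
    "2024-05-01T10:00:15Z src=10.140.8.17 dst=198.51.100.10 dport=53 action=allow",
]

if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(*finding)
```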
Starting with Windows 10 ver. 1809, Microsoft changed how drive mapping options work and how the "reconnect" option works. If you map multiple drives to an encrypted share, then after a reboot the drives will report an access denied error when you try to open either of the shared drives.
Workaround for Windows 10 ver. 1809 or later:
IT admins that use Campus Active Directory Services (CADS) can create custom AD groups and/or Manifest security groups in addition to the default security roles. Contact the ResearchDrive Team if you are interested in using custom security groups.
Campus AD Reference Documents