ResearchDrive - Admin Guide for Campus IT Staff Supporting Researchers With Restricted Data
This document is a ResearchDrive admin guide for campus IT staff who support researchers working with Restricted Data.
- Restricted ResearchDrive Support Model and Departmental Compliance
- Restricted ResearchDrive Support Tasks
- Restricted ResearchDrive Service Architecture
- Restricted ResearchDrive Network Considerations
- Restricted ResearchDrive Firewall Considerations
- Restricted ResearchDrive and Windows Group Policy
- Restrcited ResearchDrive Security Permissions
Restricted ResearchDrive Support Model and Departmental Compliance
Restricted ResearchDrive secures Restricted Data in partnership with campus IT through a shared responsibility model. All endpoints connecting to Restricted ResearchDrive must be managed by campus IT in compliance with the UW-526 Endpoint Management and Security Policy and the UW-527 IT Asset Reporting Policy Personally owned devices are not allowed to access Restricted ResearchDrive.
Campus IT groups must complete an initial Secure Storage Risk Management and Compliance Review including an Endpoint Security Checklist before researchers are eligible for Restricted ResearchDrive. Campus units who have completed the review with an accepted Risk Rating are eligible for the Departmental Compliance program that provides delegated administrative control of Restricted ResearchDrive accounts.
The Restricted ResearchDrive Departmental Compliance program gives Campus IT groups the ability to request or manage accounts on behalf of PIs and includes flexible integration options.
- Account Provisioning: PI self-service, PI self-service with IT group review, or bulk account import?
- Data Classification or Restricted Data Override: Use the data classification survey to determine the account type or flag all accounts for Restricted ResearchDrive?
- Custom Security Groups: Delegated administration of Restricted ResearchDrive Manifest groups and the ability to integrate custom Campus AD security groups
- Dept VPN and client networks: allow network access (VPN/LAN) to client network ranges that meet endpoint requirements instead of allowing access via individual static IP addresses
Campus IT groups are encouraged to contact the ResearchDrive Team to discuss support and integration options for the departments that you support. IT staff are welcome to sign up for a demo ResearchDrive account to test out the service by filling out the ResearchDrive account sign up form on the ResearchDrive - Getting Started page.
ResearchDrive Support Tasks
The most common support tasks associated with ResearchDrive are helping users secure endpoints, connect to the storage, transfer data, facilitate adding/removing collaborators, and restore data from snapshots. In a collaborative support model, local IT staff are added as admin contacts for a ResearchDrive account and are then able to assist researchers with the following instructions.
Endpoint Security
All endpoints connecting to Restricted ResearchDrive must be managed by a Campus IT team in alignment with the UW-526 Endpoint Management and Security Policy and the UW-527 IT Asset Reporting Policy Researchers requesting Restricted ResearchDrive accounts must:
- Ensure that collaborator(s) are using endpoints compliant with the standards listed above and ARE NOT USING PERSONAL DEVICES to access this secure storage location.
- End-user administrator rights are revoked on this machine.
- Qualys Cloud Agent is installed on this asset, vulnerability and compliance scans performed, found vulnerabilities are patched, and compliance percentages are raised.
- Anti-Virus software is installed and active on this device.
- The host firewall is enabled.
- The hard drive on this machine is encrypted.
- VPN software is installed and utilized.
- Portable media being used for this study uses encrypted devices.
Campus IT groups must complete a Cybersecurity Secure Storage Review including an Endpoint Security Checklist before researchers are eligible for Restricted ResearchDrive. Campus units who have completed the review with an accepted Risk Rating are eligible for the Departmental Compliance program that provides delegated administrative control of Restricted ResearchDrive accounts.
See How to Access OneTrust for instructions on accessing the Endpoint Security Checklist. You will be given a ResearchDrive account request reference number to include in the endpoint security checklist.
Connecting to ResearchDrive
ResearchDrive is available from anywhere on the UW-Madison campus network or off-campus through a VPN.
- ResearchDrive - Connecting from an Apple Computer
- ResearchDrive - Connecting from a Linux Computer
- ResearchDrive - Connecting from a Windows Computer
Transferring Data
There are multiple ways to transfer data to and from ResearchDrive.
- ResearchDrive - Transferring Data with an Apple Computer
- ResearchDrive - Transferring Data with a Linux Computer
- ResearchDrive - Transferring Data with a Windows Computer
Working with Collaborators with Restricted Data
ResearchDrive is integrated with the central campus Active Directory Services for NetID-based-authentication and security permissions and also the Roles and Access Management (Manifest) service for creating collaboration groups and providing NetIDs for UW affiliates and external collaborators.
An IT Admins Manifest group has been created for each department with researchers eligible for ResearchDrive. Manifest uw:app:restricteddrive:itadmins Folder. These IT admin groups are automatically added to a PIs ResearchDrive account at activation. IT admins can view a list of their PIs with ResearchDrive accounts in the Manifest uw:app:restricteddrive:pis Folder. Contact the ResearchDrive Team if you have any questions or need additional groups created.
Each ResearchDrive account has a Manifest - uw:app:restricteddrive:pis:[netid] folder and several default collaboration groups defined that are published to Active Directory and used to provide secure access to the storage shares.
Campus IT groups participating in the Departmental Compliance program can add or remove collaborators to Restricted ResearchDrive accounts. Please contact the ResearchDrive Team if you need assistance adding a collaborator that is supported by another campus IT team or external to the University.
| Role | Manifest Group | Active Directory Group | Features | Use Cases |
|---|---|---|---|---|
| Admins | restricteddrive-[netid]-admin | restricteddrive-[netid]-admin |
Provides administrative control of a ResearchDrive share and manifest groups.
|
|
| Audit | restricteddrive-[netid]-audit | restricteddrive-[netid]-audit |
Provides full read access to a ResearchDrive manifest groups, the ability to audit security groups
|
|
| Lab Members | restricteddrive-[netid]-lab | restricteddrive-[netid]-lab |
Provides full read/write access to a ResearchDrive share for lab members.
|
|
| Read Only | restricteddrive-[netid]-readonly | restricteddrive-[netid]-readonly |
Provides limited read only access to a ResearchDrive share.
|
|
| External | restricteddrive-[netid]-external | restricteddrive-[netid]-external |
Provides a UW NetID account to external collaborators and affiliates.
|
|
Refer to ResearchDrive - Working with Collaborators if you Have Restricted Data for more details.
Restoring ResearchDrive Data from Snapshots
Data stored on ResearchDrive is automatically backed up daily and replicated offsite for additional data protection. Snapshots are taken once a day and kept for 14 days and then weekly snapshots are kept for an additional two weeks. This allows you to recover accidentally deleted or files or folders within the past month.
Refer to ResearchDrive - Restoring Files or Folders from Snapshots for more details.
ResearchDrive Service Architecture
The ResearchDrive service uses Dell EMC Isilon scale-out NAS platform and is initially comprised of 12 PBs storage split between two clusters containing Isilon H500 and Isilon A2000 storage nodes. The ResearchDrive service is architected based on the NIST 800-53 framework and complies with the UW-Madison - IT - Restricted Data Security Management Policy. It includes data protection and security features including encryption in transit and at rest, offsite backups, ransomware detection, role based access control, and monitoring by the UW-Madison Office of Cybersecurity Operations Center (CSOC)
Restricted ResearchDrive Network Considerations
ResearchDrive is hosted on private campus networks using the DoIT managed RFC 1918 Service. It is only available from UW-Madison campus networks or VPNs and is not accessible from the public internet. ResearchDrive is connected to the UW-Madison Distributed Datacenter Network (DDN) and supports 10 Gbs network connections.
The default UW-Madison Palo Alto Firewall Service configuration limits individual SMB connections to approximately 50MB/s. Please contact DoIT Network Services via the Help Desk to discuss configuration options if you need high performance connectivity to ResearchDrive.
| Networks | Purpose |
|---|---|
| 10.130.144.0/25, 10.136.63.0/24 | ResearchDrive Restricted Data Client network |
| 10.128.56.128/25, 10.134.70.0/24, 128.104.79.64/26, 128.104.137.128/25 | ResearchDrive Management network |
Restricted ResearchDrive Firewall Considerations
Campus IT groups participating in the Departmental Compliance should reach out to the ResearchDrive Team to get custom firewall rules set up for your client networks. Remote client access can be automated for IT groups using a Palo Alto Dept VPN with HIP Host-Info and Firewall Security and Manifest/AD Groups rules to only allow connections to Restricted ResearchDrive from authorized users with managed endpoints.
Campus IT groups who do not have a departmental VPN or only support a small number of researchers or collaborators using Restricted ResearchDrive can reserve static IP addresses in WiscVPN or InfoBlox.
ResearchDrive and Windows Group Policy
Starting with Windows 10 ver. 1809 Microsoft changed how drive mapping options works and how the "reconnect" option works. If you map multiple drives to an encrypted share after a reboot the drives will report as access denied error when you try to open either of the shared drive.
Workaround for Windows 10 ver. 1809 or later:
- Change group policy to not have the reconnect option checked
- Disconnect any currently connected drives on client
- Run gpupdate /force on client
- Reboot the machine
- The drives will be recreated on each login
ResearchDrive Security Permissions
IT admins that use Campus Active Directory Services (CADS) can create custom AD groups and/or created Manifest security groups in addition to the default security roles. Contact the ResearchDrive Team if you are interested in using custom security groups.
Campus AD Reference Documents
- Campus Active Directory - Requesting an Oranizational Unit (OU)
- Campus Active Directory - Requesting an Organizational Unit (OU) Administrator
- Campus Active Directory - Firewall and Network Information
- Campus Active Directory - Naming Convention
- Campus Active Directory - Join Windows Computer to Active Directory
- Campus Active Directory - Joining Mac OS X 10.7 or later to Campus Active Directory
- Campus Active Directory - Linux Authentication
- Campus Active Directory - Security Group Management Recommendation
- Campus Active Directory - Forest Trusts
- Campus Active Directory - Forest Trust Technical Requirements
- SharedDrive - File Permissions and Security Groups