IBM Connect 2014 SPOT114: No Compromise on Compliance: Streamline Administration, Save Time and Money

Olaf Boerner, BCC

© 2014 IBM Corporation

Agenda

Introduction

Requirements for today's IBM Domino® infrastructure

How to streamline Administration

How to ensure Compliance

Question Time

About us

BCC, an IBM Business Partner since 1996

Solution provider for secure and cost-efficient management of IBM Collaboration Infrastructure

Develops software products, provides consulting and implementation services

800 companies with more than 3 million users trust BCC solutions

About me

Administrator / Developer since 1994

Founded BCC in 1996

Working as senior architect with large enterprise customers

–reducing Total Cost of Ownership of IBM Notes and Domino®

–securing and optimizing Domino infrastructures

IBM Champion

Twitter: @OlafBoerner

Current situation for Domino infrastructures

The delivery model or platform is under question

The cost pressure in IT has grown enormously

Compliance is a major issue

Hands-on admin skills are required

The cost pressure in IT has grown enormously

Demands on IT are growing, and assuring safe operation of powerful and efficient systems is its prime goal

More than 80% of IT companies are under enormous and increasing cost pressure

Compliance Requirements

Sarbanes-Oxley (SOX) - related to investments and securities

FINRA - related to investments and financial advisors

HIPAA - related to the protection and privacy of health information

–Any company that deals with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed.

The cost of not being compliant

Brand Damage

Non-Compliance Fines

Litigation Expenses

Examples

$1.45 billion judgment against Morgan Stanley for being unable to produce reliable emails in the course of fraud litigation

$2.5 million fine against Merrill Lynch for failing to promptly produce emails over a period of 17 months

Objectives for today's social business infrastructure

Streamline / TCO

Security / Compliance

How to handle these conflicts of objectives ?

How can you ensure compliance,

Enhance security and

Reduce total cost of ownership?

QUESTIONS:

–Are compliance and security really expensive ?

–Is there a trade-off ?

Let’s discuss this using a current example: NSA and Snowden

NSA Security ...

Why did they have a Security Leak ?

–“The scariest threat is the systems administrator,”

–“The system administrator has godlike access to systems they manage.”

• Eric Chiu, Hytrust, Security Advisor

http://www.nytimes.com/2013/06/24/technology/nsa-leak-puts-focus-on-system-administrators.html?_r=0

Lessons learned: How will NSA increase security ?

Additional monitoring systems

“a two-man rule” that would limit the ability of each of its 1,000 root system admins to gain unfettered access to the entire system

Two-man rule is easy to implement !!!

Automation

Why Automation increases security

NSA to Axe 90 Percent of System Administrators, Adopt Automation Instead

– “What we’re in the process of doing – not fast enough – is reducing our system administrators by about 90 percent,” Keith Alexander, NSA

– “doing things that machines are probably better at doing.”

1000 * 90% = 900 of its root system admins

http://www.washingtonpost.com/blogs/federal-eye/wp/2013/08/13/nsa-to-cut-90-percent-of-systems-administrators/

http://www.dailytech.com/NSA+to+Axe+90+Percent+of+System+Administrators+Adopt+Automation+Instead/article33145.htm

Summary: Why Automation increases security

“doing things that machines are probably better at doing.” (Keith Alexander)

decrease required access rights

provide system log trails

TCO reduction is included for free! (currently) not important for NSA ;-)

Automation is key !

Automation

Compliance

Security

Reduce TCO

That’s the reason for BCC’s mission statement

Case Study - Global bank

Reduce Cost by 50%

Ensure new compliance req.

Project

Initial Situation: Domino Administration

Using “internal” Tools

Domino Administrator Client

High access rights required

Highly skilled administrators required

Lot of development efforts

Manual monitoring

Frequency of human errors can be high

Compliance issue

Case Study - Global Bank

Simplified System Administration

– Standardized technical procedures

– Leveraging latest Domino TCO Improvements

Automation with Web-based Self-Service Application

– User and group management

– Team rooms

– Mail-In databases

Enhanced Compliance and Security Check

– Server Based Compliance check and Audit Trail

– Additional security layer beyond ACL with 3rd party tool

Result:

– Reduction of management costs by 50%

– Return on Investment in 8 Months

How did we achieve this?

Streamline Administration

• Organize (Helpdesk, Self-Service)

• Standardize (technical procedures & infrastructure)

• Automate with BCC AdminSuite

Ensure compliance

• Define security settings

• Ensure with additional security product DominoProtect

Three Steps to streamline Administration

1. Organize

• Delegate the tasks to Helpdesk, HR …

• Provide Self-Service Request

2. Standardize

• Convert admin tasks to an IT Process

• A detailed checklist for every task

• “simple” standard system environment running the most current IBM Domino release

3. Automate

• Processing checklists by rules, profiles and backend server tasks

• Ensuring Compliance by having a central log database to automatically record all actions

• Reduce access rights!

Streamlined IT Process examples

Standardized IT Process ‘New Employee’

Request Workflow (optional)

User gets links, necessary applications on the Workspace / Bookmarks

Basic settings are stored in ID, Address Book, Workspace

Data directory of the user created

Password calculated and distributed via Mail / print or fax / SMS

Mail file replica including cluster created

Group entries corresponding to the user are set in the profile

Creation of Person document in Domino Directory

Expected rule based UserID

Create Billing entry in billing database

Send confirmation mail to requestor

Send information mail to business owner

Create Reporting entry

Send welcome mail to new user

Live demo

Standardized IT Process ‘New Application’

User gets links to necessary applications on the Workspace / Bookmarks

ACL group(s) are created in the Domino Directory with all entries

Mobile users get local replica automatically

ACL group(s) are created in the ACL of the database, corresponding to the registered rights

NSF file is based on the specifications of template creation

Email is sent to requestor on success, and errors are reported to the Admin

Request Workflow (optional)

What makes AdminSuite so valuable for your organization?

Delegate to Helpdesk or Self-Service

Ensure proper execution

Reduce Access Rights

Accelerate request & no manual effort

Ensure Compliance with additional security product DominoProtect

How did we achieve this?

Streamline Administration

• Organize (Helpdesk, Self Service)

• Standardize (technical procedures)

• Automate with BCC AdminSuite

Ensure compliance

• Define security settings

• Automate with additional security product BCC DominoProtect

Define security settings: Three key elements to IBM Domino Server Security

Document Access & Change

Database Access

Server ID

What does DominoProtect do ?

Provide an additional security layer

• beyond ACL and document access rights

• Manager, Designer or Editors are not allowed to perform changes

Add security at document field level

• Provide different security settings for single fields in a document

• Manager, Designer or Editors are not allowed to change defined fields

Detailed monitoring and tracking in real time

• Track access

• Track modifications at field level

• Old entry

• new entry

Prevent changes in real time

• Control Domino access rights -> even Manager cannot change

• Track blocked changes

What does DominoProtect do technically?

Protect Server ID with passwords

• Assign random password to server ID

• Provide password at startup

• Automatic restart possible

Protect ACL

• Prevent ACL Change

• Track ACL Changes

Protect Notes document beyond ACL settings

• Track access to document

• Track modification

• Prevent opening, modification or deletion

• Check and control field level changes

How do we achieve this: Security Settings Examples

Secure your ID Vault Server with DominoProtect

Secure your ID Vault Server - Step 1: Password-protected server ID file

Why secure your server ID ? Protect ID Vault !

IBM Recommendation: Securing the server ID file

–‘We understand that most Domino servers are not password-protected to make unattended reboots simpler, but the vault server's ID file is a key element in the security of your ID vault.’

–‘..a sophisticated attacker with a vault database and one of the corresponding server IDs ... would have all of the cryptographic information needed to masquerade as the vault server and decrypt all of the ID files stored in the vault’.

http://www-10.lotus.com/ldd/dominowiki.nsf/dx/securing-your-notes-id-vault-server

Secure your ID Vault Server - Step 2: Secure your ID Vault ACL

Everyone with the Auditor role and an Admin client is able to download ID files from the ID Vault

How to Change ACL

• Full Access Admins might be able to do this

• Server based script agents

Preventing unwanted changes in the ID Vault ACL is mandatory

Secure your ID Vault Server - Step 3: Protect Configuration in Domino Directory

Main Goal: Reduce Access Rights to ID Vault Database and ensure these settings

Server Document:

– Protect Field: Full access administrators

– Protect optional Fields: “Programmability Restrictions”

– DominoProtect will

• Block every change in these defined fields.

• All other fields can be changed

Protect ACL Groups providing Access to ID Vault :

– Prevent Modification of all ACL Groups related to ID Vault

– DominoProtect will

• Block every change in these defined Group Documents

• All other groups can be changed

Secure your ID Vault Server - Step 4: Control security log entries in log.nsf

Main Goal: Reduce Access Rights to log.nsf and prevent deletion or modification of Security Event log entries

Log.nsf

–ACL: Protect Changes in log.nsf

–Log “Security Events”

• Protect Changes in Documents “Security Events”

• Optional: Restrict access to “Security Events”

Domino Directory

–Protect ACL Groups providing Access to log.nsf

–Protect Full Access Admin Field
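
The field-level rules from Steps 3 and 4 (block changes to defined fields and documents, allow all others, record old and new values, track blocked attempts), as an added Python sketch that is not DominoProtect code or any BCC or IBM API. The policy table, document kinds, field labels, user names, and the choice to keep the old value of a blocked field while applying the rest of a save are assumptions.

```python
from datetime import datetime, timezone

# Constructed policy: document kind -> protected field labels. The labels are
# the ones used on the slides, not real Domino item names. "*" locks the
# whole document.
POLICY = {
    "Server": {"Full access administrators", "Programmability Restrictions"},
    "Group/IDVault-Access": {"*"},
    "Log/Security Events": {"*"},
}

AUDIT_LOG = []  # stand-in for a central log database


def _log(kind, editor, acl_level, field, old, new, denied):
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "kind": kind, "editor": editor, "acl_level": acl_level,
        "field": field, "old": old, "new": new,
        "action": "BLOCKED" if denied else "CHANGED",
    })


def guard_save(kind, editor, acl_level, old, new):
    """Apply a save, or a deletion when new is None, under POLICY.

    Returns (resulting_document, blocked_fields). acl_level is logged but
    never consulted: the guard sits beyond the ACL, so a Manager is blocked
    like anyone else.
    """
    protected = POLICY.get(kind, set())
    if new is None:
        # Assumption: deleting a document that carries any protection is refused.
        denied = bool(protected)
        _log(kind, editor, acl_level, "<document>", "exists", "deleted", denied)
        return (dict(old), ["<document>"]) if denied else (None, [])
    result, blocked = dict(old), []
    for name in sorted(set(old) | set(new)):
        if old.get(name) == new.get(name):
            continue  # untouched field
        denied = "*" in protected or name in protected
        _log(kind, editor, acl_level, name, old.get(name), new.get(name), denied)
        if denied:
            blocked.append(name)      # keep the old value
        elif name in new:
            result[name] = new[name]
        else:
            del result[name]          # unprotected field removed
    return result, blocked


if __name__ == "__main__":
    # Constructed sample documents.
    server = {"Full access administrators": "VaultAdmins", "Server title": "Vault 01"}
    edit = {"Full access administrators": "VaultAdmins, Admin A",
            "Server title": "ID Vault 01"}
    doc, blocked = guard_save("Server", "Admin A", "Manager", server, edit)
    print(doc, blocked)
    print(guard_save("Log/Security Events", "Admin A", "Manager",
                     {"Event": "ACL changed"}, None)[1])
    for entry in AUDIT_LOG:
        print(entry["action"], entry["field"], entry["old"], "->", entry["new"])
```
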

Live demo

What makes DominoProtect so valuable for your organization ?

Real-time on server level

Different access at field level

No template modification

Benefits for end users/employees

Personal increase in productivity by faster service

Better service quality through fewer mistakes

Self-service possibility: ‘I can help myself’

Benefits for Admin/IT department

Simplification in administration

Concentration on mission-critical projects and strategic measures

Reduction in the variety of tools and scripts

No requirement of customized training

Benefits for administrators

Prevents unauthorized modification of server configuration

Enhances process reliability through request-based change management with approval cycles

Provides full control and automated documentation of all configuration changes

Recovery function for configuration documents in case of mistakes or configuration errors

Alerts in case of defined protection violation

Benefits for Management

Cost-efficient

–Reduces the Notes infrastructure administration cost by 70%

–Service transparency

Minimizes risks

–Ensure compliance

–Reliable information about unauthorized access or modification attempts

Increases the employee productivity

Acknowledgements and Disclaimers

© Copyright IBM Corporation 2014. All rights reserved.

U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

IBM, the IBM logo, ibm.com, IBM Lotus and IBM Notes and Domino are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml

All BCC product names are registered trademarks of BCC.

Other company, product, or service names may be trademarks or service marks of others.

Availability. References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates.

The workshops, sessions and materials have been prepared by IBM or the session speakers and reflect their own views. They are provided for informational purposes only, and are neither intended to, nor shall have the effect of being, legal or other guidance or advice to any participant. While efforts were made to verify the completeness and accuracy of the information contained in this presentation, it is provided AS-IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this presentation or any other materials. Nothing contained in this presentation is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.

All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.