© 2014 IBM Corporation
SPOT114 : No Compromise on Compliance: Streamline Administration, Save Time and Money
Olaf Boerner, BCC
Agenda
Introduction
Requirements for today's IBM Domino® infrastructure
How to streamline Administration
How to ensure Compliance
Question Time
About us
BCC, an IBM Business Partner since 1996
Solution provider for secure and cost-efficient management of IBM Collaboration Infrastructure
Develops software products, provides consulting and implementation services
800 companies with more than 3 million users trust BCC solutions
About me
Administrator / Developer since 1994
Founded BCC in 1996
Working as senior architect with large enterprise customers
– reducing Total Cost of Ownership of IBM Notes and Domino®
– securing and optimizing Domino infrastructures
IBM Champion
Twitter: @OlafBoerner
Current situation for Domino infrastructures
The delivery model or platform is under question
The cost pressure in IT has grown enormously
Compliance is a major issue
Hands-on admin skills are required
The cost pressure in IT has grown enormously
The demands on IT are growing, and assuring the safe operation of powerful and efficient systems is its prime goal
More than 80% of IT companies are under enormous and increasing cost pressure
Compliance Requirements
Sarbanes Oxley (SOX) - related to investments and securities
FINRA - related to investments and financial advisors
HIPAA - related to the protection and privacy of health information
– Any company that deals with protected health information (PHI) must ensure that all the required
  • physical,
  • network, and
  • process security measures
  are in place and followed.
The cost of not being compliant
Brand Damage
Non-Compliance Fines
Litigation Expenses
Examples
$1.45 billion judgment against Morgan Stanley for being unable to produce reliable emails in the course of fraud litigation
$2.5 million fine against Merrill Lynch for failing to promptly produce emails over a period of 17 months
Objectives for today's social business infrastructure
Streamline / TCO
Security / Compliance
How to handle these conflicts of objectives?
How can you ensure compliance, enhance security and reduce total cost of ownership?
QUESTIONS:
– Are compliance and security really expensive?
– Is there a trade-off?
Let's discuss this using a current example: NSA and Snowden
NSA Security ...
Why did they have a security leak?
– "The scariest threat is the systems administrator."
– "The system administrator has godlike access to systems they manage."
  • Eric Chiu, HyTrust, Security Advisor
http://www.nytimes.com/2013/06/24/technology/nsa-leak-puts-focus-on-system-administrators.html?_r=0
Lessons learned: How will NSA increase security?
Additional monitoring systems
"a two-man rule" that would limit the ability of each of its 1,000 root system admins to gain unfettered access to the entire system
Two-man rule is easy to implement!!!
Automation
Why Automation increases security
NSA to Axe 90 Percent of System Administrators, Adopt Automation Instead
– "What we're in the process of doing – not fast enough – is reducing our system administrators by about 90 percent," Keith Alexander, NSA
– "doing things that machines are probably better at doing."
1000 * 90% = 900 of its root system admins
http://www.washingtonpost.com/blogs/federal-eye/wp/2013/08/13/nsa-to-cut-90-percent-of-systems-administrators/
http://www.dailytech.com/NSA+to+Axe+90+Percent+of+System+Administrators+Adopt+Automation+Instead/article33145.htm
Summary: Why Automation increases security
"doing things that machines are probably better at doing." (Keith Alexander)
decrease required access rights
provide system log trails
TCO reduction is included for free! (Currently not important for NSA ;-)
Automation is key!
Automation
Compliance
Security
Reduce TCO
That’s the reason for BCC’s mission statement
Case Study - Global bank
Project:
– Reduce cost by 50%
– Ensure new compliance requirements
Initial Situation: Domino Administration
Using "internal" tools
Domino Administrator Client
High access rights required
Highly skilled administrators required
Lot of development effort
Manual monitoring
Frequency of human errors can be high
Compliance issue
Case Study – Global Bank
Simplified System Administration
– Standardized technical procedures
– Leveraging latest Domino TCO Improvements
Automation with Web-based Self-Service Application
– User and group management
– Team rooms
– Mail-In databases
Enhanced Compliance and Security Check
– Server-based compliance check and audit trail
– Additional security layer beyond ACL with 3rd party tool
Result:
– Reduction of management costs by 50%
– Return on Investment in 8 Months
How did we achieve this?
Streamline Administration
• Organize (Helpdesk, Self-Service)
• Standardize (technical procedures & infrastructure)
• Automate with BCC AdminSuite
Ensure compliance
• Define security settings
• Ensure with additional security product DominoProtect
Three Steps to streamline Administration
1. Organize
  • Delegate the tasks to Helpdesk, HR …
  • Provide Self-Service Request
2. Standardize
  • Convert admin tasks to an IT Process
  • A detailed checklist for every task
  • "simple" standard system environment running the most current IBM Domino release
3. Automate
  • Processing checklists by rules, profiles and backend server tasks
  • Ensuring Compliance by having a central log database to automatically record all actions
  • Reduce access rights!
Streamlined IT Process examples
Standardized IT Process 'New Employee'
Request -> Workflow (optional) -> automated steps:
• User gets links, necessary applications on the Workspace / Bookmarks
• Basic settings are stored in ID, Address Book, Workspace
• Data directory of the user created
• Password calculated and distributed via Mail / print or fax / SMS
• Mail file replica including cluster created
• Group entries corresponding to the user are set in the profile
• Creation of Person document in Domino Directory
• Expected rule-based UserID
Standardized IT Process 'New Employee' (continued)
• Create Billing entry in billing database
• Send confirmation mail to requestor
• Send information mail to business owner
• Create Reporting entry
• Send welcome mail to new user
Live demo
Standardized IT Process 'New Application'
Request -> Workflow (optional) -> automated steps:
• User gets links to necessary applications on the Workspace / Bookmarks
• ACL group(s) in the Domino Directory are created with all entries
• Mobile users get a local replica automatically
• ACL group(s) in the ACL of the created database correspond to the registered rights
• NSF file is created based on the specifications of the template
• Email is sent to requestor on success, and errors are notified to Admin
What makes AdminSuite so valuable for your organization?
Delegate to Helpdesk or Self-Service
Ensure proper execution
Reduce Access Rights
Accelerate requests, no manual effort
Ensure Compliance with additional security product DominoProtect
How do we achieve this?
Streamline Administration
• Organize (Helpdesk, Self Service)
• Standardize (technical procedures)
• Automate with BCC AdminSuite
Ensure compliance
• Define security settings
• Automate with additional security product BCC DominoProtect
Define security settings: Three key elements to IBM Domino Server Security
Document Access & Change
Database Access
Server ID
What does DominoProtect do ?
Provide an additional security layer
• beyond ACL and document access rights
• Manager, Designer or Editors are not allowed to perform changes
Add security at document field level
• Provide different security settings for single fields in a document
• Manager, Designer or Editors are not allowed to change defined fields
What does DominoProtect do ?
Detailed monitoring and tracking at real time
• Track access
• Track modifications at field level
• Old entry
• new entry
Prevent changes at real time
• Control Domino access rights -> even a Manager cannot change
• Track blocked changes
What does DominoProtect do technically?
Protect Server ID with passwords
• Assign random password to server ID
• Provide password at startup
• Automatic restart possible
Protect ACL
• Prevent ACL Change
• Track ACL Changes
Protect Notes documents beyond ACL settings
• Track access to document
• Track modification
• Prevent opening, modification or deletion
• Check and control field level changes
How do we achieve this: Security Settings Examples
Secure your ID Vault Server with DominoProtect
Secure your ID Vault Server, Step 1: Password-protected server ID file
Why secure your server ID? Protect the ID Vault!
IBM Recommendation: Securing the server ID file
– 'We understand that most Domino servers are not password-protected to make unattended reboots simpler, but the vault server's ID file is a key element in the security of your ID vault.'
– '..a sophisticated attacker with a vault database and one of the corresponding server IDs ... would have all of the cryptographic information needed to masquerade as the vault server and decrypt all of the ID files stored in the vault'.
http://www-10.lotus.com/ldd/dominowiki.nsf/dx/securing-your-notes-id-vault-server
Secure your ID Vault Server, Step 2: Secure your ID Vault ACL
Everyone with the role Auditor and an Admin client is able to download ID files from the ID Vault
How the ACL could be changed:
• Full Access Admins might be able to do this
• Server-based script agents
Preventing unwanted changes in the ID Vault ACL is mandatory
Secure your ID Vault Server, Step 3: Protect Configuration in Domino Directory
Main Goal: Reduce access rights to the ID Vault database and ensure these settings
Server Document:
– Protect field: Full access administrators
– Protect optional fields: "Programmability Restrictions"
– DominoProtect will
  • Block every change in these defined fields
  • All other fields can be changed
Protect ACL Groups providing access to the ID Vault:
– Prevent modification of all ACL groups related to the ID Vault
– DominoProtect will
  • Block every change in these defined Group documents
  • All other groups can be changed
Secure your ID Vault Server, Step 4: Control security log entries in log.nsf
Main Goal: Reduce access rights to log.nsf and prevent deletion or modification of Security Event log entries
Log.nsf
–ACL: Protect Changes in log.nsf
–Log “Security Events”
• Protect Changes in Documents “Security Events”
• Optional Restrict access to “Security Events”
DominoDirectory
–Protect ACL Groups providing Access to log.nsf
–Protect Full Access Admin Field
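As an added example, not code from BCC DominoProtect or IBM: a compliance-drift check over the objects Steps 2 to 4 protect (the vault ACL with its Auditor role, the server document's Full Access Administrators and Programmability Restrictions fields, and the log.nsf ACL), reporting each changed field with its old and new entry in the way the tracking slides above describe. The snapshot dictionaries, object keys and names are constructed stand-ins for an export of the real databases.

```python
# Added example, not DominoProtect code; every snapshot below is constructed.
# Constructed baseline: the approved state of the objects Steps 2-4 protect.
BASELINE = {
    "idvault.nsf/ACL": {
        "CN=VaultAdmin/O=Acme": {"level": "Manager", "roles": ["[Auditor]"]},
        "LocalDomainServers": {"level": "Manager", "roles": []},
        "-Default-": {"level": "NoAccess", "roles": []},
    },
    "names.nsf/Server:VAULT01": {
        "FullAccessAdministrators": ["LocalDomainAdmins"],
        "ProgrammabilityRestrictions": ["LocalDomainAdmins"],
    },
    "log.nsf/ACL": {"LocalDomainAdmins": {"level": "Reader", "roles": []}},
}
# Constructed current snapshot: a contractor was added as vault [Auditor]
# and to Full Access Administrators; log.nsf is unchanged.
CURRENT = {
    "idvault.nsf/ACL": {
        **BASELINE["idvault.nsf/ACL"],
        "CN=Temp Contractor/O=Acme": {"level": "Editor", "roles": ["[Auditor]"]},
    },
    "names.nsf/Server:VAULT01": {
        "FullAccessAdministrators": ["LocalDomainAdmins", "CN=Temp Contractor/O=Acme"],
        "ProgrammabilityRestrictions": ["LocalDomainAdmins"],
    },
    "log.nsf/ACL": BASELINE["log.nsf/ACL"],
}
# Only these names may hold [Auditor] in the vault (constructed allow-list).
APPROVED_AUDITORS = {"CN=VaultAdmin/O=Acme"}

def diff_fields(baseline, current):
    """(object, field, old, new) for every protected field that differs,
    including added or removed entries, i.e. the old/new tracking above."""
    changes = []
    for obj in sorted(set(baseline) | set(current)):
        old_f, new_f = baseline.get(obj, {}), current.get(obj, {})
        for field in sorted(set(old_f) | set(new_f)):
            if old_f.get(field) != new_f.get(field):
                changes.append((obj, field, old_f.get(field), new_f.get(field)))
    return changes

def unapproved_auditors(current):
    """Vault ACL names holding [Auditor] outside the allow-list; paired with
    an Admin client, such an entry can download ID files from the vault."""
    acl = current.get("idvault.nsf/ACL", {})
    return sorted(n for n, e in acl.items()
                  if "[Auditor]" in e["roles"] and n not in APPROVED_AUDITORS)
```

Run the two functions against each new export; a non-empty result is the alert, and the old/new tuple is the entry to restore.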
Live demo
What makes DominoProtect so valuable for your organization?
Real-time on server level
Different access at field level
No template modification
Benefits for end users/employees
Personal increase in productivity by faster service
Better service quality by fewer mistakes
Self-service possibility: 'I can help myself'
Benefits for Admin/IT department
Simplification in administration
Concentration on mission-critical projects and strategic measures
Reduction of the variety of tools and scripts
No requirement for customized training
Benefits for administrators
Prevents unauthorized modification of server configuration
Enhances process reliability through request-based change management with approval cycles
Provides full control and automated documentation of all configuration changes
Recovery function for configuration documents in case of mistakes or configuration errors
Alerts in case of defined protection violation
Benefits for Management
Cost-efficient
– Reduces the Notes infrastructure administration cost by 70%
– Service transparency
Minimizes risks
– Ensure compliance
– Reliable information about unauthorized access or modification attempts
Increases the employee productivity
Question time …
BCC
Olaf Boerner
Access Connect Online to complete your session surveys using any:
– Web or mobile browser
– Connect Online kiosk onsite
Acknowledgements and Disclaimers
© Copyright IBM Corporation 2014. All rights reserved.
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
IBM, the IBM logo, ibm.com, IBM Lotus and IBM Notes and Domino are trademarks or registered trademarks of International Business Machines Corporation in the United States, other
countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S.
registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A
current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml
All BCC product names are registered trademarks of BCC.
Other company, product, or service names may be trademarks or service marks of others.
Availability. References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates.
The workshops, sessions and materials have been prepared by IBM or the session speakers and reflect their own views. They are provided for informational purposes only, and are neither
intended to, nor shall have the effect of being, legal or other guidance or advice to any participant. While efforts were made to verify the completeness and accuracy of the information
contained in this presentation, it is provided AS-IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise
related to, this presentation or any other materials. Nothing contained in this presentation is intended to, nor shall have the effect of, creating any warranties or representations from IBM or
its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.
All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and
performance characteristics may vary by customer. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you
will result in any specific sales, revenue growth or other results.