Written by Arshad Khalid
It doesn’t happen very often that a potential customer project comes along which is an almost exact fit for the product you are managing and have been evangelising. But that’s exactly what happened a few months ago when I was called in to participate in an initial meeting with a potential customer – not naming any names (simply because I can’t), it was with one of the biggest insurance companies in the world, if not the biggest.
First of all, it was very heartening to know that they still use and love IBM Domino.
That’s always a good starting point.
Better still, they had a huge number of Domino servers. However, in light of the recent restructuring, where most of the server administrators would be external, i.e. contractors, the IT Director had been tasked to make the environment more secure.
Now, you can imagine the scenario – external contractors in charge of servers with critical information. External contractors also mean a high turnover rate and, since there is always more than one way of getting the job done, as we all know, the changes in configuration would become a nightmare to manage.
So, the challenges were easy to lay out:
- Prevent data leaks
- Monitor (prevent if possible) the changes to configuration
- Audit every action for SOX compliance
- Make it easier to manage servers while increasing security
It was definitely music to my ears in that meeting. I was even more thrilled to tell them that we had exactly what they were looking for in our solution DominoProtect and that it would actually give them a lot more control and ease of management than they were asking for.
I explained to them that DominoProtect runs as an Extension Manager of the IBM Domino server and acts as a gatekeeper: all access requests to all databases within the Domino environment have to pass through it. So, for those databases that need “protection”, we can stop the request in its tracks.
Needless to say, they were all ears and we won them over right from the word go.
So, this is what we did for them, going above and beyond what was asked of us initially:
Monitor and Prevent
That’s exactly what DominoProtect has been designed to do. DominoProtect allows real time monitoring and prevention of access to data.
Monitoring is all well and good, but it does not stop someone with malicious intent from accessing and stealing sensitive information. In today’s world of smart devices, all someone has to do is take a picture of the data and send it to whomever they want.
This is where real time prevention comes into its own.
This customer had a lot of external contractors working in administrators’ roles, and, as we know, administrators have manager access in most database ACLs.
The requirement in this scenario was to protect the executives’ emails so that no unauthorised administrator could read them even though they might have Manager access in the ACL.
This is easy to do with DominoProtect. With a simple configuration document in the DominoProtect configuration database, we could turn off access for every unauthorised administrator while allowing it for every legitimate user, e.g. the executive themselves, their secretaries, their chosen substitutes etc.
Turning off access using DominoProtect really means no access, i.e. you cannot view the field values in the properties box, you cannot print the document, you cannot access it via HTTP, nor can you access the data using an agent which has been signed by an unauthorised ID.
The second part of Monitor and Prevent in this project was to protect the configuration from being changed frequently due to the high turnover rate in external contractors.
Again, with DominoProtect this was a matter of setting up configuration documents which always created a “change request” for any change in the Domino system databases. With these “protection” documents in place, whenever an administrator would attempt to make a change in any of the configuration documents, a change request would automatically be created and sent to an approving authority thereby triggering an approval workflow.
This simple change is not only effective in guarding against unwanted changes but also protects the administrators, since every change was being approved by someone higher up.
Audit all actions
Auditing actions comes as standard with DominoProtect. Every change to the protected element – field, document and database – is automatically audited.
So, if someone tried to access an executive mail database, that would be automatically registered in the DominoProtect Log database.
Similarly, all changes to configuration documents that go through the change request workflow also get logged with detailed information about the requestor, approver and the changes made.
Easily manage servers while increasing security
The first part of securing the Domino server is to secure the server ID file with a password. In our experience, almost 70% of Domino administrators do not add a password to the server ID file simply because an unsecured ID makes it easier to restart the server!
This was thankfully not the case with this customer. Someone had obviously been paying attention to Paul Mooney’s requests (which had started taking on a darker shade!) over the years.
However, such a large number of servers being managed by a largely ad-hoc workforce meant that the server ID passwords must only be known to a secure group of permanent staff. At the same time, servers would still need to be maintained and restarted.
With DominoProtect, this is as easy as 1-2-3! DominoProtect can work with a server ID with an existing password or passwords. It can also generate a random and secure AES 256-bit password for an unsecured ID. This password is then provided securely at server start-up, which removes the need for anyone to type in a password on the console at the time of starting up the server. This means the server can be started up at any time and still have a secure ID file.
In our case, this meant that once the Server ID configurations were set up, there was no need to distribute these passwords to the external administrator staff while still giving them the ability to carry on their day to day activities.
DominoProtect has been running in this organisation for a few months now. The customer has been able to achieve their corporate cost saving goals while at the same time increasing the security, integrity and reliability of their IBM Domino environment.
Does this solution sound right for you?