S 2.206 Planning the use of Lotus Notes/Domino
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: IT Security Officer, Administrator
The use of Lotus Notes/Domino requires careful planning. Planning should be understood as a continuous process and not merely as a one-time activity during initial implementation. The level of detail of the planning and the extent of the documentation produced during planning depend, amongst other things, on the protection requirements of the respective Lotus Notes/Domino environment. Furthermore, appropriateness criteria such as the size and resources of the organisation must be taken into consideration. The extent to which the different services of the Lotus Notes/Domino platform are used and the complexity of the architecture must also be taken into account.
For example, using Lotus Notes/Domino only as an internal and external email platform and as a platform for organisation-wide collaboration (workgroup support) normally requires less complex planning, owing to the simpler architecture, than a deployment that additionally includes extranet and internet interfaces and a broad range of internet services such as instant messaging and web services.
As a matter of principle, the following aspects must be taken into consideration when planning the use of Lotus Notes/Domino:
- architecture planning taking into consideration security aspects,
- planning of the role of Lotus Notes/Domino within the organisation-wide identity management,
- planning of the domain and certificate hierarchies,
- planning of administrative activities in the Lotus Notes/Domino environment,
- definition of the relevance of the Lotus Notes/Domino platform for organisation-wide business continuity and contingency planning,
- planning of the communication security for the Lotus Notes/Domino environment.
The Lotus Notes/Domino platform can be operated using server virtualisation or terminal server technology. In these cases, a corresponding plan covering the interaction of the Lotus Notes/Domino platform with the virtualisation platform used must be developed.
Depending on the protection requirements of the business processes supported by Lotus Notes/Domino, high availability of Lotus Notes/Domino services may be required. In these cases, a corresponding plan must describe the interaction of the Lotus Notes/Domino platform with the technology used to implement the high availability requirements and/or the configuration of the Lotus Notes/Domino mechanisms for high availability (clustering).
Architecture planning taking into consideration security aspects
It must be ensured that security aspects are taken into consideration when planning the architecture, alongside the technical and functional requirements for the Lotus Notes/Domino platform and the requirements derived from IT strategy. This may be done by applying general security guidelines or by incorporating the organisation's specific requirements for its own security architecture.
The security guidelines and/or elements of the security architecture relevant to planning the Lotus Notes/Domino architecture must be translated into concrete elements of the architecture plan. For example, the organisation's security requirements for planning and protecting network boundaries must be taken into consideration when positioning and protecting the Lotus Domino servers that are intended to act as gateways to extranets or to the internet.
The decision as to how many Lotus Domino servers are used at which locations should depend primarily on the protection requirements of the Lotus Domino services. As a matter of principle, Lotus Domino services should be installed selectively and restrictively on the basis of their protection requirements. Where possible, services with high protection requirements must be separated from services with low protection requirements already at the architecture level, so that weaknesses in the services with low protection requirements cannot impair the services with high protection requirements. For example, where protection requirements are correspondingly high, the organisation's central email service must be designed redundantly and, if possible, operated on servers that do not host any further services which are "risky" with regard to weaknesses.
Planning of the role of Lotus Notes/Domino within the organisation-wide identity management
The Lotus Notes/Domino platform offers comprehensive functionality for designing organisation-wide identity management. It is generally possible to use Lotus Notes/Domino as the leading identity management system and to provide other systems with information about electronic identities and the scope of their rights via interfaces (e.g. LDAP interfaces). Conversely, Lotus Notes/Domino may also act as a subordinate system and receive this information from a corresponding interface of another leading system.
For the organisation, there must be an unambiguous definition of the leading identity management system and of how the information about electronic identities is propagated within the IT environment. This way, the role of Lotus Notes/Domino can be planned accordingly. This role has decisive effects on the protection requirements of the Lotus Domino services and the Lotus Notes/Domino infrastructure components.
Planning of the domain and certificate hierarchies
The use of the Lotus Notes/Domino platform requires planning of the domain and certificate hierarchies. This must be performed for the first time when introducing Lotus Notes/Domino and adapted accordingly whenever there are relevant changes to the organisation structure, the services used, the connected partners, etc. Since many security-relevant settings take effect at domain level (e.g. restrictions, security-relevant replication parameters), security must in any case be taken into consideration when planning the domain hierarchy.
While a single-domain concept may be sufficient for small organisations (referring to the productive domains), a multi-domain concept is usually required for complex structures, e.g. in corporations or larger organisations. All elements available for defining the Lotus Domino infrastructure are part of the domain hierarchy. Along with the Lotus Domino domains, this also includes the Lotus Domino organisations, the Lotus Domino networks (DNNs, Lotus Domino Named Networks), and the hierarchical naming scheme used (based on the X.500 standard).
A certificate hierarchy (PKI) is used to realise the domain hierarchy in security terms (amongst other things, it controls between which servers and users communication is possible). The planning of the certificate hierarchy must be designed according to the role of Lotus Notes/Domino within the organisation-wide identity management. Significant changes to the identity management should always be followed by an adaptation of the certificate hierarchy plan and must not be implemented by means of workarounds. It must be taken into consideration that both Lotus Notes' own certificates and internet certificates (X.509 certificates) must be managed.
The required structures and processes (as described in the X.509 standards, for example) must be defined when planning the certificate hierarchy. This includes, for example, defining the certificate authority, the registration authority, and the certification process (CA process). In doing so, it must be decided whether a third-party certificate authority is used or whether a Lotus Domino certificate authority is established.
All technical settings, as well as the administrative procedures and processes connected with the certificate hierarchy, require careful planning, must be worked out conceptually in detail, and must be documented sufficiently. It must be taken into consideration that, from Lotus Notes/Domino 8.5 onwards, OCSP (Online Certificate Status Protocol, RFC 2560 of the IETF) can be used to check for revoked certificates. The planning of the certificate hierarchy must be updated accordingly.
Planning of administrative activities in the Lotus Notes/Domino environment
It is necessary to plan and define administrative activities in the Lotus Notes/Domino environment in a detailed manner in the form of binding instructions (such as a binding administration guideline). The level of detail of the planning and the extent of the documentation depend on the defined protection requirements of the Lotus Notes/Domino platform.
Above all, critical administrative activities, for example in connection with the certification process, but also in user administration, database administration, and the installation and configuration of components and services, must be performed with the appropriate diligence and expertise.
The administration instructions must require that critical administrative activities be documented sufficiently, and compliance with this requirement must be checked.
Improper administrative activities, administrative activities performed informally on request, and insufficiently documented administrative activities constitute significant risks, as do deliberate attacks that misuse administrative rights. Although not specific to Lotus Notes/Domino, these have significant effects on the achievement of the protection objectives for the Lotus Notes/Domino platform.
Due to the technical complexity of the Lotus Notes/Domino platform, general administration instructions that do not address platform-specific peculiarities are generally insufficient.
When planning the administrative activities for Lotus Notes/Domino, it must also be defined that these activities must be monitored and controlled using the technical possibilities of the Lotus Notes/Domino platform.
Definition of the relevance of the Lotus Notes/Domino platform for organisation-wide business continuity and contingency planning
Planning the operational procedures of the Lotus Notes/Domino platform and the security safeguards closely interwoven with them (for example the backup and recovery safeguards) requires that the platform be classified within the overall context of business continuity and contingency planning. If this has not already been done as part of corresponding activities of the organisation, the Lotus Notes/Domino platform should be classified with regard to business continuity and contingency planning as part of planning the introduction or migration of Lotus Notes/Domino. Only then can a host of required security safeguards, such as measures for securing the availability of the platform or of individual services, be properly planned.
Planning of the communication security for the Lotus Notes/Domino environment
Due to the distributed architecture of typical Lotus Notes/Domino environments, planning communication security plays a decisive role within the framework of security planning. The following subjects relevant to communication security must be covered:
- server-to-server communication between Lotus Domino servers (using both Lotus Notes protocols and internet protocols, including database replication),
- client-to-server communication for Lotus Notes clients to Lotus Domino servers (for all Lotus Notes client types, including administrative clients),
- client-to-server communication for third party clients to Lotus Domino servers (using the POP3 and IMAP protocols),
- remote accesses and specific dial-in accesses of the Lotus Domino servers,
- use of push services for mobile end devices,
- uninstalling (and/or not installing) insecure and/or not required communication protocols (e.g. WebDAV),
- restrictive implementation of trust relationships between servers,
- use or provision of services/interfaces outside of the Lotus Notes/Domino environment, e.g. LDAP interfaces.
It must be taken into consideration that, for historical reasons, Lotus Notes/Domino still supports modem connections between servers; these are no longer state of the art and may pose security risks in today's environments. When planning communication security, any such connections must be removed and the corresponding interfaces and/or connection documents disabled.
Review questions:
- Are security aspects taken into consideration when planning the architecture for the Lotus Notes/Domino platform?
- Is there a definition of the role of Lotus Notes/Domino within the organisation-wide identity management?
- Is there sufficient documentation of the planning of the domain and certificate hierarchies?