S 2.207 Security concept for Lotus Notes/Domino

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Specialists Responsible, IT Security Officer

As for every software product used within an organisation, a suitable security concept must also be drawn up for the use of Lotus Notes/Domino. Depending on the size, the resources, and the organisational structure of the organisation, the security concept for Lotus Notes/Domino can be incorporated into one results document (e.g. a security policy) or a series of results documents. Documenting the security concept modularly makes it easier to distribute the documents to specific target groups. For example, a policy for application development could be distributed only to the application developers for the Lotus Notes/Domino platform and/or the administrators.

In so doing, the items of the security concept mentioned below must be processed and the results must be documented. If parts of the security concept are irrelevant for the specific use of the Lotus Notes/Domino platform within the organisation (e.g. when there is no application development for the Lotus Notes/Domino platform), this must be documented within the framework of the security policy.

Security policy for Lotus Notes/Domino

The following aspects need to be taken into consideration within the framework of the security policy:

Concept for the domain and certificate hierarchies of Lotus Notes/Domino

The concept for domain and certificate hierarchies of Lotus Notes/Domino is the result of the planning activity described in S 2.206 Planning the use of Lotus Notes/Domino. The person in charge must keep the concept up to date at all times and adapt it to all changes. In the event of extensive modifications to the Lotus Notes/Domino infrastructure, this is normally performed by the competent project managers, system architects and software architects. Changes to this highly security-relevant concept require acceptance by the information security management department.

Concept for the use of the Lotus Notes/Domino-proprietary security mechanisms: encryption, certificates handling, and Lotus Notes IDs handling

Lotus Notes/Domino provides different encryption mechanisms both for encrypting data in transit (communication connections, communication contents) and for encrypting the databases (e.g. database encryption, email encryption). It must be defined which Lotus Domino-proprietary mechanisms are to be used. Conformity with an organisation-wide general encryption concept and/or the deviations caused by proprietary Lotus Notes/Domino mechanisms must be documented. The key management for Lotus Notes/Domino must be designed in accordance with the requirements of the organisation-wide encryption concept and must take into account the protection requirements of the Lotus Notes/Domino platform.

Certificate handling, e.g. during re-certification due to expiration, creation of cross-certificates, etc., must also be defined in this concept. Specific rules are required, not merely a reference to the mechanisms available in Lotus Notes/Domino. For example, it must be defined when sending an email for re-certification to the administrators is admissible and when it is prohibited.

Since Lotus Notes IDs constitute a security risk due to their "portability", it must be specified where copies of these IDs are to be stored for recovery purposes and how processes handling Lotus Notes IDs (e.g. re-certification, recovery) are to be implemented.

In Lotus Notes 8.5 and higher, Lotus Notes ID Vault is a tool for managing Lotus Notes IDs. Amongst other things, it allows lost Lotus Notes IDs and lost passwords to be recovered and copies of IDs to be synchronised with native means of the Lotus Notes/Domino platform, and it extends or simplifies the existing functionality of the platform. Using the tool is recommended. However, its use must be planned and the concept for using the Lotus Notes/Domino-proprietary security mechanisms must be adapted accordingly.

Password policies for Lotus Notes/Domino

Lotus Notes/Domino has long provided its own mechanisms for assessing password quality. Therefore, it is necessary either to adopt the organisation-wide password policies with corresponding comments or to adapt the password policy to the Lotus Notes mechanisms specifically for Lotus Notes/Domino. The Lotus Notes/Domino password policies should be a part of the security policy of Lotus Notes/Domino, if possible. If single sign-on is used for logging in, this must be documented correspondingly in the security policy. The password quality used for single sign-on must meet the accumulated requirements of the connected applications and/or systems.

Logging and evaluation concept for Lotus Notes/Domino

A specific concept complying with the policy for logging and evaluating security-relevant data applicable to the entire organisation must be developed for the Lotus Notes/Domino platform. Coordination with data protection officers, personnel board, supervisory board, and other authorities to be involved in these concepts is necessary if there is no corresponding generally applicable logging and evaluation policy or if the policy is characterised by an insufficient level of detail.

When developing the security policy, it must be ensured that the specifications regarding the data volumes to be evaluated are realistic and that implementation during operation is possible with the existing resources. If tools for centralised logging and automatic log evaluation are already used in the organisation, it must be checked whether Lotus Notes/Domino logging and evaluation can be performed with these tools.

Archiving concept for Lotus Notes/Domino

The Lotus Notes/Domino platform may include different data requiring archiving: emails, workflow elements requiring archiving, databases containing Lotus Notes applications and services requiring archiving, etc. When Lotus Notes/Domino is used as a central identity management system, data requiring archiving is generated there as well. Therefore, it is necessary to develop and implement a functional and technical archiving concept for the Lotus Notes/Domino platform or to adapt the existing organisation-wide archiving concept to the requirements of the Lotus Notes/Domino environment.

Concepts for protecting all Lotus Domino services used

Normally, the security policy requires all services to be protected (often also at the level of installed modules). The measures for protecting the services do not necessarily have to be documented in the security policy for Lotus Notes/Domino, since this documentation is intended mainly for the target group of administrators and for the information security management department; the measures can also be documented within the framework of the operations concept. The description should cover the technical measures regarding the Lotus Notes/Domino platform (hardening, configuration of server- and client-side components) as well as the organisational measures and additional security components used to protect all services.

Concept for handling legacy applications posing security risks and configurations of the Lotus Notes/Domino platform posing security risks required for their operation

Lotus Domino legacy applications that cannot be migrated may require "insecure" settings in order to be operated on the newer platforms. If these applications are absolutely indispensable, it is necessary to provide a concept stating how they can be operated and monitored in order to minimise the resulting security risk. Above all, it must be ensured that "insecure" parameterisations of the platform remain rare exceptions and are not made the organisation-wide standard due to their compatibility with the legacy locations.

Policy for application development for the Lotus Notes/Domino platform

Lotus Notes/Domino offers both the option of developing applications using the former, proprietary technologies and the option of developing applications using an Eclipse-based Java development environment. A corresponding policy for application development must be developed for each of the two options, if used. These policies must include coding standards for the usable programming languages, development best practices, and a description of the application development process.

Policy for application integration with the Lotus Notes/Domino platform

Lotus Notes/Domino is increasingly positioned as a platform for server- and client-side application integration, both based on the new Lotus Notes client deemed a "universal" client in the manufacturer's strategic positioning and based on the optional SAP integration. In order to prevent application integration from becoming a source of security-related weaknesses, it is necessary to develop a platform-specific policy for application integration with the Lotus Notes/Domino platform.

Protection against malware for Lotus Notes/Domino

The malware protection for Lotus Notes/Domino constitutes the conceptual implementation of the general malware protection specifications applicable throughout the entire organisation. This includes both malware protection at network transitions where Lotus Domino is used as a web or email gateway and the "downstream" malware protection of the Lotus Domino databases (including the email databases). The interaction of the server- or client-side protection programs installed by default with the installed Lotus Notes/Domino components must also be described in this concept.

Hardening concept and configuration specifications for Lotus Notes/Domino

The Lotus Notes/Domino components to be installed must be hardened and configured in accordance with the protection requirements and their application scenario. Along with the service-level protection measures described in the concept for the protection of the services used, the "basic hardening" of the server must also be described conceptually. Furthermore, the description must state which services are used and how the remaining services can be uninstalled (and/or not installed). The hardening and/or configuration specifications required on the client side must be described conceptually for all client types used (including browser-based clients).

Concept for the use of push services

The Lotus Domino email service can be used in connection with push services by connecting third-party push services (for example by connecting smartphones) or by using the Lotus Notes Traveler component. The security-relevant issues arising from the use of push services must be described conceptually.

Review questions: