S 4.128 Secure operation of the Lotus Notes/Domino environment
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Specialists Responsible, Administrator
The secure operation of the Lotus Notes/Domino environment covers all regular activities required to maintain the operability of the Lotus Notes/Domino environment. This includes the administration of Lotus Notes/Domino, the performance of upgrades and migrations, regular data backups and, if necessary, data archiving, as well as activities for monitoring the operation and the security of the platform. Changes to services that take place outside upgrades and migrations (for example, the activation of services not used so far, the initial operation of new databases and similar changes) must be carried out following the procedure for upgrades and migrations in a comparable manner. This includes compliance with the documentation requirements (including the system-side logging of the changes made and the archiving of the logs) as well as compliance with the requirements for critical administrative activities (e.g. the two-man rule or release procedures for services or components such as databases or interfaces).
Operational concept
The secure operation of the Lotus Notes/Domino environment requires an operational concept that regulates all the topics mentioned here that are relevant for operation in sufficient detail. The operational concept must refer to the other concepts relevant for operation (see S 2.207 Security concept for Lotus Notes/Domino).
Data backups
Backing up data at regular intervals is part of the secure operation of a system and must be documented in a data backup concept. Although data backup is not part of contingency planning but of the regular operation of the platform, it must be coordinated with contingency planning. If the procedure used for data backups is also used for archiving, the data backup concept must be aligned with the archiving concept described in S 2.207 Security concept for Lotus Notes/Domino.
Since Lotus Notes/Domino keeps its information (both user data and internal administrative data, configurations, logs etc.) in proprietary databases, the data backup concept must also cover backing up these databases in addition to the backup of configuration files (such as notes.ini). General recommendations on the backups of databases can be found in safeguard S 6.49 Data backup in a database.
The following particularities of the Lotus Notes/Domino platform must be taken into account:
- From Domino Release 5 and ODS (On-Disk Structure) 41 onwards, Lotus Notes/Domino supports transaction logging for databases. This is important not only because of the extended options for incremental data backup by backing up and replaying the transaction logs, but also because damaged databases can be repaired by restoring the backup and replaying the transaction logs.
- Transaction logging must be enabled for all databases with high protection requirements regarding availability or integrity, including, in particular, the Lotus Notes/Domino system databases. Here, the parameters Logging type, Automatic fixup of damaged databases and Runtime/restart performance in particular must be configured appropriately for the application scenario.
- In newer Domino versions, it is possible to store Lotus Notes/Domino databases in a DB2 database and to access them via the Lotus Notes/Domino platform. If this option is used, the security concept for Lotus Notes/Domino must also include the backup of the DB2 databases used.
- Data backups of complex operational environments with extensive dependencies, which may arise, for example, from the use of replication, should not be carried out manually but using suitable backup tools whenever possible. The tools of the manufacturer of the platform to be backed up (in this case, Tivoli Storage Manager and Tivoli Data Protection for Domino) are usually adapted to the particularities of the platform; the incompatibility risks are therefore lower than with tools of third party providers.
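The transaction logging settings named above are recorded in the server's notes.ini. The following script is an added example, not part of the original safeguard and not a tool of IBM/HCL: it parses a notes.ini fragment and checks the transaction logging parameters against a simple backup policy for databases with high availability or integrity requirements. The notes.ini keys TRANSLOG_Status, TRANSLOG_Style, TRANSLOG_Path, TRANSLOG_AutoFixup and TRANSLOG_Performance are taken from the Domino administration documentation; the meanings assigned to their numeric values here (0 = circular, 1 = archived, 2 = linear logging) are assumptions to be verified against the documentation of the Domino version in use. Both notes.ini samples are constructed.

```python
"""Check Domino transaction-logging settings in a notes.ini against a backup policy.

Added example (not from the original safeguard). The key names follow the Domino
administration documentation; the value semantics are assumptions to verify.
"""

# Constructed sample: transaction logging switched off (weak for high protection requirements).
WEAK_NOTES_INI = """\
[Notes]
Directory=/local/notesdata
ServerName=mail01/Example
TRANSLOG_Status=0
"""

# Constructed sample: archived logging on a dedicated path, auto-fixup enabled.
HARDENED_NOTES_INI = """\
[Notes]
Directory=/local/notesdata
ServerName=mail01/Example
TRANSLOG_Status=1
TRANSLOG_Style=1
TRANSLOG_Path=/translog
TRANSLOG_AutoFixup=1
TRANSLOG_Performance=2
"""

# Assumed value meanings for TRANSLOG_Style (verify against the Domino docs).
LOG_STYLES = {"0": "circular", "1": "archived", "2": "linear"}


def parse_notes_ini(text):
    """Return notes.ini settings as an upper-cased key -> value dict.

    Section headers ([Notes]), comment lines (;) and blank lines are skipped;
    notes.ini keys are treated as case-insensitive.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("["):
            continue
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().upper()] = value.strip()
    return settings


def check_transaction_logging(settings):
    """Return a list of findings (empty list = compliant with the policy)."""
    findings = []
    if settings.get("TRANSLOG_STATUS") != "1":
        # Nothing else matters if logging is off: incremental backup and
        # recovery via backup + log replay are unavailable.
        findings.append("TRANSLOG_Status is not 1: transaction logging is disabled")
        return findings

    style = LOG_STYLES.get(settings.get("TRANSLOG_STYLE", "0"), "unknown")
    if style != "archived":
        findings.append(
            f"TRANSLOG_Style is {style!r}: archived logging is required for "
            "incremental backups and point-in-time recovery"
        )
    if not settings.get("TRANSLOG_PATH"):
        findings.append("TRANSLOG_Path is not set: log should live on a dedicated volume")
    if settings.get("TRANSLOG_AUTOFIXUP") != "1":
        findings.append("TRANSLOG_AutoFixup is not 1: damaged databases are not repaired automatically")
    if settings.get("TRANSLOG_PERFORMANCE") not in {"1", "2", "3"}:
        findings.append("TRANSLOG_Performance is not explicitly configured for the scenario")
    return findings


def assess(notes_ini_text):
    """Parse and check one notes.ini; returns {'compliant': bool, 'findings': [...]}."""
    findings = check_transaction_logging(parse_notes_ini(notes_ini_text))
    return {"compliant": not findings, "findings": findings}


if __name__ == "__main__":
    for name, text in (("weak", WEAK_NOTES_INI), ("hardened", HARDENED_NOTES_INI)):
        result = assess(text)
        print(f"{name}: compliant={result['compliant']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The check deliberately stops after the first finding when logging is disabled, because the remaining parameters have no effect in that state; in an audit script this keeps the report focused on the decision that actually has to be made first.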
Application development for the Lotus Notes/Domino platform
If application development is performed for the Lotus Notes/Domino platform, the secure operation of the platform also includes the procedures for transferring applications to operation. These must ensure not only that the transfer meets the formal requirements, but also that the steps required to secure the application development were implemented.
The operation of a Lotus Notes/Domino environment with proprietary developments must be secured differently from the operation of a standard/default environment, especially taking the subject matters "Legacy locations" and "Moving proprietary developments to production" into account.
According to standard practice, the development environments, test and quality assurance environments and production environments must also be separated adequately for the Lotus Notes/Domino platform. In many cases, it is possible to use Lotus Notes/Domino environments as development environments and test and quality assurance environments using virtualisation, also with regard to lower licence costs (see S 2.493 Licence management and licencing aspects regarding procurement for Lotus Notes/Domino). Depending on the protection requirements, the adequate separation of the environments can also be realised via virtualisation.
When separating the environments, it must be taken into consideration that, in general, no access to the production environments may be permitted using developer clients (Domino Designer). If developer access to a production environment is necessary for operational reasons in exceptional situations, procedures ensuring the monitoring and quality assurance of this access must be defined in advance within the framework of the operational concept. The access must be transparent and traceable on the basis of the logging.
The procedures for transferring proprietary applications to productive operation must ensure that:
- there is a formal acceptance of the application by the person responsible,
- technical tests, integration tests and performance tests of the application were performed adequately,
- the objects integrated into the production environment correspond to the tested objects,
- the objects integrated into the production environment are free of malware (see also S 1.6 Protection against malware), and
- the policy for application development for the Notes/Domino platform (see S 2.207 Security concept for Lotus Notes/Domino) was applied in a traceable manner during development.
For applications purchased additionally for the Lotus Notes/Domino environment, quality standards comparable to those applicable to proprietary developments should apply as far as possible, whereby compliance with the policy for application development is replaced by corresponding statements and certifications of the manufacturer.
Application integration with the Lotus Notes/Domino platform
The application integration with Lotus Notes/Domino (see S 2.493 Licence management and licencing aspects regarding procurement for Lotus Notes/Domino) can change the security requirements to be met by the platform during operation completely.
The client-side application integration can increase the protection requirements of the Lotus Notes client regarding all three basic values. This also applies to using special integration components such as Alloy, a product developed in collaboration with SAP, to access SAP systems from Lotus Notes. In general, this has an impact on the configuration and use of the Notes client. This must be taken into account in the secure configuration of the client, as requested in S 4.229 Secure operation of PDAs. The secure operation of the platform must be supplemented by corresponding client-side logging and evaluation placing the focus on the client-side integrated applications.
The server-side application integration can, for example, be realised using DB2 databases for Notes data or using special integration components. In addition to this, there are further integration solutions via the Domino DIIOP service, Domino XML (DXL) and Domino JSP that support the integration using the WebSphere middleware in particular. The use of the organisation's own or third party Web services via the corresponding interfaces of Lotus Notes/Domino is also covered by these considerations.
For the server-side application integration, the protection requirements of the corresponding Notes/Domino applications and services are increased accordingly taking the protection requirements of the applications and services connected via integration into consideration. This must be taken into account both for the server-side configuration of the services of the Domino server in S 4.116 Secure installation of Lotus Notes/Domino and when defining the parameters and events to be monitored in S 4.132 Monitoring of the Lotus Notes/Domino environment. For the logging described in S 4.427 Security-relevant logging and evaluating for Lotus Notes/Domino, the parameters must also be adapted.
Therefore, application integration must be considered on a conceptual level within the framework of a policy for the application integration, as requested in S 2.207 Security concept for Lotus Notes/Domino. The compliance with the policy must be checked when the integration solutions are moved to production.
If the operation of the Lotus Notes/Domino environment (or individual components thereof) is outsourced, the outsourcing organisation still remains responsible for guaranteeing the secure operation, whereas the required regular activities are carried out in the organisation and/or at one or several service providers. The IT-Grundschutz module S 1.11 Outsourcing describes the special security safeguards required for outsourcing or partial outsourcing.
Upgrades and migrations during operation
For the secure operation of the Lotus Notes/Domino environment, the information on upgrades and migrations provided in S 4.116 Secure installation of Lotus Notes/Domino must be taken into consideration.
Administrative activities
If possible, administrative activities must be carried out according to an administration manual that documents the planning of administrative activities referred to in S 2.206 Planning the use of Lotus Notes/Domino. For outsourcing in particular, this is the means of ensuring a traceable quality of critical administrative activities. The level of detail of this administration manual depends on the protection requirements of the Lotus Notes/Domino platform. The binding nature of the administration manual for the performance of administrative activities must be ensured, either by issuing it as the organisation's own policy or, if administration is outsourced, by including it in the agreements on providing the service.
Monitoring during operation
During operation, the Lotus Notes/Domino environment must be monitored. In the safeguards S 4.132 Monitoring of the Lotus Notes/Domino environment and S 4.427 Security-relevant logging and evaluating for Lotus Notes/Domino, further aspects to be implemented as part of the secure operation of the Lotus Notes/Domino platform are described.
Use of Lotus Notes/Domino as leading identity management system in the organisation
The certificate hierarchy (PKI) of Lotus Notes/Domino can be used as basis of the organisation-wide identity management. In general, this has a very substantial impact on the protection requirements of the Lotus Notes/Domino environment, since the identity management is usually the core of the central authorisation management. During operation, such a situation requires in most cases a Domino server that is strictly secured and dedicated regarding all basic values and provides the necessary services.
The required planning for using the certificate hierarchy of Lotus Notes/Domino as basis has already been outlined in safeguard S 2.206 Planning the use of Lotus Notes/Domino in the aspects "Architecture planning taking into consideration security aspects", "Planning the role of Notes/Domino in the organisation-wide identity management", "Planning the domain and certificate hierarchies".
From an operational perspective, the administrative processes relating to the certificate hierarchy as well as monitoring, logging and evaluation, in particular, and archiving must take the higher protection requirements of the server providing the services to the certificate hierarchy into account.
Connection of Lotus Notes/Domino to an external, central identity management
The connection of Notes/Domino to an external, central identity management of third party providers (for example, Oracle Identity Manager, Microsoft Identity and Access Management, Novell eDirectory) or of the platform manufacturer itself (IBM Tivoli Identity Management) changes the protection requirements of the Lotus Notes/Domino certificate hierarchy.
Depending on the protection requirements of the Lotus Notes/Domino environment, the interface for the connection to the external identity management will, in general, have correspondingly high protection requirements with respect to all basic values. This aspect must be taken into account accordingly in the operational processes, especially in administration, monitoring, logging and evaluation. When implementing S 6.73 Contingency planning and emergency preparedness exercises for the Lotus Notes/Domino environment, the failure of the external identity management or the connection to the external identity management must be adequately taken into consideration.
Review questions:
- Is a documented operational concept or comparable operational documentation available for the Lotus Notes/Domino environment?
- Does the data backup concept take into account the size and complexity of the databases to be backed up?
- Is the procedure for moving applications to production documented for the Lotus Notes/Domino environment?
- Is the procedure for essential administrative activities during operation documented?
- Are the Domino servers on which the CA process (certification process) is run monitored and logged accordingly when using the Domino certificate infrastructure?
- Were the higher protection requirements of Lotus Notes/Domino taken into account when using the Domino-CA (Certificate Authority) for additional applications outside the Lotus Notes/Domino platform?
- If there is a Lotus Notes/Domino connection to an external, central identity management, is this connection taken into account accordingly in the instruction manual?