EUT on Tour

Sunday, January 18, 2009

Lotus Domino & Notes Security A-Z

Well, that was different! It was the first presentation I've been to where the two presenters seemed to publicly disagree about the content - and there was a lot of content!

Beyond giving me just enough knowledge to be dangerous (you have been warned), there was good coverage of some of the new features in versions 7, 8 and 8.5 that not only improve security but also improve the end user experience and ease some administrative burdens.

The ID Vault is still probably the biggest win, allowing us to remove some custom scripting and simplifying the initial configuration of the Notes client, but there was also information on setting up Active Directory as a "secondary directory" which we will need to look into soon.

There was also some good information on standard events that should be monitored to ensure security, and coverage of best practice configurations for all the new policies that can be configured.

One point that we will have to review is that apparently the Notes 8 client 'breaks' the roaming configuration we use at Mars (H: drive), but Notes 8.5 has the roaming ability built in, again allowing us to remove more custom scripting.

Something that was only briefly mentioned but triggered some thoughts was the categorisation of each database by Privacy and Security ratings, based on factors such as whether the database contains consumer information. We should make sure we do something around this in the upcoming database discovery work. I'm sure Jean-Marc will be thrilled!

I'll leave you with a telling comment from security professionals:

"Security is a trade-off between what users will put up with and what you need to protect your environment"

If our security colleagues are representing the side of "protecting our environment" in this trade-off, who is representing "what the users will put up with"? I don't think we have a clear answer on this yet, but I wouldn't be surprised if EUE are in the frame under the guise of the "Usability Centered Design" initiative. Expect to hear more about this!

I'll arrange for all the Lotusphere slides to be hosted internally so interested parties can view all the slides directly.

5 comments:

Mat Sleightholme said...

Did they say whether that's using AD with Notes on Windows or Notes on Linux? If Linux, is it Samba 4 or an earlier version?

Alan said...

Two comments to add.
1. In response to Mat's comment: it is my belief that the Domino to AD connection is independent of the base OS on which Domino is running.
2. In response to Brian's comment on Notes 8 breaking the roaming profile in Mars (e.g. H:\ drive): I had thought that this issue was referring to integrated roaming profiles (a feature in Domino 6.x and newer versions) and that the configuration which is used in Mars is fully independent of this feature and as such not affected. Brian, can you clarify this?

Brian said...

Hi Al, welcome back!

re (1): you are right - Domino to AD (or in fact any secondary LDAP directory) is independent of the underlying OS where Domino has been installed. I missed Mat's original question! Basically, what Notes allows you to do is use a second directory for users. Server information, connection documents and administrative users still need to reside in the primary (Domino) directory.

re (2): the 'breakage' is specifically where you are using a network fileshare for the Notes directory, primarily because some of the new features in the 8 client don't store their user information in the same place.

Anonymous said...

Have IBM FINALLY allowed authentication to non-Domino directories? Does this mean the ID file goes away? They have been promising this since version 6!

Brian said...

Er, not exactly. The ID file remains as the repository for the private key (the closest analogy would be that ID files are IBM's implementation of certificates, and the ID Vault is their certificate distribution mechanism). So with ID Vault, once you authenticate to the Notes directory your ID file is downloaded/synchronised with the workstation. Your directory password is also the password to open your ID file to be able to encrypt and decrypt Notes email etc. With the planned 'directory independence' feature due to be released "soon", you would also be able to leverage an alternative LDAP directory (such as AD) for the same ID Vault functionality.

In terms of specifically allowing 'authentication to non-Domino directories' - this is in the product now, but only for the web interface, not for the rich client.