Ensure the security of your HCL environment by applying the Zero Trust principles
1. © Copyright & proprietary Silverside B.V.
Zero Trust on your HCL environment
24-04-2024 - Antwerp
2.
+250 customers
3 platforms
28 employees
25 years collaboration specialist
As a specialist in the best collaboration software (including
Microsoft 365, HCL Software and Zoho ONE), we ensure
that users can collaborate smarter and better in a secure
modern digital world.
We guide organizations to the right destination based on
our experience with more than 250 customers. In addition
to our professional knowledge, we believe in happiness at
work and pleasant cooperation. This enables us to achieve
measurable results that will positively surprise you.
Are you joining us?
Your dedicated guide
to happiness and success
in the digital world
3.
Zero Trust in a nutshell
5.
Why Zero Trust
Zero Trust in a nutshell
versus
Never trust, always verify
6.
Verify Explicitly
Always authenticate and
authorize based on all
available data points,
including user identity,
location, device health,
service or workload, data
classification, and anomalies.
3 Basic Principles
Zero Trust in a nutshell
7.
Least Privileged Access
3 Basic Principles
Zero Trust in a nutshell
Limit user access with Just-
In-Time and Just-Enough
Access (JIT/JEA), risk-based
adaptive policies, and data
protection to protect both
data and productivity.
8.
Minimize blast radius for
breaches and prevent lateral
movement by segmenting
access by network, user,
devices, and application
awareness. Verify all sessions
are encrypted end to end.
Use analytics to get visibility,
drive threat detection, and
improve defenses.
3 Basic Principles
Zero Trust in a nutshell
Assume Breach
9.
Technology Pillars
Zero Trust in a nutshell
10.
HCL Software and Zero Trust
HCL Connections with Zero Trust Identity
To see what the Zero Trust principles can do with HCL products we
have a few examples:
• HCL Connections with Zero Trust Identity
• Zero Trust Domino security
11.
HCL Connections with Zero Trust
12.
Implement a single user repository
HCL Connections with Zero Trust Identity
Requirements:
• Microsoft Entra ID as main user repository
• Guest access should be supported
• Strong Authentication
Solution:
• Use SAML and OpenID Connect (OIDC) for federation with Microsoft Entra ID
• This does not remove the need for an LDAP repository
13.
LDAP repository
HCL Connections with Zero Trust Identity
Possible options:
• Local Active Directory synchronized with Entra ID Connect
• Use Microsoft Entra ID Domain Services
• An alternative LDAP server that is synchronized with Entra ID
Notes:
• All users, including guests, should be managed within Active Directory or a different LDAP repository
• Entra ID Domain Services is a relatively expensive and complex option (starts at 110 euro per month and can go up to +1000 euro)
• Provisioning to an LDAP target is included with Entra ID Premium P1 and can be combined with OpenLDAP.
14.
Entra ID LDAP provisioning
HCL Connections with Zero Trust Identity
The agent runs on an on-premises server and only requires outbound connectivity.
[Diagram: Entra ID Provision Service <-> Microsoft ECMA Connector Agent, exchanging user data]
15.
OpenLDAP Server
HCL Connections with Zero Trust Identity
1. Configure an OpenLDAP server
2. Set up the LDAP repository on WebSphere
3. Set up the SDI synchronization
TIP: Use different OUs for internal and external accounts
Components shown: IBM WebSphere Application Server, IBM DB2, IBM Security Directory Integrator, OpenLDAP
16.
Set up the provisioning
HCL Connections with Zero Trust Identity
Create 2 new Enterprise Applications in Entra ID
• Internal Users
• External Users
17.
Attribute Mapping
HCL Connections with Zero Trust Identity
Make sure that at least the following attributes are configured:
• distinguishedname
• displayName
• givenName
• sn
• uid
• mail
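A pre-flight check for the provisioning steps on the last few slides, added here as an example (not Silverside's or HCL's code): it parses a constructed LDIF export of what Entra ID wrote into OpenLDAP and verifies the minimum attribute mapping above plus the tip to keep internal and external accounts in separate OUs. The `ou=internal` / `ou=external` layout under `dc=example,dc=com` is an assumption; real values depend on your directory.

```python
# Added pre-flight check (not HCL's or Silverside's code) for entries that Entra ID
# provisioning writes into OpenLDAP, run before WebSphere is pointed at the repository.
# Minimum attribute mapping from the slide; "distinguishedname" is the DN itself.
REQUIRED = ("displayName", "givenName", "sn", "uid", "mail")
# Hypothetical OU layout following the "different OUs" tip (an assumption).
ALLOWED_OUS = ("ou=internal,dc=example,dc=com", "ou=external,dc=example,dc=com")

def parse_ldif(text):
    """Return one {attribute: [values]} dict per LDIF entry (plain values only); DN is under 'dn'."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:    # trailing "" flushes the last entry
        if not line.strip():                 # a blank line ends an entry
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries

def check_entries(entries):
    """Return a list of problems; an empty list means the export is clean."""
    problems, seen_uids = [], {}
    for e in entries:
        dn = e.get("dn", ["<no dn>"])[0]
        for attr in REQUIRED:
            if not e.get(attr):
                problems.append(f"{dn}: missing {attr}")
        if not any(dn.lower().endswith("," + ou) for ou in ALLOWED_OUS):
            problems.append(f"{dn}: not under the internal or external OU")
        for uid in e.get("uid", []):
            if uid in seen_uids:
                problems.append(f"{dn}: duplicate uid {uid} (also {seen_uids[uid]})")
            seen_uids.setdefault(uid, dn)
    return problems

# Constructed sample export: a complete internal user and a guest with defects.
SAMPLE_LDIF = """dn: uid=jdoe,ou=internal,dc=example,dc=com
displayName: John Doe
givenName: John
sn: Doe
uid: jdoe
mail: john.doe@example.com

dn: uid=guest1,ou=people,dc=example,dc=com
displayName: Guest One
uid: guest1
mail: guest.one@partner.example
"""
```

Running `check_entries(parse_ldif(SAMPLE_LDIF))` reports the guest's two missing attributes and its placement outside the agreed OUs, and nothing for the internal user.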
18.
Install and configure the provision agent
HCL Connections with Zero Trust Identity
19.
The result
HCL Connections with Zero Trust Identity
20.
Enable OIDC single sign-on
HCL Connections with Zero Trust Identity
When you now enable OIDC single sign-on,
all users will get the Microsoft login pages.
As a result, all security options from Entra ID
will be in place, including MFA.
21.
Zero Trust and HCL Domino
22.
Zero Trust and HCL Domino
Zero Trust – Domino
23.
Zero Trust – Domino
• Login is handed over to a standardized "Identity Provider" (IdP): Windows ADFS, Microsoft 365 Entra ID, JumpCloud, etc.
• It is not a Microsoft proprietary lock-in: SAML/ OIDC are standard protocols and there are many IdP providers
• An IdP specializes in secure authentication: user/ password, MFA, biometrics, region, trusted sites/ devices
• Single login, used for multiple applications: Notes, Nomad Web, Verse, Sametime, Zoho CRM, etc. - Not a synced password!
• Optionally automated login to the IdP from a trusted device/ network/ Windows account
• Fewer logins: prevents multiple login prompts, different passwords and user confusion
24.
Zero Trust – Domino
• The IdP tells Domino that the user is "john.doe@acme.com", through a signed certificate
• Domino validates the signature
• Links user e-mail 'claim' to a Domino user
• User is authenticated
• Extracts id-file from id-vault, kept in RAM
Service Providers (SP)
• Notes client
• Verse mail
• Sametime
• Nomad Web . . .
25.
Zero Trust – Domino
IdP does the authentication, but Notes/ Domino still need to be secure!
• User authenticated by IdP but unknown in Domino, ends up with Default access rights
• Restrict server-access to group or */Org, all users in Address book
• Maintain Deny Access group(s); sync account status from AD/ Entra, detect inactive users in userlicenses.nsf
• Enforce server access settings for all protocols
• Disable Anonymous access (uses 'Default' if not explicitly disabled/ set)
• Notes certificates 1-2 years
• Enable Check public keys
• Enable Internet Lockout
• Set Vaulted IDs Notes to complex passwords, Remove ID-files from person docs
• Disable vault extraction by username/ password
• Set a password on server.id
• Remove cert.id/ admin.id from Domino data-folder
• . . .
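The hand-over described on the previous slide, together with the "unknown in Domino ends up with Default access" point above, as an added example that is not Silverside's or HCL's code: the relying party verifies the signed token, reads the e-mail claim, maps it to a registered user and refuses anyone unknown or expired. An HMAC-signed JWT with a constructed shared secret stands in for the IdP's RSA-signed OIDC token or SAML assertion, and a constructed dictionary stands in for the Domino Directory lookup.

```python
# Added example (not HCL's or Silverside's code) of the IdP -> service provider hand-over:
# the IdP asserts an e-mail claim in a signed token, the relying party verifies the
# signature, links the claim to a known Domino user and refuses unknown identities
# instead of letting them fall through to Default access.
import base64, hashlib, hmac, json, time

# Stand-in for the IdP's signing key. Real IdPs sign with RSA/EC keys (RS256, or
# XML-DSig for SAML); HMAC is used here only so the example runs offline.
IDP_SECRET = b"constructed-shared-secret"
EXPECTED_AUD = "domino-sp"          # constructed audience/client id for this SP

# Constructed mini directory: e-mail claim -> Domino user. A real deployment
# resolves this against the Domino Directory (names.nsf).
DOMINO_USERS = {"john.doe@acme.com": "CN=John Doe/O=Acme"}

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(email, aud=EXPECTED_AUD, ttl=300, now=None):
    """IdP side: header.payload.signature (JWS compact serialization, HS256)."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"email": email, "aud": aud, "exp": now + ttl}).encode())
    sig = hmac.new(IDP_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def authenticate(token, now=None):
    """Relying-party side: return the Domino user name, or None when login must fail."""
    now = int(time.time()) if now is None else now
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None                              # not three dot-separated parts
    expected = hmac.new(IDP_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        return None                              # signature does not validate
    claims = json.loads(_unb64url(payload))
    if claims.get("aud") != EXPECTED_AUD or claims.get("exp", 0) <= now:
        return None                              # issued for another SP, or expired
    # The e-mail claim is only an identity hint; it must map to a registered user.
    return DOMINO_USERS.get(claims.get("email", "").lower())
```

A token for an address that is not in the directory verifies cryptographically but still yields `None`, which is the behaviour the slide asks for instead of Default access.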
26.
Zero Trust – Domino
Traveler - No SAML or OIDC with autologin yet
• iPhone mail app
• Traveler app
• Allow registered devices only
• Set a complex internet password through a QR-code
• Add certificate based authentication
• Disable web-access to .nsf
27.
Zero Trust – Domino
• Assume OS will be compromised
• Implement client/ server .nsf encryption, DAOS encrypted by default
• Set server.id password
• Use read-only accounts where possible (i.e. LDAP bind)
28.
Zero Trust – Domino
• Close unused protocol/ services
• Have a default website for each web-enabled Domino server
• Lockdown default/ anonymous ACL
• Set maximum web access on your .nsf's
• Create IP traps for *.php, *.aspx, etc.
29.
Zero Trust – Domino
Mail
• Implement SPF, DKIM and DMARC
• Check your DMARC RUA reports
• Server mail-rules to block external mail from 'hrm@', Manager names, etc
• Use cloud-based spam filters like Mimecast - specialized/ quick reaction
• Train and exercise users on phishing
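For "Check your DMARC RUA reports", an added example (not Silverside's or HCL's code) that summarises a DMARC aggregate report in the RFC 7489 XML format per sending IP, so sources that fail both aligned SPF and aligned DKIM stand out from legitimate servers and from forwarders that only break SPF. The report, domain and addresses are constructed.

```python
# Added example (not HCL's or Silverside's code) for reading DMARC aggregate (RUA)
# reports: summarise per source IP and flag sources failing both SPF and DKIM.
import xml.etree.ElementTree as ET

# Constructed report: a legitimate source passing both checks, a source failing
# both while using the domain in From:, and a forwarder where only SPF breaks.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>acme.com</domain><p>quarantine</p></policy_published>
  <record>
    <row><source_ip>198.51.100.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>acme.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.77</source_ip><count>15</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>acme.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>192.0.2.5</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>acme.com</header_from></identifiers>
  </record>
</feedback>
"""

def summarise(report_xml):
    """Return (domain, policy, {source_ip: {"count", "dkim", "spf", "disposition"}})."""
    root = ET.fromstring(report_xml)
    domain = root.findtext("policy_published/domain")
    policy = root.findtext("policy_published/p")
    per_ip = {}
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        pe = rec.find("row/policy_evaluated")   # receiver's aligned DKIM/SPF verdicts
        per_ip[ip] = {
            "count": int(rec.findtext("row/count")),
            "dkim": pe.findtext("dkim"),
            "spf": pe.findtext("spf"),
            "disposition": pe.findtext("disposition"),
        }
    return domain, policy, per_ip

def suspicious_sources(per_ip):
    """Sources failing both aligned DKIM and aligned SPF: candidates for spoofing."""
    return sorted(ip for ip, r in per_ip.items() if r["dkim"] == "fail" and r["spf"] == "fail")
```

The forwarder (192.0.2.5) is not flagged because its DKIM signature still aligns, which is exactly why DKIM is needed alongside SPF before tightening the policy.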
30.
Zero Trust – Domino
• Enable NRPC port-encryption (client and server)
• Always use TLS for web, smtp, ldap, etc protocols
• Use read-only accounts where possible - i.e. LDAP bind
• Restrict which hosts can offer (relay) mail to Domino SMTP
• Close ports not needed
31.
Zero Trust – Domino
• Implement network segmentation; put servers, clients and guests in separate networks
• Send cluster traffic over a private network
• Enable a firewall on the Domino hosts/ LAN segments
• Close Domino ports not needed
• Setup reverse [authenticated] http-proxy before web-access
32.
Zero Trust – Domino
• Monitor domlog/ session logs - automatically check source IP/ country
• Build/ collect normal IP-range list
• Sync user status (enabled/ disabled/ removed) with AD/ Entra/ HRM
• Auto-disable accounts not active for x months
• Notes certificate renewal every 1-2 years, validate before renewal
• Enable traps on .php, .aspx, . . . requests and block source-ip
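For the monitoring points above and the IP-trap idea from the earlier slide, an added example (not Silverside's or HCL's code) that runs HTTP access-log lines in common log format, as a Domino domlog can record them, through a trap for non-Domino file types and a "normal IP-range" allowlist. The log lines, addresses and ranges are constructed.

```python
# Added example (not HCL's or Silverside's code): check a Domino HTTP access log
# (common log format) for probes of *.php/*.aspx and for sessions from outside
# the known-normal IP ranges, and list the sources to block.
import ipaddress
import re
from collections import Counter

# Paths a Domino server never serves; a request for them is a scanner probing
# for other technology and gives away the source address (the "IP trap").
TRAP_SUFFIXES = (".php", ".aspx", ".asp", ".jsp")
# Constructed "normal" ranges: office LAN and a partner VPN. Build yours from history.
NORMAL_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "198.51.100.0/24")]

# Common log format: host ident user [date] "METHOD path HTTP/x" status bytes
CLF = re.compile(r'^(\S+) \S+ ("[^"]*"|\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Constructed sample log lines (no real addresses or users).
SAMPLE_LOG = """\
10.20.30.40 - "CN=John Doe/O=Acme" [24/Apr/2024:09:01:02 +0200] "GET /names.nsf?OpenDatabase HTTP/1.1" 200 5120
203.0.113.9 - - [24/Apr/2024:09:01:07 +0200] "GET /wp-login.php HTTP/1.1" 404 210
203.0.113.9 - - [24/Apr/2024:09:01:08 +0200] "GET /admin.aspx HTTP/1.1" 404 210
198.51.100.17 - "CN=Jane Roe/O=Acme" [24/Apr/2024:09:02:30 +0200] "GET /mail/jroe.nsf HTTP/1.1" 200 8800
192.0.2.200 - "CN=Jane Roe/O=Acme" [24/Apr/2024:09:03:00 +0200] "GET /mail/jroe.nsf HTTP/1.1" 200 8800
"""

def parse_log(text):
    """Yield (ip, user, path, status) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = CLF.match(line)
        if m:
            ip, user, _date, _method, path, status = m.groups()
            yield ip, user.strip('"'), path, int(status)

def analyse(text):
    """Return {"trap_hits": Counter{ip: n}, "outside_normal": {ip: {users}}}."""
    trap_hits, outside = Counter(), {}
    for ip, user, path, _status in parse_log(text):
        bare = path.split("?", 1)[0].lower()        # drop Domino's ?Open... commands
        if bare.endswith(TRAP_SUFFIXES):
            trap_hits[ip] += 1
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in NORMAL_RANGES):
            # Authenticated sessions from unknown ranges deserve a human look.
            outside.setdefault(ip, set()).add(user)
    return {"trap_hits": trap_hits, "outside_normal": outside}

def block_candidates(result, threshold=2):
    """Sources that hit the trap at least `threshold` times: input for the firewall deny list."""
    return sorted(ip for ip, n in result["trap_hits"].items() if n >= threshold)
```

On the sample, the scanner at 203.0.113.9 is the only block candidate, while the authenticated session from 192.0.2.200 is surfaced for review rather than blocked.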
33.
Zero Trust – Domino
Covers a lot
There is no single check-box "Enable Zero Trust"
It is a process/ goal/ framework
Hire a professional
34.
Thank You!
WRAP-UP: ANY QUESTIONS?
Silverside B.V.
Rivium Quadrant 75-5 Capelle aan den IJssel The Netherlands
www.silverside.com
Gert van Kempen
Senior Consultant
g.vankempen@silverside.com
+31 6 22512674
Duco Bergsma
Senior Consultant
d.bergsma@silverside.com
+31 6 51087117