Ensure the security of your HCL environment by applying the Zero Trust principles

© Copyright & proprietary Silverside B.V.
Zero Trust on your HCL environment
24-04-2024 - - Antwerp

+250
CUSTOMERS
3
PLATFORMS
28
EMPLOYEES
25 years
COLLABORATION SPECIALIST
As a specialist in the best collaboration software (including
Microsoft 365, HCL Software and Zoho ONE), we ensure
that users can collaborate smarter and better in a secure
modern digital world.
We guide organizations to the right destination based on
our experience with more than 250 customers. In addition
to our professional knowledge, we believe in happiness at
work and pleasant cooperation. This enables us to achieve
measurable results that will positively surprise you.
Are you joining us?
2
Your dedicated guide
to happiness and success
in the digital world

Zero Trust in a nutshell
3

4

5
Why Zero Trust
versus
Never trust, always verify

Verify Explicitly
Always authenticate and
authorize based on all
available data points,
including user identity,
location, device health,
service or workload, data
classification, and anomalies.
6
3 Basic Principles

Least Privileged Access
7
3 Basic Principles
Limit user access with Just-
In-Time and Just-Enough
Access (JIT/JEA), risk-based
adaptive polices, and data
protection to protect both
data and productivity.

Minimize blast radius for
breaches and prevent lateral
movement by segmenting
access by network, user,
devices, and application
awareness. Verify all sessions
are encrypted end to end.
Use analytics to get visibility,
drive threat detection, and
improve defenses.
8
3 Basic Principles
Assume Breach

9
Technology Pillers

10
HCL Software and Zero Trust
HCL Connections with Zero Trust Identity
To see what the Zero Trust principles can do with HCL products we
have a few examples:
• HCL Connections with Zero Trust Identity
• Zero Trust Domino security

HCL Connections with Zero Trust
11

12
Implement a single user repository
Requirements:
• Microsoft Entra ID as main user repository
• Guest access should be supported
• Strong Authentication
Solution:
• Use SAML and OpenID Connect (OIDC) for federation with Microsoft Entra ID
• This does not remove the need for an LDAP repository

13
LDAP repository
Possible options:
• Local Active Directory synchronized with Entra ID Connect
• Use Microsoft Entra ID Domain Services
• An alternative LDAP server that is synchronized with Entra ID
• All users, including guests should be managed within
Active Directory or a different LDAP repository
• A relatively expensive and complex option (starts at 110
euro per month and can go to up +1000 euro)
• Provisioning to an LDAP target is included with Entra ID
Premium P1 and can be combined with OpenLDAP.

14
Entra ID LDAP provisioning
The agent runs on an on-premises server and only requires outbound connectivity
Entra ID Provision Service
Microsoft ECMA
Connector Agent
User Data User Data

15
OpenLDAP Server
1. Configure an OpenLDAP server
2. Setup the LDAP repository on WebSphere
3. Setup the SDI synchronization
TIP: Use different OUs for internal and external account
IBM WebSphere Application Server
IBM DB2
IBM Security Directory Integrator
OpenLDAP

16
Setup the provisioning
Create 2 new Enterprise Applications in Entra ID
• Internal Users
• External Users

17
Attribute Mapping
Make sure that at least the following attributes are configured:
• distinguishedname
• displayName
• givenName
• sn
• uid
• mail

18
Install and configure the provision agent

19
The result

20
Enable OIDC single sign-on
When you now enable OIDC single sign-on
all users will get the Microsoft login pages.
As a result, all security options from Entra ID
will be in place. Including MFA

Zero Trust and HCL Domino
21

22
Zero Trust and HCL Domino
Zero Trust – Domino

23
• Login handed over to a standardized "Identity Provider" (IdP); Windows ADFS, MS 365 EntraID, JumpCloud, etc
• It's not a Microsoft proprietary lock-in thing; SAML/ OIDC are std. protocols - there are many IdP providers
• An IdP specializes in secure authentication; user/ pwd, MFA, biometrics, region, trusted sites/ devices
• Single login, used for multiple applications; Notes, Nomad Web, Verse, SameTime, Zoho CRM, etc - Not a synced password!
• Optionally automated login to IdP from trusted device/ network/ Windows account
• Reduce login, prevents multiple login prompts, different passwords and user confusion

24
• The IdP tells Domino that the user is "john.doe@acme.com", through a signed certificate
• Domino validates the signature
• Links user e-mail 'claim' to a Domino user
• User is authenticated
• Extracts id-file from id-vault, kept in RAM
Service Providers (SP)
• Notes client
• Verse mail
• Sametime
• Nomad Web . . .

25
IdP does the authentication, but Notes/ Domino still need to be secure!
• User authenticated by IdP but unknown in Domino, ends up with Default access rights
• Restrict server-access to group or */Org, all users in Address book
• Maintain Deny Access group(s); sync account status from AD/ Entra, detect inactive users in userlicenses.nsf
• Enforce server access settings for all protocols
• Disable Anonymous access (uses 'Default' if not explicitly disabled/ set)
• Notes certificates 1-2 years
• Enable Check public keys
• Enable Internet Lockout
• Set Vaulted IDs Notes to complex passwords, Remove ID-files from person docs
• Vault extract disable by username/ password
• Set a password on server.id
• Remove cert.id/ admin.id from Domino data-folder
• . . .

26
Traveler - No SAML or OIDC with autologin yet
• iPhone mail app
• Traveler app
• Allow registered devices only
• Set a complex internet password trough a QR-code
• Add certificate based authentication
• Disable web-access to .nsf

27
• Assume OS will be compromised
• Implement client/ server .nsf encryption, DAOS encrypted by default
• Set server.id password
• Use read-only accounts where possible (ie ldap bind)

28
• Close unused protocol/ services
• Have a default website for each web-enabled Domino server
• Lockdown default/ anonymous ACL
• Set maximum web access on your .nsf's
• Create ip traps for *.php, *.aspx, etc

29
Mail
• Implement SPF and DKIM, DMARC
• Check your DMARC RUA reports
• Server mail-rules to block external mail from 'hrm@', Manager names, etc
• Use cloud-based spam filters like Mimecast - specialized/ quick reaction
• Train and exercise users on phishing

30
• Enable NRPC port-encryption (client and server)
• Always use TLS for web, smtp, ldap, etc protocols
• Use read-only accounts where possible - ie LDAP bind
• Restrict which hosts can offer (relay) mail to Domino SMTP
• Close ports not needed

31
• Implement network segmentation; put servers, clients and guests in separate networks
• Send cluster traffic over a private network
• Enable firewall on Domino' host/ LAN segments
• Close Domino ports not needed
• Setup reverse [authenticated] http-proxy before web-access

32
• Monitor domlog/ session logs - automatically check source IP/ country
• Build/ collect normal IP-range list
• Sync user status (enabled/ disabled/ removed) with AD/ Entra/ HRM
• Auto-disable accounts not active for x months
• Notes certificate renewal every 1-2 year, validate before renewal
• Enable traps on .php, .aspx, . . . requests and block source-ip

33
Covers a lot
There is no single check-box "Enable Zero Trust"
It is a process/ goal/ framework
Hire a professional

Thank You!
34
WRAP-UP: ANY QUESTIONS?
Silverside B.V.
Rivium Quadrant 75-5 Capelle aan den IJssel The Netherlands
www.silverside.com
Gert van Kempen
Senior Consultant
g.vankempen@silverside.com
+31 6 22512674
Duco Bergsma
Senior Consultant
d.bergsma@silverside.com
+31 6 51087117

Ensure the security of your HCL environment by applying the Zero Trust principles

Recommended

Recommended

More Related Content

Similar to Ensure the security of your HCL environment by applying the Zero Trust principles

Similar to Ensure the security of your HCL environment by applying the Zero Trust principles (20)

More from Roland Driesen

More from Roland Driesen (20)

Recently uploaded

Recently uploaded (20)

Ensure the security of your HCL environment by applying the Zero Trust principles