In this session, which has been presented after the Connect also at Rheinland Nachlese, Engage by BLUG and BCCon, we took you on the quest of strengthening the security while cutting costs for administration. Daily administration of the IBM Domino environment can be manual, tedious and cost-intensive. Mismanagement can also pose significant security issues and can also result in legal ramifications. Whether you need to cut costs in administration, save time spent on routine tasks, or make your audit team happy, there is help available. Specialized in administration automation and security solutions, BCC has gained an unique insight in various Notes/Domino enviroments of more than 800 customers worldwide. In this session we will share the best practices on how to streamline IBM Notes and Domino administration, enhance system and process security, and ensure compliance with legal regulations. * Automate the user, group, and app administration processes to reduce manual tasks and avoid human errors * Implement strict compliance with corporate administration standards and reduce administration costs * Prevent fraud / malicious actions from inside your company and ensure compliance with legal regulations

1. SPOT114 : No Compromise
on Compliance: Streamline
Administration, Save Time
and Money
Olaf Boerner, BCC
© 2014 IBM Corporation

2. Agenda
 Introduction
 Requirements for todays IBM Domino® infrastructure
 How to streamline Administration
 How to ensure Compliance
 Question Time

3. About us
 BCC, an IBM Business Partner since 1996
 Solution provider for secure and cost-efficient management of
IBM Collaboration Infrastructure
 Develops software products, provides consulting and
implementation services
 800 companies with more than 3 million users trust BCC
solutions

4. About me
 Administrator / Developer since 1994
 Founded BCC in 1996
 Working as senior architect with large
enterprise customers
–reducing Total cost of Ownership of IBM Notes and Domino®
–securing and optimizing Domino infrastructures
 IBM Champion
 Twitter: @OlafBoerner

5. Current situation for
Domino Infrastructure
5

6. Current situation for Domino infrastructures
Compliance
is a major
issue
The cost
pressure in
IT has grown
enormously
Hands-on
admin skills
are required
The delivery
model or
platform is
under
question
6

7. The cost pressure in IT has grown enormously
The demands in
the IT are growing
and assurance of
safe operations to
make powerful and
efficient systems is
their prime goal
7
More than 80% of
the IT companies
are under
enormous
increasing cost
pressures

8. Compliance Requirements
 Sarbanes Oxley (SOX) - related to investments and securities
 FINRA - related to investments and financial advisors
 HIPAA - related to the protection and privacy of health information
–Any company that deals with protected health information (PHI) must
ensure that all the required
• physical,
• network, and
• process security measures
–are in place and followed.

9. The cost of not being compliant
 Brand Damage
 Non-Compliance Fines
 Litigation Expenses
Examples
 $1.45 billion judgment against Morgan Stanley for being unable to
produce reliable emails in the course of fraud litigation
 $2.5 million fine against Merrill Lynch for failing to promptly produce
emails over a period of 17 months

10. Objectives for todays social business infrastructure
Streamline / TCO
Security / Compliance

11. How to handle these
conflicts of objectives ?
11

12. How to handle these conflicts of objectives ?
 How can you ensure compliance,
 Enhance security and
 Reduce total cost of ownership?
 QUESTIONS:
–Compliance and security are really expensive ?
–Trade off ?
 Let’s discuss this at current example: NSA and Snowden
12

13. NSA Security ...
 Why did they have a Security Leak ?
–“The scariest threat is the systems administrator,”
–“The system administrator has godlike access to systems they
manage.”
• Eric Chiu Hytrust , Security Advisor
http://www.nytimes.com/2013/06/24/technology/nsa-leak-puts-focus-onsystem-administrators.html?_r=0

14. Lessons learned: How will NSA increase security ?
 Additional monitoring systems
 “a two-man rule” that would limit the ability of each of its 1,000 root
system admins to gain unfettered access to the entire system
 Two–man rule is easy to implement !!!
 Automation

15. Why Automation increases security
 NSA to Axe 90 Percent of System Administrators, Adopt Automation Instead
– “What we’re in the process of doing – not fast enough – is reducing our
system administrators by about 90 percent,” Keith Alexander, NSA
– „doing things that machines are probably better at doing.“
 1000 * 90% = 900 of its root system admins
http://www.washingtonpost.com/blogs/federal-eye/wp/2013/08/13/nsa-to-cut-90percent-of-systems-administrators/
http://www.dailytech.com/NSA+to+Axe+90+Percent+of+System+Administrators+Ad
opt+Automation+Instead/article33145.htm

16. Summary: Why Automation increases security
 „doing things that machines are probably better at doing.“ (Keith
Alexander)
 decrease required access rights
 provide system log trails
 TCO reduction is included for free! (currently) not important for NSA ;-)
17

17. Automation is key !
Security
Reduce
TCO
Compliance
Automation

18. That’s the reason for BCC’s mission statement

19. Case Study - Global bank
20

20. Case Study - Global bank
Reduce Cost
by 50%
21
Ensure new
compliance
req.
Project

21. Initial Situation: Domino Administration
Lot of
development
efforts
Manual
monitoring
Highly skilled
administrators
required
High access
rights
required
Frequency of
human errors
can be high
Using
“internal”
Tools
Domino
Administrator
Client
Compliance
issue

22. Case Study– Global Bank
 Simplified System Administration
– Standardized technical procedures
– Leveraging latest Domino TCO Improvements
 Automation with Web-based Self-Service Application
– User and group management
– Team rooms
– Mail-In databases
 Enhanced Compliance and Security Check
– Server Based Compliance check and Audit Trial
– Additional security layer beyond ACL with 3rd party tool
 Result:
– Reduction of management costs by 50%
– Return on Investment in 8 Months

23. How did we achieve this?
24

24. How did we achieve this?
Streamline Administration
• Organize (Helpdesk, Self-Service)
• Standardize (technical procedures &
infrastructure)
• Automate with BCC AdminSuite
Ensure compliance
• Define security settings
• Ensure with additional security product
DominoProtect
25

25. Three Steps to streamline Administration
• Delegate the tasks
to Helpdesk, HR
…
• Provide SelfService Request
1.Organize
2.Standardize
• Convert admin tasks to an
IT Process
• A detailed checklist for
every task
• “simple” standard system
environment running the
most current IBM Domino
release
• Processing checklists
by rules, profiles and
backend server tasks
• Ensuring Compliance
by having a central log
database to
automatically record all
actions
• Reduce access rights!
3.Automate

26. Streamlined IT Process examples

27. Standardized IT Process ‘New Employee‘
Request
Workflow
(optional)

28. Standardized IT Process ‘New Employee‘
Expected rule based UserID
Request
Workflow
(optional)
Creation of Person document in DominoDirectory
Group entries corresponding to the
user are set in the profile
Mail file replica including cluster created
Password calculated and distributed via
Mail / print or fax / SMS
Data directory of the user created
Basic settings is stored in ID, Address Book, Workspace
User gets links, necessary applications
on the Workspace / Bookmarks

29. Standardized IT Process ‘New Employee‘
Request
Workflow
(optional)
Send confirmation mail to
requestor
Send information mail to
business owner
Create Billing entry in billing database
Create Reporting entry
Send welcome mail to
new user

30. Live demo

31. Standardized IT Process ‘New Application‘
NSF file is based on the specifications
of template creation
Request
Workflow
(optional)
ACL group (s) in the Domino Directory, are created with
all entries
ACL group (s) in the ACL of the
Database created are corresponding
To the registered rights
Email is sent to requestor on success,
And error is notified to Admin
User gets links to necessary
applications on the
Workspace / Bookmarks
Mobile users get local replica automatically

32. What makes AdminSuite so valuable for your organization?
Delegate to
Helpdesk or
Self-Service
Ensure
proper
execution
Reduce
Access
Rights
Accelerate
request & no
manual effort

33. Ensure Compliance
with additional security product
DominoProtect
34

34. How we achieve this?
Streamline Administration
• Organize (Helpdesk, Self Service)
• Standardize (technical procedures)
• Automate with BCC AdminSuite
Ensure compliance
• Define security settings
• Automate with additional security
product BCC DominoProtect
35

35. Define security settings:
Three key elements to IBM Domino Server Security
Server ID
Database
Access
Document
Access &
Change

36. What does DominoProtect do ?
Provide an additional
security layer
Add security at
document field level
• beyond ACL and
document access rights
• Manager, Designer or
Editors are not allowed to
perform changes
• Provide different security
settings for single fields in
a document
• Manager, Designer or
Editors are not allowed to
change defined fields

37. What does DominoProtect do ?
Detailed monitoring and
tracking at real time
• Track access
• Track modifications at
field level
• Old entry
• new entry
Prevent changes at real time
• Control Domino access
rights -> even Manager
can not change
• Track blocked changes

38. What does DominoProtect technically?
Protect Server ID
with passwords
• Assign random
password to server
ID
• Provide password
at startup
• Automatic restart
possible
Protect ACL
• Prevent ACL
Change
• Track ACL
Changes
Protect Notes
document beyond
ACL settings
• Track access to
document
• Track modification
• Prevent opening,
modification or
deletion
• Check and control
field level changes

39. How do we achieve this: Security Settings Examples
Secure your ID Vault Server with DominoProtect

40. Secure your ID Vault Server
1. Step: Password protected server ID file

41. Why secure your server ID ? Protect ID Vault !
 IBM Recommendation: Securing the server ID file
–‘We understand that most Domino servers are not password-protected
to make unattended reboots simpler, but the vault server's ID file is a
key element in the security of your ID vault.‘
–‘..a sophisticated attacker with a vault database and one of the
corresponding server Ids ... would have all of the cryptographic
information needed to masquerade as the vault server and decrypt all
of the ID files stored in the vault‘.
 http://www-10.lotus.com/ldd/dominowiki.nsf/dx/securing-your-notes-idvault-server

42. Secure your ID Vault Server
2. Step Secure your ID Vault ACL
Everyone with role Auditor and
Admin client is able to download ID
Files from ID Vault
How to Change ACL
•
•
Full Access Admins might be able to do this
Server based script agents
Preventing unwanted changes in ID
Vault ACL is mandatory

43. Secure your ID Vault Server
3. Step: Protect Configuration in Domino Directory
 Main Goal: Reduce Access Rights to ID Vault Database and ensure these settings
 Server Document:
– Protect Field: Full access administrators
– Protect optional Fields: “Programmability Restrictions“
– DominoProtect will
• Block every change in these defined fields.
• All other fields can be changed
 Protect ACL Groups providing Access to ID Vault :
– Prevent Modification of all ACL Groups related to ID Vault
– DominoProtect will
• Block every change in these defined Group Documents
• All other groups can be changed
44

44. Secure your ID Vault Server
4. Step: Control security log entries in log.nsf
 Main Goal: Reduce Access Rights to log.nsf and prevent deletion or
modification of Security Event log entries
 Log.nsf
–ACL: Protect Changes in log.nsf
–Log “Security Events”
• Protect Changes in Documents “Security Events”
• Optional Restrict access to “Security Events”
 DominoDirectory
–Protect ACL Groups providing Access to log.nsf
–Protect Full Access Admin Field
45

45. Live demo

46. What makes DominoProtect so valuable for your
organization ?
Real-time
on server
level
Different
access at
field level
No template
modification

47. Benefits for end users/employees
 Personal increase in productivity
by faster service
 Better service quality
by lesser mistakes
 Self-service possibility
‘I can help myself‘

48. Benefits for Admin/IT department
 Simplification in administration
 Concentration on mission-critical projects
and strategic measures
 Reduction on the variety of tools and
scripts
 No requirement of customized training

49. Benefits for administrators
 Prevents unauthorized modification of
server configuration
 Enhances process reliability through
request-based
change management with approval cycles
 Provides full control and automated
documentation of all configuration changes
 Recovery function for configuration
documents in case of mistakes or
configuration errors
 Alerts in case of defined protection violation

50. Benefits for Management
 Cost-efficient
–Reduces the notes infrastructure
administration cost by 70%
–Service transparency
 Minimizes risks
–Ensure compliance
–Reliable information about
unauthorized access or
modification attempts
 Increases the employee productivity

52. Question time …
BCC
Olaf Boerner
Olaf_Boerner@bcc.biz

53.  Access Connect Online to complete your session surveys using any:
– Web or mobile browser
– Connect Online kiosk onsite
54

54. Acknowledgements and Disclaimers
Availability. References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates.
The workshops, sessions and materials have been prepared by IBM or the session speakers and reflect their own views. They are provided for informational purposes only, and are neither
intended to, nor shall have the effect of being, legal or other guidance or advice to any participant. While efforts were made to verify the completeness and accuracy of the information
contained in this presentation, it is provided AS-IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise
related to, this presentation or any other materials. Nothing contained in this presentation is intended to, nor shall have the effect of, creating any warranties or representations from IBM or
its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.
All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and
performance characteristics may vary by customer. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you
will result in any specific sales, revenue growth or other results.
© Copyright IBM Corporation 2014. All rights reserved.
 U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
 IBM, the IBM logo, ibm.com, IBM Lotus and IBM Notes and Domino are trademarks or registered trademarks of International Business Machines Corporation in the United States, other
countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S.
registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A
current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml
 All BCC product names are registered trademarks of BCC.
 Other company, product, or service names may be trademarks or service marks of others.
55