Security Directions - Release 6 and beyond
SearchDomino.com Webcast
Patricia Booth
Security and Directory Product Management
9/25/02

Agenda
• Market Trends
• New Security Features in 6.0
  • Crypto update
  • User Security Dialog
  • On-line Certificate Authority
  • Password Management
  • Execution Control List enhancements
  • Smart Cards
  • Off-server access by agents
  • "Full Admin" access for clientless servers
  • Browser access to encrypted mail
• ...and beyond

IDC WW Market Security Opportunity
[Two pie charts of security market share by segment]
• First chart: Encryption 4.0%, Firewall 14.0%, Antivirus 27.0%, Authentication and A 55.0%
• Second chart: Encryption 3.0%, Firewall 10.9%, Antivirus 19.8%, Authentication and A 66.3%
• WW security software market $5.1B (2000) to $14.2B (2005)
• Computer security in 2002 will shift away from perimeter defense in favor of internal access control and authentication management

Security Market Trends
Source: CERT
Reports of security software holes more than doubled from 2000-2001 to 2400

| | 2000 | 2001 | Percentage |
|---|---|---|---|
| Security Incidents | 21,756 | 52,658 | 59% |
| Security Vulnerabilities | 1,090 | 2,437 | 66% |
| Security Alerts (Most serious) | 26 | 41 | 37% |

Cost of Security breaches
• Estimates cost of security related downtime to U.S. business in past 12 months at $273B, WW $1.39T
• 12% (down from 17% last year) indicate their companies suffered a total of >24 hours of system downtime in the past year
• 11% said companies spent >$1M on security software, hardware, and other expenses; another 22% will spend $100,000 to $1M
Information Week Research 4th Annual Global Information Security Survey (PWC)

Crypto Update
• Large key support for Notes protocols
  • 128-bit RC4 for Notes port encryption
  • 128-bit RC2 for local database encryption
  • Underlying changes for 1024-bit RSA keys (will allow backward compatibility)
• S/MIMEv3 capabilities
• PKIX support in CA
• Post-6.0
  • Full support for 1024-bit RSA keys
  • 128-bit RC2 support for bulk encryption keys and named encryption keys

New in Release 6

User Security Dialog

Change Password Dialogs

Local Database Encryption by Default

Email Encryption / Signing

Domino 6 Certification Authority
• Better security
  • Administrators don't need certifier ID files & passwords
  • Certifiers can be password-protected on server, either individually or as a group
  • Tamper-resistant auditing of all activity
• CA Process server task
  • Signs certificates when requested via admin4
  • Maintains list of administrators who can approve certificate requests (RAs)
  • Manage both Notes and Internet (X.509) certificates
  • Publishes CRLs for Internet certificates and supports CDP
  • Better support for X.509 extensions

Internet Password Management

Execution Control List Enhancements
• Central Administration
• Logging of overrides
• Better descriptions of what applications are doing
• Intersection of rights using nested scripts

What's an Execution Control List?

Information on source of ESAs

Central Administration of User ECLs

Smart Card Support
• Smart Card enabled ID file
• PIN Prompt replaces password prompt
• Smart Card disables itself after 3 wrong guesses
• Internet (S/MIME) RSA key pushed onto card
• If Card lost or destroyed, ID file must be recovered from backup

Agent Security - R5
• Agents run with the rights of their signer
  • Allows unprivileged agents on servers
  • "Out of office" agent
  • Special privileged signers
• Can only access databases local to server where agent is running
  • Server can only authenticate as itself to another server

Agent Security - New
• Server can sign agent "On Behalf of" user
  • Enable out of office agent via the web
• Agent can open off-server databases
  • ...if its server is privileged on the remote server
• Unrestricted agent can choose to bypass ACLs locally

Agent Security - Futures
• Agent should run with intersection of rights of its modifiers
  • Joe wrote the agent
  • Alice enabled the agent
  • The agent runs on server BigIron/dotcom
• If all three are on the database ACL, access is allowed
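
The intersection-of-rights idea on this slide, as an added Python sketch (not Domino code and not from the webcast). It goes beyond the slide's "all three on the ACL" rule by taking the lowest access level among author, enabler and server; that generalization, the function names, and the rule that an unlisted principal gets no access are assumptions.

```python
from enum import IntEnum

class Access(IntEnum):
    """Domino ACL levels, lowest to highest."""
    NO_ACCESS = 0
    DEPOSITOR = 1
    READER = 2
    AUTHOR = 3
    EDITOR = 4
    DESIGNER = 5
    MANAGER = 6

def level_of(acl, principal):
    # Assumption: a principal with no ACL entry gets no access
    # (no -Default- entry or group expansion is modelled).
    return acl.get(principal, Access.NO_ACCESS)

def signer_only(acl, signer):
    """R5 model: the agent runs with the rights of its signer alone."""
    return level_of(acl, signer)

def intersected(acl, modifiers):
    """Futures model: the weakest modifier bounds the agent.
    Returns (effective level, role of the modifier that limits it)."""
    role, name = min(modifiers.items(), key=lambda kv: level_of(acl, kv[1]))
    return level_of(acl, name), role

def agent_allowed(acl, modifiers, needed):
    """True only if every modifier holds at least the needed level."""
    level, _ = intersected(acl, modifiers)
    return level >= needed

# Constructed sample data using the names on the slide.
MODIFIERS = {"author": "Joe", "enabler": "Alice", "server": "BigIron/dotcom"}
ACL_ALL_LISTED = {"Joe": Access.DESIGNER, "Alice": Access.EDITOR,
                  "BigIron/dotcom": Access.MANAGER}
ACL_ALICE_MISSING = {"Joe": Access.DESIGNER, "BigIron/dotcom": Access.MANAGER}

if __name__ == "__main__":
    for label, acl in (("all listed", ACL_ALL_LISTED),
                       ("Alice missing", ACL_ALICE_MISSING)):
        level, role = intersected(acl, MODIFIERS)
        print(f"{label}: signer-only={signer_only(acl, 'Joe').name}, "
              f"intersected={level.name} (limited by {role})")
```

Reporting which role limits the result is what an administrator would want in an audit log when an agent is refused.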

Full Administrator Access
• Suppose no managers listed on ACL of database
• Old solution
  • Run Notes client locally on server platform
• Current solution
  • Copy database as a file to machine supporting Notes client
  • Fix the ACL
  • Copy database as a file back to server
• 6.0 solution: Full Administrator Access to server can bypass all ACLs

Roaming User Support
• Permits use of Notes Client by downloading ID file from server
• Server never learns the user's password
• Eavesdropper cannot test guesses of user's password
• Separate expensive interaction with server for each password guessed

Looking Forward...
• Configuration options for better CA security
• Smart card integration with more environments
• Common PKI for Notes and Internet
• Ease of administration & auditing
  • Common configuration for users and servers
• Intersection of rights
  • Agents
  • Active Content - Change History
• Managing Active Content on the Web

Q & A