security directions - release 6 and beyond
DESCRIPTION
Security Directions - Release 6 and beyond. SearchDomino.com Webcast Patricia Booth Security and Directory Product Management 9/25/02. Market Trends New Security Features in 6.0 Crypto update User Security Dialog On-line Certificate Authority Password Management - PowerPoint PPT PresentationTRANSCRIPT
Security Directions - Release 6 and beyond
SearchDomino.com WebcastPatricia BoothSecurity and Directory Product Management9/25/02
Agenda Market Trends New Security Features in 6.0
Crypto update User Security Dialog On-line Certificate Authority Password Management Execution Control List enhancements Smart Cards Off-server access by agents "Full Admin" access for clientless servers Browser access to encrypted mail
...and beyond
Encryption 4.0%
Firewall14.0%
Antivirus 27.0%
Authentication and A
55.0%
Encryption3.0%
Firewall10.9%
Antivirus19.8%
Authentication and A
66.3%
IDC WW Market Security Opportunity
WW security software market $5.1B (2000) to $14.2B (2005)
Computer security in 2002 will shift away from perimeter defense in favor of internal access control and authentication management
Security Market Trends
Source: CERT
Reports of Security Software holes more than doubledfrom 200-2001 to 2400
2000 2001 Percentage
Security Incidents
21,756 52,658 59%
Security Vulnerabilities
1,090 2,437 66%
Security Alerts(Most serious)
26 41 37%
Estimates cost of security related downtime to U.S. business in past 12 months at $273B, WW $1.39T
12% (down from 17% last year) indicate their companies suffered a total of >24 hours of system downtime in the past year
11% said companies spent >$1M on security software, hardware, and other expenses; another 22% will spend $100,000 to $1M
Information Week Research 4th Annual Global Information Security Survey, (PWC)
Cost of Security breaches
Crypto Update Large key support for Notes protocols
128-bit RC4 for Notes port encryption 128-bit RC2 for local database encryption Underlying changes for 1024-bit RSA keys (will allow
backward compatibility) S/MIMEv3 capabilities PKIX support in CA Post-6.0
Full support for 1024-bit RSA keys 128-bit RC2 support for bulk encryption keys and named
encryption keys
New in Release 6
User Security Dialog
Change Password Dialogs
Local Database Encryption by Default
Email Encryption / Signing
Domino 6 Certification Authority Better security
Administrators don't need certifier ID files & passwords Certifiers can be password- protected on server, either individually or as a group Tamper-resistant auditing of all activity
CA Process server task Signs certificates when requested via admin4 Maintains list of administrators who can approve certificate requests
(RAs) Manage both Notes and Internet (X.509) certificates Publishes CRLs for Internet certificates and supports CDP Better support for x.509 extensions
Internet Password Management
Execution Control List Enhancements Central Administration Logging of overrides Better descriptions of what applications are doing Intersection of rights using nested scripts
What's an Execution Control List?
Information on source of ESAs
Central Administration of User ECLs
Smart Card Support Smart Card enabled ID file PIN Prompt replaces password prompt Smart Card disables itself after 3 wrong guesses Internet (S/MIME) RSA key pushed onto card If Card lost or destroyed, ID file must be recovered
from backup
Agent Security - R5 Agents run with the rights of their signer
Allows unprivileged agents on servers "Out of office" agent Special privileged signers
Can only access databases local to server where agent is running
Server can only authenticate as itself to another server
Agent Security - New Server can sign agent "On Behalf of" user
Enable out of office agent via the web Agent can open off-server databases
...if its server is privileged on the remote server Unrestricted agent can choose to bypass ACLs locally
Agent Security - Futures Agent should run with intersection of rights of its
modifiers Joe wrote the agent Alice enabled the agent The agent runs on server BigIron/dotcom
If all three are on the database ACL, access is allowed
Full Administrator Access Suppose no managers listed on ACL of database Old solution
Run Notes client locally on server platform Current solution
Copy database as a file to machine supporting Notes client Fix the ACL Copy database as a file back to server
6.0 solution: Full Administrator Access to server can bypass all ACLs
Roaming User Support Permits use of Notes Client by downloading ID file from
server Server never learns the user's password Eavesdropper cannot test guesses of user's password Separate expensive interaction with server for each password
guessed
Looking Forward... Configuration options for better CA security Smart card integration with more environments Common PKI for Notes and Internet Ease of administration & auditing
Common configuration for users and servers Intersection of rights
Agents Active Content - Change History
Managing Active Content on the Web
•Submit your questions now by clicking on the “Ask A Question” button in the bottom left corner of your presentation screen.
Q & A