
Security Directions - Release 6 and beyond


Presentation Transcript


  1. Security Directions - Release 6 and beyond SearchDomino.com Webcast Patricia Booth Security and Directory Product Management 9/25/02

  2. Agenda
     • Market Trends
     • New Security Features in 6.0
     • Crypto update
     • User Security Dialog
     • On-line Certificate Authority
     • Password Management
     • Execution Control List enhancements
     • Smart Cards
     • Off-server access by agents
     • "Full Admin" access for clientless servers
     • Browser access to encrypted mail
     • ...and beyond

  3. IDC WW Market Security Opportunity
     • WW security software market: $5.1B (2000) growing to $14.2B (2005)
     • Computer security in 2002 will shift away from perimeter defense in favor of internal access control and authentication management

  4. Security Market Trends
     • Reports of security software holes more than doubled from 2000 to 2001, to 2400 (source: CERT)

  5. Cost of Security Breaches
     • Estimated cost of security-related downtime to U.S. business in the past 12 months: $273B (WW $1.39T)
     • 12% (down from 17% last year) indicate their companies suffered a total of >24 hours of system downtime in the past year
     • 11% said their companies spent >$1M on security software, hardware, and other expenses; another 22% will spend $100,000 to $1M
     Source: Information Week Research 4th Annual Global Information Security Survey (PWC)

  6. Crypto Update
     • Large key support for Notes protocols
     • 128-bit RC4 for Notes port encryption
     • 128-bit RC2 for local database encryption
     • Underlying changes for 1024-bit RSA keys (will allow backward compatibility)
     • S/MIMEv3 capabilities
     • PKIX support in CA
     Post-6.0
     • Full support for 1024-bit RSA keys
     • 128-bit RC2 support for bulk encryption keys and named encryption keys

  7. New in Release 6

  8. User Security Dialog

  9. Change Password Dialogs

  10. Local Database Encryption by Default

  11. Email Encryption / Signing

  12. Domino 6 Certification Authority
     Better security
     • Administrators don't need certifier ID files & passwords
     • Certifiers can be password-protected on server, either individually or as a group
     • Tamper-resistant auditing of all activity
     CA Process server task
     • Signs certificates when requested via admin4
     • Maintains list of administrators who can approve certificate requests (RAs)
     • Manages both Notes and Internet (X.509) certificates
     • Publishes CRLs for Internet certificates and supports CDP
     • Better support for X.509 extensions

  13. Internet Password Management

  14. Execution Control List Enhancements
     • Central Administration
     • Logging of overrides
     • Better descriptions of what applications are doing
     • Intersection of rights using nested scripts

  15. What's an Execution Control List?

  16. Information on source of ESAs

  17. Central Administration of User ECLs

  18. Smart Card Support
     • Smart Card enabled ID file
     • PIN prompt replaces password prompt
     • Smart Card disables itself after 3 wrong guesses
     • Internet (S/MIME) RSA key pushed onto card
     • If card is lost or destroyed, ID file must be recovered from backup

  19. Agent Security - R5
     • Agents run with the rights of their signer
     • Allows unprivileged agents on servers
     • "Out of office" agent
     • Special privileged signers
     • Can only access databases local to the server where the agent is running
     • Server can only authenticate as itself to another server

  20. Agent Security - New
     • Server can sign agent "On Behalf of" user
     • Enable out of office agent via the web
     • Agent can open off-server databases
     • ...if its server is privileged on the remote server
     • Unrestricted agent can choose to bypass ACLs locally

  21. Agent Security - Futures
     • Agent should run with the intersection of rights of its modifiers
     • Joe wrote the agent
     • Alice enabled the agent
     • The agent runs on server BigIron/dotcom
     • If all three are on the database ACL, access is allowed
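The three agent-rights models on slides 19 to 21 (R5: the signer's rights; 6.0: signing "on behalf of" the enabling user; Futures: the intersection of the rights of everyone who shaped the agent) compared in one small model. This is an added illustration, not Lotus/Domino code; the ACL contents, the names (Joe, Alice, BigIron/dotcom, Mallory) and the helper names are constructed for the example.

```python
"""Effective access of a Notes agent under the R5, 6.0 and 'Futures' models."""
from typing import Dict, Iterable

# Standard Notes ACL access levels, ordered from weakest to strongest.
ACL_LEVELS = ["No Access", "Depositor", "Reader", "Author",
              "Editor", "Designer", "Manager"]
RANK = {level: i for i, level in enumerate(ACL_LEVELS)}


def level_for(acl: Dict[str, str], principal: str) -> str:
    """A principal's level; the -Default- entry applies when it is not listed."""
    return acl.get(principal, acl.get("-Default-", "No Access"))


def intersect_rights(acl: Dict[str, str], principals: Iterable[str]) -> str:
    """'Futures' rule: the effective level is the weakest level held by any of the
    principals that shaped the agent, so a high-privilege signer cannot lend rights
    to a low-privilege enabler and a server never exceeds its own ACL entry."""
    levels = [level_for(acl, p) for p in principals]
    return min(levels, key=RANK.__getitem__) if levels else "No Access"


def effective_access(acl: Dict[str, str], signer: str, enabler: str,
                     server: str, model: str) -> str:
    """Level the agent runs with, given who wrote it, enabled it and runs it."""
    if model == "r5":            # slide 19: agents run with the rights of their signer
        return level_for(acl, signer)
    if model == "on_behalf":     # slide 20: server signs the agent on behalf of the user
        return level_for(acl, enabler)
    if model == "intersection":  # slide 21: intersection of rights of all modifiers
        return intersect_rights(acl, [signer, enabler, server])
    raise ValueError(f"unknown model: {model}")


# Constructed sample ACL (hypothetical values, not from the slides).
SAMPLE_ACL = {
    "Joe": "Manager",            # wrote the agent
    "Alice": "Author",           # enabled the agent
    "BigIron/dotcom": "Editor",  # server running the agent
    "-Default-": "No Access",
}

if __name__ == "__main__":
    for model in ("r5", "on_behalf", "intersection"):
        print(model, effective_access(SAMPLE_ACL, "Joe", "Alice", "BigIron/dotcom", model))
```

With Mallory (not in the ACL) as the enabler, the R5 model still runs the agent as Manager because Joe signed it, while the intersection model yields No Access.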

  22. Full Administrator Access
     • Suppose no managers are listed on the ACL of a database
     • Old solution: run the Notes client locally on the server platform
     • Current solution: copy the database as a file to a machine supporting the Notes client, fix the ACL, then copy the database as a file back to the server
     • 6.0 solution: Full Administrator Access to the server can bypass all ACLs

  23. Roaming User Support
     • Permits use of the Notes client by downloading the ID file from the server
     • Server never learns the user's password
     • Eavesdropper cannot test guesses of the user's password
     • Separate expensive interaction with the server for each password guessed

  24. Looking Forward...
     • Configuration options for better CA security
     • Smart card integration with more environments
     • Common PKI for Notes and Internet
     • Ease of administration & auditing
     • Common configuration for users and servers
     • Intersection of rights
     • Agents
     • Active Content - Change History
     • Managing Active Content on the Web

  25. Q & A • Submit your questions now by clicking on the “Ask A Question” button in the bottom left corner of your presentation screen.
