Ensure the security of your HCL environment by applying the Zero Trust principles

RolandDriesen 179 views 34 slides Apr 29, 2024

About This Presentation

Covid has drastically changed the way people work. Nowadays, many individuals can work wherever and whenever they prefer. However, this shift requires a different strategy for securing your environment. By adopting the Zero Trust principles, based on the 'Never Trust, Always Verify' mindset,...


Slide Content

© Copyright & proprietary Silverside B.V.
Zero Trust on your HCL environment
24-04-2024 - Antwerp

+250 customers
3 platforms
28 employees
25 years collaboration specialist

As a specialist in the best collaboration software (including Microsoft 365, HCL Software and Zoho ONE), we ensure that users can collaborate smarter and better in a secure modern digital world.

We guide organizations to the right destination based on our experience with more than 250 customers. In addition to our professional knowledge, we believe in happiness at work and pleasant cooperation. This enables us to achieve measurable results that will positively surprise you.

Are you joining us?

Your dedicated guide to happiness and success in the digital world

Zero Trust in a nutshell


Why Zero Trust
Zero Trust in a nutshell
versus
Never trust, always verify

3 Basic Principles
Zero Trust in a nutshell

Verify Explicitly
Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.

3 Basic Principles
Zero Trust in a nutshell

Least Privileged Access
Limit user access with Just-In-Time and Just-Enough Access (JIT/JEA), risk-based adaptive policies, and data protection to protect both data and productivity.

3 Basic Principles
Zero Trust in a nutshell

Assume Breach
Minimize blast radius for breaches and prevent lateral movement by segmenting access by network, user, devices, and application awareness. Verify all sessions are encrypted end to end. Use analytics to get visibility, drive threat detection, and improve defenses.

Technology Pillars
Zero Trust in a nutshell

HCL Software and Zero Trust
To see what the Zero Trust principles can do with HCL products we have a few examples:
• HCL Connections with Zero Trust Identity
• Zero Trust Domino security

HCL Connections with Zero Trust

Implement a single user repository
HCL Connections with Zero Trust Identity
Requirements:
• Microsoft Entra ID as main user repository
• Guest access should be supported
• Strong authentication
Solution:
• Use SAML and OpenID Connect (OIDC) for federation with Microsoft Entra ID
• Federation does not remove the need for an LDAP repository

LDAP repository
HCL Connections with Zero Trust Identity
Possible options:
• Local Active Directory synchronized with Entra ID Connect
  - All users, including guests, should be managed within Active Directory or a different LDAP repository
• Use Microsoft Entra ID Domain Services
  - A relatively expensive and complex option (starts at 110 euro per month and can go up to +1000 euro)
• An alternative LDAP server that is synchronized with Entra ID
  - Provisioning to an LDAP target is included with Entra ID Premium P1 and can be combined with OpenLDAP

Entra ID LDAP provisioning
HCL Connections with Zero Trust Identity
The agent runs on an on-premises server and only requires outbound connectivity.
[Diagram: user data flows from the Entra ID Provisioning Service to the Microsoft ECMA Connector Agent, which writes it to the LDAP target]

OpenLDAP Server
HCL Connections with Zero Trust Identity
1. Configure an OpenLDAP server
2. Set up the LDAP repository on WebSphere
3. Set up the SDI synchronization
TIP: Use different OUs for internal and external accounts.
[Diagram components: IBM WebSphere Application Server, IBM DB2, IBM Security Directory Integrator, OpenLDAP]

Set up the provisioning
HCL Connections with Zero Trust Identity
Create 2 new Enterprise Applications in Entra ID:
• InternalUsers
• ExternalUsers

Attribute Mapping
HCL Connections with Zero Trust Identity
Make sure that at least the following attributes are configured:
• distinguishedname
• displayName
• givenName
• sn
• uid
• mail
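The three slides above (OpenLDAP with separate OUs, two enterprise applications for internal and external users, and the minimum attribute mapping) describe one provisioning pipeline. The following is an added example of what that mapping has to produce on the LDAP side; it is not code from the deck, from Silverside, HCL or Microsoft. It assumes a base DN of dc=example,dc=com, two hypothetical OUs (ou=internal, ou=external) and uid equal to the lower-cased mail address; the Entra ID user records are constructed. The DN escaping step is the part a practitioner should not skip: a display name or mail local part is attacker-influenced input for guest accounts, and an unescaped comma in it would let a guest entry land in the internal OU.

```python
"""Entra ID -> OpenLDAP provisioning mapping with separate OUs for internal
and external accounts (added example, assumptions noted in comments)."""
import base64
import re

BASE_DN = "dc=example,dc=com"                        # assumed base DN
OU_INTERNAL, OU_EXTERNAL = "internal", "external"    # hypothetical OU names
# The minimum attribute set the deck asks for in the Entra ID mapping
REQUIRED_ATTRS = ("distinguishedName", "displayName", "givenName", "sn", "uid", "mail")

# Constructed sample of what the provisioning service hands the agent
SAMPLE_ENTRA_USERS = [
    {"userPrincipalName": "alice@example.com", "displayName": "Alice Janssen",
     "givenName": "Alice", "surname": "Janssen", "mail": "Alice@Example.com",
     "userType": "Member", "accountEnabled": True},
    {"userPrincipalName": "bob_partner.example#EXT#@example.onmicrosoft.com",
     "displayName": "Bob Peeters", "givenName": "Bob", "surname": "Peeters",
     "mail": "bob@partner.example", "userType": "Guest", "accountEnabled": True},
    {"userPrincipalName": "carol@example.com", "displayName": "Carol Smit",
     "givenName": "Carol", "surname": None, "mail": "carol@example.com",
     "userType": "Member", "accountEnabled": True},
    {"userPrincipalName": "dave@example.com", "displayName": "Dave de Vries",
     "givenName": "Dave", "surname": "de Vries", "mail": "dave@example.com",
     "userType": "Member", "accountEnabled": False},
    # Guest whose mail local part contains an RDN separator (constructed edge case)
    {"userPrincipalName": "eve_evil.example#EXT#@example.onmicrosoft.com",
     "displayName": "Eve", "givenName": "Eve", "surname": "Adams",
     "mail": "eve,ou=internal@evil.example", "userType": "Guest", "accountEnabled": True},
]


def escape_dn_value(value):
    """Escape an RDN attribute value per RFC 4514 so a crafted value cannot
    add or alter RDN components (e.g. move a guest into ou=internal)."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    if value.startswith(("#", " ")):
        out = "\\" + out
    if len(value) > 1 and value.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def ou_for(user):
    """Members go to the internal OU, guests (and anything else) to external."""
    return OU_INTERNAL if user.get("userType") == "Member" else OU_EXTERNAL


def to_ldap_entry(user):
    """Build the attribute set the mapping must deliver; raise if incomplete."""
    mail = (user.get("mail") or "").strip().lower()
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", mail):
        raise ValueError("no usable mail attribute")
    uid = mail  # assumption: the Connections login name equals the mail address
    entry = {
        "distinguishedName": f"uid={escape_dn_value(uid)},ou={ou_for(user)},{BASE_DN}",
        "displayName": user.get("displayName"),
        "givenName": user.get("givenName"),
        "sn": user.get("surname"),
        "uid": uid,
        "mail": mail,
    }
    missing = [a for a in REQUIRED_ATTRS if not entry.get(a)]
    if missing:
        raise ValueError("missing required attribute(s): " + ", ".join(missing))
    return entry


def ldif_line(attr, value):
    """LDIF needs base64 (attr::) for non-ASCII values or values that start
    with space, colon or '<' or end with a space."""
    if value.isascii() and not value.startswith((" ", ":", "<")) and not value.endswith(" "):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode()).decode()}"


def to_ldif(entry):
    """Render one inetOrgPerson entry; cn is mandatory for that class, so displayName is reused."""
    lines = [ldif_line("dn", entry["distinguishedName"]),
             "objectClass: inetOrgPerson",
             ldif_line("cn", entry["displayName"])]
    for attr in ("uid", "givenName", "sn", "displayName", "mail"):
        lines.append(ldif_line(attr, entry[attr]))
    return "\n".join(lines) + "\n"


def provision(users):
    """Return (entries, skipped). Disabled accounts are reported rather than
    provisioned so status can be reconciled separately; incomplete records are
    skipped instead of being half-provisioned."""
    entries, skipped = [], []
    for user in users:
        upn = user.get("userPrincipalName")
        if not user.get("accountEnabled", False):
            skipped.append((upn, "account disabled"))
            continue
        try:
            entries.append(to_ldap_entry(user))
        except ValueError as exc:
            skipped.append((upn, str(exc)))
    return entries, skipped


if __name__ == "__main__":
    ok, bad = provision(SAMPLE_ENTRA_USERS)
    print("".join(to_ldif(e) + "\n" for e in ok))
    for upn, reason in bad:
        print(f"skipped {upn}: {reason}")
```

Running it renders LDIF for the three complete, enabled records and lists why the other two were skipped; the guest with the crafted mail value ends up as `uid=eve\,ou\=internal@evil.example,ou=external,...`, i.e. still under the external OU.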

Install and configure the provision agent
HCL Connections with Zero Trust Identity

The result
HCL Connections with Zero Trust Identity

Enable OIDC single sign-on
HCL Connections with Zero Trust Identity
When you now enable OIDC single sign-on, all users will get the Microsoft login pages. As a result, all security options from Entra ID will be in place, including MFA.

Zero Trust and HCL Domino


Zero Trust – Domino
• Login is handed over to a standardized "Identity Provider" (IdP): Windows ADFS, MS 365 Entra ID, JumpCloud, etc.
• It's not a Microsoft proprietary lock-in thing; SAML/OIDC are standard protocols and there are many IdP providers
• An IdP specializes in secure authentication: user/password, MFA, biometrics, region, trusted sites/devices
• Single login used for multiple applications: Notes, Nomad Web, Verse, Sametime, Zoho CRM, etc. Not a synced password!
• Optionally automated login to the IdP from a trusted device/network/Windows account
• Fewer logins: prevents multiple login prompts, different passwords and user confusion

Zero Trust – Domino
• The IdP tells Domino who the user is (their e-mail address) through an assertion signed with the IdP's certificate
• Domino validates the signature
• Domino links the user's e-mail 'claim' to a Domino user
• The user is authenticated
• Domino extracts the ID file from the ID vault and keeps it in RAM
Service Providers (SP):
• Notes client
• Verse mail
• Sametime
• Nomad Web . . .
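The hand-off just described (and the OIDC single sign-on slide in the Connections part) has the same shape on the service-provider side: validate the signature, check the claims, then map the e-mail claim to a directory user. The following added example walks through that sequence; it is not HCL's, Silverside's or any IdP's code. An HMAC-SHA256 shared secret stands in for the IdP's certificate-based signature (the verification order and claim checks are the same for RSA-signed SAML assertions or OIDC ID tokens), and the issuer, audience, the `amr` claim check and the directory contents are assumptions. The last step refuses users the IdP vouches for but the directory does not know, which is the "unknown in Domino ends up with Default access" failure mode the next slide warns about.

```python
"""Relying-party side of an IdP hand-off: verify, check claims, map to a
known directory user, deny everyone else (added example)."""
import base64
import hashlib
import hmac
import json
import time

IDP_ISSUER = "https://idp.example.com/"   # assumed issuer value
AUDIENCE = "domino-sp"                    # assumed service-provider identifier
CLOCK_SKEW = 60                           # seconds of tolerated clock drift

# Constructed stand-in for the Domino directory: mail address -> Notes name
DIRECTORY = {
    "alice@example.com": "CN=Alice Janssen/O=Example",
    "bob@example.com": "CN=Bob Peeters/O=Example",
}


class AuthError(Exception):
    pass


def _b64u_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64u_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key, claims):
    """IdP side: header.payload.signature in JWS compact form (HMAC stand-in)."""
    header = _b64u_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64u_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64u_encode(sig)}"


def authenticate(token, key, now=None, require_mfa=False):
    """SP side. Returns the Notes name or raises AuthError.
    Order matters: signature first, then claims, then the directory lookup."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise AuthError("malformed token")
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(_b64u_decode(h_b64))
        signature = _b64u_decode(s_b64)
    except ValueError:
        raise AuthError("malformed token")
    # Pin the algorithm: the token never gets to choose how it is verified
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise AuthError("unexpected alg")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise AuthError("bad signature")
    try:
        claims = json.loads(_b64u_decode(p_b64))
    except ValueError:
        raise AuthError("malformed token")
    if claims.get("iss") != IDP_ISSUER:
        raise AuthError("wrong issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise AuthError("wrong audience")
    exp, nbf = claims.get("exp"), claims.get("nbf", 0)
    if not isinstance(exp, (int, float)) or now > exp + CLOCK_SKEW:
        raise AuthError("token expired or has no exp")
    if not isinstance(nbf, (int, float)) or now < nbf - CLOCK_SKEW:
        raise AuthError("token not yet valid")
    if require_mfa and "mfa" not in claims.get("amr", []):   # assumes the IdP emits amr
        raise AuthError("MFA not performed")
    mail = str(claims.get("email", "")).strip().lower()
    notes_name = DIRECTORY.get(mail)
    if notes_name is None:
        # Authenticated by the IdP but unknown here: deny, never fall back to Default
        raise AuthError(f"{mail!r} is unknown in the directory")
    return notes_name


def authenticate_result(token, key, now=None, require_mfa=False):
    """Wrapper returning ('ok', name) or ('deny', reason)."""
    try:
        return ("ok", authenticate(token, key, now, require_mfa))
    except AuthError as exc:
        return ("deny", str(exc))


def tamper_payload(token, claims):
    """Negative-test fixture: replace the payload but keep the old signature."""
    h_b64, _, s_b64 = token.split(".")
    return f"{h_b64}.{_b64u_encode(json.dumps(claims).encode())}.{s_b64}"


def sample_claims(email="Alice@Example.com", exp=1500, amr=("pwd", "mfa")):
    """Constructed claim set the IdP would sign."""
    return {"iss": IDP_ISSUER, "aud": AUDIENCE, "email": email,
            "iat": 900, "nbf": 900, "exp": exp, "amr": list(amr)}


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    print(authenticate_result(issue_token(key, sample_claims()), key, now=1000))
```

The e-mail claim is normalised (trimmed, lower-cased) before the lookup so that case differences between the IdP and the directory do not silently create a second identity, and `require_mfa` shows where a relying party can insist on the IdP's MFA signal rather than assuming it.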

Zero Trust – Domino
The IdP does the authentication, but Notes/Domino still need to be secure!
• A user authenticated by the IdP but unknown in Domino ends up with Default access rights
• Restrict server access to a group or */Org; keep all users in the Address book
• Maintain Deny Access group(s); sync account status from AD/Entra, detect inactive users in userlicenses.nsf
• Enforce server access settings for all protocols
• Disable Anonymous access (uses 'Default' if not explicitly disabled/set)
• Notes certificates valid 1-2 years
• Enable "Check public keys"
• Enable Internet Lockout
• Set complex passwords on vaulted Notes IDs; remove ID files from person documents
• Disable vault extract by username/password
• Set a password on server.id
• Remove cert.id/admin.id from the Domino data folder
• . . .

Zero Trust – Domino
Traveler: no SAML or OIDC with auto-login yet
• iPhone mail app
• Traveler app
• Allow registered devices only
• Set a complex internet password through a QR code
• Add certificate-based authentication
• Disable web access to .nsf

Zero Trust – Domino
• Assume the OS will be compromised
• Implement client/server .nsf encryption; DAOS is encrypted by default
• Set the server.id password
• Use read-only accounts where possible (e.g. LDAP bind)

Zero Trust – Domino
• Close unused protocols/services
• Have a default website for each web-enabled Domino server
• Lock down the default/anonymous ACL
• Set maximum web access on your .nsf's
• Create IP traps for *.php, *.aspx, etc.

Zero Trust – Domino
Mail
• Implement SPF, DKIM and DMARC
• Check your DMARC RUA reports
• Server mail rules to block external mail from 'hrm@', manager names, etc.
• Use cloud-based spam filters like Mimecast: specialized, quick reaction
• Train and exercise users on phishing
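"Check your DMARC RUA reports" is easier said than done, since the reports arrive as XML from every receiving domain. The following is an added example of reading one and answering the two questions that matter (which sources fail DMARC, and which legitimate sources only fail DKIM); it is not code from the deck or from any DMARC vendor. The report is constructed in the standard aggregate-report layout (feedback/report_metadata, policy_published, record/row/policy_evaluated) and only the standard library is used.

```python
"""Summarise a DMARC aggregate (RUA) report (added example, constructed data)."""
import xml.etree.ElementTree as ET   # for reports from unknown senders use defusedxml

SAMPLE_RUA = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1713916800</begin><end>1714003200</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>quarantine</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result><selector>s1</selector></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>8</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.77</source_ip><count>35</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>other.example</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def _text(node, path, default=""):
    found = node.find(path)
    return (found.text or "").strip() if found is not None else default


def parse_rua(xml_text):
    """Return the published policy plus one dict per record row."""
    root = ET.fromstring(xml_text)
    if root.tag != "feedback":
        raise ValueError("not a DMARC aggregate report")
    report = {
        "reporter": _text(root, "report_metadata/org_name"),
        "domain": _text(root, "policy_published/domain"),
        "policy": _text(root, "policy_published/p"),
        "records": [],
    }
    for rec in root.findall("record"):
        row = rec.find("row")
        if row is None:
            continue
        dkim = _text(row, "policy_evaluated/dkim", "fail")
        spf = _text(row, "policy_evaluated/spf", "fail")
        report["records"].append({
            "source_ip": _text(row, "source_ip"),
            "count": int(_text(row, "count", "0")),
            "disposition": _text(row, "policy_evaluated/disposition"),
            "dkim": dkim,
            "spf": spf,
            # DMARC passes when either aligned identifier (DKIM or SPF) passes
            "dmarc_pass": dkim == "pass" or spf == "pass",
            "spf_domain": _text(rec, "auth_results/spf/domain"),
        })
    return report


def summarize(report):
    """Totals plus the two lists worth acting on."""
    total = sum(r["count"] for r in report["records"])
    failing = [r for r in report["records"] if not r["dmarc_pass"]]
    failing_count = sum(r["count"] for r in failing)
    return {
        "domain": report["domain"],
        "policy": report["policy"],
        "total": total,
        "passing": total - failing_count,
        "failing": failing_count,
        # sources whose mail fails DMARC: spoofing, or a sender nobody registered
        "failing_sources": sorted({r["source_ip"] for r in failing}),
        # sources that pass only on SPF: fix DKIM there before moving to p=reject
        "dkim_only_fail": sorted({r["source_ip"] for r in report["records"]
                                  if r["dmarc_pass"] and r["dkim"] != "pass"}),
    }


if __name__ == "__main__":
    print(summarize(parse_rua(SAMPLE_RUA)))
```

The `dkim_only_fail` list is the one to review before tightening the policy: those sources still pass today on SPF alone, so they are the first to break under forwarding or a stricter alignment setting.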

Zero Trust – Domino
• Enable NRPC port encryption (client and server)
• Always use TLS for web, SMTP, LDAP, etc.
• Use read-only accounts where possible, e.g. LDAP bind
• Restrict which hosts can offer (relay) mail to Domino SMTP
• Close ports not needed

Zero Trust – Domino
• Implement network segmentation; put servers, clients and guests in separate networks
• Send cluster traffic over a private network
• Enable a firewall on the Domino host/LAN segments
• Close Domino ports not needed
• Set up a reverse (authenticated) HTTP proxy in front of web access

Zero Trust – Domino
• Monitor domlog/session logs; automatically check source IP/country
• Build/collect a normal IP-range list
• Sync user status (enabled/disabled/removed) with AD/Entra/HRM
• Auto-disable accounts not active for x months
• Notes certificate renewal every 1-2 years; validate before renewal
• Enable traps on .php, .aspx, . . . requests and block the source IP
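The monitoring bullets above, together with the earlier "create IP traps for *.php, *.aspx" item, amount to one detection rule: a request for a file type Domino never serves is noise at best and reconnaissance at worst, and it matters more when it comes from outside the ranges you normally see. The following added example implements that rule over access-log lines; it is not code from the deck or from HCL. It assumes the server writes its HTTP log to text files in Common Log Format; the known IP ranges, trap suffixes and log lines are constructed. Paths are percent-decoded and lower-cased before the suffix check, so `/index%2EPHP` is caught as well as `/test.php`.

```python
"""Flag trap requests and unknown sources in Domino HTTP access-log lines
(added example; CLF format, ranges and sample lines are assumed/constructed)."""
import ipaddress
import re
from collections import Counter
from urllib.parse import unquote

# Constructed "normal" ranges, i.e. the normal IP-range list the deck asks for
KNOWN_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]
TRAP_SUFFIXES = (".php", ".aspx")   # extensions this server never serves

# Common Log Format: host ident authuser [date] "method target version" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$')

# Constructed sample log lines (one deliberately malformed)
SAMPLE_LOG = """\
192.0.2.10 - - [24/Apr/2024:10:01:02 +0200] "GET /names.nsf?Open HTTP/1.1" 401 0
198.51.100.77 - - [24/Apr/2024:10:01:05 +0200] "GET /wp-login.php HTTP/1.1" 404 210
198.51.100.77 - - [24/Apr/2024:10:01:06 +0200] "GET /admin.aspx HTTP/1.1" 404 210
10.0.5.12 - - [24/Apr/2024:10:02:00 +0200] "GET /test.php HTTP/1.1" 404 210
203.0.113.9 - - [24/Apr/2024:10:03:00 +0200] "GET /mail/alice.nsf HTTP/1.1" 401 0
203.0.113.9 - - [24/Apr/2024:10:03:01 +0200] "GET /index%2EPHP?x=1 HTTP/1.1" 404 210
this line is not in log format
"""


def parse_line(line):
    """Return the parsed fields plus a normalised path, or None if not CLF."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Normalise: drop the query string, percent-decode, lower-case
    rec["path"] = unquote(rec["target"].split("?", 1)[0]).lower()
    return rec


def is_known_source(ip_text):
    """True when the address falls inside one of the normal ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in KNOWN_RANGES)


def analyze(log_text, traps=TRAP_SUFFIXES):
    """Return alerts, block candidates (sources with trap hits), sources outside
    the normal ranges (input for a country/IP check) and the unparsed-line count."""
    alerts, unparsed = [], 0
    trap_hits, unknown_sources = Counter(), set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if not is_known_source(rec["ip"]):
            unknown_sources.add(rec["ip"])
        if rec["path"].endswith(traps):
            trap_hits[rec["ip"]] += 1
            alerts.append(f"trap {rec['path']} from {rec['ip']} (status {rec['status']})")
    return {
        "alerts": alerts,
        "block": sorted(trap_hits),
        "trap_hits": dict(trap_hits),
        "unknown_sources": sorted(unknown_sources),
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for alert in result["alerts"]:
        print(alert)
    print("block:", result["block"])
    print("outside normal ranges:", result["unknown_sources"])
```

Note that an internal address (10.0.5.12 here) can trip a trap too; whether that is blocked automatically or handed to someone first is a policy choice, which is why the output separates trap hits from unknown sources instead of merging them.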

Zero Trust – Domino
Covers a lot
There is no single check-box "Enable Zero Trust"
It is a process/goal/framework
Hire a professional

Thank You!
WRAP-UP: ANY QUESTIONS?
Silverside B.V.
Rivium Quadrant 75-5, Capelle aan den IJssel, The Netherlands
www.silverside.com
Gert van Kempen, Senior Consultant, [email protected], +31 6 22512674
Duco Bergsma, Senior Consultant, [email protected], +31 6 51087117