Security Improvements Report 2012
IT Infrastructure Department Yearly Security Analysis
Company Background
Problem Statement
Potential Solutions
Email Encryption
ISO document database encryption
Domino Web Application security and encryption
VPN access for employees
DIAB has been at the leading edge of composite core material development for over fifty years. In particular, it has pioneered the use of the sandwich concept to make structures that are significantly lighter and stronger than those made from steel, aluminum and wood. The company has also been very much the technology ...
Globally, DIAB uses Lotus Domino from IBM as its email platform. This platform should be leveraged within the network not only to secure and encrypt email messages, but also to protect all data stored on the Domino Document server. By using the encryption functions built into Domino, DIAB INC can encrypt messages sent to other users, network ports, internet transactions, and also documents and databases. Lotus Domino uses public and private keys to encrypt data. Domino can be set up to automatically create a Lotus Notes certificate containing the user's public keys when a user is registered; the user's private key is stored in the user's ID file. To create Lotus Notes public and private keys, Lotus Domino uses the dual-key RSA cryptosystem together with the RC2, RC4, and AES algorithms for encryption. To create the Internet public key, Lotus Domino uses the X.509 certificate format, an industry-standard format that many applications, including Lotus Domino, understand.
Both the Lotus Notes client and Lotus Domino server support registration of up to:
* 4096-bit RSA keys for both Lotus Notes and Internet certifiers. You can also roll over existing Lotus Notes certifiers with smaller keys to 4096-bit keys;
* 2048-bit RSA keys for user and server certificates;
* 128-bit symmetric key for S/MIME and SSL.
Larger keys provide stronger protection against attackers: it becomes harder to derive a private key from the corresponding public key, and harder to forge cryptographic signatures on documents, agents, forms, and email.
The Lotus Notes email client can be set up to use S/MIME encryption and electronic signatures when sending mail to users of other mail applications that support S/MIME, which gives DIAB an end-to-end email security solution. Domino also offers AES encryption, and AES should be the method we use because it meets FIPS 140-2 requirements. By meeting the FIPS requirements, the DIAB FST department will finally be able to satisfy Department of Defense contractor requirements, allowing DIAB to compete for future contracts with the government and other contractors that require FIPS certification. The only prerequisite IBM sets for AES-encrypted messaging is that all Domino servers in all locations are upgraded to at least release 8.0.1; otherwise, older clients will not be able to decrypt AES-encrypted messages. Users will not see a major change in the user interface, and the encryption function is handled on the Domino server side within the user's .id file. Updating the ID files for AES encryption is as simple as changing the ID File Encryption Settings for all users, which can be done overnight during a maintenance window by running an agent at each site to update the file.
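The key model described above, in which the recipient's RSA public key wraps a per-message 128-bit symmetric key that actually encrypts the body, is shown here as an added Go example that is not part of this report or of Lotus Domino. It assumes RSA-OAEP with SHA-256 and AES-GCM as the concrete primitives (Domino's own message formats are not reproduced), and the names GenerateUserKey, gcmFor, Seal and Open are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// GenerateUserKey makes a 2048-bit RSA key pair, the user certificate size the report lists.
func GenerateUserKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// gcmFor returns an AES-GCM AEAD for a 16-byte (128-bit) key, or passes on an earlier err.
func gcmFor(key []byte, err error) (cipher.AEAD, error) {
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts msg for the holder of pub: a fresh 128-bit AES key protects the body and
// only that short key is wrapped with RSA-OAEP. The body is returned as nonce || ciphertext.
func Seal(pub *rsa.PublicKey, msg []byte) (wrappedKey, body []byte, err error) {
	buf := make([]byte, 16+12) // AES-128 key in buf[:16], 96-bit GCM nonce in buf[16:]
	_, err = rand.Read(buf)
	gcm, err := gcmFor(buf[:16], err)
	if err != nil {
		return nil, nil, err
	}
	wrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, buf[:16], nil)
	if err != nil {
		return nil, nil, err
	}
	return wrappedKey, gcm.Seal(buf[16:], buf[16:], msg, nil), nil
}

// Open recovers msg with the private key (the secret held in the user's ID file); any
// change to the body or the wrapped key fails authentication instead of yielding garbage.
func Open(priv *rsa.PrivateKey, wrappedKey, body []byte) ([]byte, error) {
	gcm, err := gcmFor(rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrappedKey, nil))
	if err != nil || len(body) < gcm.NonceSize() {
		return nil, rsa.ErrDecryption // malformed key blob or truncated body
	}
	return gcm.Open(nil, body[:gcm.NonceSize()], body[gcm.NonceSize():], nil)
}
```

Only the 16-byte key goes through RSA, so the RSA key size limits what is wrapped, not how large a message can be, and the GCM tag is what makes a tampered body fail rather than decrypt to noise.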