How safe are attachments in nsf-files from snooping?

Hi.

This is a somewhat strange question that I think I already know the answer to, but I would like to be sure.

Picture this. I have a bunch of classified files that need to stay in their original format (xlsx, docx, pdf and so on). To make sure that a bad guy/gal can't get their hands on them I put them in a notes db on a server with proper ACL settings to not allow access for Anonymous, Default or anyone else that shouldn't be able to read them. No access is allowed from the web either.

Then one day the unthinkable happens and a hacker gets access to the file system where the Domino server resides. Is it possible for this person to one way or the other create code that makes it possible for them to read the information in the files within the database if they don't have access to a proper id-file?

I told you it is a strange question, but I just want to know how secure an attached file within an nsf-file is considered without access to a proper Notes/Nomad client. Can I sleep well at night or not?

Thanks in advance.

/J

Hi,

If he has access to the file system, he can get the Notes database and the files inside (the ACL does not work locally).

- Option #1: Encrypt the database on the server. Not very efficient because if he can get the database, he can also get the Server.id (usually without password) used to encrypt the database. So he can decrypt the database.

- Option #2 : More secure is to encrypt the documents (not the database) with an ID NOT stored on the server. So even with a copy of the database, the documents remain encrypted and the hacker won't be able to do anything with them.

Olivier

You can make it impossible (at least, as long as the bad person doesn't have access to ID files and their passwords).

Two ways:

You can encrypt the database (nsf) file on the server with the server's private key stored in its ID file. But if the bad person can access the server, he could access its ID file, too. Therefore it has to be protected by a complex and long password. The disadvantage of this approach: An administrator has to enter the password each time the server is rebooted.

You can encrypt the documents in the database - either for selected persons or for a selected secret key. Both ways, for decryption the key from one of the user's ID files is needed.

Encrypted to persons: The disadvantage is that you have to open and resave all documents for new persons on the team.

Encrypted to secret key: The disadvantage is that you have to manage and distribute the secret keys to the users in advance. It is not easy to remove the key afterwards.
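The document-level encryption described in Option #2 and in the secret-key approach above, as an added example that is not part of any poster's reply. It is a LotusScript agent meant to be run from a Notes client by a user whose ID file already holds the secret key; the key name `ClassifiedDocsKey` and the view name `AllDocs` are assumptions.

```lotusscript
' Added example, not code from the thread.
' Encrypts attachments and rich text in existing documents with a secret key
' that lives only in user ID files, never in server.id.
Option Declare

Const SECRET_KEY_NAME = "ClassifiedDocsKey"   ' hypothetical secret key name
Const TARGET_VIEW = "AllDocs"                 ' hypothetical view name

Sub Initialize
    Dim session As New NotesSession
    Dim db As NotesDatabase
    Dim view As NotesView
    Dim doc As NotesDocument
    Dim nextDoc As NotesDocument
    Dim count As Long

    Set db = session.CurrentDatabase
    Set view = db.GetView(TARGET_VIEW)
    If view Is Nothing Then Error 1000, "View not found: " & TARGET_VIEW
    view.AutoUpdate = False

    Set doc = view.GetFirstDocument
    Do Until doc Is Nothing
        ' Fetch the next document first; saving may reposition the view entry
        Set nextDoc = view.GetNextDocument(doc)

        ' Skip documents that are already encrypted or carry no attachments
        If Not doc.IsEncrypted And doc.HasEmbedded Then
            ' Only items flagged IsEncrypted are sealed by Encrypt
            ForAll itm In doc.Items
                If itm.Type = ATTACHMENT Or itm.Type = RICHTEXT Then
                    itm.IsEncrypted = True
                End If
            End ForAll

            ' Encrypt raises an error if the current ID lacks this key
            doc.EncryptionKeys = SECRET_KEY_NAME
            Call doc.Encrypt
            Call doc.Save(True, False)
            count = count + 1
        End If

        Set doc = nextDoc
    Loop

    Print "Encrypted " & count & " document(s) with key " & SECRET_KEY_NAME
End Sub
```

Items encrypted this way are unreadable to the server as well, so views and server-side agents can no longer use those fields.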

Hi Jonas,

Attachments in NSF files within HCL Domino are pretty much secure, especially when you already have one of the best practices in place, which is implementing proper ACL settings.

Here are several best practices to ensure data integrity and protection against unauthorized access.

1. Encryption: Always encrypt NSF files and attachments. Use strong encryption algorithms to protect data both at rest and in transit.

2. Access Control: Implement robust access control lists (ACLs) to restrict who can read, write, or manage the NSF files. Regularly review and update these permissions to ensure they are current.

3. Regular Backups: Perform regular backups of NSF files to prevent data loss. Ensure that backup files are also encrypted and stored securely.

4. Audit Logs: Enable and monitor audit logs to track access and modifications to NSF files. This helps in detecting and responding to unauthorized activities.

5. Use DAOS: Utilize the Domino Attachment and Object Service (DAOS) to store attachments outside the NSF files. This not only improves performance but also allows for better management and security of attachments.

6. Update and Patch: Keep your HCL Domino server and clients updated with the latest security patches and updates to protect against vulnerabilities.

7. User Training: Educate users about security best practices, such as recognizing phishing attempts and using strong, unique passwords.

Best Regards,

Jho Ann Leanne A. Labayani
Technical Support - Application Integration Team
HCL Technologies

Thank you all for your replies. These confirmed my understanding that there is no way to access an attachment within an nsf and that it is more a matter of securing the server and databases properly.

I think I need to go the hard way and secure the server.id with a password and then encrypt all databases with that. This is the 'best' (read as the most manageable long term) solution even though it requires entering the password at restart.

My client is mostly using Linux servers and I wish there was a solution like NSL for Windows also for Linux. That would simplify securing Domino on Linux tremendously. We are not there yet but I have written a suggestion at the Domino Ideas site and hope that HCL will accept the challenge.

Thanks again

/J