Least access model

Least access model

for Lotus Notes to Exchange data migrations

In many organisations to achieve accessing mail data for a migration you add the Lotus Notes Migration ID to the administrators group of the domain(s). However, when requesting 3rd party trusted migration experts like Nero Blanco to perform the migration, you may not like the exposure to data even with all the appropriate non-disclosure agreements, sometimes it is simply not palatable. Some organisation do not even allow their own IT personalle access to data without sophisticated privilege elevation processes. Furthermore, some companies do not even have an “administrative” group to add people or Lotus Notes Migration ID’s into. In this article we cover some of the options available to achieve a least access model to mitigate data exposure ensuring the migration coordinator or admin has the minimum amount of access possible.

This article is written from the perspective of using Binary Tree CMTe & CMTc products, the majority of the below are customisations which Nero Blanco bring can bring after consultation to enhance the migration process based on business requirements and needs, and the majority of the options below are not available out of the box without extensive customisations.

Firstly, what access do we typically need? And then we can move onto what is achievable…

Lotus Notes mail file

Usually we only need editor access to read data, but if you wish to change ACL or ACL settings, or change database properties/design you will need Manager Access. Manager access is especially handy for remediation.

This level of access also allows us to perform audits to check the integrity and consistency. We also might take a staging replica and replicate your data to another server for data cleansing purposes and moving the migration to a dedicated server rather on the same which other users are using. We might also choose to modify some of your data and/or design in this cleansing exercise, with PULL-Only replication we can do this without fear of these changes getting back to your home mail server.

We do not just need access to the person’s data who is migrating. If you want to provide full coexistence you actually require access to all the users’ calendar data in the entire firm. Coexistence here is defined as maintaining full workflow for migrated repeating meetings from your calendar. To achieve and maintain the best possible user experience, accessing the chair persons data (whom might not be migrating) is required to populate the calendar workflow information into the coexistence server. This sometimes is one of the biggest challenges in large 100,000+ multinational organisations, and there are numerous ways to facilitate this.

Once all this data is provisioned, we also need a Lotus Notes account on a migration worker which has access to the mailfile data which will read the information and CMTe will inject it into the local Outlook.

In most organisations a single Lotus Notes Migration ID is used for all the above tasks.

Domino directory access

To be able to make the routing flip, which essentially forwards messages to the coex server(s) to be processed and sent over via SMTP to MS Exchange, we need access to modify the domino directory person or database document. Editor access is usually required with the Person modifier and Net modifier roles.

In most organisations a single Lotus Notes Migration ID is used for the above tasks, which is the same account which accesses and migrates the user data. And runs under the GUI of the notes client.

Exchange access

This falls into a few areas. Firstly we need recipient management rights to be able to enable the mailbox. Depending on your environment configuration we might have to delete contacts and/or create MEUs and/or convert a MEU into a mailbox, or even modify attributes to ensure full coexistence.

The next part is the ability to elevate the Migration Outlook mailbox access to FullAccess so we can insert data into Exchange and modify it accordingly, messages will then come from the correct recipients/senders and have full replyability. We obviously need to remove the access after the migration.

The final part is actually having the Outlook client running the account which you have assigned fullaccess to in non-cached mode.

In the vast majority of migrations, companies are comfortable using a single account for all the above tasks. All these tasks are manually triggered while you are logged onto an Migration server with this authority.

Overview

Now that we’ve seen what we need, here are the potential concerns some organisations have with the approach.

  • The Lotus Notes migration ID needs access to all user mailfiles (nsf’s) to ensure it can access the data, perform routing flips on the domino directory, and maintain calendar work flow. This is very large data exposure. Additionally, there is practically non existent monitoring or auditing to know whom was using the ID at the time of the breach. Furthermore, large number of migration operators might need this accounts password. In this article I will not be focussing on the unwise methodology and pitfalls of companies having “administrator” group(s) which has unadulterated access to everything in the environment. There are simple ways to avoid this practice mitigating not only data exposure but also risk of unplanned configuration changes.
  • When you have an account with recipient management rights you can perform a lot of activities over and above what is required for a migration. Someone malicious can assign themselves access to user data.
  • All the workers are logged on using high privilege accounts which have far more access than required to read lotus notes data and inject the message information into Exchange. They also have the ability to change domino records and configuration, when the only access they need is to the mailfile data and flip the routing.
  • Password sharing of migration accounts.

What can we do to mitigate the data exposure?

Rather than going through every permeation of what we can achieve, which are probably endless, I will provide a single scenario/example that is proven and works well. With enough time, money and knowledge, unfortunately no system is impenetrable. There is a balance between being able to achieve a velocity migration and restricting access so much that you cannot remediate. The below example tries to meet these challenges with minimal compromises. Furthermore, these examples are a holistic view of the configuration… I am not going into the N’th degree of configuration settings in the article on things like Admin servers and CALC issues, downgrading access after migration, to name only a few of items.

So, what can achieve working towards a least access model?…..

Lotus Notes access to mailfile data for auditing, cleansing and migration.

Initially you will most probably have a staging server, as this offers the best migration experience. The staging replica will be created a few weeks in advance to allow for replication and data remediation.

You will simply use the existing ACL on the home mail server and use server side agents to access, audit data and cleanse. Notice that NO administrative account and NO migration account has been given access at this point in time.

notes_access_before

 

On the day of the migration, you provision (via server side agents running under the authority of the server) the Lotus Notes low privilege account you have configured on the worker to access to the Data. This account does not have access to anything else in the environment other than this specific mail file you are currently migrating. Furthermore, you actually do not need to know the Lotus Notes password for this account as it is encrypted on the worker and used by the Notes API. This therefore means the migration operator has NO access to ANY lotus notes data.

 

notes_access_after

 

Regarding performing the notes routing flip and any other migration activities like maintaining the workflow, these again can all be performed by server side agents signed with a high privilege account or the server ID. Therefore, in the Lotus Notes and Domino land the migration operator does not have access to ANY data. This does produce challenges in terms of remediation and fixing migration issues, which are hopefully rare. In these circumstances you will need some other tools to temporally elevate your access to the mailfile to review when permission has been granted.

Powershell and Exchange mailbox access to inject data.

There are a few options here. And you have to choose the best or a combination suitable for your circumstances.

Firstly, you will probably want to use RBAC to limit the cmdlets available to people or generic admin accounts.

If you wish for the migration operator to have minimal access and not run via a high privileged account, you could run the scripts with a secure string. However, if someone knows the migration AD password for that machine, then theoretically this is circumventable by someone very malicious to run operations under the authority of the account with recipient management rights. However, this is usually acceptable for most organisations.

Exchange does a great job of logging, and you can use any account to perform these operations of mail enablement and FullAccess provisioning, even personal admin accounts for this. And as your workers will have a dedicated Outlook client on them, configured with dedicated mailbox, you could even restrict access to this password and allow users to assign access to this account only via implementing cmdlet extensions agents. That way you almost completely eradicate ability to access data, however, this will be exceptionally limiting in terms of remediation capabilities.

Finally, you could also have the powershell commands triggered every 5 minutes from a scheduled task on the server which takes its actions from a csv file which your domino agents might deposit.

Conclusion

Over all you have some great options in Lotus Notes, Domino, Exchange and Powershell where you can nearly reach a fully restricted environment where the migration operator’s ability access data is negligible. But as always in I.T. this will have detrimental affects when it comes to remediation and issue diagnosis, remediation & achieving velocity. So there is a balance to be had.