8.2.2 Ensuring data privacy and integrity

When using the directory to support exchanges with business partners over an extranet or to support e-commerce applications with customers on the Internet, ensure the privacy and the integrity of the data exchanged.

There are several ways to do this:

By encrypting data transfers.

By using certificates to sign data transfers.

For information about encryption methods provided in Directory Server, see “Password storage schemes”

For information about signing data, see “Securing server to server connections”.

For information about encrypting sensitive information as it is stored in the Directory Server database, see “Database encryption”

8.2.3 Conducting regular audits

As an extra security measure, conduct regular audits to verify the efficiency of the overall security policy by examining the log files and the information recorded by the SNMP agents.

For more information about SNMP, including log files, see the HP-UX Directory Server administrator guide.

8.2.4 Example security needs analysis

The examples provided in this section illustrate how the imaginary ISP company "example.com" analyzes its security needs.

example.com's business is to offer web hosting and Internet access. Part of example.com's activity is to host the directories of client companies. It also provides Internet access to a number of individual subscribers.

Therefore, example.com has three main categories of information in its directory:

example.com internal information

Information belonging to corporate customers

Information pertaining to individual subscribers

example.com needs the following access controls:

Provide access to the directory administrators of hosted companies (example_a and example_b) to their own directory information.

Implement access control policies for hosted companies' directory information.

Implement a standard access control policy for all individual clients who use example.com for Internet access from their homes.

Deny access to example.com's corporate directory to all outsiders.

Grant read access to example.com's directory of subscribers to the world.

8.3Overview of security methods

Directory Server offers several methods to design an overall security policy that is adapted to specific needs. The security policy should be strong enough to prevent sensitive information from being modified or retrieved by unauthorized users, but also simple enough to administer easily. A complex security policy can lead to mistakes that either prevent people from accessing information that they need to access or, worse, allow people to modify or retrieve directory information that they should not be allowed to access.

8.3 Overview of security methods 105