VMware Zimbra Security. Protecting Your VMware Zimbra and Collaboration Environment

Transcription

1 Protecting Your VMware Zimbra and Collaboration Environment Technical WHITE PAPER

2 Table of Contents VMware Zimbra Approach to Security... 3 Open-Source Commitment Flexible, Object-Based Design Adherence to Standards Flexible Deployment Architecture... 4 Tour of the Security Life Cycle... 5 Logging In... 5 Accessing Data Sharing Data and Sending s... 6 Monitoring and Tracking Access and Usage Incident Response Integrated Security and Compliance Functions... 8 Zimbra Security Ecosystem Gateway-Level Integration Zimlet Integration FAQ Technical white paper / 2

3 VMware Zimbra Approach to Security Today s IT organizations must handle competing demands for convenience and security. Users expect to work and collaborate from nearly any location and any type of device. Yet with increasing privacy and security regulations and a continually changing threat environment IT must exercise constant vigilance to protect business information and applications. As an , calendar and collaboration platform, VMware Zimbra is at the heart of the daily collaboration and communications that drive your business. Messaging is a business-critical application for almost every organization. At VMware, we understand that you need a range of options for addressing security and compliance, and that every organization s requirements are unique. This paper describes the security measures inherent in VMware Zimbra Collaboration Server and the many ways in which you can integrate it into enterprise security, compliance and governance solutions and practices. It starts with the technologies and philosophies in Zimbra that shape its approach to security and compliance. These include a commitment to open-source development, an object-based design, widespread compatibility through industry standards and flexible deployment options. Open-Source Commitment Zimbra is an enterprise-class, open-source messaging and collaboration platform. Zimbra Collaboration Server is built using well-known and trusted open-source components, including the Linux file system (message store), Jetty (Web server and Java Servlet container), MySQL (metadata), Apache Lucene (search), Postfix (mail transfer agent), OpenLDAP (configuration data) and others. Each of these technologies draws from the broad open-source community, which imposes its own consistent level of quality assurance (QA) and scrutiny to the code. VMware contributes code to the Open Source Software (OSS) community. Not only does this give back to the OSS community that provides so much value it also helps Zimbra customers by validating and enhancing the architecture through the community. The open source commitment protects your investment in collaboration/ messaging technology and you can always revert from the commercial version to the Open Source Edition of Zimbra Collaboration Server; although you will lose much of the rich additional functionality provided by the Zimbra Collaboration Server, the core functionality will remain. Flexible, Object-Based Design A basic design precept in Zimbra is that everything (account, domain, mail folder, calendar, etc) is an object within a hierarchy, and every object has an associated Access Control List (ACL). This design enables very granular permissions to be defined and can be used to create a class-of-service. A class-of-service (COS) is a Zimbra specific object that defines for example the default attributes and features that are enabled or disabled for an account. These attributes include default preference settings, mailbox quotas, message lifetime, password restrictions, attachment blocking and server pools for creation of new accounts. Each account is assigned a COS and a COS is used to group accounts and define the feature levels for those accounts. For example, executives can be assigned to a COS that allows the Calendar application that is disabled for all other employees. By grouping accounts into specific type of COS, account features can be updated in block. If the COS is not explicitly set, or if the COS assigned to the user no longer exists, values come from a pre-defined COS called default. A COS is not restricted to a particular domain or set of domains. Delegated administrators can be setup using COS for decentralized role based access control. The Zimbra security model enables Zimbra to accommodate a wide range of business scenarios while keeping the deployment simple and requiring minimal administration. Technical white paper / 3

4 Adherence to Standards Zimbra uses widely adopted industry standards, including: Secure Sockets Layer/Transport Layer Security (SSL/TLS) Simple Mail Transfer Protocol (SMTP) Secure/Multipurpose Internet Mail Extensions (S/MIME) Security Assertion Markup Language (SAML) 2.0 Federal Information Processing Standard (FIPS) Commitment to standards enables Zimbra Collaboration Server to work with nearly any desktop or mobile client and to operate within a wide partner ecosystem. You can either build your own integration solutions or link Zimbra Collaboration Server to third-party security and compliance tools. Flexible Deployment Architecture Zimbra Collaboration Server uses a modular architecture that supports flexible, secure deployments, with client-facing components deployed separately from the back-end components. For example, you can run the Zimbra Proxy Server and Message Transport Agent (MTA), which handle external traffic, within the DMZ. The Lightweight Directory Access Protocol (LDAP) and Mailstore Server components can reside within another firewall, with private, non-routable addresses between them. By protecting the server side and offering end-to-end encryption, Zimbra enables you to deliver secure messaging and collaboration to end users everywhere, even on their home computers. Figure 1. Components of Zimbra System Technical white paper / 4

5 Tour of the Security Life Cycle To implement defense in depth, you need layers of protection in every phase of the solution. To describe the security layers inherent in the Zimbra solution, we ll follow the application-access life cycle, starting from the user s perspective with the login (authentication). Figure 2. Zimbra s layered defense, from initial access to incident response Logging In Authentication allowing access to the application is the first step in Zimbra security. Zimbra offers four authentication options. Native Zimbra Authentication Zimbra supports authentication using its own internal directory. This is the simplest configuration. Administrators can define password policies with varying requirements for password length, strength and age. Zimbra Collaboration Server 7.2 and above supports two-factor authentication using smart cards, including the U.S. Department of Defense Common Access Cards, as a physical authentication factor. By supplementing the password (something you know) with a smart card (something you have), multi-factor authentication reduces the potential for unauthorized access using stolen credentials. Technical white paper / 5

6 Single Sign-On (SSO) You can use Zimbra with existing Identity Management systems including Microsoft Active Directory or other Lightweight Directory Access Protocol (LDAP) compliant directories using Kerberos or a pre-authentication key. This way, users have a single, secure login for authenticating to multiple enterprise services, and you can manage access and identity from a single, central directory. Identity Federation Zimbra also supports SAML-based identity federation. Using this approach, a user authenticates with a SAML identity provider. The provider and the Zimbra server exchange security certificates and identity assertions before Zimbra grants access. VMware Horizon Application Manager is an example of a SAML identity provider that works with Zimbra. Zimbra supports other federated identity solutions that use the SAML 2.0 standard. Zimbra also supports OAuth, an API-level authentication protocol popular with large consumer service providers. Mobile Authentication For certain mobile devices, Zimbra Collaboration Server can ensure that the device complies with mobile security policies before allowing access. These policies might include timeouts, personal identification numbers (PINs) and local device wipe. For example, the user must enter a PIN to unlock the device; if a preconfigured number of incorrect PINs are entered, a local program wipes the content on the device. Accessing Data After users connect to Zimbra, authorization processes control which data they can see and which functions they can perform. For example, most users can use their own and calendars, and some may be able to check someone else s calendar. Everything in Zimbra (including accounts, domains, mail folder, contacts, calendar, tasks and briefcase folder) is an object with attributes that can be secured with object-level permissions. Administrators can easily create groups and assign access permissions to them to support specific business objectives. Zimbra supports highly granular and secure authorization frameworks, using a class-of-service model. You can define specialized and unique classes of service that fit your specific business requirements. Each class of service controls everything from specific features within Zimbra to storage policies and access to third-party integration solutions using the Zimlet extensibility framework. Sharing Permissions Zimbra offers flexible sharing permissions for shared mail folders, contacts, calendars, tasks lists and briefcase folders. You can grant internal users or groups permission to view, edit or share folders or items. You can also grant external users read-only or password-based access to shared objects. For example, you might give a colleague the permission to create, accept or delete meetings for your calendar but not to share your calendar with other users. Delegated, Role-Based Administration Zimbra lets you delegate administrative tasks with highly configurable permissions. An administrator s role can be as simple as managing a distribution list or resetting forgotten passwords for a specific group of users. You can create roles for nearly any attribute and task in Zimbra. Zimbra also provides predefined roles for domain administrators and distribution-list managers. Sharing Data and Sending s After users connect to their accounts, they will probably start sending or receiving , scheduling meetings or collaborating with others. These interactions can occur within the Zimbra server (with other users in the group) or with external users, and with devices that are mobile or outside enterprise control. Zimbra offers several strategies for protecting the privacy of data as it moves through the application and between users and devices. Technical white paper / 6

7 Encrypting Messages In Zimbra Collaboration Server 7.2 we introduced support for S/MIME that enables encryption and decryption of messages even when a Web-based client is used. Zimbra can work with public certificate authorities or certificates issued via an internal public-key infrastructure (PKI) deployment. Data Privacy in Transit VMware recommends that you use TLS, which supercedes SSL, for all communications between the Zimbra servers and the client (whether it is a browser-based client or a mobile application). You can set this as a default value in the Zimbra Collaboration Server administration console. Zimbra uses TLS/SSL to encrypt communications with mobile devices using ActiveSync and Zimbra Mobile and with Zimbra Collaboration Server 7.2 and above, there is an additional layer of security with the content being encrypted with S/MIME. Data Privacy at Rest Data in our message store is also encrypted with S/MIME in Zimbra Collaboration Server 7.2 and above. The data is stored encrypted in our message store until the person with the appropriate private key opens the . Third-party solutions can also be used to encrypt the file system containing Zimbra data. For example, you might use hardware-based encryption embedded in the file-system storage. FIPS In an environment that requires operating in a FIPS140-2 compliant mode, Zimbra s cryptography libraries and desktop clients can be configured to operate in and enforce FIPS140-2 compliant algorithms and key strengths. Digital Signatures S/MIME also enables you to digitally sign messages to provide authentication and nonrepudiation for legal purposes. When you use digital signatures, recipients know that a message came from you, not from someone spoofing your address. Protection from Outage or Disaster You can protect the broader Zimbra deployment from outages or disasters, transparently to the application. For example, you can Use data replication to remove single points of failure from your storage environment Use backups to provide disaster site resilience Implementing high availability and site resiliency are simple if you are running Zimbra in a VMware vsphere environment. Monitoring and Tracking Access and Usage While the user is busy sending and receiving , scheduling appointments and collaborating with others, Zimbra is constantly auditing and tracking all access and usage. Zimbra logs a wide range of activities, including: User and administrator activity Login failures Slow queries Mailbox activity Mobile synchronization activity Database errors You can set different levels of logging. The Zimbra Collaboration Server supports the syslog format and Simple Network Management Protocol (SNMP). Log events, alerts and traps can be forwarded to log-management and event correlation systems to create centralized policies and notifications based on your security and compliance requirements. These logs can support forensic analysis, which is useful for our next step: incident response. Technical white paper / 7

8 Incident Response Even with the layers of security we ve defined so far, you may need to take action to respond to a problem or mitigate risk. For example, A user s account credentials have been stolen An executive left his or her smartphone in a taxicab Log analysis reveals problematic activity on an administrator account Zimbra supports incident response in several ways. Remote Device Wiping If a tablet or smartphone that uses Zimbra is lost or stolen, the administrator can remotely wipe the data from the device. This mitigates the risk of someone accessing the Zimbra data remotely, and of data on the device itself being compromised. Account Lockout You can configure a policy that automatically locks an account after a specific number of failed login attempts. The administrator can also immediately disable any account at any time. An administrator with appropriate access privileges can also view the messages of the suspect account to help determine if the account has been compromised. If you are using a federated identity management solution (SAML-based SSO) with Zimbra Collaboration Server or integrating Zimbra Collaboration Server to implement SSO with internal directories such as Active Directory you can disable access from the central directory or identity store to prevent authentication to the Zimbra account. Integrated Security and Compliance Functions Zimbra Collaboration Server comes with embedded antivirus, antispam and archiving capabilities to offer essential protection for messaging. Antivirus ClamAV is an award-winning open-source antivirus software with threat definitions (for worm, virus and phishing) updated multiple times each day. You can run ClamAV in combination with other antivirus solutions; Zimbra offers a plug-in framework for supporting antivirus. Antispam Zimbra Collaboration Server also has built-in antispam filtering on the server using the open-source SpamAssassin and DSPAM tools. These tools support ongoing spam-filter training (i.e., teaching the filter what is spam and what isn t), enabling organizations to optimize performance in their own environments. Users can train spam filters by moving messages in and out of their junk folders. Archiving and Discovery Zimbra Archiving and Discovery is a feature of the Zimbra Collaboration Server. With this integrated solution, you can select which users messages to archive and set retention policies for both archive and live mailboxes. Zimbra Archiving and Discovery offers powerful search indexing in a simple, cost-effective platform. You can also integrate third-party archiving solutions with Zimbra Collaboration Server. Technical white paper / 8

9 Zimbra Security Ecosystem You may want or need to integrate Zimbra with broader enterprise security and compliance solutions, or extend security and policy capabilities with third-party solutions. Zimbra integrates easily with many other solutions and supports a wide partner ecosystem. VMware maintains the VMware Ready Mail Security program for partners that deliver complementary solutions in areas including: Data-loss prevention Antivirus and antispam archiving and discovery With an open partner ecosystem, you can invest in and deploy the measures that are most appropriate for your specific business environment. Zimbra Collaboration Server supports two levels of integration with third-party solutions: Gateway-level integration Zimlet integration You can find a complete list of partners at mail-security.html. Gateway-Level Integration Through its support for SMTP protocols, Zimbra Collaboration Server offers gateway-level integration with a wide range of third-party solutions. For example, Zimbra Collaboration Server can be configured to send all messages to an SMTP gateway, which can then provide archiving, content filtering and data-loss prevention, message policy enforcement, messaging security, spam and virus prevention, and so on. Zimlet Integration Tight integration with Zimbra Collaboration Server is supported by the Zimlet framework. Zimlets let users interact with third-party applications from the Zimbra Web client. VMware partners such as Proofpoint have used Zimlets to build tight integration between their messaging-security solutions and Zimbra Collaboration Server. You can also build your own Zimlets to add custom functionality to your deployment. Zimlets (both third-party and community-developed) are available from the Zimbra Gallery ( FAQ This section answers a few of the more common questions about security and Zimbra. Q Does Zimbra support digital signatures? A Zimbra Collaboration Server 7.2 and above support digital signatures through S/MIME. You can both send and receive digitally signed messages. Q Do you support certificate encryption? A Zimbra Collaboration Server supports certificate encryption through S/MIME or through a partner such as Proofpoint. Q Does Zimbra provide content filters? A Zimbra itself does not do content filtering, but our partners do. See Q Which encryption standards does Zimbra support? A Zimbra Collaboration Server 7.2 supports S/MIME 3.2, S/MIME 3.1 and TLS/SSL. Technical white paper / 9

10 Q How does Zimbra support two-factor authentication? A Zimbra Collaboration Server 7.2 and above support multi-factor authentication natively using PKCS#11 compliant tokens storing X.509 certificates, such as smartcards. Zimbra can also be configured to use SSO where authentication to the Identity Management system, either locally or through a secure access gateway, requires multi-factor authentication. Q How does Zimbra support federated identity? A Zimbra supports identity federation using the SAML 2.0 protocol. VMware Zimbra can be used with a SAML 2.0 Identity Provider such as VMware Horizon Application Manager or Microsoft Active Directory Federation Services. Q How do I get Zimbra to work in the FIPS mode? A Using Desktop Operating Systems and web browsers that support FIPS140-2 mode, configure the client machine to operate in FIPS mode. Zimbra will respect and enforce using FIPS140-2 compliant algorithms and key lengths. Q Do I need Java for the S/MIME functionality? A Yes. Zimbra uses a Java applet to access local keystores and cryptography libraries on client devices for security, cross platform, and multi-browser compatibility. Q Does Zimbra support SPNEGO? A Yes. Zimbra uses SPNEGO with supporting browsers to negotiate Kerberos Authentication. Acronyms ACL Access Control List ADFS Active Directory Federation Services COS Class-of-service FIPS Federal Information Processing Standard LDAP Lightweight Directory Access Protocol MBS Mailstore Server MTA Message Transfer Agent OSS Open source software SAML Security Assertion Markup Language S/MIME Secure Multipurpose Internet Mail Extensions SMTP Simple Mail Transfer Protocol SSL Secure Socket Layer SSO Single sign-on TLS Transport Layer Security ZCS Zimbra Collaboration Server Technical white paper / 10

11 VMware, Inc Hillview Avenue Palo Alto CA USA Tel Fax Copyright 2012 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies. Item No: VMW-TWP-ZIMBRA-SECURITY-USLET /12