VMware Zimbra Security. Protecting Your VMware Zimbra Email and Collaboration Environment




Protecting Your VMware Zimbra Email and Collaboration Environment Technical WHITE PAPER

Table of Contents

VMware Zimbra Approach to Security ... 3
Open-Source Commitment ... 3
Flexible, Object-Based Design ... 3
Adherence to Standards ... 4
Flexible Deployment Architecture ... 4
Tour of the Security Life Cycle ... 5
Logging In ... 5
Accessing Data ... 6
Sharing Data and Sending Emails ... 6
Monitoring and Tracking Access and Usage ... 7
Incident Response ... 8
Integrated Security and Compliance Functions ... 8
Zimbra Security Ecosystem ... 9
Gateway-Level Integration ... 9
Zimlet Integration ... 9
FAQ ... 9

Technical white paper / 2

VMware Zimbra Approach to Security

Today's IT organizations must handle competing demands for convenience and security. Users expect to work and collaborate from nearly any location and any type of device. Yet with increasing privacy and security regulations and a continually changing threat environment, IT must exercise constant vigilance to protect business information and applications.

As an email, calendar and collaboration platform, VMware Zimbra is at the heart of the daily collaboration and communications that drive your business. Messaging is a business-critical application for almost every organization. At VMware, we understand that you need a range of options for addressing security and compliance, and that every organization's requirements are unique.

This paper describes the security measures inherent in VMware Zimbra Collaboration Server and the many ways in which you can integrate it into enterprise security, compliance and governance solutions and practices. It starts with the technologies and philosophies in Zimbra that shape its approach to security and compliance. These include a commitment to open-source development, an object-based design, widespread compatibility through industry standards and flexible deployment options.

Open-Source Commitment

Zimbra is an enterprise-class, open-source messaging and collaboration platform. Zimbra Collaboration Server is built using well-known and trusted open-source components, including the Linux file system (message store), Jetty (Web server and Java Servlet container), MySQL (metadata), Apache Lucene (search), Postfix (mail transfer agent), OpenLDAP (configuration data) and others. Each of these technologies draws from the broad open-source community, which imposes its own consistent level of quality assurance (QA) and scrutiny on the code. VMware contributes code to the Open Source Software (OSS) community. Not only does this give back to the OSS community that provides so much value, it also helps Zimbra customers by validating and enhancing the architecture through the community. The open-source commitment protects your investment in collaboration/messaging technology: you can always revert from the commercial version to the Open Source Edition of Zimbra Collaboration Server; although you will lose much of the rich additional functionality provided by the commercial edition, the core functionality will remain.

Flexible, Object-Based Design

A basic design precept in Zimbra is that everything (account, domain, mail folder, calendar, etc.) is an object within a hierarchy, and every object has an associated Access Control List (ACL). This design enables very granular permissions to be defined and can be used to create a class-of-service. A class-of-service (COS) is a Zimbra-specific object that defines, for example, the default attributes and features that are enabled or disabled for an email account. These attributes include default preference settings, mailbox quotas, message lifetime, password restrictions, attachment blocking and server pools for creation of new accounts. Each account is assigned a COS, and a COS is used to group accounts and define the feature levels for those accounts. For example, executives can be assigned to a COS that allows the Calendar application, which is disabled for all other employees. By grouping accounts into a specific type of COS, account features can be updated in bulk. If the COS is not explicitly set, or if the COS assigned to the user no longer exists, values come from a pre-defined COS called default. A COS is not restricted to a particular domain or set of domains. Delegated administrators can be set up using COS for decentralized role-based access control. The Zimbra security model enables Zimbra to accommodate a wide range of business scenarios while keeping the deployment simple and requiring minimal administration.
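The attribute precedence just described (a value set on the account, then the account's assigned COS, then the pre-defined default COS when the assigned COS is unset or has since been deleted), worked through as an added illustration; this is not Zimbra's own code or API, and the COS names, account names and attribute names are constructed for the example. It also includes an audit for accounts whose COS reference dangles, since those accounts silently inherit the default COS settings.

```python
"""Effective-attribute resolution for Zimbra-style account / class-of-service objects.

Added illustration, not Zimbra's own code: models the precedence described in the
white paper (account value, then the assigned COS, then the pre-defined 'default'
COS when the assigned COS is unset or no longer exists) and audits dangling COS
references. All object and attribute names below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DEFAULT_COS = "default"


@dataclass
class ClassOfService:
    name: str
    attrs: Dict[str, object] = field(default_factory=dict)


@dataclass
class Account:
    name: str
    cos: Optional[str] = None                               # assigned COS name, or None if unset
    attrs: Dict[str, object] = field(default_factory=dict)  # per-account overrides


class Directory:
    """Minimal in-memory stand-in for the LDAP-backed object hierarchy."""

    def __init__(self, coses: List[ClassOfService], accounts: List[Account]):
        self.coses = {c.name: c for c in coses}
        self.accounts = {a.name: a for a in accounts}
        if DEFAULT_COS not in self.coses:
            raise ValueError("the 'default' COS must exist")

    def effective_cos(self, account: Account) -> ClassOfService:
        """The COS whose values apply: the assigned one if it still exists, else 'default'."""
        if account.cos and account.cos in self.coses:
            return self.coses[account.cos]
        return self.coses[DEFAULT_COS]

    def effective_attr(self, account_name: str, attr: str):
        """Resolve one attribute: account override > effective COS > None (not defined)."""
        acct = self.accounts[account_name]
        if attr in acct.attrs:
            return acct.attrs[attr]
        return self.effective_cos(acct).attrs.get(attr)

    def dangling_cos_accounts(self) -> List[str]:
        """Accounts whose assigned COS no longer exists, so they silently use 'default'."""
        return sorted(a.name for a in self.accounts.values()
                      if a.cos is not None and a.cos not in self.coses)


def build_sample_directory() -> Directory:
    # Constructed sample objects: 'execs' enables Calendar, 'default' does not.
    coses = [
        ClassOfService(DEFAULT_COS, {"calendarEnabled": False, "mailQuotaMB": 512,
                                     "passwordMinLength": 8}),
        ClassOfService("execs", {"calendarEnabled": True, "mailQuotaMB": 4096,
                                 "passwordMinLength": 12}),
    ]
    accounts = [
        Account("alice", cos="execs"),
        Account("bob", cos=None),                                  # no COS set -> default
        Account("carol", cos="contractors"),                       # COS deleted -> default
        Account("dave", cos="execs", attrs={"mailQuotaMB": 1024}),  # per-account override
    ]
    return Directory(coses, accounts)
```

The audit matters because the fallback is silent: deleting a restrictive COS loosens the affected accounts to whatever the default COS permits.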

Adherence to Standards

Zimbra uses widely adopted industry standards, including:
- Secure Sockets Layer/Transport Layer Security (SSL/TLS)
- Simple Mail Transfer Protocol (SMTP)
- Secure/Multipurpose Internet Mail Extensions (S/MIME)
- Security Assertion Markup Language (SAML) 2.0
- Federal Information Processing Standard (FIPS) 140-2

Commitment to standards enables Zimbra Collaboration Server to work with nearly any desktop or mobile client and to operate within a wide partner ecosystem. You can either build your own integration solutions or link Zimbra Collaboration Server to third-party security and compliance tools.

Flexible Deployment Architecture

Zimbra Collaboration Server uses a modular architecture that supports flexible, secure deployments, with client-facing components deployed separately from the back-end components. For example, you can run the Zimbra Proxy Server and Message Transport Agent (MTA), which handle external traffic, within the DMZ. The Lightweight Directory Access Protocol (LDAP) and Mailstore Server components can reside within another firewall, with private, non-routable addresses between them. By protecting the server side and offering end-to-end encryption, Zimbra enables you to deliver secure messaging and collaboration to end users everywhere, even on their home computers.

Figure 1. Components of Zimbra System

Tour of the Security Life Cycle

To implement defense in depth, you need layers of protection in every phase of the solution. To describe the security layers inherent in the Zimbra solution, we'll follow the application-access life cycle, starting from the user's perspective with the login (authentication).

Figure 2. Zimbra's layered defense, from initial access to incident response

Logging In

Authentication, which allows access to the application, is the first step in Zimbra security. Zimbra offers four authentication options.

Native Zimbra Authentication

Zimbra supports authentication using its own internal directory. This is the simplest configuration. Administrators can define password policies with varying requirements for password length, strength and age. Zimbra Collaboration Server 7.2 and above supports two-factor authentication using smart cards, including the U.S. Department of Defense Common Access Cards, as a physical authentication factor. By supplementing the password (something you know) with a smart card (something you have), multi-factor authentication reduces the potential for unauthorized access using stolen credentials.

Single Sign-On (SSO)

You can use Zimbra with existing Identity Management systems, including Microsoft Active Directory or other Lightweight Directory Access Protocol (LDAP) compliant directories, using Kerberos or a pre-authentication key. This way, users have a single, secure login for authenticating to multiple enterprise services, and you can manage access and identity from a single, central directory.

Identity Federation

Zimbra also supports SAML-based identity federation. Using this approach, a user authenticates with a SAML identity provider. The provider and the Zimbra server exchange security certificates and identity assertions before Zimbra grants access. VMware Horizon Application Manager is an example of a SAML identity provider that works with Zimbra. Zimbra supports other federated identity solutions that use the SAML 2.0 standard. Zimbra also supports OAuth, an API-level authentication protocol popular with large consumer service providers.

Mobile Authentication

For certain mobile devices, Zimbra Collaboration Server can ensure that the device complies with mobile security policies before allowing access. These policies might include timeouts, personal identification numbers (PINs) and local device wipe. For example, the user must enter a PIN to unlock the device; if a preconfigured number of incorrect PINs are entered, a local program wipes the content on the device.

Accessing Data

After users connect to Zimbra, authorization processes control which data they can see and which functions they can perform. For example, most users can use their own email and calendars, and some may be able to check someone else's calendar. Everything in Zimbra (including accounts, domains, mail folders, contacts, calendars, tasks and briefcase folders) is an object with attributes that can be secured with object-level permissions. Administrators can easily create groups and assign access permissions to them to support specific business objectives.

Zimbra supports highly granular and secure authorization frameworks, using a class-of-service model. You can define specialized and unique classes of service that fit your specific business requirements. Each class of service controls everything from specific features within Zimbra to storage policies and access to third-party integration solutions using the Zimlet extensibility framework.

Sharing Permissions

Zimbra offers flexible sharing permissions for shared mail folders, contacts, calendars, task lists and briefcase folders. You can grant internal users or groups permission to view, edit or share folders or items. You can also grant external users read-only or password-based access to shared objects. For example, you might give a colleague the permission to create, accept or delete meetings for your calendar but not to share your calendar with other users.

Delegated, Role-Based Administration

Zimbra lets you delegate administrative tasks with highly configurable permissions. An administrator's role can be as simple as managing a distribution list or resetting forgotten passwords for a specific group of users. You can create roles for nearly any attribute and task in Zimbra. Zimbra also provides predefined roles for domain administrators and distribution-list managers.

Sharing Data and Sending Emails

After users connect to their accounts, they will probably start sending or receiving email, scheduling meetings or collaborating with others. These interactions can occur within the Zimbra server (with other users in the group) or with external users, and with devices that are mobile or outside enterprise control. Zimbra offers several strategies for protecting the privacy of data as it moves through the application and between users and devices.

Encrypting Email Messages

In Zimbra Collaboration Server 7.2 we introduced support for S/MIME, which enables encryption and decryption of email messages even when a Web-based email client is used. Zimbra can work with public certificate authorities or with certificates issued via an internal public-key infrastructure (PKI) deployment.

Data Privacy in Transit

VMware recommends that you use TLS, which supersedes SSL, for all communications between the Zimbra servers and the client (whether it is a browser-based client or a mobile application). You can set this as a default value in the Zimbra Collaboration Server administration console. Zimbra uses TLS/SSL to encrypt communications with mobile devices using ActiveSync and Zimbra Mobile, and with Zimbra Collaboration Server 7.2 and above there is an additional layer of security, with the content itself encrypted with S/MIME.

Data Privacy at Rest

Data in our message store is also encrypted with S/MIME in Zimbra Collaboration Server 7.2 and above. The data is stored encrypted in our message store until the person with the appropriate private key opens the email. Third-party solutions can also be used to encrypt the file system containing Zimbra data. For example, you might use hardware-based encryption embedded in the file-system storage.

FIPS 140-2

In an environment that requires operating in a FIPS 140-2 compliant mode, Zimbra's cryptography libraries and desktop clients can be configured to operate in and enforce FIPS 140-2 compliant algorithms and key strengths.

Digital Signatures

S/MIME also enables you to digitally sign messages to provide authentication and nonrepudiation for legal purposes. When you use digital signatures, recipients know that a message came from you, not from someone spoofing your email address.

Protection from Outage or Disaster

You can protect the broader Zimbra deployment from outages or disasters, transparently to the application. For example, you can:
- Use data replication to remove single points of failure from your storage environment
- Use backups to provide disaster site resilience

Implementing high availability and site resiliency is simple if you are running Zimbra in a VMware vSphere environment.

Monitoring and Tracking Access and Usage

While the user is busy sending and receiving email, scheduling appointments and collaborating with others, Zimbra is constantly auditing and tracking all access and usage. Zimbra logs a wide range of activities, including:
- User and administrator activity
- Login failures
- Slow queries
- Mailbox activity
- Mobile synchronization activity
- Database errors

You can set different levels of logging. The Zimbra Collaboration Server supports the syslog format and Simple Network Management Protocol (SNMP). Log events, alerts and traps can be forwarded to log-management and event-correlation systems to create centralized policies and notifications based on your security and compliance requirements. These logs can support forensic analysis, which is useful for our next step: incident response.
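The login-failure logging described above, combined with the account-lockout policy described under Incident Response (lock an account after a set number of failed logins), worked through as an added example; this is not Zimbra's own code or log format. The syslog-style line format, account names, client addresses and thresholds are constructed, and the alerts the policy emits are the kind of events one would forward to the event-correlation system mentioned above.

```python
"""Failed-login tracking with an account-lockout policy over syslog-style auth events.

Added example, not Zimbra's own code or log format: it models the lockout policy
described in the paper (lock an account after N failed logins) applied to the
login-failure events forwarded via syslog. The line format, accounts, addresses
and thresholds below are constructed for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample lines: timestamp, host, process, result, account, client address.
SAMPLE_LOG = """\
2012-05-01T09:00:01Z mail1 auth: FAILED user=alice@example.com ip=203.0.113.7
2012-05-01T09:00:04Z mail1 auth: FAILED user=alice@example.com ip=203.0.113.7
2012-05-01T09:00:09Z mail1 auth: FAILED user=alice@example.com ip=203.0.113.7
2012-05-01T09:00:11Z mail1 auth: FAILED user=alice@example.com ip=203.0.113.7
2012-05-01T09:00:15Z mail1 auth: FAILED user=alice@example.com ip=203.0.113.7
2012-05-01T09:00:20Z mail1 auth: OK user=alice@example.com ip=203.0.113.7
2012-05-01T09:05:00Z mail1 auth: FAILED user=bob@example.com ip=198.51.100.2
2012-05-01T09:30:00Z mail1 auth: FAILED user=bob@example.com ip=198.51.100.2
2012-05-01T09:30:02Z mail1 auth: OK user=bob@example.com ip=198.51.100.2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>OK|FAILED) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$")


def parse_line(line):
    """Parse one constructed auth line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


class LockoutPolicy:
    """Lock an account after `threshold` failures within `window`; hold it for `duration`."""

    def __init__(self, threshold=5, window=timedelta(minutes=10), duration=timedelta(minutes=30)):
        self.threshold, self.window, self.duration = threshold, window, duration
        self.failures = defaultdict(deque)  # user -> timestamps of recent failures
        self.locked_until = {}              # user -> datetime the lock expires
        self.alerts = []                    # (ts, kind, user, ip) events for the SIEM

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        return until is not None and now < until

    def observe(self, ev):
        user, now = ev["user"], ev["ts"]
        if self.is_locked(user, now):
            # Attempts against a locked account are themselves worth alerting on.
            self.alerts.append((now, "ATTEMPT_WHILE_LOCKED", user, ev["ip"]))
            return
        if ev["result"] == "OK":
            self.failures[user].clear()     # a successful login resets the counter
            return
        q = self.failures[user]
        q.append(now)
        while q and now - q[0] > self.window:  # drop failures older than the window
            q.popleft()
        if len(q) >= self.threshold:
            self.locked_until[user] = now + self.duration
            self.alerts.append((now, "ACCOUNT_LOCKED", user, ev["ip"]))
            q.clear()


def run_policy(log_text, policy=None):
    """Feed every parseable line to the policy and return it for inspection."""
    policy = policy or LockoutPolicy()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            policy.observe(ev)
    return policy
```

On the sample lines, alice is locked at her fifth failure and her later correct login is flagged as an attempt against a locked account, while bob's two failures fall outside one window and never trigger the lock.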

Incident Response

Even with the layers of security we've defined so far, you may need to take action to respond to a problem or mitigate risk. For example:
- A user's account credentials have been stolen
- An executive left his or her smartphone in a taxicab
- Log analysis reveals problematic activity on an administrator account

Zimbra supports incident response in several ways.

Remote Device Wiping

If a tablet or smartphone that uses Zimbra is lost or stolen, the administrator can remotely wipe the data from the device. This mitigates the risk of someone accessing the Zimbra data remotely, and of data on the device itself being compromised.

Account Lockout

You can configure a policy that automatically locks an account after a specific number of failed login attempts. The administrator can also immediately disable any account at any time. An administrator with appropriate access privileges can also view the email messages of the suspect account to help determine whether the account has been compromised. If you are using a federated identity management solution (SAML-based SSO) with Zimbra Collaboration Server, or integrating Zimbra Collaboration Server with internal directories such as Active Directory to implement SSO, you can disable access from the central directory or identity store to prevent authentication to the Zimbra account.

Integrated Security and Compliance Functions

Zimbra Collaboration Server comes with embedded antivirus, antispam and archiving capabilities to offer essential protection for email messaging.

Antivirus

ClamAV is an award-winning open-source antivirus software with threat definitions (for worms, viruses and phishing) updated multiple times each day. You can run ClamAV in combination with other antivirus solutions; Zimbra offers a plug-in framework for supporting antivirus.

Antispam

Zimbra Collaboration Server also has built-in antispam filtering on the server using the open-source SpamAssassin and DSPAM tools. These tools support ongoing spam-filter training (i.e., teaching the filter what is spam and what isn't), enabling organizations to optimize performance in their own environments. Users can train spam filters by moving messages in and out of their junk folders.

Archiving and Discovery

Zimbra Archiving and Discovery is a feature of the Zimbra Collaboration Server. With this integrated solution, you can select which users' email messages to archive and set retention policies for both archive and live mailboxes. Zimbra Archiving and Discovery offers powerful search indexing in a simple, cost-effective platform. You can also integrate third-party archiving solutions with Zimbra Collaboration Server.

Zimbra Security Ecosystem

You may want or need to integrate Zimbra with broader enterprise security and compliance solutions, or extend email security and policy capabilities with third-party solutions. Zimbra integrates easily with many other solutions and supports a wide partner ecosystem. VMware maintains the VMware Ready Mail Security program for partners that deliver complementary solutions in areas including:
- Data-loss prevention
- Antivirus and antispam
- Email archiving and discovery

With an open partner ecosystem, you can invest in and deploy the measures that are most appropriate for your specific business environment. Zimbra Collaboration Server supports two levels of integration with third-party solutions:
- Gateway-level integration
- Zimlet integration

You can find a complete list of partners at http://www.vmware.com/partners/programs/vmware-ready/mail-security.html.

Gateway-Level Integration

Through its support for SMTP protocols, Zimbra Collaboration Server offers gateway-level integration with a wide range of third-party solutions. For example, Zimbra Collaboration Server can be configured to send all messages to an SMTP gateway, which can then provide email archiving, content filtering and data-loss prevention, message policy enforcement, messaging security, spam and virus prevention, and so on.

Zimlet Integration

Tight integration with Zimbra Collaboration Server is supported by the Zimlet framework. Zimlets let users interact with third-party applications from the Zimbra Web client. VMware partners such as Proofpoint have used Zimlets to build tight integration between their messaging-security solutions and Zimbra Collaboration Server. You can also build your own Zimlets to add custom functionality to your deployment. Zimlets (both third-party and community-developed) are available from the Zimbra Gallery (http://gallery.zimbra.com).

FAQ

This section answers a few of the more common questions about security and Zimbra.

Q: Does Zimbra support digital signatures?
A: Zimbra Collaboration Server 7.2 and above support digital signatures through S/MIME. You can both send and receive digitally signed email messages.

Q: Do you support certificate encryption?
A: Zimbra Collaboration Server supports certificate encryption through S/MIME or through a partner such as Proofpoint.

Q: Does Zimbra provide content filters?
A: Zimbra itself does not do content filtering, but our partners do. See http://www.vmware.com/partners/programs/vmware-ready/mail-security.html.

Q: Which encryption standards does Zimbra support?
A: Zimbra Collaboration Server 7.2 supports S/MIME 3.2, S/MIME 3.1 and TLS/SSL.

Q: How does Zimbra support two-factor authentication?
A: Zimbra Collaboration Server 7.2 and above support multi-factor authentication natively using PKCS#11 compliant tokens storing X.509 certificates, such as smart cards. Zimbra can also be configured to use SSO where authentication to the Identity Management system, either locally or through a secure access gateway, requires multi-factor authentication.

Q: How does Zimbra support federated identity?
A: Zimbra supports identity federation using the SAML 2.0 protocol. VMware Zimbra can be used with a SAML 2.0 Identity Provider such as VMware Horizon Application Manager or Microsoft Active Directory Federation Services.

Q: How do I get Zimbra to work in FIPS 140-2 mode?
A: Using desktop operating systems and Web browsers that support FIPS 140-2 mode, configure the client machine to operate in FIPS mode. Zimbra will respect and enforce the use of FIPS 140-2 compliant algorithms and key lengths.

Q: Do I need Java for the S/MIME functionality?
A: Yes. Zimbra uses a Java applet to access local keystores and cryptography libraries on client devices for security, cross-platform and multi-browser compatibility.

Q: Does Zimbra support SPNEGO?
A: Yes. Zimbra uses SPNEGO with supporting browsers to negotiate Kerberos authentication.

Acronyms

ACL - Access Control List
ADFS - Active Directory Federation Services
COS - Class-of-service
FIPS - Federal Information Processing Standard
LDAP - Lightweight Directory Access Protocol
MBS - Mailstore Server
MTA - Message Transfer Agent
OSS - Open source software
SAML - Security Assertion Markup Language
S/MIME - Secure Multipurpose Internet Mail Extensions
SMTP - Simple Mail Transfer Protocol
SSL - Secure Socket Layer
SSO - Single sign-on
TLS - Transport Layer Security
ZCS - Zimbra Collaboration Server

VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com Copyright 2012 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies. Item No: VMW-TWP-ZIMBRA-SECURITY-USLET-104 05/12