HP-UX Directory Server 8.1 deployment guide

ManualsBrandsHP ManualsSoftwareHP-UX Directory Server

101

102

103

104

105

106

107

108

109

110

8.2.2 Ensuring data privacy and integrity

When using the directory to support exchanges with business partners over an extranet or to

support e-commerce applications with customers on the Internet, ensure the privacy and the

integrity of the data exchanged.

There are several ways to do this:

• By encrypting data transfers.

• By using certificates to sign data transfers.

For information about encryption methods provided in Directory Server, see “Password storage

schemes”

For information about signing data, see “Securing server to server connections”.

For information about encrypting sensitive information as it is stored in the Directory Server

database, see “Database encryption”

8.2.3 Conducting regular audits

As an extra security measure, conduct regular audits to verify the efficiency of the overall security

policy by examining the log files and the information recorded by the SNMP agents.

For more information about SNMP, including log files, see the HP-UX Directory Server administrator

guide.

8.2.4 Example security needs analysis

The examples provided in this section illustrate how the imaginary ISP company "example.com"

analyzes its security needs.

example.com's business is to offer web hosting and Internet access. Part of example.com's activity

is to host the directories of client companies. It also provides Internet access to a number of

individual subscribers.

Therefore, example.com has three main categories of information in its directory:

• example.com internal information

• Information belonging to corporate customers

• Information pertaining to individual subscribers

example.com needs the following access controls:

• Provide access to the directory administrators of hosted companies (example_a and

example_b) to their own directory information.

• Implement access control policies for hosted companies' directory information.

• Implement a standard access control policy for all individual clients who use example.com

for Internet access from their homes.

• Deny access to example.com's corporate directory to all outsiders.

• Grant read access to example.com's directory of subscribers to the world.

8.3 Overview of security methods

Directory Server offers several methods to design an overall security policy that is adapted to

specific needs. The security policy should be strong enough to prevent sensitive information

from being modified or retrieved by unauthorized users, but also simple enough to administer

easily. A complex security policy can lead to mistakes that either prevent people from accessing

information that they need to access or, worse, allow people to modify or retrieve directory

information that they should not be allowed to access.

8.3 Overview of security methods 105