Isode Public Key Infrastructure (PKI) and Security Labels Whitepapers
|A Short Tutorial on Distributed PKI
This whitepaper is an introduction to PKI. The papaer describes why PKI is needed and the basics of its operation, together with examples.
Distributed PKI and Smart Cards
This paper considers authentication systems based on smart cards, where the smart cards will be issued by many organizations, and authentication must work at any location. An important example of this type of deployment is the US Government planned deployment in support of HSPD (Homeland Security Presidential Directive) 12.
Directory signed operation are often requested or mandated as a part of Military ACP 133 Directory or other directory services with high security requirements. This paper explains what directory signed operations are, the benefits they provide, and situations where it makes sense to require their use.
|Why Strong Authentication for Directory?
LDAP and the X.500 directory protocols can all use strong authentication based on X.509 PKI (Public Key Infrastructure). This paper looks at the benefits and issues in using strong authentication for directory. It considers security threats to directory and looks at how strong authentication can be used to address these threats. It also looks at administrative benefits and drawbacks. This paper argues that strong authentication should used wherever possible for server to server communication, and for administrator access.
|Why Strong Authentication? – The
Security and Administrative Benefits of using X.509 PKI based Strong
Strong authentication based on X.509 PKI (Public Key Infrastructure) is available in a number of protocols and provides both security & administrative benefits and drawbacks. This paper looks at the security and administrative benefits (and draw backs) of using strong authentication. This paper looks at generic issues that apply to many applications and protocols using strong authentication. Future white papers will look at specific applications of strong authentication.
in support of large-scale PKI
This paper looks at the uses of directory made by a PKI (Public Key Infrastructure) system and PKI-enabled applications. It defines requirements in terms of directory and then looks at how directory can be used to meet these requirements, and implications on provision of a distributed directory.
in support of Large Scale PKI: Supporting Government Departments
In a previous white paper on Distributed Directory and PKI we took a "top level" view, and focused particularly on the relationship between departments and what is needed to be supported in the middle. This follow-on paper takes a departmental view, and looks at what a department will realistically need to do in order to provide a directory service that will integrate into the complete system. Whilst this white paper takes a generic approach, the models set out are written in light of the requirements of US Government departments that need to conform to Homeland Security Policy Directive 12 (HSPD12) and will interconnect using the Federal Bridge as part of the US Federal PKI.
|Security Label Capabilities in M-Switch
This White Paper looks at how Isode’s M-Switch product can make use of Security Labels to perform Access Control and how it can map between a wide range of Security Label formats and message transport mechanisms.
(2nd May 2012)
|Using Isode Security Label Server for EDRMS
This whitepaper looks at how Isode’s Security Label Server product can be used to provide Security Label and Security Label based Access Control services for an external application, via a simple interface which gives good functional separation and low integration cost. EDRMS (Electronic Document and Records Management System) is used as an example application, to illustrate the benefits of this approach and to consider how best to use Security Labels with EDRMS.
(11th Apr 2012)
|Easy Security Label Support for Email Clients
Use of Security Labels is important in many Military and Intelligence organizations to ensure correct handling of information. Correct handling of Security Labels is complex, and solutions to use them with email generally result in heavyweight desktop solutions. This paper looks at a new approach which minimizes email client complexity, enabling easy support in a wide range of email clients and improving deployment characteristics.
(10th Jan 2012)
|XMPP Boundary and Cross Domain Protection
This White Paper looks at approaches for checking XMPP (Internet Standard eXtensible Messaging and Presence Protocol) traffic at organizational and other operational boundaries. It looks at the requirements on various approaches, and shows how Isode’s M-Link and M‑Link Edge products can be used in these approaches.
(13th Oct 2009)
|Why do I need a SPIF and what Format should I choose?
Anyone deploying or considering deploying a system that uses Security Labels needs to understand and consider the use of a SPIF (Security Policy Information File). Much information on SPIFs is complex and oriented towards security experts. This paper gives a short introduction to SPIFs, in order to give a high level understanding of the subject to non-experts.
(15th Apr 2009)
| Using Security Labels to Control Message Flow in XMPP Services
XMPP is widely used by military and government organizations with stringent security requirements, where it is critical to ensure that sensitive information is not sent to inappropriate individuals or domains. Security Labeling is the mechanism of choice for handling sensitive information in high security environments. This paper looks at the use of Security Labels in conjunction with XMPP services, and how Isode is enhancing its M-Link product to provide Security Label based controls for user to user messaging and for Multi-User Chat (MUC).
(06 Nov 2008)
|Using Security Labels for Directory Access Control & Replication Control
This paper looks at how Security Labels can be used to provide security and management benefits to directory services. It shows how Security Labels can be used to control access to data based on the Security Clearance of the user accessing the directory, and how Security Labels can be used to control access to directory services and selective directory replication.
(15th Apr 2008)
|Managing and securely determining Security Clearance
Access controls based on Security Labels are made by matching the Security Label against the Security Clearance of the user or location for which the access control check is being made. In order for this check to be valid, it is essential that the correct value of the Security Clearance is used. If an incorrect value of the Security Clearance (e.g., a forged one) was used, the access control check would be worthless. This paper looks at how to ensure that the correct Security Clearance is used, and the role of directory in achieving this.
(18th Mar 2008)
|Access Control using Security Labels & Security Clearance
Security Labels provide an important mechanism for controlling access to information in many high security environments, and are also useful in environments with lower security requirements. This paper provides a reasonably detailed description of how security labels and clearances work, while attempting to avoid the high level of technical complexity seen in many papers in this area.
(31st Jan 2008)
|Isode Support for Kerberos, Active Directory and Single Sign On
This paper looks at how Isode client and server products can make use of Kerberos authentication, in configurations where Isode provides both client and server, and in conjunction with third party clients and servers, including Microsoft Active Directory. It looks at how Single Sign On (SSO) can be achieved for Isode products using Kerberos, and compares this with use of other SSO approaches.
(22nd April 2010)
|Password Policy for Directories
In this whitepaper we look at password policy for directories, its major capabilities, benefits, how it is integrated into other applications and how it is used. The paper looks at password policy features implemented by Isode’s M-Vault in Release 14.1. A few features are described that are planned for Release 14.2. M-Vault implements a comprehensive set of password policy features, and so this paper covers all features which are likely to be of interest. The paper focuses on showing how features appear to the end user and can be used and controlled by an administrator.
(27th Sept 2007)
|Identity Management: Is Directory
Inside or Outside?
The role of directory varies considerably in different Identity Management solutions. This includes; systems where directory is a central and highly visible component, systems where directory is used, but is not really visible and systems that do not use directory. This paper examines the role of directory in Identity Management, with particular focus on functionality where an externally visible directory can play a part.