Planning security

Before you prepare your environment for the service, make decisions about implementing security in the service by answering questions described in this topic.

About this task

Table 1. Security questions
Question Considerations

Will you use federated identity management?

Federated identity management allows users who are logged on to your company system to use the service without logging on again. To enable federated identity management, you register your organization as a trusted identity provider in the IBM Connections™ Cloud service. Before you register, you must implement and test a federated identity management system that uses Security Assertion Markup Language (SAML). While you are implementing your system, you must make some choices and prepare several artifacts.

For more information about this option and other login options, see Configuring logins.

Do your company's top-level organization certifiers comply with service requirements?

There are some restrictions on organization certifier names. Your organization certifiers must be at least three characters and must be different from certifiers used by other companies in the service. In addition, specific organization certifier names are prohibited for use with the service.

If you use more than one organization certifier, decide which one to use for the following servers. All of these servers must be certified under the same organization certifier.
  • Passthru servers that the service uses to connect to your environment
  • Directory synchronization servers and mail hub servers in the on-premises hub domain
  • Your mail servers in the service, which are created for you in the service using the OU certifier that you provide

For more information, see Certifier requirements in a hybrid environment.

What decisions do you need to make about the OU certifier to use for your mail servers?

Decide on a name for the OU certifier. A short name is best. Consider carefully the name you choose; after you upload the OU certifier ID file to the service during service configuration, you cannot change to a certifier of a different name.

Decide who will create the OU certifier and who will upload the certifier ID file to the service. Uploading the ID file to the service requires physical access to the ID file. Companies often allow only specific people to create certifiers and to access certifier ID files, so account for this possibility in your planning.

Is public key checking enabled on on-premises servers that the service will connect to?

If public key checking is enabled on the following servers, it must be disabled.
  • Passthru servers that the service uses to connect to your environment
  • Directory synchronization servers and mail hub servers in the on-premises hub domain

What firewall changes are required?

Your firewall must be opened to specific ports and host names. For more information, see Planning network connections.

Do you use wildcard groups to control access?

Put wildcard groups, for example */Austin/Renovations, directly in access control lists, mail or calendar delegation lists, or policy assignment fields. Do not put wildcard groups in a directory group and then add the directory group to the access list or policy assignment fields; this configuration is not supported.
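The following is an added example, not code from the IBM documentation: a small Python model of how a wildcard entry such as */Austin/Renovations is honoured when it appears directly in an ACL, together with a planning check that flags wildcard entries nested inside directory groups, which the service does not expand. The ACL levels and the canonical name format are standard Domino; the matching rule (a wildcard matches every name certified at or below the named level) and the sample ACL and group data are assumptions constructed for this example.

```python
import re

# Standard Domino ACL levels, lowest to highest.
LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]


def components(name: str) -> list[str]:
    """Split a canonical (CN=Jane Doe/OU=Austin/O=Renovations) or abbreviated
    (Jane Doe/Austin/Renovations) name into lower-cased components."""
    return [re.sub(r"^(cn|ou|o|c)=", "", p.strip().lower()) for p in name.split("/")]


def wildcard_matches(entry: str, user: str) -> bool:
    """Assumed rule: */X/Y matches every name certified at or below X/Y."""
    if not entry.startswith("*/"):
        return False
    tail, comps = components(entry[2:]), components(user)
    return len(comps) > len(tail) and comps[-len(tail):] == tail


def unsupported_wildcards(groups: dict[str, list[str]]) -> list[tuple[str, str]]:
    """Planning check: wildcards inside a directory group are not expanded."""
    return [(g, m) for g, members in groups.items() for m in members if m.startswith("*/")]


def effective_access(acl: dict[str, str], groups: dict[str, list[str]], user: str) -> str:
    """Highest level granted by an explicit name, a direct wildcard entry, or a
    group that lists the user by explicit name; nested wildcards are ignored."""
    level = acl.get("-Default-", "No Access")
    for entry, granted in acl.items():
        hit = (
            components(entry) == components(user)
            or wildcard_matches(entry, user)
            or any(components(m) == components(user) for m in groups.get(entry, []))
        )
        if hit and LEVELS.index(granted) > LEVELS.index(level):
            level = granted
    return level


# Constructed sample data: one direct wildcard entry, one group that wrongly nests a wildcard.
ACL = {"-Default-": "No Access", "*/Austin/Renovations": "Editor", "Renovations Admins": "Manager"}
GROUPS = {"Renovations Admins": ["Sam Lee/Austin/Renovations", "*/Boston/Renovations"]}

if __name__ == "__main__":
    for user in ("CN=Jane Doe/OU=Austin/O=Renovations", "CN=Pat Roe/OU=Boston/O=Renovations"):
        print(user, "->", effective_access(ACL, GROUPS, user))
    print("Unsupported nested wildcards:", unsupported_wildcards(GROUPS))
```

Running it shows the Austin user receiving Editor access from the direct wildcard, while the Boston user gets nothing because the wildcard that would cover them sits inside a group, and the check reports that nested entry.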