Sunday, May 1, 2005

Lotus Notes and Domino security: An essential part of the mix

INFRASTRUCTURE SECURITY

By Jesse Segovia

In a long career as a Lotus Notes professional and consultant, I've been involved in a broad range of Lotus Notes installations all over the world. I've witnessed some remarkable things, such as innovative, completely unexpected uses of Lotus Notes technology that expanded my knowledge of this product's capabilities. I've also observed things that made me want to hurl my laptop like a discus at a company's mission-critical Domino server!

Lotus Notes is a magnificent communications platform. I submit that with relatively little instruction, most anyone with a decent amount of computer familiarity can be turned into an honest-to-goodness Lotus Notes developer or administrator. However, like so many things in life, Notes' strengths are also its weaknesses.

Countless Lotus Notes environments are in a state I refer to as "The Wild West"--fast and very capable developers have almost full reign in the production environment, ready to turn any and all end user requests into full-blooded applications on a dime, and hapless managers have very little control over the process, and even less insight into what's really going on. What the organization suffers by way of application integrity--and development and administration process control--is just part and parcel of doing business with Notes, right? To security-conscious managers and technologists familiar with how to take firm control of more traditional business and development environments, Lotus Notes must seem the very blackest of family sheep. Now why is this?

Isn't Notes RAD?

Many developers equate Notes with the term RAD (Rapid Application Development), and see anything that compromises that rapidity as selling out Notes, or altogether destroying everything that makes it a valuable development environment. These folks tell you any effort to instill traditional change management or IT compliance practices to Notes will ruin its performance edge--and hey, that's the only reason we have Notes here in the organization, right? Forget about its matchless strengths as a collaboration platform, never mind its seamless integration with virtually all accepted Web and communications protocols, and who cares about its extremely flexible user security model? We use it 'cause it's fast!

I often speak to managers who have seriously considered throwing Notes out of their organizations, or technologists who have forbidden the use of Notes to handle any sensitive data or workflow processes because Notes isn't secure. When I offer an exposition of the powerful Notes server, database, and content-level security model, we usually get to the root of the problem--it's the process, or more precisely the lack thereof, around Lotus Notes.