Warren_Kopp
Star Contributor

Defense in Depth is key to robust, effective security in your environment. We've discussed the idea in the abstract in a previous article. To recap briefly, defense in depth is about creating independent layers of protection in your environment to prevent misuse, abuse, or information leakage. Well-managed defenses protect your legitimate users and their actions while putting walls and roadblocks in the way of potential attackers. If you assume the worst, that you have already been breached, the right kind of layers may delay an attacker long enough for them to get caught, or push them to give up and move on to an easier target.

In the standard OnBase deployment, Thick Client machines need direct access to the fileshares that contain your Disk Groups. It is easy to segregate this access by document type and by the user groups that need it: create independent Disk Groups for each department's or team's documents, and grant only those specific users access. However, there is immense value in preventing *every* user in the system from having direct access to a shared or central resource repository like your file servers.

Distributed Disk Services (DDS) can provide that value. This module puts in place a proxy server that acts on the user's behalf when they access Disk Groups, much as the Application Server acts as a proxy for Web and Unity client users when they access the database and Disk Groups; DDS stands between Thick Client users and the Disk Groups in the same way. The security and management benefit is immediately clear. Rather than creating, applying, and monitoring the fileshare permissions of dozens or even hundreds of users, you have reduced that overhead to a single account. This matters in the event of a compromise: an attacker can use a single compromised account to pivot through your network anywhere that user has permission, so every user with direct share access is a potential path to your Disk Groups. In terms of security, it is much easier to spot abuse or anomalous behavior in a single account than it is to track that across an entire user community. Regarding management overhead, you can now eliminate the duplicate work of setting up fileshare permissions to match the OnBase permissions you have already created. With a single point of configuration, monitoring for both baseline activity and anomalies becomes that much easier, and countermeasures can be deployed that much more effectively.
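One way to verify that the permission reduction described above actually holds on the file server is to audit the NTFS access control lists on the Disk Group folders. The PowerShell check below is an added example, not Hyland's code; the share paths, domain and the `svc-onbase-dds` service account name are placeholders you would replace with your own values.

```powershell
# Added example (not Hyland's code): report every principal other than the DDS
# service account (plus a short admin allow-list) that still holds NTFS Allow
# access on Disk Group folders. Paths and account names are placeholders.

$DiskGroupRoots = @(
    '\\FILESERVER01\DiskGroups\HR',
    '\\FILESERVER01\DiskGroups\Finance'
)
$AllowedPrincipals = @(
    'CONTOSO\svc-onbase-dds',    # the single proxy identity DDS runs as
    'BUILTIN\Administrators',
    'NT AUTHORITY\SYSTEM'
)

function Test-DiskGroupAcl {
    param([string]$Path, [string[]]$Allowed)

    $acl = Get-Acl -Path $Path
    $findings = @()
    foreach ($ace in $acl.Access) {
        # Only Allow entries grant access; Deny entries are not findings.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if ($Allowed -notcontains $id) {
            $findings += [pscustomobject]@{
                Path      = $Path
                Principal = $id
                Rights    = $ace.FileSystemRights
                # Inherited entries from the share root are the usual source
                # of unintended access, so record where each ACE came from.
                Inherited = $ace.IsInherited
            }
        }
    }
    return $findings
}

$results = foreach ($root in $DiskGroupRoots) {
    Test-DiskGroupAcl -Path $root -Allowed $AllowedPrincipals
}

if ($results) {
    Write-Warning 'Principals other than the DDS proxy identity can reach Disk Group storage:'
    $results | Format-Table -AutoSize
} else {
    Write-Host 'OK: only allow-listed principals hold NTFS Allow access on the Disk Group roots.'
}
# Because access is now concentrated in one account, the same care should go
# into protecting and monitoring svc-onbase-dds that used to be spread over many users.
```

Run it from an account that can read the ACLs on the file server; share-level (SMB) permissions are separate from NTFS permissions and should be reviewed with the same allow-list.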

An additional benefit of DDS is AES-encrypted communication between client endpoints and the DDS server. Depending on the security posture of your environment, this encryption layer can add value in Core-based solutions as well as Thick Client solutions. The encrypted channel is an independent security layer that helps prevent man-in-the-middle attacks and disclosures in which a malicious actor who can see raw network traffic reads other users' documents off the wire. DDS does not ship with a default or hard-coded key, so each installation has a unique value protecting its traffic, and DDS includes the controls to rotate this key at any time.

Defense in Depth is a difficult concept to implement well, but OnBase provides many tools that can fit your unique environment. DDS is one tool that addresses a specific set of problems. If you believe that DDS will help you protect your environment, please contact your first line of support today.