Enterprise GIS: Security Strategy
Michael E. Young
Chief Product Security Officer
Matt Lorrain
Security Architect
Agenda
• Introduction
• Trends
• Strategy
• Mechanisms
• Server
• Mobile
• Cloud
• Compliance
Introduction: What is a secure GIS?
Introduction: What is “The” Answer?
Diagram: Risk shown as the overlap of Vulnerability, Threat and Impact
Introduction: Where are the vulnerabilities?
Core network component vulnerabilities were exposed last year, but application risks are still king
*SANS Relative Vulnerabilities
Current Real World Scenarios & Trends - Michael Young
Trends: Web Application Attacks
*Verizon 2015 DBIR
Trends: Mobile attacks
• Number of mobile devices infected still relatively small
• 96% targeted against Android platform
• Mobile malware short lived
- Piggybacks popular apps
• Mobile SDK’s being attacked
- Ensure apps built with latest SDK’s
• What can help?
- Enterprise Mobility Management enables control and visibility
* Verizon 2015 DBIR
Trends: Trends by Industry
* Verizon 2015 DBIR
• Frequency of incidents by pattern and industry
• Identify hot spots for your specific industry
- Prioritize security initiatives to mitigate against common threats
Real-world security scenarios: Disaster communications modified
Lack of strong governance leads to unexpected consequences
• Scenario
- Organization utilizes cloud based services for disseminating disaster communications
- Required easy updates from home and at work
- Drove allowing public access to modify service information
• Lesson learned
- Enforce strong governance processes for web publication
- Don’t allow anonymous users to modify web service content
- Minimize or eliminate “temporary” modification rights of anonymous users
- If web services are exposed to the internet, providing security only at the application level does not prevent direct access to the service itself
Real-world security scenarios: Using the same username and password between systems leads to compromise
• Scenario
- Hackers used a third-party vendor’s user name and password to enter the network
- Hackers managed to elevate rights and deploy malware on systems
- Result: 56 million credit and debit cards compromised
- 53 million email addresses disclosed
• Lessons learned
- Credential management and high level of trust of “internal” users
- Use an Identity Provider with SAML 2.0 for accessing cloud-based applications
- Enforce 2-factor authentication – at a minimum administrators should do this
Real-World Security Scenarios: Quiz
QUIZ – When was the last ArcGIS Security patch released?
• Hint – The Trust.ArcGIS.com site will always have this answer handy…
99.9% of vulnerabilities are exploited more than a year after being released
Trends: Strategic Shifts in Security Priorities for 2015 and Beyond
• Identity management priority increasing as security focus moves from network to data level
• Advanced Persistent Threats driving shift from Protect to Detect
• Encryption of Internet traffic via SSL v3 broken – Ensuring TLS utilized is necessary
• Password protection is broken – Stronger mechanisms required such as 2-factor auth
• Customers balancing security gateways for mobile solutions vs. VPN
• Patching beyond operating systems is critical
• End-of-life OS builds with XP and now Server 2003 present significant risk
Strategy - Michael Young
Strategy: A better answer
• Identify your security needs
- Assess your environment
- Datasets, systems, users
- Data categorization and sensitivity
- Understand your industry attacker motivation
• Understand security options
- Trust.arcgis.com
- Enterprise-wide security mechanisms
- Application specific options
• Implement security as a business enabler
- Improve appropriate availability of information
- Safeguards to prevent attackers, not employees
Strategy: Enterprise GIS Security Strategy
Security Risk Management Process Diagram - Microsoft
Strategy: Evolution of Esri Products & Services
Diagram: evolution from Product to Enterprise Solution
- Isolated Systems with 3rd Party Security
- Integrated Systems with Embedded Security
- Software as a Service with Managed Security
Strategy: Esri Products and Solutions
• Secure Products
- Trusted geospatial services
- Individual to organizations
- 3rd party assessments
• Secure Platform Management
- Backed by Certifications / Compliance
• Secure Enterprise Guidance
- Trust.ArcGIS.com site
- Online Help
Strategy: Security Principles
Diagram: CIA Security Triad - Confidentiality, Integrity, Availability
Strategy: Defense in Depth
• More layers does NOT guarantee more security
• Understand how layers/technologies integrate
• Simplify
• Balance People, Technology, and Operations
• Holistic approach to security
Diagram: Technical Controls, Policy Controls and Physical Controls layered around Data and Assets
Esri UC 2014 | Technical Workshop |
Mechanisms
Mechanisms: Users & Authentication
• User Store Options
- Built-in user store: Server, Portal, ArcGIS Online
- Enterprise user store: LDAP / Active Directory
• Authentication Options
- Built-in Token Service: Server, Portal, ArcGIS Online
- Web-tier (IIS/Apache) w/ Web Adaptor: Windows Integrated Auth, PKI, Digest…
- Identity Provider (IdP) / Enterprise Logins: SAML 2.0 for ArcGIS Online & Portal
• ArcGIS Server patterns
- Server-tier Auth w/ Built-in users
- Server-tier Auth w/ Enterprise Users
- Web-tier Auth w/ Enterprise Users
• Portal for ArcGIS patterns
- Portal-tier Auth w/ Built-in users
- Portal-tier Auth w/ Enterprise users
- Web-tier Auth w/ Enterprise users
- SAML 2.0 Auth w/ Enterprise Users
• ArcGIS Online patterns
- ArcGIS Online Auth w/ Built-in users
- SAML 2.0 Auth w/ Enterprise users
Mechanisms: Authorization – Role-Based Access Control
• Out-of-box roles (level of permission)
- Administrators
- Publishers
- Users
- Custom – Only for Portal for ArcGIS & ArcGIS Online
• ArcGIS for Server – Web service authorization set by publisher/admin
- Assign access with ArcGIS Manager
- Service Level Authorization across web interfaces
- Services grouped in folders utilizing inheritance
• Portal for ArcGIS – Item authorization set by item owner
- Web Map – Layers secured independently
- Packages & Data – Allow downloading
- Application – Allows opening app
Mechanisms: Authorization – Extending with 3rd Party components
• Web services
- Conterra’s Security Manager (more granular)
- Layer and attribute level security
• RDBMS
- Row Level or Feature Class Level
- Versioning with Row Level degrades performance; alternative – SDE Views
• URL Based
- Web Server filtering
- Security application gateways and intercepts
Mechanisms: Filters – 3rd Party Options
• Firewalls
- Host-based
- Network-based
• Reverse Proxy
• Web Application Firewall
- Open Source option: ModSecurity
• Anti-Virus Software
• Intrusion Detection / Prevention Systems
• Limit applications able to access geodatabase
Mechanisms: Filters - Web Application Firewall (WAF)
• Implemented in DMZ
• Protection from web-based attacks
• Monitors all incoming traffic at the application layer
• Protection for public facing applications
• Can be part of a security gateway
- SSL Certificates
- Load Balancer
Diagram: Internet -> Security Gateway (WAF, SSL Accel, LB) in the DMZ -> Web servers (port 443) -> ArcGIS servers in the internal infrastructure
Mechanisms: Encryption – 3rd Party Options
• Network
- IPSec (VPN, Internal Systems)
- SSL/TLS (Internal and External Systems)
- Cloud Encryption Gateways: only encrypted datasets sent to cloud
• File Based
- Operating System – BitLocker
- Geospatially enabled PDF’s combined with Certificates
- Hardware (Disk)
• RDBMS
- Transparent Data Encryption
- Low Cost Portable Solution – SQL Express w/ TDE
Mechanisms: Logging/Auditing
• Esri COTS
- Geodatabase history: may be utilized for tracking changes
- ArcGIS Workflow Manager: track feature-based activities
- ArcGIS Server 10+ Logging: “User” tag tracks user requests
• 3rd Party
- Web Server, RDBMS, OS, Firewall: consolidate with a SIEM
• Geospatial service monitors
- Esri – System Monitor
- Vestra – GeoSystems Monitor
- Geocortex Optimizer
Mechanisms: GIS monitoring with System Monitor
• Proactive
• Integrated
- Dashboards across all tiers
• End-to-End
- All tier monitoring
• Continuous
- % Coverage provided
• Extendable
- Custom queries
ArcGIS Server - Matt Lorrain
ArcGIS Server: 10.3 Enhancements
• ArcGIS Server Manager – New dashboard for administrators
• Portal for ArcGIS extension is included with ArcGIS for Server Standard and Advanced licenses
- Support for SAML 2.0 authentication
- Management of group membership based on an enterprise identity store
- Custom roles to better control privileges of users
- Activity Dashboard to understand metrics for your portal
- More streamlined approach to configuring a high-availability portal configuration
- As of 10.3.1: query and view portal logs using the Portal Directory to identify errors and issues or to troubleshoot
ArcGIS Server: Single ArcGIS Server machine
Diagram: site administrators connect to Manager; desktop, web and mobile clients reach the GIS server (data, server directories, configuration store) directly on 6080/6443
Front-ending GIS Server with Reverse Proxy or Web Adaptor
Diagram: desktop, web and mobile clients reach a reverse proxy server on 80/443, which forwards to the GIS server (data, server directories, configuration store) on 6080/6443; site administrators still connect to Manager
ArcGIS Server: ArcGIS Server HA – Sites independent of each other
Diagram: desktop, web and mobile clients -> Network Load Balancer (NLB) -> Web Adaptors (optional, port 80) -> two separate ArcGIS Server sites (port 6080), each with its own server directories and configuration store (duplicated between sites); site administrators connect to each site’s Manager
• Active-active configuration is shown
- Active-passive is also an option
• Separate configuration stores and management
- Scripts can be used to synchronize
• Cached map service for better performance
• Load balancer to distribute load
ArcGIS Server: ArcGIS Server HA – Shared configuration store
Diagram: desktop, web and mobile clients -> Network Load Balancer (NLB) -> Web Adaptors (port 80) -> GIS servers (port 6080) that share one data server (enterprise geodatabase), server directories and configuration store; site administrators connect to Manager
• Shared configuration store
• Web Adaptor will correct if server fails
• Config change could affect whole site
- Example: publishing a service
• Test configuration changes
ArcGIS Server: ArcGIS Server HA – Clusters of Dedicated Services
Diagram: desktop, web and mobile clients -> Network Load Balancer (NLB) -> Web Adaptors (optional, port 80) -> GIS servers (port 6080) grouped into Cluster A and Cluster B, all sharing one data server (enterprise geodatabase), server directories and configuration store; site administrators connect to Manager
• Shared configuration store
• Server clusters
- Perform same set of functions
• Example
- Cluster A handles geoprocessing services
- Cluster B handles less intensive services
Enterprise deployment: Real Permutations
Diagram: users (Field Worker, Enterprise Business, Business Partner 1 and 2, Public) reaching Internal Portal, Internal AGS, External AGS and ArcGIS Online across Private IaaS, Public IaaS and DMZ tiers, with Filtered Content drawn from Database and File Geodatabase sources
ArcGIS Server: Enterprise Deployment
Diagram: Internet -> DMZ security gateway (WAF, SSL Accel, Load Balancer, port 443) -> Public Web Server and NLB-fronted Web Server A / Web Server B (IIS/Java Web Server with Web Apps and WebAdaptor, port 80) -> ArcGIS Site with Web Adaptor round-robin request load balancing to GIS Server A / GIS Server B (ArcGIS for Server GIS Services, port 6080), backed by an HA NAS (Config Store, Directories, FGDB), clustered HA DB1 / HA DB2 (SQL) and supporting infrastructure (AD/LDAP, ADFS / SAML 2.0 with ADFS Proxy, Auth Web Server on port 443)
ArcGIS Server: Implementation Guidance
• Don’t expose Server Manager or Admin interfaces to the public
• Disable Services Directory
• Disable Service Query Operation (as feasible)
• Limit utilization of commercial databases under a website
- File GeoDatabase can be a useful intermediary
• Require authentication to services
• Deploy ArcGIS Server(s) to DMZ if external users require access
- One-way replication from enterprise database
• Restrict cross-domain requests
- Implement a whitelist of trusted domains for communications
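The guidance above, together with the earlier disaster-communications lesson that application-level security does not stop direct calls to an exposed service, can be checked from the public side of the firewall. The following audit is an added example (not Esri's code and not part of the original deck); it assumes the standard /arcgis/admin, /arcgis/manager and /arcgis/rest paths, that a secured service answers an anonymous request with REST error 499 (Token Required) or 498 (Invalid Token), and that a service lists its enabled operations in its `capabilities` string. The `fetch` callable is injected so the checks can be exercised offline against constructed responses.

```python
"""Public-exposure audit for an ArcGIS Server site. Added example, not Esri's
code. Assumptions: the usual /arcgis/admin, /arcgis/manager and /arcgis/rest
paths; a secured service answers an anonymous call with REST error 499
(Token Required) or 498 (Invalid Token); a service's enabled operations are
listed in its ``capabilities`` string. ``fetch`` is injected (runs offline)."""
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Fetcher = Callable[[str], Tuple[int, str]]   # url -> (HTTP status, body)


@dataclass
class Finding:
    url: str
    severity: str
    message: str


def classify_service(status: int, body: str) -> Tuple[str, Optional[Dict]]:
    """Interpret an anonymous ``?f=json`` call to a service endpoint. The HTTP
    status is normally 200 even for a secured service; the refusal is inside
    the JSON body, which is why status-only checks miss it."""
    if status in (401, 403):
        return "blocked", None              # web-tier (IIS/Apache) refused it
    try:
        doc = json.loads(body)
    except ValueError:
        return ("blocked" if status >= 400 else "unknown"), None
    if not isinstance(doc, dict):
        return "unknown", None
    err = doc.get("error")
    if isinstance(err, dict):
        secured = err.get("code") in (498, 499)
        return ("token-required" if secured else "error"), None
    return "anonymous", doc                 # real service metadata came back


def audit_site(base: str, services: List[str], fetch: Fetcher) -> List[Finding]:
    findings: List[Finding] = []
    # Manager and Admin must not be reachable from the public network at all.
    for path in ("/arcgis/admin", "/arcgis/manager"):
        status, _ = fetch(base + path)
        if status not in (403, 404):
            findings.append(Finding(base + path, "high",
                                    f"management interface reachable (HTTP {status})"))
    # The Services Directory lets anyone browse the whole REST tree.
    status, body = fetch(base + "/arcgis/rest/services?f=html")
    if status == 200 and "<html" in body.lower():
        findings.append(Finding(base + "/arcgis/rest/services", "medium",
                                "Services Directory enabled"))
    # Direct REST calls bypass any login the web app in front enforces, so
    # each service must demand a token itself; Query should be off if feasible.
    for svc in services:
        url = f"{base}/arcgis/rest/services/{svc}?f=json"
        verdict, doc = classify_service(*fetch(url))
        if verdict == "anonymous":
            findings.append(Finding(url, "high", "service readable without a token"))
            caps = [c.strip() for c in doc.get("capabilities", "").split(",")]
            if "Query" in caps:
                findings.append(Finding(url, "medium", "Query operation enabled"))
        elif verdict == "unknown":
            findings.append(Finding(url, "low", "unexpected response, review by hand"))
    return findings
```

To run it against a live site, pass a `fetch` that wraps urllib or requests and returns the status code and body text; run it from outside the firewall, since the point is what an anonymous internet client can reach.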
Chart: Attack surface over time
Mobile - Matt Lorrain
Mobile: What are the mobile concerns?
*OWASP Top Ten Mobile: https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
Mobile: Security Touch Points
• Communication
• Device access
• Storage
• Project access
• Data access
• Server authentication
• SDE permissions
• Service authorization
Mobile: Challenges
• Users are beyond corporate firewall
- To VPN or not to VPN?
• Authentication/Authorization challenges
• Disconnected editing
• Management of mobile devices
- Enterprise Mobility Management is the answer!
- Mobile Device Management
- Mobile Application Management
- Security Gateways
- Examples: MobileIron, MaaS360, Airwatch, and many more…
Mobile: Potential Access Patterns
Diagram: mobile ArcGIS clients reach the external facing GIS either through a Security Gateway or over VPN into the DMZ (Web Adaptor on IIS, Portal, ArcGIS Server, shared config store on NAS, SQL Server), backed by Enterprise AD and AD FS 2.0; ArcGIS Desktop connects from the internal network
Mobile: Implementation Guidance
• Encrypt data-in-transit (HTTPS) via TLS
• Encrypt data-at-rest
• Segmentation
- Use ArcGIS Online, Cloud, or DMZ systems to disseminate public-level data
• Perform Authentication/Authorization
• Use an Enterprise Mobility Management (EMM) solution
- Secure e-mail
- Enforce encryption
- App distribution
- Remote wipe
- Control 3rd party apps & jailbreak detection
Cloud - Matt Lorrain
Cloud: Service Models
• Non-Cloud
- Traditional systems infrastructure deployment: Portal for ArcGIS & ArcGIS Server
• IaaS
- Portal for ArcGIS & ArcGIS Server
- Some Citrix / Desktop
• SaaS
- ArcGIS Online
- Business Analyst Online
Diagram: customer responsibility decreases from Non-Cloud (customer responsible end to end) to SaaS (customer responsible for application settings)
Cloud: Deployment Models
Diagram: deployment models ranging from On-Premises (Portal and Server on the intranet) through On-Premises + (read-only basemaps from ArcGIS Online) to Hybrid 1 (public ArcGIS Online combined with intranet servers) and Hybrid 2 (ArcGIS Online combined with multiple intranet servers)
Cloud: Management Models
• Self-Managed
- Your responsibility for managing IaaS deployment security
- Security measures discussed later
• Provider Managed
- Esri Managed Services (Standard Offering)
- New Esri Managed Cloud Services (EMCS) Advanced Plus: FedRAMP Moderate environment
Cloud: IaaS – Amazon Web Services
• 8 Security Areas to Address
- Virtual Private Cloud (VPC)
- Identity & Access Management (IAM)
- Administrator gateway instance(s) (Bastion)
- Reduce attack surface (Hardening)
- Security Information Event Management (SIEM)
- Patch management (SCCM)
- Centralized authentication/authorization
- Web application firewall (WAF)
Cloud: EMCS Advanced Plus Offering
Diagram: an ArcGIS Online front-end (Low) serving End Users, with a Managed Services back-end (Mod) of Customer Instances (ArcGIS for Server, Portal for ArcGIS) and Customer Databases behind a Security Infrastructure of Centralized Authentication (2-factor), Key Management, Network Address Translation, Virtual Private Cloud (Segmentation), Redundancy (multiple data centers), IDS/SIEM/WAF and Logging, administered by an Esri Cloud GIS Administrator
Cloud: Hybrid deployment combinations
• On-Premises
- Ready in months/years
- Behind your firewall
- You manage & certify
• Esri Managed Cloud Services
- Ready in days
- All ArcGIS capabilities at your disposal in the cloud
- Dedicated services
- FedRAMP Moderate
• ArcGIS Online
- Ready in minutes
- Centralized geo discovery
- Segment anonymous access from your systems
- FISMA Low
. . . All models can be combined or separate
Cloud: Hybrid
Diagram: 1. Register Services from the On-Premises ArcGIS Server into the AGOL Org (Group “TeamGreen”, Hosted Services and Content, Public Dataset Storage); 2. Enterprise Login (SAML 2.0) against the AD / LDAP User Repository; 3. Request to View; 4. Access Service. Users hold ArcGIS Org Accounts or External Accounts.
Segment sensitive data internally and public data in cloud
Cloud: Hybrid – Data sources
• Where are internal and cloud datasets combined?
- At the browser: the browser makes separate requests for information to multiple sources and does a “mash-up”
- Token security with SSL, or even a VPN connection, could be used between the device browser and the on-premises system
Diagram: the browser combines layers from an On-Premises Operational Layer Service (https://YourServer.com/arcgis/rest...) and a Cloud Basemap Service from ArcGIS Online (http://services.arcgisonline.com...)
Cloud: ArcGIS Online – Implementation Guidance
• Require HTTPS
• Do not allow anonymous access
• Allow only standard SQL queries
• Restrict members from sharing outside of the organization (as feasible)
• Use enterprise logins with SAML 2.0 with existing Identity Provider (IdP)
- If unable, use a strong password policy (configurable) in ArcGIS Online
- Enable multi-factor authentication for users
• Use multifactor for admin accounts
• Use a least-privilege model for roles and permissions
- Custom roles
Compliance
Compliance: ArcGIS Platform Security
• Esri Corporate
• Cloud Infrastructure Providers
• Products and Services
• Solution Guidance
Compliance: Extensive security compliance history
Esri has actively participated in hosting and advancing secure compliant solutions for over a decade
Timeline (2002 to 2016) milestones: FISMA Law Established (2002); Esri GOS2 FISMA Authorization (2005); Esri Participates in First Cloud Computing Forum; Esri Hosts Federal Cloud Computing Security Workshop; FedRAMP Announced; OMB FedRAMP Mandate; ArcGIS Online FISMA Authorization; First FedRAMP Authorization; EMCS FedRAMP Compliant; Planned ArcGIS Online FedRAMP Authorization
Compliance: Esri Corporate
• ISO 27001
- Esri’s Corporate Security Charter
• Privacy Assurance
- US EU/Swiss Safe Harbor self-certified
- TRUSTed cloud certified
Compliance: Cloud Infrastructure Providers
• ArcGIS Online utilizes world-class Cloud Infrastructure Providers
- Microsoft Azure
- Amazon Web Services
Cloud Infrastructure Security Compliance
Compliance: Products and Services
• ArcGIS Online
- FISMA Low Authority to Operate by USDA (Jun 2014)
- FedRAMP – Upcoming
• Esri Managed Cloud Services (EMCS)
- FedRAMP Moderate (Jan 2015)
• ArcGIS Server
- DISA STIG (Expected 2015)
• ArcGIS Desktop
- FDCC (versions 9.3-10)
- USGCB (versions 10.1+)
- ArcGIS Pro (Expected 2015)
Compliance: Solution Level
• Geospatial Deployment Patterns to meet stringent security standards
- Hybrid deployments
- On-premise deployments
• Supplemented with 3rd party security components
- Enterprise Identity management integration – CA SiteMinder (Complete)
- Geospatial security constraints – ConTerra (Started)
- Mobile security gateway integration (Upcoming)
• Upcoming best practice security compliance alignment guidance
- CJIS – Law Enforcement (Started)
- STIGs – Defense (Started)
- HIPAA – Healthcare (Future)
Compliance: ArcGIS Online Assurance Layers
Diagram of assurance layers, bottom to top:
- Cloud Provider (ISO 27001, SSAE16, FedRAMP Mod): Physical, Hypervisor, Instance Security Management
- Esri (AGOL SaaS: FISMA Low (USDA), Safe Harbor (TRUSTe)): Operating system, Web Server & DB software, ArcGIS Management
- Customer: Web App Consumption
Compliance: Deployment Model Responsibility
Compliance: Cloud Roadmap
• 2014: ArcGIS Online – FISMA Low
• 2015: Managed Services (EMCS) – FedRAMP Mod
• Upcoming: ArcGIS Online – FedRAMP
Summary
• Security demands are rapidly evolving
- Prioritize efforts according to your industry and needs
- Don’t just add components; take a simplified Defense in Depth approach
• Secure best practice guidance is available
- Check out the ArcGIS Trust Site!
- Security Architecture Workshop
• Please fill out the session survey in your mobile app
• In the agenda, click on the title of this session: Enterprise GIS: Security Strategy
• Click “Technical Workshop Survey”
• Answer a few short questions and enter any comments
Thank you…
Want to Learn More?
• ArcGIS Online: A Security, Privacy, and Compliance Overview – Wed 10:15am Room 17B
• ArcGIS Server & Portal for ArcGIS: An Introduction to Security – Tues 3:15pm Room 4, Thurs 1:30pm Room 4
• ArcGIS Server: Advanced Security – Wed 3:15pm Room 3, Thurs Room 4
• Best Practices in Setting up Secured Services in ArcGIS for Server – Tues 5:30pm Demo Theater 14
• Building Security into your System – Tues 4:30pm Implementation Center
• OAuth 2 and Authentication in ArcGIS Online Demystified – Tues 2:30pm Demo Theater 11
• Using Enterprise Logins for Portal in ArcGIS via SAML – Tues 5:30pm, Wed 2:30pm Demo Theater 7
Esri Security Standards & Architecture [email protected]