• Introduction
• Trends
• Strategy
• Mechanisms
• Server
• Mobile
• Cloud
• EMCS Advanced Plus
• Compliance
Introduction
What is a secure GIS?
Introduction
What is “The” Answer?
[Figure: risk vs. impact matrix]
Introduction
Where are the vulnerabilities?
Core component vulnerabilities were exposed in the past few years; application risks are still king
Trends
Michael Young
Web Application Attacks
• Password-based authentication is STILL broken
- Use 2-factor
• Validate inputs
• Privilege Misuse
- Defense in Depth approach
• Scenario
- Organization utilizes cloud based services for disseminating disaster communications
- Required easy updates from home and at work
- Drove allowing public access to modify service information
• Lesson learned
- Enforce strong governance processes for web publication
- Don’t allow anonymous users to modify web service content
- Minimize or eliminate “temporary” modification rights of anonymous users
- If web services are exposed to the internet, providing security only at the application level does not prevent direct service access
• Scenario
- Developers using access tokens without segmenting them appropriately from their applications and code
- Tokens are often configured with a long lifetime, in contradiction with secure development best practices
- Code is shared through cloud repositories (such as GitHub) and the tokens are exposed
- Result: tokens can be used by malicious users to perform privileged functions, intercept private communications, eavesdrop, etc.
• Lessons learned
- Keep credentials separate from code and do not store them in code repositories
- Perform routine checks of organization code repositories and applications
- Use short-lived tokens when possible
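An added example (not from the presentation) of the "routine check of code repositories" lesson: a small scanner that flags quoted secrets assigned to credential-named variables, very long generateToken expirations, and opaque token-length strings. The patterns, the 60-minute cap and the sample source are assumptions constructed for this example.

```python
import re

# Assumed shapes of leaked credentials in source (tune for your own code base):
# a secret-named variable assigned a quoted literal, a generateToken "expiration"
# (minutes) far beyond policy, or an opaque base64url-style string of token length.
SECRET_ASSIGN = re.compile(
    r'\b(token|password|passwd|secret|client_secret|api_key)\b["\']?\s*[:=]\s*["\']([^"\']{8,})["\']',
    re.IGNORECASE)
LONG_EXPIRATION = re.compile(r'\bexpiration\b["\']?\s*[:=]\s*(\d+)', re.IGNORECASE)
OPAQUE_TOKEN = re.compile(r'(?<![A-Za-z0-9_\-])[A-Za-z0-9_\-]{60,}(?![A-Za-z0-9_\-])')
MAX_TOKEN_MINUTES = 60  # assumed policy cap; ArcGIS token expiration is in minutes

# Constructed sample file: two bad habits followed by the corrected form.
SAMPLE_SOURCE = '''\
import os
# bad: secret in source, long-lived token request
password = "Sup3rS3cretPassw0rd!"
params = {"username": "svc_gis", "expiration": 525600, "f": "json"}
token = "eyJhbGciOiJIUzI1NiJ9.AbCdEfGhIjKlMnOpQrStUvWxYz0123456789AbCdEfGhIjKlMnOpQrStUvWxYz0123456789"
# good: secret read from the environment, short-lived token
safe_token = os.environ["AGS_TOKEN"]
safe_params = {"username": "svc_gis", "expiration": 60, "f": "json"}
'''


def scan(source):
    """Return (line_no, kind, detail) findings, one per suspicious match."""
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        m = SECRET_ASSIGN.search(line)
        if m:
            findings.append((no, "hardcoded-secret", m.group(1).lower()))
        m = LONG_EXPIRATION.search(line)
        if m and int(m.group(1)) > MAX_TOKEN_MINUTES:
            findings.append((no, "long-lived-token", m.group(1)))
        m = OPAQUE_TOKEN.search(line)
        if m:
            findings.append((no, "opaque-token", "%d chars" % len(m.group(0))))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_SOURCE):
        print(*finding)
```

Run it over a checkout with `scan(open(path).read())` per file; the environment-variable line produces no finding, which is the pattern to move to.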
Recurring security scenarios
Leveraging leaked credentials
• Scenario
- User had account with LinkedIn or Adobe
- Account information compromised
- User changed password for their compromised service
- 4 years later account information offered on dark market
- Compromised account info utilized to access other services in May & June 2016, such as:
- GitHub, Netflix, Facebook, GoToMyPC, Reddit, TeamViewer, Twitter, and Carbonite
• Lessons Learned
- Avoid utilizing the same password between services
- Utilize enterprise strength password management tools to facilitate unique passwords
- Check whether your email has been in a compromise – services like https://haveibeenpwned.com
Recurring Security Scenarios
QUIZ – When was the last ArcGIS Security patch released?
• Hint – The Trust.ArcGIS.com site will always have this answer handy…
99.9% of vulnerabilities are exploited more than a year after being released
Trends
Strategic Shifts in Security Priorities for 2016 and Beyond
• Identity management priority increasing as security focus moves from network to data level
• Advanced Persistent Threats driving shift from Protect to Detect
• Encryption of Internet traffic via SSL v3 broken – Utilize only TLS / Configure ciphers
• Password protection is broken – Use 2-factor auth
• Cloud Access Security Brokers (CASB) – Gartner top security tech pick for 2016
• Patch! Attackers routinely use unpatched vulnerabilities to compromise organizations
• Ransomware & Trojans on rise – Backups operational & utilize email link validation tools
• Deprecation of MD5 and SHA-1 for certificates and code signing - Use SHA-256
• Silverlight died first, now it’s Adobe Flash – Ensure cross-domain is not trust-all
Strategy
Michael Young
A better answer: Distributed Web GIS
[Figure: Web GIS, Server GIS and Desktop GIS connected through ArcGIS]
• Secure Products
- Trusted geospatial services
- Individual to organizations
- 3rd party assessments
[Figure: CIA Security Triad – Confidentiality, Integrity, Availability]
Strategy
Defense in Depth
[Figure: layered Physical, Policy and Technical Controls]
• Balance People, Technology, and Operations
• Holistic approach to security
Mechanisms
Matt Lorrain
Mechanisms
Users & Authentication
• User Store Options
- Built-in user store
- Server, Portal, ArcGIS Online
- Enterprise user store
- LDAP / Active Directory
• Authentication Options
- Built-in Token Service
- Server, Portal, ArcGIS Online
- Web-tier (IIS/Apache) w/ Web Adaptor
- Windows Integrated Auth, PKI, Digest…
- Identity Provider (IdP) / Enterprise Logins
- SAML 2.0 for ArcGIS Online & Portal
• ArcGIS Server patterns
- Server-tier Auth w/ Built-in users
- Server-tier Auth w/ Enterprise Users
- Web-tier Auth w/ Enterprise Users
• Portal for ArcGIS patterns
- Portal-tier Auth w/ Built-in users
- Portal-tier Auth w/ Enterprise users
- Web-tier Auth w/ Enterprise users
- SAML 2.0 Auth w/ Enterprise Users
• ArcGIS Online patterns
- ArcGIS Online Auth w/ Built-in users
- SAML 2.0 Auth w/ Enterprise users
Mechanisms
Authorization
• Web services
- Conterra’s Security Manager (more granular)
- Layer and attribute level security
• RDBMS
- Row Level or Feature Class Level
- Versioning with Row Level degrades performance
- Alternative – SDE Views
• URL Based
- Web Server filtering
- Security application gateways and intercepts
Mechanisms
Filters – 3rd Party Options
• Firewalls
- Host-based
- Network-based
• Reverse Proxy
• Web Application Firewall
- Open Source option ModSecurity
• Anti-Virus Software
• Intrusion Detection / Prevention Systems
• Limit applications able to access geodatabase
Mechanisms
Filters - Web Application Firewall (WAF)
• Implemented in DMZ
• Protection from web-based attacks
[Figure: Internet → port 443 → Security Gateway (WAF, SSL acceleration, load balancer) in the DMZ]
• Network
- IPSec (VPN, Internal Systems)
- SSL/TLS (Internal and External System)
- Cloud Access Security Brokers (CASB)
- Proxy - Only encrypted datasets sent to cloud
• File Based
- Operating System – BitLocker
- Geospatially enabled PDFs with certificates
- Hardware (Disk)
• RDBMS
- Transparent Data Encryption
Mechanisms
Logging/Auditing
• Esri COTS
- Geodatabase history
- May be utilized for tracking changes
- ArcGIS Workflow Manager
- Track Feature based activities
- ArcGIS Server 10+ Logging
- “User” tag tracks user requests
- Set to a minimum of ‘INFO’
• 3rd Party
- Web Server, RDBMS, OS, Firewall
- Consolidate with a SIEM
[Figure: Web Server, Geodatabase and RDBMS tiers]
• Integrated
- Dashboards across all tiers
• End-to-End
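An added example, not from the deck, of consolidating the "User" information that ArcGIS Server writes at INFO level: it reads request records, totals requests per user and flags edit operations made without an authenticated user. The `<Msg>` attribute layout, the message text and the sample records are assumptions constructed for this example; compare with your own server's logs.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed records shaped like ArcGIS Server log <Msg> elements (assumed layout).
SAMPLE_LOG = """\
<Msg time="2016-06-01T10:15:00" type="INFO" code="100004" source="Rest" user="jdoe">Request user: jdoe, Service: Cities.MapServer, Method: query</Msg>
<Msg time="2016-06-01T10:15:07" type="INFO" code="100004" source="Rest" user="">Request user: , Service: Roads.FeatureServer, Method: applyEdits</Msg>
<Msg time="2016-06-01T10:15:09" type="FINE" code="100004" source="Rest" user="">Request user: , Service: Roads.FeatureServer, Method: query</Msg>
<Msg time="2016-06-01T10:16:01" type="INFO" code="100004" source="Rest" user="editor1">Request user: editor1, Service: Roads.FeatureServer, Method: applyEdits</Msg>
"""

EDIT_METHODS = {"applyEdits", "addFeatures", "updateFeatures", "deleteFeatures"}
ANON = "<anonymous>"
FIELD = re.compile(r"Service:\s*(?P<service>[^,\s]+),\s*Method:\s*(?P<method>\w+)")


def parse_log(text):
    """Return one dict per <Msg> record; other lines (file header, etc.) are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("<Msg "):
            continue
        el = ET.fromstring(line)
        m = FIELD.search(el.text or "")
        records.append({
            "time": el.get("time"),
            "level": el.get("type"),
            "user": el.get("user") or ANON,  # empty user attribute = anonymous request
            "service": m.group("service") if m else None,
            "method": m.group("method") if m else None,
        })
    return records


def requests_per_user(records):
    """Request volume by user; a spike for <anonymous> deserves a look."""
    return Counter(r["user"] for r in records)


def anonymous_edits(records):
    """Edit operations performed without an authenticated user."""
    return [(r["time"], r["service"], r["method"])
            for r in records if r["user"] == ANON and r["method"] in EDIT_METHODS]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(requests_per_user(recs))
    print(anonymous_edits(recs))
```

Feed the same records into the SIEM consolidation step the slide describes; the anonymous-edit list is the direct check for the "anonymous users modifying web service content" scenario.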
• SaaS
- www.arcgis.com
- Releases often
- Upgraded automatically (by Esri)
- Esri controls SLA
• Functionality (smart mapping…)
• Enterprise Integration
- Web SSO via SAML
• Software
- Part of ArcGIS Server
- Releases 1-2 times per year
- Upgraded manually (by organization)
- Organization controls SLA
• Functionality (smart mapping…)
• Enterprise Integration
- Web SSO via SAML
- Web-tier Authentication via Web Adaptor
- Enterprise Groups
- ArcGIS Server Integration…
Web GIS
Anatomy of a Web GIS
[Figure: multiple portals on a common set of Shared Services]
Web GIS
References vs. Federated
[Figure: Referenced and Federated side by side, each showing My Layer in Portal pointing to My Service]
Web GIS
Architecture Options and Security Considerations
• Authentication requirements
- Leverage centralized authentication (AD/LDAP)
- For an on-premises portal that can be Web-tier authentication or Enterprise Logins
Enterprise deployment
Real Permutations
[Figure: public, partner and internal business zones across private IaaS, public IaaS and ArcGIS Online; Portal, filtered and unfiltered ArcGIS Server (AGS), file, database and geodatabase content, and field workers]
Implementation Guidance
Attack surface
• Disable Services Directory
• Disable Service Query Operation (as feasible)
• Limit utilization of commercial databases under
website
- File GeoDatabase can be a useful intermediary
• Require authentication to services Time
• Use HTTPS
- Or at least make it available!
• Security hardening best practices provide insights into relative risk of different
services, and optional mitigation measures to reduce risk
• ArcGIS Server and Portal ArcGIS Server Best Practices security scanner
[Figure: mobile security touchpoints – server authentication, device access, communication, SDE permissions, storage, service authorization, project access, data access]
Mobile
Challenges
• Authentication/Authorization challenges
• Disconnected editing
- Local copies of data
[Figure: external-facing GIS – Web Adaptor on IIS and Portal in the DMZ behind a Security Gateway; VPN; ArcGIS Server, NAS, SQL Server and shared config store inside the enterprise; AD FS 2.0, Active Directory and ArcGIS Desktop]
Mobile
Implementation Guidance
• Non-Cloud
• IaaS
- Portal for ArcGIS & ArcGIS Server
- Some Citrix / Desktop
• SaaS
- ArcGIS Online
- Business Analyst Online
[Figure: customer responsible for application settings]
Cloud
Deployment Models
[Figure: Online (read-only basemaps); Online + Server; Intranet Portal + Server; Hybrid 2, On-Premises + Cloud]
Management Models
• Self-Managed
- Your responsibility for managing IaaS deployment
security
- Security measures discussed later
• Provider Managed
- Esri Managed Services (Standard Offering)
- New Esri Managed Cloud Services (EMCS) Advanced Plus
- FedRAMP Moderate environment
Cloud
IaaS – Amazon Web Services
[Figure: users and apps, anonymous access, ArcGIS Online]
ArcGIS Online
• Ready in minutes
• Centralized geo discovery
• Segment anonymous access from your systems
• FISMA Low
Esri Managed Cloud Services
• Ready in days
• All ArcGIS capabilities at your disposal in the cloud
• Dedicated services
• FedRAMP Moderate
On-Premises
• Ready in months/years
• Behind your firewall
• You manage & certify
All models can be combined or separate
Cloud
Hybrid
[Figure: ArcGIS Online (hosted services, content, public datasets, ArcGIS Org accounts) and the enterprise (user repository in AD / LDAP, storage, external accounts); 2. Enterprise Login (SAML 2.0); 4. Access Service; https://YourServer.com/arcgis/rest... and http://services.arcgisonline.com...]
Cloud
Hybrid – Deployment Scenarios
• Common for large enterprises
• Primary reason
- Data Segmentation / Prevent storing sensitive data in the cloud
• Enterprise Logins
- SAML 2.0
- Provides federated identity management
- Integrate with your enterprise LDAP / AD
• Require HTTPS
• Do not allow anonymous access
• Allow only standard SQL queries
• Restrict members for sharing outside of organization (as feasible)
• Use enterprise logins with SAML 2.0 with existing Identity Provider (IdP)
- If unable, use a strong password policy (configurable) in ArcGIS Online
- Enable multi-factor authentication for users
• Demand
- Customers demanded FedRAMP compliance before rolling out future production operations
• Risk
- Customer risk increasing rapidly without security infrastructure
• Mandate
- OMB mandate: all low and moderate impact cloud services leveraged by more than one office or agency must comply with FedRAMP requirements
• Documentation
- A security review of all FedRAMP controls and implementation details
• Technical Assessment
- System level scans
- Web Interface scans
- Database scans
- Penetration testing
Great advisors and skilled assessors keep the effort focused
Esri Managed Cloud Services Advanced Plus
Continuous Monitoring
[Figure: Monitoring Workflow and FedRAMP Reporting Workflow; customer infrastructure on AWS, Active/Active redundant across two cloud data centers]
• Esri Corporate
• Cloud Infrastructure Providers
• Products and Services
• Solution Guidance
Compliance
Extensive security compliance history
[Figure: timeline – Esri GOS2 FISMA Authorization; Esri participates in first Cloud Computing Forum; Esri hosts Federal Cloud Computing Workshop; ArcGIS Online FISMA Security Authorization; EMCS receives FedRAMP ATO]
Esri has actively participated in hosting and advancing secure, compliant solutions for over a decade
Compliance
Esri Corporate
• ISO 27001
- Esri’s Corporate Security Charter
• Privacy Assurance
- US EU/Swiss Safe Harbor self-certified
- TRUSTed cloud certified
Compliance
Cloud Infrastructure Providers
• ArcGIS Online
- FISMA Low Authority to Operate by USDA (2014)
- FedRAMP - Upcoming
• ArcGIS Server
- DISA STIG – (2016)
• ArcGIS Desktop
- FDCC (versions 9.3-10)
- USGCB (versions 10.1+)
Compliance
Solution Level
[Figure: solution-level compliance timeline, 2015 and upcoming]