
Designing a Web GIS Security Strategy

Michael Young – CISO – Products

Matt Lorrain – Security Architect


Agenda

• Introduction
• Trends
• Strategy
• Mechanisms
• Server
• Mobile
• Cloud
• EMCS Advanced Plus
• Compliance
Introduction
What is a secure GIS?
Introduction
What is “The” Answer?

Diagram: Risk vs. Impact
Introduction
Where are the vulnerabilities?

*SANS Relative Vulnerabilities

Core component vulnerabilities were exposed in the past few years; application risks are still king
Trends
Michael Young
Trends
Web Application Attacks

*Verizon 2016 DBIR


Trends
Main threat activities from web app attacks

• Password based authentication is STILL broken
- Use 2-factor
• Validate inputs
• Patching process for third party plugins

*Verizon 2016 DBIR


Trends
Trends by Industry

• Confirmed data breaches by industry
• Rise of web app attacks across the board since last year due to rise in stolen credentials
• Privilege Misuse
- Defense in Depth approach

*Verizon 2016 DBIR


Recurring security scenarios
Disaster communications modified

• Scenario
- Organization utilizes cloud based services for disseminating disaster communications
- Required easy updates from home and at work
- Drove allowing public access to modify service information

• Lesson learned
- Enforce strong governance processes for web publication
- Don’t allow anonymous users to modify web service content
- Minimize or eliminate “temporary” modification rights of anonymous users
- If web services are exposed to the internet, just providing security at the application level does not prevent direct service access

Lack of strong governance leads to unexpected consequences


Recurring security scenarios
Long-live the token!

• Scenario
- Developers using access tokens not segmenting them appropriately from their applications and code
- Tokens are often configured to have long life in contradiction with secure development best practices
- Code is shared through cloud repositories (such as GitHub) and tokens exposed
- Result is tokens can be used by malicious users to perform privileged functions, intercept private communications, eavesdrop, etc.

• Lessons learned
- Separate credentials directly from code and do not store in code repositories
- Perform routine checks of organization code repositories and applications
- Use short-lived tokens when possible
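The "routine checks of organization code repositories" lesson, as an added example that is not part of the presentation: a scanner that flags tokens pasted into URLs, literal passwords, and generateToken calls with long expirations. The sample files, the regular expressions and the 120-minute policy are constructed assumptions, not an Esri tool.

```python
"""Scan source files for embedded ArcGIS-style credentials and long-lived
token requests. Added example (not from the presentation); file contents,
regular expressions and the expiration policy are constructed assumptions."""
import re
from dataclasses import dataclass

# Constructed sample files, as they might be committed to a public repository.
SAMPLE_FILES = {
    "app.js": (
        "// constructed sample: token pasted straight into the client code\n"
        "var url = 'https://gis.example.org/arcgis/rest/services/Parcels/"
        "FeatureServer/0/query?where=1%3D1&f=json&token=AbCdEf123456XyZ';\n"
    ),
    "publish.py": (
        "# constructed sample: generateToken called with a one-year expiration\n"
        "params = {'username': 'gisadmin', 'password': 'Summer2016!',\n"
        "          'client': 'requestip', 'expiration': 525600, 'f': 'json'}\n"
    ),
    "README.md": "Set ARCGIS_TOKEN in the environment; never commit it.\n",
}

MAX_TOKEN_MINUTES = 120  # assumed organisation policy: short-lived tokens only

PATTERNS = {
    # token passed as a query parameter (the ArcGIS REST style) in a URL literal
    "token_in_url": re.compile(r"[?&]token=([A-Za-z0-9_\-]{8,})"),
    # 'password': '...' literal in source
    "hardcoded_password": re.compile(r"['\"]password['\"]\s*:\s*['\"][^'\"]+['\"]"),
    # 'expiration': N (minutes) in a token request
    "long_expiration": re.compile(r"['\"]expiration['\"]\s*:\s*(\d+)"),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    detail: str


def scan_text(path, text):
    """Return one Finding per credential problem found in a file's text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = PATTERNS["token_in_url"].search(line)
        if m:
            # never echo the whole secret into the report
            findings.append(Finding(path, line_no, "token_in_url", m.group(1)[:4] + "..."))
        if PATTERNS["hardcoded_password"].search(line):
            findings.append(Finding(path, line_no, "hardcoded_password", "literal password in source"))
        m = PATTERNS["long_expiration"].search(line)
        if m and int(m.group(1)) > MAX_TOKEN_MINUTES:
            findings.append(Finding(path, line_no, "long_expiration", f"{m.group(1)} minutes"))
    return findings


def scan_files(files):
    """Scan a {path: text} mapping (a checked-out repository, in practice)."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out
```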
Recurring security scenarios
Leveraging leaked credentials

• Scenario
- User had account with LinkedIn or Adobe
- Account information compromised
- User changed password for their compromised service
- 4 years later account information offered on dark market
- Compromised account info utilized to access other services in May & June 2016, such as:
- GitHub, Netflix, Facebook, GoToMyPC, Reddit, TeamViewer, Twitter, and Carbonite

• Lessons Learned
- Avoid utilizing the same password between services
- Utilize enterprise strength password management tools to facilitate unique passwords
- Check if your email has been in a compromise – Services like https://haveibeenpwned.com
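An added example, not from the presentation, of applying the "avoid reusing passwords" lesson at password-set time with the same service's Pwned Passwords range lookup: only the first five hex characters of the SHA-1 hash are sent, the rest is compared locally. The range response is constructed so the code runs offline; a real client would fetch it over HTTPS.

```python
"""k-anonymity breach check for a password, in the style of the Pwned
Passwords range API. Added example, not from the presentation; the range
response below is a constructed stand-in for the real HTTPS reply."""
import hashlib

# Constructed stand-in for the reply to GET .../range/5BAA6 (the prefix of
# SHA-1("password")). The counts are made up; the second suffix is real.
CONSTRUCTED_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E2AAA439972480CEC7F16C795BBB429372:1
"""


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password):
    """k-anonymity split: only the first five hex characters ever leave the client."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Each line is 'SUFFIX:COUNT' for every known hash sharing the prefix."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def fetch_range_offline(prefix):
    """Stand-in for the HTTPS call; a real client would GET the range for `prefix`."""
    return {"5BAA6": CONSTRUCTED_RANGE_5BAA6}.get(prefix, "")


def breach_count(password, fetch_range=fetch_range_offline):
    """How many times the password appears in the corpus; 0 means not found."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def password_acceptable(password, min_length=12, fetch_range=fetch_range_offline):
    """Policy check at password-set time: long enough and never seen in a breach."""
    return len(password) >= min_length and breach_count(password, fetch_range) == 0
```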
Recurring Security Scenarios
QUIZ – When was the last ArcGIS Security patch released?

• Hint – The Trust.ArcGIS.com site will always have this answer handy…

99.9% of vulnerabilities are exploited more than a year after being released
Trends
Strategic Shifts in Security Priorities for 2016 and Beyond

• Identity management priority increasing as security focus moves from network to data level
• Advanced Persistent Threats driving shift from Protect to Detect
• Encryption of Internet traffic via SSL v3 broken – Utilize only TLS / Configure ciphers
• Password protection is broken – Use 2-factor auth
• Cloud Access Security Brokers (CASB) – Gartner top security tech pick for 2016
• Patch! Attackers routinely use unpatched vulnerabilities to compromise organizations
• Ransomware & Trojans on rise – Backups operational & utilize email link validation tools
• Deprecation of MD5 and SHA-1 for certificates and code signing - Use SHA-256
• Silverlight died first, now it’s Adobe Flash – Ensure cross-domain is not trust all
Strategy
Michael Young
Strategy
A better answer

• Identify your security needs
- Assess your environment
- Datasets, systems, users
- Data categorization and sensitivity
- Understand your industry attacker motivation
• Understand security options
- Trust.arcgis.com
- Enterprise-wide security mechanisms
- Application specific options
• Implement security as a business enabler
- Improve appropriate availability of information
- Safeguards to prevent attackers, not employees
Strategy
Enterprise GIS Security Strategy

Security Risk Management Process Diagram - Microsoft


Strategy
Evolution of Esri Products & Services

Desktop GIS → Server GIS → Web GIS → Distributed Web GIS
3rd Party Security → Embedded Security → Shared Responsibility Security


Strategy
Esri Products and Solutions

• Secure Products
- Trusted geospatial services (ArcGIS)
- Individual to organizations
- 3rd party assessments
• Secure Platform Management
- Backed by Certifications / Compliance
• Secure Enterprise Guidance
- Trust.ArcGIS.com site
- Online Help
Strategy
Security Principles

CIA Security Triad: Confidentiality, Integrity, Availability
Strategy
Defense in Depth

• More layers does NOT guarantee more security
• Understand how layers/technologies integrate
• Simplify
• Balance People, Technology, and Operations
• Holistic approach to security

Diagram: Data and Assets at the core, surrounded by Physical Controls, Policy Controls and Technical Controls
Mechanisms
Matt Lorrain
Mechanisms
Users & Authentication

• User Store Options
- Built-in user store
- Server, Portal, ArcGIS Online
- Enterprise user store
- LDAP / Active Directory
• Authentication Options
- Built-in Token Service
- Server, Portal, ArcGIS Online
- Web-tier (IIS/Apache) w/ Web Adaptor
- Windows Integrated Auth, PKI, Digest…
- Identity Provider (IdP) / Enterprise Logins
- SAML 2.0 for ArcGIS Online & Portal

• ArcGIS Server patterns
- Server-tier Auth w/ Built-in users
- Server-tier Auth w/ Enterprise Users
- Web-tier Auth w/ Enterprise Users
• Portal for ArcGIS patterns
- Portal-tier Auth w/ Built-in users
- Portal-tier Auth w/ Enterprise users
- Web-tier Auth w/ Enterprise users
- SAML 2.0 Auth w/ Enterprise Users
• ArcGIS Online patterns
- ArcGIS Online Auth w/ Built-in users
- SAML 2.0 Auth w/ Enterprise users
Mechanisms
Authorization

• Out-of-box roles (level of permission)
- Administrators
- Publishers
- Users
- Custom – Only for Portal for ArcGIS & ArcGIS Online
• ArcGIS for Server – Web service authorization set by pub/admin
- Assign access with ArcGIS Manager
- Service Level Authorization across web interfaces
- Services grouped in folders utilizing inheritance
• Portal for ArcGIS – Item authorization set by item owner
- Web Map – Layers secured independently
- Packages & Data – Allow downloading
- Application – Allows opening app
Mechanisms
Authorization – Extending with 3rd Party components

• Web services
- Conterra’s Security Manager (more granular)
- Layer and attribute level security

• RDBMS
- Row Level or Feature Class Level
- Versioning with Row Level degrades performance
- Alternative – SDE Views

• URL Based
- Web Server filtering
- Security application gateways and intercepts
Mechanisms
Filters – 3rd Party Options

• Firewalls
- Host-based
- Network-based
• Reverse Proxy
• Web Application Firewall
- Open Source option ModSecurity
• Anti-Virus Software
• Intrusion Detection / Prevention Systems
• Limit applications able to access geodatabase
Mechanisms
Filters - Web Application Firewall (WAF)

• Implemented in DMZ
• Protection from web-based attacks
• Monitors all incoming traffic at the application layer
• Protection for public facing applications
• Can be part of a security gateway
- SSL Certificates
- Load Balancer

Diagram: Internet → port 443 → Security Gateway (WAF, SSL Accel, LB) in the DMZ → Web servers → ArcGIS servers (Internal Infrastructure)
Mechanisms
Encryption – 3rd Party Options

• Network
- IPSec (VPN, Internal Systems)
- SSL/TLS (Internal and External System)
- Cloud Access Security Brokers (CASB)
- Proxy - Only encrypted datasets sent to cloud

• File Based
- Operating System – BitLocker
- GeoSpatially enabled PDF’s with Certificates
- Hardware (Disk)

• RDBMS
- Transparent Data Encryption
Mechanisms
Logging/Auditing

• Esri COTS
- Geodatabase history
- May be utilized for tracking changes
- ArcGIS Workflow Manager
- Track Feature based activities
- ArcGIS Server 10+ Logging
- “User” tag tracks user requests
- Set to a minimum of ‘INFO’

• 3rd Party
- Web Server, RDBMS, OS, Firewall
- Consolidate with a SIEM

• Geospatial service monitors
- Esri – System Monitor
- Vestra – GeoSystems Monitor
- Geocortex Optimizer
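The "User tag tracks user requests" and "consolidate with a SIEM" points, as an added example that is not from the presentation: parse server log messages, normalise them to JSON records for a SIEM, and summarise per-user activity. The `<Msg>` layout and attribute names are a constructed approximation of the server's XML log lines, and the sample lines are made up.

```python
"""Parse ArcGIS Server style log messages, normalise them for a SIEM and
summarise activity per user. Added example, not from the presentation; the
<Msg> layout is a constructed approximation (attribute names assumed) and
the sample log lines are made up."""
import json
import re
from collections import Counter

# Constructed sample: one <Msg> per line, INFO level, with the user attribute.
SAMPLE_LOG = """\
<Msg time="2016-07-12T10:15:32,101" type="INFO" code="100004" source="Rest" machine="GIS01" user="jdoe" elapsed="0.031">REST request /rest/services/Parcels/MapServer/export processed.</Msg>
<Msg time="2016-07-12T10:15:33,204" type="INFO" code="100004" source="Rest" machine="GIS01" user="" elapsed="0.012">REST request /rest/services/Parcels/FeatureServer/0/applyEdits processed.</Msg>
<Msg time="2016-07-12T10:15:34,877" type="SEVERE" code="7026" source="Admin" machine="GIS01" user="siteadmin" elapsed="0.000">Login attempt failed for user siteadmin.</Msg>
<Msg time="2016-07-12T10:15:35,010" type="INFO" code="100004" source="Rest" machine="GIS01" user="" elapsed="0.020">REST request /rest/services/Basemap/MapServer/export processed.</Msg>
"""

MSG_RE = re.compile(r"<Msg\s+([^>]*)>(.*?)</Msg>", re.S)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
# feature-service write operations that should never be reachable anonymously
PRIVILEGED_OPS = ("applyEdits", "addFeatures", "updateFeatures", "deleteFeatures")


def parse_log(text):
    """Turn the XML-style messages into dicts; an empty user means anonymous."""
    events = []
    for attrs, body in MSG_RE.findall(text):
        ev = dict(ATTR_RE.findall(attrs))
        ev["message"] = body.strip()
        ev["user"] = ev.get("user") or "anonymous"
        events.append(ev)
    return events


def to_siem_records(events):
    """One JSON line per event with keys normalised for a SIEM pipeline."""
    return [json.dumps({"ts": e["time"], "severity": e["type"], "host": e["machine"],
                        "src": e["source"], "user": e["user"], "msg": e["message"]},
                       sort_keys=True) for e in events]


def requests_per_user(events):
    return Counter(e["user"] for e in events)


def anonymous_edits(events):
    """Anonymous requests that hit write operations: what 'require
    authentication to services' is meant to prevent."""
    return [e for e in events
            if e["user"] == "anonymous" and any(op in e["message"] for op in PRIVILEGED_OPS)]


def failed_logins(events):
    return [e for e in events
            if e["type"] == "SEVERE" and "Login attempt failed" in e["message"]]
```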
Mechanisms
GIS monitoring with System Monitor

• Proactive
• Integrated
- Dashboards across all tiers
• End-to-End
- All tier monitoring
• Continuous
- %Coverage provided
• Extendable
- Custom queries

Tiers monitored: Network, Hardware, Web Server, ArcGIS Server, Geodatabase, RDBMS
Web GIS
Matt Lorrain
Web GIS
ArcGIS Online or Portal?

ArcGIS Online
• SaaS
- www.arcgis.com
- Releases often
- Upgraded automatically (by Esri)
- Esri controls SLA
• Functionality (smart mapping…)
• Enterprise Integration
- Web SSO via SAML

Portal for ArcGIS
• Software
- Part of ArcGIS Server
- Releases 1-2 times per year
- Upgraded manually (by organization)
- Organization controls SLA
• Functionality (smart mapping…)
• Enterprise Integration
- Web SSO via SAML
- Web-tier Authentication via Web Adaptor
- Enterprise Groups
- ArcGIS Server Integration…
Web GIS
Anatomy of a Web GIS

User Applications (Desktop, Web & Mobile)

Portal (GeoInformation Model)

Services (GIS Server)

Data Stores (Enterprise GDB)


Web GIS
Multiple Portals

Diagram: One Portal or Many Portals?
Web GIS
Multiple Portals

Diagram: Enterprise or Public Users served by one portal; Department A, Department B and Department C each with their own users and portal, connected through Shared Services
Web GIS
References vs. Federated

Diagram: Referenced: My Layer in Portal (1st Login), My Service (2nd Login). Federated: My Layer in Portal (1st Login), My Service (SSO)
Web GIS
Architecture Options and Security Considerations

• What are the confidentiality and integrity needs of your GIS?
- Drives extent to which cloud is used
- Drives potential authentication options used
- Drives encryption requirements
• What are the availability requirements of your GIS?
- Benefits of cloud scalability
- Redundancy across web tiers, GIS tier, and database tier

• Authentication requirements
- Leverage centralized authentication (AD/LDAP)
- For an on premise portal that can be Web-tier authentication or using Enterprise Logins
Enterprise deployment
Real Permutations

Diagram components: Public, Business Partner 1, Business Partner 2 and Field Worker users; Private IaaS with Internal Portal, Internal AGS, External AGS, File Geodatabase and Enterprise Geodatabase; Filtered Content to ArcGIS Online on Public IaaS
Implementation Guidance

• Don’t expose Server Manager or Admin Attack surface over time


interfaces to public

Attack surface
• Disable Services Directory
• Disable Service Query Operation (as feasible)
• Limit utilization of commercial databases under
website
- File GeoDatabase can be a useful intermediary
• Require authentication to services Time
• Use HTTPS
- Or at least make it available!

• Restrict cross-domain requests


- Implement a whitelist of trusted domains for
communications
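The "whitelist of trusted domains" point above, and the earlier "ensure cross-domain is not trust all" note on Flash, as an added example that is not Esri code: an Origin check that matches the canonical origin exactly (shown beside the prefix-matching bug it avoids) and a check for a trust-all crossdomain.xml. The whitelist, origins and policy documents are constructed.

```python
"""Whitelist-based cross-domain checks. Added example, not from the
presentation or Esri; whitelist, origins and policies are constructed."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed whitelist: exact origins (scheme + host [+ port]) allowed to call the services.
TRUSTED_ORIGINS = {"https://maps.example.org", "https://intranet.example.org"}

# Constructed crossdomain.xml policies for the Flash/Silverlight check.
TRUST_ALL_POLICY = '<cross-domain-policy><allow-access-from domain="*"/></cross-domain-policy>'
RESTRICTED_POLICY = ('<cross-domain-policy>'
                     '<allow-access-from domain="maps.example.org" secure="true"/>'
                     '</cross-domain-policy>')


def normalise_origin(origin):
    """Canonical scheme://host[:port] for an Origin header, or None when the
    header is absent, opaque ('null') or not a bare origin."""
    if not origin or origin == "null":
        return None
    parts = urlsplit(origin)
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment or parts.username:
        return None
    default = 443 if parts.scheme == "https" else 80
    if port is None or port == default:
        return f"{parts.scheme}://{parts.hostname}"
    return f"{parts.scheme}://{parts.hostname}:{port}"


def naive_is_trusted(origin):
    """The common bug: prefix matching lets attacker-registered names through."""
    return any(origin.startswith(trusted) for trusted in TRUSTED_ORIGINS)


def is_trusted(origin):
    """Exact match on the canonical origin: lookalike hosts and http downgrades fail."""
    return normalise_origin(origin) in TRUSTED_ORIGINS


def cors_headers(origin):
    """Response headers for a cross-domain request: echo a whitelisted origin, never '*'."""
    if not is_trusted(origin):
        return {}
    return {"Access-Control-Allow-Origin": normalise_origin(origin), "Vary": "Origin"}


def crossdomain_policy_trusts_all(policy_xml):
    """True when a crossdomain.xml grants every domain access (the 'trust all' setting)."""
    root = ET.fromstring(policy_xml)
    return any(el.get("domain") == "*" for el in root.iter("allow-access-from"))
```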
ArcGIS Server
Awareness of Relative Risk

• Security hardening best practices provide insights into relative risk of different services, and optional mitigation measures to reduce risk

Relative Service Risk (Service / Capability; rated in the original for "Default when Enabled" and "Security Hardened Settings")

- Map / Mapping
- Map / Query
- Feature / Read
- Feature / Edit
- Feature / Sync
- Geocoding / Geocode
- Geodata / Query
- Geodata / Data Extraction
- Geodata / Replica
- Geoprocessing / Geoprocessing
- Image / Imaging
- Image / Edit
- Image / Upload

Legend: Red = Higher Risk, Yellow = Average Risk, Green = Low Risk
ArcGIS Server
10.4 Enhancements

• ArcGIS Server and Portal Best Practices security scanner
• Update passwords for registered and managed databases
- To meet password policy requirements for cycling passwords
• ArcGIS Server Read-Only Mode
- Disables publishing new services and blocks admin operations
• HTTP and HTTPS are enabled by default
• Security fixes and enhancements
• Enforce and choose cryptographic ciphers and algorithms

Mobile
Matt Lorrain
Mobile
What are the mobile concerns?

*OWASP Top Ten Mobile: https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks


Mobile
Security Touch Points

Diagram: Server authentication, Device access, Communication, Storage, SDE permissions, Service authorization, Project access, Data access
Mobile
Challenges

• Users are beyond corporate firewall
- To VPN or not to VPN?
• Authentication/Authorization challenges
• Disconnected editing
- Local copies of data
• Management of mobile devices
- Enterprise Mobility Management is the answer!
- Mobile Device Management
- Mobile Application Management
- Security Gateways
- Examples: MobileIron, MaaS360, Airwatch, and many more…
Mobile
Potential Access Patterns

Diagram: external facing GIS in the DMZ (Web Adaptor on IIS, Portal, ArcGIS Server, Security Gateway, VPN) connected to the enterprise (AD FS 2.0, Enterprise AD, ArcGIS Desktop, SQL Server, NAS shared config store)
Mobile
Implementation Guidance

• Encrypt data-in-transit (HTTPS) via TLS
• Encrypt data-at-rest
• Segmentation
- Use ArcGIS Online, Cloud, or DMZ systems to disseminate public-level data
• Perform Authentication/Authorization
• Use an Enterprise Mobility Management (EMM) solution
- Secure e-mail
- Enforce encryption
- App distribution
- Remote wipe
- Control 3rd party apps & jailbreak detection
Cloud
Matt Lorrain
Cloud
Service Models

• Non-Cloud (customer responsible end to end)
- Traditional systems infrastructure deployment
- Portal for ArcGIS & ArcGIS Server
• IaaS
- Portal for ArcGIS & ArcGIS Server
- Some Citrix / Desktop
• SaaS (customer responsible for application settings)
- ArcGIS Online
- Business Analyst Online

Customer responsibility decreases from Non-Cloud to IaaS to SaaS
Cloud
Deployment Models

Diagram of deployment models (labels as shown): Public (Online); Hybrid 1 (Online plus Intranet Server); On-Premises (Intranet Portal and Server); Hybrid 2 (Online plus Intranet Portal and Server); On-Premises + Cloud (Read-only Server and Basemaps in the cloud, Intranet Portal and Server on-premise)
Cloud
Management Models

• Self-Managed
- Your responsibility for managing IaaS deployment security
- Security measures discussed later

• Provider Managed
- Esri Managed Services (Standard Offering)
- New Esri Managed Cloud Services (EMCS) Advanced Plus
- FedRAMP Moderate environment
Cloud
IaaS – Amazon Web Services

• 8 Security Areas to Address
- Virtual Private Cloud (VPC)
- Identity & Access Management (IAM)
- Administrator gateway instance(s) (Bastion)
- Reduce attack surface (Hardening)
- Security Information Event Management (SIEM)
- Patch management (SCCM)
- Centralized authentication/authorization
- Web application firewall (WAF)
Cloud
IaaS – Reduce your risk in 10 minutes!

• Minimize RDP surface
- Update OS patches
- Many AMI’s disable automatic updates
- Enable NLA for RDP
- Set AWS Firewall to Limit RDP access to specific IP’s
- Use strong passwords, account lockout policies
• Minimize Application Surface
- Disable ArcGIS Services Discovery
- Don’t expose ArcGIS Manager web app to Internet
• Enable 2-factor Authentication to your AWS console
- The AWS console is a “one-stop shop” for access to all your instances in the cloud
Cloud
Hybrid deployment combinations

Diagram: Users, Anonymous Access, Apps

ArcGIS Online
• Ready in minutes
• Centralized geo discovery
• Segment anonymous access from your systems
• FISMA Low

On-Premises
• Ready in months/years
• Behind your firewall
• You manage & certify

Esri Managed Cloud Services
• Ready in days
• All ArcGIS capabilities at your disposal in the cloud
• Dedicated services
• FedRAMP Moderate

All models can be combined or separate
Cloud
Hybrid

Diagram: ArcGIS Online Org (group “TeamGreen”, hosted services and content, public dataset storage, ArcGIS Org accounts and external accounts) with on-premises ArcGIS Server and an AD / LDAP user repository. Steps shown: 1. Register Services, 2. Enterprise Login (SAML 2.0), 4. Access Service

Segment sensitive data internally and public data in cloud

Cloud
Hybrid – Data sources

• Where are internal and cloud datasets combined?
- At the browser
- The browser makes separate requests for information to multiple sources and does a “mash-up”
- Token security with SSL or even a VPN connection could be used between the device browser and on-premises system

Diagram: On-Premises Operational Layer Service (https://YourServer.com/arcgis/rest...) and Cloud Basemap Service from ArcGIS Online (http://services.arcgisonline.com...); the browser combines the layers
Cloud
Hybrid – Deployment Scenarios
• Common for large enterprises

• Primary reason
- Data Segmentation / Prevent storing sensitive data in the cloud
• What is stored in AGOL? – Service Metadata
- Username & password - Default, not saved
- Initial extent - Adjust to a less specific area
- Name & tags - Address with organization naming convention
- IP Address - Utilize DNS names within URL’s
- Thumbnail image – Replace with any image as appropriate
Cloud
ArcGIS Online Standards

• Enterprise Logins
- SAML 2.0
- Provides federated identity management
- Integrate with your enterprise LDAP / AD

• New API’s to Manage users & app logins
- Developers can utilize OAuth 2-based API’s
- https://developers.arcgis.com/en/authentication/
Cloud
ArcGIS Online – Implementation Guidance

• Require HTTPS
• Do not allow anonymous access
• Allow only standard SQL queries
• Restrict members for sharing outside of organization (as feasible)
• Use enterprise logins with SAML 2.0 with existing Identity Provider (IdP)
- If unable, use a strong password policy (configurable) in ArcGIS Online
- Enable multi-factor authentication for users

• Use multifactor for admin accounts
• Use a least-privilege model for roles and permissions
- Custom roles
Esri Managed Cloud Services Advanced Plus
Michael Young
Esri Managed Cloud Services Advanced Plus
What is it?

• Cloud-based GIS infrastructure support, including:
- Enterprise system design
- Infrastructure management
- Software (Esri & 3rd Party) installation, updates,
and patching
- Application deployment
- Database management
- 24/7 support and monitoring
- FedRAMP Moderate ATO by US Census Bureau
- Security infrastructure
- Security controls and processes
Esri Managed Cloud Services Advanced Plus
Why did Esri pursue FedRAMP authorization?

• Demand
- Customers demanded FedRAMP compliance before rolling out future production operations
• Risk
- Customer risk increasing rapidly without security infrastructure
• Mandate
- OMB mandate all low and moderate impact cloud services leveraged by more than one office or agency must comply with FedRAMP requirements

Accelerates Review and Acceptance of Cloud Based Services


Esri Managed Cloud Services Advanced Plus
Documentation

• FIPS 199
• Control Implementation Summary (CIS)
• System Security Plan (SSP)
• Information System Security Policies
• User Guide
• E-Authentication Template
• Privacy Threshold Analysis (PTA)
• Rules of Behavior (ROB)
• IT Contingency Plan
• Penetration Test Plan
• Security Assessment Plan (SAP)
• Test Case Workbook
• Security Assessment Report (SAR)
• Plan of Action and Milestone (POA&M)
• Policies and procedures
• Business Impact Analysis
• Configuration Management Plan
• Incident Response Plan
• Interconnection Security Agreement (ISA / MOU)

1000’s of pages ensuring rigorous security


Esri Managed Cloud Services Advanced Plus
Rigorous Third Party Security Assessment

- Must occur annually

- Third Party Assessment Organization (3PAO) accredited by FedRAMP

- Documentation
- A security review of all FedRAMP controls and implementation details

- Technical Assessment
- System level scans
- Web Interface scans
- Database scans
- Penetration testing
Great advisors and skilled assessors keep the effort focused
Esri Managed Cloud Services Advanced Plus
Continuous Monitoring

Monitoring Workflow and FedRAMP Reporting Workflow (diagrams)

Ensures maintenance of acceptable risk posture

EMCS Security Infrastructure

Diagram: customer infrastructure on AWS, Active/Active redundant across two Cloud Data Centers
- Public-Facing End Users → Web Application Firewall (WAF) / Gateway in the DMZ → dedicated ArcGIS Server, Portal for ArcGIS and Customer Application Infrastructure → Relational Database and File Servers
- Security Ops Center (SOC) → Security Service Gateway → Intrusion Detection (IDS / SIEM) and Centralized Management (Backup, CM, AV, Patch, Monitor)
- Esri Administrators → Bastion Gateway with MFA → Authentication/Authorization Infrastructure (LDAP, DNS, PKI)
- Cloud Infrastructure Common Security: Hypervisor, TCP/IP, Network ACLs, Routing, Storage, Hardware
Legend: Agency Application, Cloud Provider Security

Compliance
Michael Young
Compliance
ArcGIS Platform Security

• Esri Corporate
• Cloud Infrastructure Providers
• Products and Services
• Solution Guidance
Compliance
Extensive security compliance history

Timeline 2002 to 2016 (milestones as labelled on the slide):
- FISMA Law Established
- First FedRAMP Authorization
- OMB FedRAMP Mandate
- Planned ArcGIS Online FedRAMP Authorization Announced
- Esri GOS2 FISMA Authorization
- Esri Participates in First Cloud Computing Forum
- Esri Hosts Federal Cloud Computing Security Workshop
- ArcGIS Online FISMA Authorization
- EMCS receives FedRAMP ATO

Esri has actively participated in hosting and advancing secure compliant solutions for over a decade
Compliance
Esri Corporate

• ISO 27001
- Esri’s Corporate Security Charter

• Privacy Assurance
- US EU/Swiss SafeHarbor self-certified
- TRUSTed cloud certified
Compliance
Cloud Infrastructure Providers

• ArcGIS Online Utilizes World-Class Cloud Infrastructure Providers
- Microsoft Azure
- Amazon Web Services

Diagram: Cloud Infrastructure Security Compliance
Compliance
Products and Services

• ArcGIS Online
- FISMA Low Authority to Operate by USDA (2014)
- FedRAMP - Upcoming

• Esri Managed Cloud Services (EMCS)
- FedRAMP Moderate (2015)
- HIPAA Ready (2016)

• ArcGIS Server
- DISA STIG – (2016)

• ArcGIS Desktop
- FDCC (versions 9.3-10)
- USGCB (versions 10.1+)
Compliance
Solution Level

• Geospatial Deployment Patterns to meet stringent security standards
- Hybrid deployments
- On-premise deployments
• Supplemented with 3rd party security components
- Enterprise Identity management integration - CA SiteMinder (Complete)
- Geospatial security constraints – ConTerra
- Mobile security gateway integration
• Best practices for compliance alignment
- CJIS – Law Enforcement
- HIPAA – Healthcare
Compliance
Responsibility Across Hosting Options

Hosting option: Application / OS, DB and Network / Security Infrastructure / Underlying Infrastructure
- On-premises: ArcGIS Server / OS/DB/Network / No Security Infrastructure by default / Virtual or Physical Servers
- Esri Images & Cloud Builder: ArcGIS Server / OS/DB/Network / Security Infrastructure / Cloud Infrastructure (IaaS)
- Esri Managed Cloud Services (FedRAMP Moderate): ArcGIS Server / OS/DB/Network / Security Infrastructure / Cloud Infrastructure (IaaS)
- ArcGIS Online (FISMA Low): ArcGIS Online / OS/DB/Network / Security Infrastructure / Cloud Infrastructure (IaaS)

Legend (colour-coded on the slide): Customer Responsibility, Esri Responsibility, CSP Responsibility



Compliance
Cloud Roadmap

- 2014: ArcGIS Online FISMA Low
- 2015: Managed Services (EMCS) FedRAMP Moderate
- Upcoming: ArcGIS Online FedRAMP
Summary

• Security demands are rapidly evolving
- Prioritize efforts according to your industry and needs
- Don’t just add components; take a simplified Defense in Depth approach
• Secure best practice guidance is available
- Check out the ArcGIS Trust Site!
- Security Architecture Workshop
- SecureSoftware@esri.com
Thank you…

• Please fill out the session survey in your mobile app
• In the agenda, click on the title of this session
- Enterprise GIS: Security Strategy
• Click “Technical Workshop Survey”
• Answer a few short questions and enter any comments
