
Designing an Enterprise GIS Security Strategy

Michael E. Young

Agenda

• Introduction

• Strategy

• Trends

• Mechanisms

• ArcGIS Server

• Mobile

• Cloud

• Compliance

Introduction

- Michael E Young

- Esri Senior Enterprise Security Architect

- FISMA C&A Application Security Officer

- Certified Information Systems Security Professional (CISSP)

Introduction

What is a secure GIS?

Introduction

Sign in Japan Narita Airport - May 2011

Context is key for identifying the appropriate secure GIS solution for your organization

Introduction

What is “The” Answer?

[Diagram: Risk vs. Impact]

Introduction

Where Are the Vulnerabilities?

* SANS Relative Vulnerabilities

Strategy

• Identify your Security Needs

- Assess your environment

- Datasets, Systems

- Sensitivity, Categorization

• Understand Security Options

- Enterprise GIS Resource Center

- Enterprise-wide Security Mechanisms

- Application Specific Options

- Utilize patterns

• Implement Security as a Business Enabler

- Improve appropriate availability of information

Strategy

Enterprise GIS Security Strategy

Security Risk Management Process Diagram - Microsoft

Strategy

Esri’s Security Strategy Evolution

[Diagram: evolution stages Product, Enterprise Solution, Cloud; labels Isolated Systems, 3rd Party Security, Integrated Systems, Embedded Security, Managed Security]

Strategy

Esri Products and Solutions

• Secure Products

- Trusted geospatial services

- Individual to organizations

- Extending validation

• Secure Enterprise Guidance

- Enterprise Resource Center

- Patterns

• Secure Solution Management

- SaaS Functions & Controls

Strategy

Security Implementation Patterns

• Risk based

• 3 categories / NIST alignment

• Selection process

- Formal – NIST 800-60

- Informal

To prioritize information security and privacy initiatives, organizations must assess their business needs and risks

Strategy

Security Principles

• CIA Security Triad

• Defense in Depth

Strategy

Defense in Depth

[Diagram: layers of Physical Controls, Policy Controls and Technical Controls surrounding Data and Assets; technical controls shown are Authentication, Authorization, Encryption, Filters and Logging]

Trends

Vulnerabilities / Compromises 2011

• Large-scale breaches dropped dramatically

• Small attacks increased

• Hacking and malware are the most popular attack methods

• Stolen passwords and credentials are out of control

Verizon 2011 Data Breach Report

Trends

Reverse Proxies Need to Be Maintained

• Oct 2011 – Apache Reverse Proxy Exploit

• Allows unauthenticated access to information that should be confidential

• Commonly overlooked component for updates (CVE-2011-3368)

Update Your Reverse Proxy!
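The reverse proxy issue above comes down to how the proxy rules match the request-URI. The fragment below is an added illustration, not configuration from these slides or from Esri: it places the weak rewrite shape described in the CVE-2011-3368 advisory beside the corrected form and the guard rule Apache published as a workaround. The host name backend.internal.example and the /arcgis prefix are placeholders chosen to match the ArcGIS REST endpoint shown later in the deck. The workaround only narrows exposure; the real fix is the patched httpd release.

```apache
# Added example (not from the slides): reverse-proxy rules before and after the
# CVE-2011-3368 hardening. backend.internal.example is a placeholder host.

# --- Weak shape (do not use) ---------------------------------------------
# The capture begins at the very first character of the request-URI instead of
# after a leading "/", so the proxied target is assembled from raw client input.
#
#   RewriteRule ^(.*) http://backend.internal.example$1 [P]
#   ProxyPassMatch ^(.*) http://backend.internal.example$1

# --- Hardened shape --------------------------------------------------------
RewriteEngine On

# Workaround from the Apache advisory: refuse any request whose URI does not
# begin with "/" before any proxy rule can act on it.
RewriteCond %{REQUEST_URI} !^$
RewriteCond %{REQUEST_URI} !^/
RewriteRule .* - [F]

# Anchor the match on the leading slash and the expected prefix, and re-insert
# both explicitly, so only paths under /arcgis/ are ever forwarded.
RewriteRule ^/arcgis/(.*) http://backend.internal.example/arcgis/$1 [P]
ProxyPassReverse /arcgis/ http://backend.internal.example/arcgis/

# Equivalent ProxyPassMatch form if mod_rewrite is not in use:
# ProxyPassMatch ^/arcgis/(.*) http://backend.internal.example/arcgis/$1

# And patch httpd itself: the code-level fix shipped in 2.2.22 and later.
```

The guard block is deliberately placed first so it applies regardless of which proxy rules follow it; a rule that is only reviewed at install time is exactly the "commonly overlooked component" the slide warns about.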

Trends

End of Browser Plug-ins?

• Migration away from Flash and Silverlight Plug-ins has begun

• Security experts ready to unload plug-ins

• HTML5 limitations and inconsistencies across browsers will slow migration

Trends

Mobile Security

• iPhone Twitter PII compromised

• Mobile device data not secure by default

Enterprise Mobile Security Solutions can help

Trends

Cloud

• Data breaches of 2011

- #1 Sony – PlayStation Cloud: 100+ million

- #2 Epsilon – Email Cloud: 60+ million

- #6 Nasdaq – Dashboard Cloud: 10k+ Sr. Execs

*http://informationweek.com/news/security/attacks/232301079

An Enterprise Security Strategy can help through cloud data mitigation controls and cloud security policies

Mechanisms

Authentication

• Three ArcGIS Authentication Schemes

- Web Traffic via HTTP

1. Web Services

2. Web Applications

- Intranet Traffic via DCOM

3. Local Connections

Mechanisms

Authentication

Access Restricted | Authentication Method | Description | Encryption

Web Service or Web Application | None | Default Internet connections | N/A

Web Service or Web Application | Basic / Digest / Windows Integrated | Browser built-in pop-up logon | Basic: none, unless using SSL

Web Service or Web Application | Java EE Container | Web container challenge | Container managed

Web Service or Web Application | PKI / Smartcards | Public key certificate* | PKI managed

Web Application Only | .NET Form-based | Custom login and error pages | None, unless using SSL

Web Application Only | Java ArcGIS Managed | ArcGIS Server provides login | None, unless using SSL

Web Service Only | Esri Token | Cross platform, cross API | AES-128 bit

Local DCOM | Windows Integrated | OS groups AGSUser, AGSAdmin | OS managed

*PKI / Smartcard validation environment recently stood up

Mechanisms

Authorization – Role Based Access Control

• Esri COTS

- Assign access with ArcGIS Manager

- Service Level Authorization across web interfaces

- Services grouped in folders utilizing inheritance

• 3rd Party

- RDBMS – Row Level or Feature Class Level

- Versioning with Row Level degrades RDBMS performance

- Alternative - SDE Views

• Custom - Limit GUI

- Rich Clients via ArcObjects

- Web Applications

- Sample code Links in ERC

- Microsoft’s AzMan tool

Mechanisms

Filters – 3rd Party Options

• Firewalls

• Reverse Proxy

• Web Application Firewall

- Open Source option ModSecurity

• Anti-Virus Software

• Intrusion Detection / Prevention Systems

• Limit applications able to access geodatabase

Mechanisms

Filters – Firewall Friendly Scenario

• Web Application Firewall in DMZ

• File Geodatabase (FGDB) in DMZ

• One-way replication via HTTP(s)

• Deployed to each web server for performance

• Internet users access to subset of Geodatabase

• Same replication model could be used to push data to cloud

[Diagram: Intranet zone with Database (SQL), GIS (DCOM) and Web (HTTP) used to Author & Publish; FGDB replicated over HTTP to a DMZ zone holding GIS, Web and WAF; Internet users reach the DMZ over HTTP]

Mechanisms

Filters

• Why no Reverse Proxy in DMZ?

- One-off component / no management, minimal filtering

• Multi-Function Web Service Gateways

- Store SSL Certificates / SSL Acceleration

- URL Rewrite

- Web Application Firewall

[Diagram: External | DMZ | Internal zones]

Mechanisms

Encryption – 3rd Party Options

• Network

- IPSec (VPN, Internal Systems)

- SSL (Internal and External System)

- Cloud Encryption Gateways

- Only encrypted datasets sent to cloud

• File Based

- Operating System – BitLocker

- Geospatially enabled PDFs combined with certificates

- Hardware (Disk)

• RDBMS

- Transparent Data Encryption

- Low Cost Portable Solution - SQL Express 2008 w/TDE

Mechanisms

Logging/Auditing

• Esri COTS

- Geodatabase history

- May be utilized for tracking changes

- ArcGIS Workflow Manager

- Track Feature based activities

- ArcGIS Server 10 Logging

- “User” tag tracks user requests

• 3rd Party

- Web Server, RDBMS, OS, Firewall

- Consolidate with a SIEM
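Consolidating these sources in a SIEM only pays off once the records share one shape. The script below is an added example, not code from the slides or from Esri: it parses two constructed log samples, an XML log whose <Msg ... user="..."> layout is an assumption modelled on the "User" tag mentioned for ArcGIS Server 10 rather than a copy of real output, and a web server access log in Common Log Format, maps both onto one event record, and runs two checks of the kind a SIEM rule would express: anonymous requests that reached services policy marks as restricted, and clients accumulating 401/403 responses. The RESTRICTED set, host names, addresses and every log line are constructed.

```python
"""Added example: normalise two constructed log sources (an ArcGIS Server
style XML log and a web server access log) into one event stream, the way a
SIEM would, and run two checks over the result."""
import re
import xml.etree.ElementTree as ET
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    source: str   # "arcgis" or "web"
    time: str
    ip: str       # client address when known, else ""
    user: str     # authenticated user, "" when anonymous/unknown
    target: str   # service name such as "Parcels.MapServer", else the raw path
    status: int   # HTTP status for web events, 0 for ArcGIS log entries


# Constructed sample data. The <Msg ... user="..."> shape is an assumption
# modelled on the "User" tag mentioned for ArcGIS Server 10 logs; it is not
# copied from a real log.
ARCGIS_LOG = """<Msgs>
<Msg time="2011-11-02T09:15:01" type="INFO3" code="100004" target="Parcels.MapServer" user="jdoe">Request for Parcels.MapServer</Msg>
<Msg time="2011-11-02T09:15:07" type="INFO3" code="100004" target="Parcels.MapServer" user="">Request for Parcels.MapServer</Msg>
<Msg time="2011-11-02T09:16:30" type="INFO3" code="100004" target="Utilities.MapServer" user="">Request for Utilities.MapServer</Msg>
<Msg time="2011-11-02T09:17:02" type="INFO3" code="100004" target="Basemap.MapServer" user="">Request for Basemap.MapServer</Msg>
</Msgs>"""

# Constructed web server access log lines in Common Log Format.
WEB_LOG = """203.0.113.7 - - [02/Nov/2011:09:15:01 +0000] "GET /arcgis/rest/services/Parcels/MapServer?token=REDACTED HTTP/1.1" 200 512
203.0.113.9 - - [02/Nov/2011:09:16:30 +0000] "GET /arcgis/rest/services/Utilities/MapServer HTTP/1.1" 401 87
203.0.113.9 - - [02/Nov/2011:09:16:31 +0000] "GET /arcgis/rest/services/Utilities/MapServer HTTP/1.1" 401 87
203.0.113.9 - - [02/Nov/2011:09:16:33 +0000] "GET /arcgis/rest/services/Parcels/MapServer HTTP/1.1" 403 91
203.0.113.7 - - [02/Nov/2011:09:17:02 +0000] "GET /arcgis/rest/services/Basemap/MapServer HTTP/1.1" 200 2048"""

# Constructed policy: services that must never be served to an anonymous user.
RESTRICTED = {"Parcels.MapServer", "Utilities.MapServer"}

CLF = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Maps /arcgis/rest/services/<name>/<type>Server... to "<name>.<type>Server".
SERVICE_PATH = re.compile(r'^/arcgis/rest/services/(?P<name>[^/?]+)/(?P<type>[A-Za-z]+Server)')


def parse_arcgis(xml_text):
    """Turn each <Msg> element into an Event; missing attributes become ""."""
    root = ET.fromstring(xml_text)
    return [Event("arcgis", m.get("time", ""), "", m.get("user", ""), m.get("target", ""), 0)
            for m in root.iter("Msg")]


def parse_web(text):
    """Turn CLF lines into Events, normalising the request path to a service name."""
    events = []
    for line in text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # skip lines that do not parse rather than failing the batch
        svc = SERVICE_PATH.match(m["path"])
        target = f"{svc['name']}.{svc['type']}" if svc else m["path"]
        user = "" if m["user"] == "-" else m["user"]
        events.append(Event("web", m["time"], m["ip"], user, target, int(m["status"])))
    return events


def anonymous_restricted(events):
    """ArcGIS-side entries where a restricted service served an anonymous request.
    Only the ArcGIS log knows the user, so web events are not judged here."""
    return [e for e in events if e.source == "arcgis" and e.user == "" and e.target in RESTRICTED]


def requests_per_user(events):
    """Request counts per user from the ArcGIS log; anonymous is labelled explicitly."""
    return Counter(e.user or "<anonymous>" for e in events if e.source == "arcgis")


def auth_failures_by_ip(events, threshold):
    """Client addresses with at least `threshold` 401/403 responses in the web log."""
    counts = Counter(e.ip for e in events if e.source == "web" and e.status in (401, 403))
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    events = parse_arcgis(ARCGIS_LOG) + parse_web(WEB_LOG)
    for e in anonymous_restricted(events):
        print(f"anonymous access to restricted service {e.target} at {e.time}")
    print("requests per user:", dict(requests_per_user(events)))
    print("repeated auth failures:", auth_failures_by_ip(events, threshold=3))
```

The two checks are split by source on purpose: the web server sees the client address and the HTTP status but not who the token belonged to, while the ArcGIS log knows the user but not the address, which is the reason the slide pairs the "User" tag with web server, RDBMS, OS and firewall logs rather than relying on any one of them.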

Mechanisms

Questions?

• What mechanisms are you struggling with?

• Where can we provide further guidance?

ArcGIS Server

Public Facing Architecture

[Diagram: ArcGIS Server 10 and 10.1 public facing deployments across Public, DMZ and Private zones, with a WAF in front of the web tier and REST endpoint http://host/arcgis/rest. ArcGIS 10 labels: WEB, Reverse Proxy, SvrDir, DBMS, GIS Server with SOM, SOC and DBclient. ArcGIS 10.1 labels: WEB, Web Adaptor (IIS or Apache), SvrDir, DBMS, GIS Server with DBclient, ArcGIS Server Site with Config Store and Server Directories, OS Service Acct, Primary Site Admin Acct]

• Goodbye DCOM issues!

• Token Security enabled by default

• Added Publisher Role

• AGSAdmin / AGSUser OS Roles dropped

• All tier capabilities installed by default

- Web, application, data

- Ready to run developer platform

• Deploy Web Adaptor to web server for production

• Editor feature service tracking

- Owner based control

• Integrated Security Model still available

• Administrator API

Mobile

Just Secure the Web Service Endpoints, Right?

Mobile

OWASP Top 10 Mobile Issues

Issue | Solution Question

Physical Loss | Device Security Options?

Malicious App | What app stores allowed?

Rooted Device | Encryption/Strength?

Patches | How enforced?

Insecurely Written App | How is code tested?

Compromised Password | How secured/encrypted?

Unprotected Transport | TLS/SSL Utilized?

Weak Session Management | Tokens always passed?

Unprotected Services | Hardening Guidance?

Internal Resource Access | VPN Options?

Mobile Phone Security

ArcGIS Mobile Security Touch Points

[Diagram: touch points Communication, Service authorization, Device access, Project access, Data access, Server authentication, SDE permissions, Storage]

Mobile

• Enterprise Mobile Security Validation Efforts

- Enterprise device solutions

- Benefits: Secure email, browser, remote wipe, app distribution

- Application specific solutions

- Benefits: Secure connections and offline device data

- Esri iOS SDK + Security SDK

Mobile

Questions?

• Are there particular mobile security concerns you would like Esri to address more?

The Cloud

Who is Responsible for Security Controls?

• IaaS

- ArcGIS Server for Amazon

- CSP -> Infrastructure

- Agency -> CSP Config, OS, Apps

• SaaS

- ArcGIS Online

- CSP -> Infrastructure

- Esri -> CSP Config, OS, Apps

- Agency -> App Config

The Cloud

Choice of deployment models

The Cloud

Amazon Options

The Cloud

Going Beyond 1 Tier

The Cloud

IaaS - ArcGIS Server in Amazon – Deployment Options

• Ease Deployment

- New Cloud Builder 10.1 Tool

- Default not hardened

• Offload Management (Cloud Broker Role)

- Esri Managed Services

• Simplify FISMA

- GeoCloud – GSA / FGDC Initiative

- Security hardened AMI

- Shared security certification focus this year

The Cloud

SaaS - ArcGIS Online for Organizations

• Organization Administrator options

- Require SSL encryption

- Allow anonymous access to org site

• Consume Token Secured ArcGIS Server services

- 10 SP1 and later

- User name and password prompts upon adding the service to a map, and viewing

• Upcoming

- Operation Transparency pages (Trust.Salesforce.com)

- Federated Identities (SAML/ADFS)

- FISMA Certification and Accreditation

Compliance and Standards

Compliance

• FDCC

- Desktop products 9.3-10

• USGCB

- Planned Desktop products 10.1

• SSAE 16 Type 1 – Previously SAS 70

- Esri Data Center Operations

Cloud / SaaS Compliance Efforts

• FISMA

- ArcGIS Online for Organizations coming soon

• FedRAMP

- Actively aligning with requirements

• Cloud Security Forum Participation

- Lack of segmentation guidance

[Timeline: FY12 – Initial Ops; FY13 – Fully Op; FY14 – Sustained Ops]

Compliance Workarounds

• Password Management

- Prevent saving in MXD files

- Registry entry

- http://support.esri.com/en/knowledgebase/techarticles/detail/36695

• FIPS Compliance

- Additional steps necessary for .NET server 9.3-10

- http://support.esri.com/en/bugs/nimbus/role/beta10_1/TklNMDQ1MjA5

Compliance

Questions?

• Any compliance questions or suggestions?

Summary & Next Steps

Summary

• Security is NOT about just a technology

- Understand your organization’s GIS risk level

- Utilize Defense-In-Depth

• Secure Best Practice Guidance is Available

- Check out the Enterprise GIS Resource Center!

- Drill into details by mechanism or application type

What is still needed?

Your Input is Crucial

• Your Feedback and Insight Today is Essential

- Current Security Issues

- Upcoming Security Requirements

- Areas of concern Not addressed Today

Contact Us At:

Enterprise Security esinfo@esri.com

March 8 - MeetUp at Esri (Vienna, VA)

April 12 - MeetUp in DC area (location TBD)

Mar 24-27 – Esri Partner Conference (Palm Springs, CA)

Mar 26-29 – Esri Developer Summit (Palm Springs, CA)

July 21-24 – Esri Homeland Security Summit (San Diego, CA)

July 23-27 – Esri International User Conference (San Diego, CA)

Upcoming Events (www.esri.com/events)


Friday Closing Session and Hosted Lunch

• Join conference attendees for lunch and closing session

• 11:30 am – 1:30 pm

• Ballrooms A-C, Third Level

• Closing Speaker – Chris Smith, United States Department

of Agriculture

• Wrap-up and request for feedback with Jack Dangermond at the closing session


Thank You

Please complete session evaluation form
