Designing an Enterprise GIS Security Strategy Michael E Young CISSP

Designing an Enterprise GIS Security Strategy - Esridownloads2.esri.com/resources/enterprisegis/FedUC2011Security.pdf · Cloud Computing Security ... Esri’s Security Strategy


Designing an Enterprise GIS Security Strategy

Michael E Young, CISSP

Agenda

• Introduction
• Esri’s Security Strategy
• Federal Security Metric Tools
• Enterprise-Wide Security Mechanisms
• Product Security
• Cloud Computing Security
• Esri Security Compliance
• Summary and Next Steps

Introduction

- Michael E Young
  - Esri Senior Enterprise Security Architect
  - FISMA C&A Application Security Officer
  - Certified Information Systems Security Professional (CISSP)

Application Security Risks Diagram – OWASP 2010

Introduction: What is a secure GIS?

• Integration with other enterprise components?
  - Directory Services / LDAP / MS Active Directory
• Meeting security standards requirements?
• Security Certifications & Accreditations?
  - FDCC / FISMA / DIACAP
• User Application Interfaces?
  - ADF, MS Silverlight, Adobe Flex, JavaScript, Rich Clients
• Application built-in vs. separate security products?
  - ArcGIS Token Service / 3rd Party Single-Sign-On products

So far, nobody has found a silver bullet for security

Introduction: Designing an Enterprise GIS Security Strategy

• Identify your Security Needs
  - Assess your environment
  - Datasets, Systems
  - Sensitivity, Categorization
• Understand Security Options
  - Enterprise GIS Resource Center
  - Enterprise-wide Security Mechanisms
  - Application Specific Options
  - Utilize patterns
• Implement Security as a Business Enabler
  - Improve appropriate availability of information

Introduction: Designing an Enterprise GIS Security Strategy

Security Risk Management Process Diagram - Microsoft


Esri’s Security Strategy

Esri’s Security Strategy: Trends

[Diagram: IT Trend: Isolated Systems -> Integrated Systems with discretionary access. Esri Products: Discrete products and services supplemented by 3rd party security -> Enterprise system with embedded and 3rd party security]

Esri’s Security Strategy

• Secure GIS Products
  - Incorporate security industry best practices
  - Trusted geospatial services across the globe
  - Meet both individual user needs and entire organizations
• Secure GIS Solution Guidance
  - Enterprise Resource Center Website
  - Esri security patterns

Esri’s Security Strategy: Security Patterns

• Esri provides security implementation patterns

- Best practice security guidance

• Leverages National Institute of Standards and Technology (NIST)

• Patterns based on risk level

- Basic Security

- Standard Security

- Advanced Security

• Identify your risk level

- Formal process – NIST 800-60

- Informal process

To prioritize information security and privacy initiatives, organizations must assess their business needs and risks

Esri’s Security Strategy: Foundational Security Principles

• CIA Security Triad

• Defense in Depth

Esri’s Security Strategy: Defense in Depth

[Diagram labels: Technical Controls; Policy Controls; Physical Controls; Data and Assets; Authentication, Authorization, Encryption, Filters, Logging]


Federal Security Metric Tools

Federal Security Metric Tools

The 2010 State of Cybersecurity from the Federal CISO’s Perspective

Federal Security Metric Tools: CAG - Consensus Audit Guidelines

• 20 prioritized IT security controls
  - Automation is key
  - Map to NIST 800-53

• Let us know if this is important to your Agency

US State Department demonstrated more than 80% reduction in "measured" security risk through the rigorous automation and measurement of the Top 20 Controls

Federal Security Metric Tools: SCAP – Security Content Automation Protocol

• Standard to communicate vulnerability information
  - Automate compliance, manage vulnerabilities, perform security measurements
  - Evaluate policy compliance for standards

Used by Esri as part of the FDCC self-certification

Federal Security Metric Tools: NIST 800-53 / FISMA

• FISMA C&A utilizes NIST 800-53 security controls
• Esri security patterns based on these controls


Enterprise-wide Security Mechanisms

Enterprise-Wide Security Mechanisms: Overview

Enterprise-Wide Security Mechanisms: Authentication

• Three ArcGIS Authentication Schemes
  - Web Traffic via HTTP
    1. Web Services
    2. Web Applications
  - Intranet Traffic via DCOM
    3. Local Connections

Enterprise-Wide Security Mechanisms: Authentication

| Access Restricted | Authentication Method | Protocol | Description | Encryption |
| Web Service or Web Application | None | HTTP | Default Internet Connections | N/A |
| Web Service or Web Application | Basic, Digest, Windows Integrated | HTTP (SSL optional) | Browser built-in pop-up login dialog box. | Basic None, unless using SSL |
| Web Service or Web Application | Java EE Container | HTTP (SSL optional) | Web container provides challenge for credentials | Container Managed |
| Web Service or Web Application | Client Certificates, PKI Smart Cards | HTTPS | Server authenticates client using a public key certificate | PKI Managed |
| Web Application Only | .NET Form-based | HTTP (SSL optional) | Application provides its own custom login and error pages. | None, unless using SSL |
| Web Application Only | Java ArcGIS Managed | HTTP (SSL optional) | ArcGIS Server provides login page for Java Web App | None, unless using SSL |
| Web Service Only | Esri Token | HTTP (SSL optional) | Cross Platform, Cross API Authentication | AES-128bit |
| Local | Windows Integrated | DCOM | Default Local Connections; OS Groups AGSUser, AGSAdmin | OS Managed |

Enterprise-Wide Security Mechanisms: Authentication – User and Role Storage Options

• Java Options
  - Default – Apache Derby
  - External Database
  - LDAP
  - MS Active Directory
• .NET Options
  - Default - Windows Users and Groups
  - MS SQL Server Express
  - Custom Provider
    - Instructions for Active Directory and Oracle Providers available

[Diagram labels: Users (John, Cindy, Jim); Roles (Limited, Admin); Regions]

Enterprise-Wide Security Mechanisms: Authorization – Role Based Access Control

• Esri COTS
  - Assign access with ArcGIS Manager
  - Service Level Authorization across web interfaces
  - Services grouped in folders utilizing inheritance
• 3rd Party
  - RDBMS – Row Level or Feature Class Level
    - Versioning with Row Level degrades RDBMS performance
    - Alternative - SDE Views
• Custom - Limit GUI
  - Rich Clients via ArcObjects
  - Web Applications
    - Sample code Links in ERC
    - Microsoft’s AzMan tool

Enterprise-Wide Security Mechanisms: Filters – 3rd Party Options

• Firewalls
• Reverse Proxy
  - MS free reverse proxy for IIS 7 (Windows 2008)
• Web Application Firewall
  - Open Source option ModSecurity
• Anti-Virus Software
• Intrusion Detection / Prevention Systems
• Limit applications able to access geodatabase

Enterprise-Wide Security Mechanisms: Filters – Firewall Friendly Scenario

• Web Application Firewall in DMZ
• File Geodatabase in DMZ
• One-way replication via HTTP(s)
• Deployed to each web server for performance
• Internet users access to subset of Geodatabase

[Diagram labels: Internet, WAF, DMZ, Intranet; Web, GIS, Database (shown twice); HTTP, DCOM, SQL; Use; Author & Publish]

Enterprise-Wide Security Mechanisms: Filters

• Why no Reverse Proxy in DMZ?
  - One-off component / no management, minimal filtering
• Multi-Function Web Service Gateways
  - Store SSL Certificates / SSL Acceleration
  - URL Rewrite
  - Web Application Firewall

[Diagram labels: External, DMZ, Internal]

Enterprise-Wide Security Mechanisms: Encryption – 3rd Party Options

• Network
  - IPSec (VPN, Internal Systems)
  - SSL (Internal and External System)
• File Based
  - Operating System – BitLocker
  - GeoSpatially enabled PDFs combined with Certificates
  - Hardware (Disk)
• RDBMS
  - Transparent Data Encryption
  - Low Cost Portable Solution - SQL Express 2008 w/TDE

Enterprise-Wide Security Mechanisms: Logging/Auditing

• Esri COTS
  - Geodatabase history
    - May be utilized for tracking changes
  - ArcGIS Workflow Manager
    - Track Feature based activities
  - ArcGIS Server 10 Logging
    - New “user” tag allows tracking of user requests
• 3rd Party
  - Web Server, RDBMS, OS, Firewall
  - Consolidate with a SIEM

86 % of victims had evidence of the breach in their logs, yet 61 % of the breaches were discovered by a third party

*Verizon's 2010 Data Breach Investigations Report

Rich Client Security

Desktop
Explorer

Rich Client Security: ArcGIS Desktop

• Client typically with most access to sensitive data
• Variety of system connections
  - Direct Connect – RDBMS
  - Application Connect – SDE
  - HTTP Service – GeoData Service
    - Integration with Token Service
  - Windows native authentication
    - SSL and IPSec Utilization
• ArcObject Development Options
  - Record user-initiated GIS transactions
  - Fine-grained access control
    - Edit, Copy, Cut, Paste and Print

Rich Client Security: ArcGIS Explorer Communication

• Explorers for different users or topics
• Focused data and functions in one place
• You manage and customize

[Diagram labels: Your main office; Sales Explorer; Marketing Explorer; Centrally managed configurations; Your customers’ Explorer]

Mobile Phone Security

ArcPad
ArcGIS Mobile

Mobile Phone Security

• More
  - Platforms
    - ArcPad
    - ArcGIS Mobile
    - iPhone
    - Android
    - Windows
  - Functionality/Storage
  - User-base
• Leads to
  - Increased Hacker Attention

Mobile Phone Security: ArcPad

• AXF Data file
  - Password protect and encrypt
• Memory Cards
  - Encrypt
• ArcGIS Server users and groups
  - Limit publishers
• Internet connection
  - Secure ArcPad synch traffic

Mobile Phone Security: ArcGIS Mobile Security Touch Points

[Diagram labels: Communication; Service authorization; Device access; Project access; Data access; Server authentication; SDE permissions; Storage]

Mobile Phone Security: Mobile

• GeoData Service
  - HTTPS (SSL) or VPN tunnel
• Web Service
  - Credentials
  - Filter by OS / IP / Unique Device Identifier
  - Token Service
• Encrypt data at Rest
  - Windows Mobile Crypto API
  - 3rd Party tools for entire storage system


ArcGIS Server Security

ArcGIS Server Security: Pop Quiz – Defaults

• Is Communication Across Wire Secure by Default?
  - No
    - Communication between ArcGIS Server and all clients is clear-text by default
    - Secure web communication with an SSL Certificate
    - Secure internal DCOM communication with IPSec

ArcGIS Server Security: Pop Quiz - Filters

• Is a reverse proxy required for secure Internet facing deployments?
  - No
  - Some customers implement to eliminate DCOM traffic across firewalls
  - Used with Web Application Firewall improves security posture

ArcGIS Server Security: Pop Quiz – Guidance

• Is there Security Hardening Guidance?
  - Yes
    - Check out the ERC Implementation Gallery
    - Next update expected Q1 2011 - Version 10 Win 2k8

ArcGIS Server Security: Pop Quiz - Configuration

• Should Everyone group be assigned to root in ArcGIS Manager?
  - Depends
  - Everyone will have access to your services by default
  - OK for Basic security risk environments
  - NOT recommended for any Standard or Advanced security
  - Deny by default used in higher risk environments

ArcGIS Server Security: Security Model

ArcGIS Server Security: User Local Access to SOM

• Windows
  - Access managed by operating system of SOM machine
• Solaris and Linux
  - Users managed by ArcGIS Server Manager
• Add users to appropriate group
  - Simplistic access levels (None, Read, Full)

agsusers
  - View and access services

agsadmin
  - Add, delete, or modify services
  - Start, stop, or pause services
  - Add, remove, or modify server directories
  - Create Web mapping applications
  - Add or remove SOC machines
  - View statistical information

ArcGIS Server Security: Server Data Access

• Share folders that contain GIS resources
  - Grant SOC account Read and/or Write permission to the folder
• Add SOC as a user of your database
  - Grant SOC account Read and/or Write permission to each geodatabase

ArcGIS Server Security: Management User Interface Access

• ArcGIS Services Directory
  - Available as part of ArcGIS Server installation
  - Typically not exposed to the public for Standard security needs
• REST API Admin
  - Manages access to local ArcGIS Services Directory
  - Maintains REST cache
  - Requires membership in agsadmin group
  - Recommend to configure no public access
• ArcGIS Manager
  - Recommend to configure no public access

ArcGIS Server Security: GIS resource access

[Diagram labels: Local security; Web security; ArcGIS Server; Intranet; Internet; http://...; Web editing; Service capabilities]

ArcGIS Server Security: Implementing Web Access Control

1. Define user/role store

2. Assign users to roles

3. Assign roles to resources

4. Enable security
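The four steps above, combined with the folder inheritance and the Everyone-on-root question from earlier slides, as an added Python example. It is not Esri code or the ArcGIS Server API: `AccessPolicy`, its methods, the sample users, roles and service paths are hypothetical, and the additive inheritance and "open until security is enabled" behaviour are modelling assumptions.

```python
"""Model of folder-inherited, role-based service authorization.

Added illustration only; not ArcGIS Server code. All names and sample
data below are hypothetical and constructed for this example.
"""

EVERYONE = "Everyone"  # pseudo-role matching any caller, including anonymous

# Constructed sample services: one at root level, one in a folder, one ungranted.
SERVICES = ["/Basemap", "/Parcels/Owners", "/Zoning"]


class AccessPolicy:
    def __init__(self, security_enabled=False):
        self.security_enabled = security_enabled  # step 4
        self.user_roles = {}                      # steps 1-2: user -> roles
        self.grants = {}                          # step 3: resource -> roles

    def add_user(self, user, roles):
        self.user_roles[user] = set(roles)

    def grant(self, resource, role):
        """Allow `role` on a folder or service path such as '/' or '/Parcels'."""
        parts = [p for p in resource.split("/") if p]
        self.grants.setdefault("/" + "/".join(parts), set()).add(role)

    @staticmethod
    def _ancestors(resource):
        """Yield the resource itself, then each parent folder up to root '/'."""
        parts = [p for p in resource.split("/") if p]
        for i in range(len(parts), -1, -1):
            yield "/" + "/".join(parts[:i])

    def effective_roles(self, resource):
        """Roles granted on the resource or inherited from any parent folder."""
        roles = set()
        for node in self._ancestors(resource):
            roles |= self.grants.get(node, set())
        return roles

    def is_allowed(self, user, resource):
        if not self.security_enabled:
            return True  # assumption: nothing is restricted until step 4
        allowed = self.effective_roles(resource)
        if EVERYONE in allowed:
            return True
        # Deny by default: no matching grant anywhere on the path means no access.
        return bool(self.user_roles.get(user, set()) & allowed)


def publicly_reachable(policy, services):
    """Services an anonymous caller (user None) can reach under this policy."""
    return [s for s in services if policy.is_allowed(None, s)]


def build_basic_policy():
    """Basic risk level: Everyone assigned at root, inherited by all services."""
    policy = AccessPolicy(security_enabled=True)
    policy.grant("/", EVERYONE)
    return policy


def build_deny_by_default_policy():
    """Higher risk level: nothing at root, explicit grants per folder/service."""
    policy = AccessPolicy(security_enabled=True)
    policy.add_user("john", ["planners"])   # steps 1-2
    policy.add_user("cindy", ["viewers"])
    policy.grant("/Parcels", "planners")    # step 3: folder grant, inherited
    policy.grant("/Basemap", EVERYONE)      # deliberately public service
    return policy


if __name__ == "__main__":
    for name, builder in (("basic", build_basic_policy),
                          ("deny-by-default", build_deny_by_default_policy)):
        print(name, "->", publicly_reachable(builder(), SERVICES))
```

Running `publicly_reachable` against the real service list before go-live gives a quick check that nothing beyond the intended public services inherits an Everyone grant.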

ArcGIS Server Security: Authenticating to services with Token

• What is a token?

• Why do you need it?

- Services don’t have a logon user interface

• How does it work?

- ArcGIS Server Token Service

• Where do you get it?

- Request a Token from Token Service

ArcGIS Server Security: Web Service API Security Options

[Diagram labels: Token server; User / Password login; https://...; Web Server; ArcGIS; SOAP/REST; Token; Secured container; Proxy page. Options shown: Write full logon access to the token service (e.g., ArcGIS Desktop, custom application); Embed Token; Bind token in a proxy page]

ArcGIS Server Security: Flowing web user identity down to the database

• Integrated Security Model (ISM)
• Flow web user identity to database via proxy user
  - Logging - Non-repudiation across all architecture tiers for high risk security environments
  - Row-Level Security - Database driven security model for high-risk security environments
• Current Status
  - Customer scenarios collected
  - Simple configuration performance validation completed
    - 10-20% performance overhead
  - More complex scenarios to be validated next
  - Basic documentation online for Java ArcGIS Server

ArcGIS Server Security: ISM Initial Validation Configuration

- Web Server
  - MS IIS
- Application Server
  - Java ArcGIS Server 10
  - LDAP (Derby) Users & Groups Security Provider
- Oracle Database
  - Proxy user sessions
  - Table level access

ArcGIS Server Security: Row Level Security With ISM

• Virtual Private Database (VPD)
  - Transparently modifies requests
  - Presents partial table view
• Oracle Label Security (OLS)
  - Optional add-on
  - Provides interface for row-level security

ArcGIS Server Security: Version 10 Security Enhancements

• AGS Manager
  - Searchable user/roles
  - Application Level User Activity Logging
• Database level security option
  - Added to REST API
  - Passes user context to database
  - Control all data access at data tier
• Web Service Interface Security Improvements

ArcGIS Server Security: Amazon

• ArcGIS Server For Amazon
  - Esri built ArcGIS Server Amazon Machine Image (AMI)
  - Deploy to Amazon Elastic Compute Cloud (EC2) instance
• Addressing Security
  - Current AMI not hardened beyond Windows 2008 Server defaults
  - Typical Firewall Entries for Cloud implementations
    - ArcGIS Server
      - Port 80/443 for IIS & Remote desktop
    - Enterprise GeoDB AMI
      - Port 5151

Biggest Cloud Computing Concern is Security and Privacy…


Cloud Computing Security

Cloud Computing Security

• Is Cloud computing safe?
  - Classic answer: It depends…
• Security Benefits
  - Virtualization / Automation
    - Expedite secure configurations with images
  - Broad network access
    - Reduce removable media needs
  - Segmentation - Public data -> Cloud & sensitive -> Internal
  - Potential economies of scale
    - Lower cost backup copies of data
  - Self-service technologies
    - Apply security controls on demand

Cloud Computing Security: 2010 Cloud Computing Risks

Cloud Computing Security: Risks

• Vendor Practice Dependence
  - Potential sub-standard security controls
  - Loss of governance over data
• Vendor Lock-In
  - Services termination data loss
  - Portability
  - Lost internal capabilities to support
• Sharing resources (Multi-tenancy)
  - Access to other’s data
  - Unclear security responsibilities
  - Increased data transmitted = Increased disclosure risk
• Deployment Model Threat Exposure Levels
  - Private = Lowest, Community = More, Public = Highest

Cloud Computing Security: Which cloud service model?

• System Admin Access (IaaS)
  - ArcGIS Server on Amazon EC2
  - Federal Terremark Cloud
  - Private Cloud
• Developer Access (PaaS)
  - Esri Web Mapping APIs (JavaScript, Flex, Silverlight)
  - Microsoft Azure ArcGIS Applications
• End User Solutions (SaaS)
  - ArcGIS.com
  - Business Analyst Online
  - ArcGIS Explorer Online

Cloud Computing Security: Which cloud deployment model?

• Cloud Deployment Location
  - Public (e.g. Amazon)
  - Private (e.g. Internal Corporate)
• Primary driver -> Security
• Agencies segmenting datasets to mitigate cloud risks
  - Public clouds for public datasets
  - Private clouds for sensitive datasets
• June 2010 IDC IT Executive Survey
  - Preference for using a private versus a public cloud
    - 55% - Private cloud was more appealing than a public cloud
    - 22% - Equally appealing

Organizations from the midmarket up will have a mix of public & private

Cloud Computing Security: What are your security needs?

• Assess your security needs
  - Data sensitivity
    - Public domain, sensitive, classified
  - User types
    - Public, internal
  - Categorize security needs
    - Basic, standard, advanced
• Most public cloud implementations are basic
  - Security similar to social networking sites (Facebook)
  - Most GIS users have only basic security needs

Cloud Computing Security: Best practices

• Similar to internal ops
  - Break up tiers
  - Protect in transit
  - Protect at rest
  - Credential management
  - Built-in OS Firewalls
  - AGS App Security

Cloud Computing Security: ArcGIS Server on Amazon EC2

• Default
  - Web and App Tiers combined
• Scaling out
  - Elastic Load Balancing
  - What about supporting infrastructure?

[Diagrams: Default Deployment; Scaling Out]

Cloud Computing Security: ArcGIS Server on Amazon EC2

• Minimize your administrative attack surface
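One way to check this against the typical firewall entries listed earlier (80/443 for IIS, Remote Desktop, 5151 for the enterprise geodatabase), as an added Python example that is not Esri or Amazon code. The rule format, names and sample rules are constructed; port 3389 is the default Remote Desktop port and is an assumption about the deployment.

```python
"""Audit cloud firewall ingress rules for publicly exposed admin ports.

Added illustration only. The rule dictionaries below are a constructed
format, not an export from any real cloud API.
"""
import ipaddress

PUBLIC_WEB_PORTS = {80, 443}  # IIS, per the slides
ADMIN_PORTS = {
    3389: "Remote Desktop (default port, assumed)",
    5151: "Enterprise geodatabase (per the slides)",
}

# Constructed sample: web open to all, RDP open to all, geodatabase internal.
DEFAULT_RULES = [
    {"name": "web-http", "from_port": 80, "to_port": 80, "cidr": "0.0.0.0/0"},
    {"name": "web-https", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"name": "rdp-admin", "from_port": 3389, "to_port": 3389, "cidr": "0.0.0.0/0"},
    {"name": "geodb", "from_port": 5151, "to_port": 5151, "cidr": "10.0.1.0/24"},
]

# Constructed sample: same deployment with RDP limited to one admin address
# (203.0.113.0/24 is a documentation range).
HARDENED_RULES = [
    {"name": "web-http", "from_port": 80, "to_port": 80, "cidr": "0.0.0.0/0"},
    {"name": "web-https", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"name": "rdp-admin", "from_port": 3389, "to_port": 3389, "cidr": "203.0.113.10/32"},
    {"name": "geodb", "from_port": 5151, "to_port": 5151, "cidr": "10.0.1.0/24"},
]


def is_world_open(cidr):
    """True for 0.0.0.0/0 and ::/0, i.e. any source address may connect."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_ingress(rules):
    """Return (rule name, port or None, finding) tuples for risky rules.

    'admin-port-public'      an administrative port reachable from anywhere
    'unexpected-public-port' a world-open rule covering ports other than
                             the web and admin ports listed above
    """
    findings = []
    known = PUBLIC_WEB_PORTS | set(ADMIN_PORTS)
    for rule in rules:
        if not is_world_open(rule["cidr"]):
            continue  # source-restricted rules are outside this check
        lo, hi = rule["from_port"], rule["to_port"]
        for port in sorted(ADMIN_PORTS):
            if lo <= port <= hi:
                findings.append((rule["name"], port, "admin-port-public"))
        # Port ranges can hide extra exposure: count ports not accounted for.
        covered_known = sum(1 for p in known if lo <= p <= hi)
        if (hi - lo + 1) > covered_known:
            findings.append((rule["name"], None, "unexpected-public-port"))
    return findings


if __name__ == "__main__":
    for label, rules in (("default", DEFAULT_RULES), ("hardened", HARDENED_RULES)):
        print(label, audit_ingress(rules))
```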

Cloud Computing Security: Amazon EC2 Security

• Secured physical facilities
• Logically secure EC2 instances
• Configurable firewall to control ingress access
• Standard ArcGIS Server security
• Optional multifactor authentication

Cloud Computing Security: Cloud Directive

• White House urging Federal agencies to adopt
  - Clear focus on streamlining infrastructure management, improving service, and saving money
  - Security concerns continue to hold agencies back
• Cloud Security Status
  - Half of those who have implemented cloud apps DO NOT KNOW if they have experienced a breach

• Are government cloud information security standards available?

- Requested by 91% of Agencies

Statistics from 2010 Symantec Break in the Cloud Report

Cloud Computing Security: FedRAMP

• Work in Progress Standard
• Cross-agency Cloud security C&A process
  - Initial standard for Low and Moderate security
• Esri actively engaged in working groups & commenting period
• Esri actively identifying interested Agencies
  - FedRAMP initially focused on large user base systems or used by multiple Federal agencies


Esri Security Compliance

Esri Security Compliance: Security Patterns

• Esri security implementation patterns
  - Leverage NIST 800-53 security controls
  - Based on same standards as FISMA C&A process
  - Not provided as full certification compliance representations

• As validated, patterns released in Enterprise GIS Resource Center

Esri Security Compliance: Desktop Software

• FDCC (Federal Desktop Core Configuration) certified
  - Esri fully supports and tests product compatibility since 9.2
  - Starting with Windows 7 name changing to USGCB
    - United States Government Configuration Baseline
• PKI (Public Key Infrastructure) w/ CAC or PIV
  - Common customer deployment

Esri Security Compliance: ArcGIS Server

• Configurable for FIPS 140-2 encryption requirements
  - ArcGIS Server .NET requires a workaround procedure
• Security hardening guidelines available
  - Whitepaper update in a couple of months
    - Win 2k8 and ArcGIS 10
  - Based on in-the-field lessons learned and test environment

Esri Security Compliance: Hosting Services

• 2010 SAS 70 type 1 audit of ArcGIS.com
• FISMA certification and accreditation
  - Esri hosts low risk category environments
  - Each solution currently requires a separate certification
• FedRAMP standard for cloud deployments
  - Actively reviewing / feedback due this week
  - Let us know if you are interested

Esri Security Compliance: Summary

• Esri provides security due diligence with our solutions, but is not a security software company
• Utilize 3rd party security software for high level IA functions
• Many successful Esri high risk security deployments
  - International - ISO 17799/2700X, BS 7799, Common Criteria (CC)
  - Federal - FISMA (NIST), DITSCAP/DIACAP
  - Industry - HIPAA, SOX, PCI

Esri is Fully Committed to Federal Security Requirements


Summary and Next Steps

Summary

• Security is NOT about just a technology
  - Understand your organization’s GIS risk level
  - Utilize Defense-In-Depth
• Secure Best Practice Guidance is Available
  - Check out the Enterprise GIS Resource Center!
  - Drill into details by mechanism or application type
  - Professional Services Enterprise GIS Security Assessment
• Cloud Computing for GIS Has Arrived
  - Security is evolving quickly
  - Security in the cloud is a shared responsibility

Next Steps Supporting Secure Solutions

• Your Feedback and Insight Today is Essential
  - Current Security Issues
  - Upcoming Security Requirements
  - Feedback on Integrated Security Model
  - Suggestions for the Enterprise Resource Center
  - Areas of concern Not addressed Today

Contact Us At: Enterprise Security [email protected] Young [email protected]
