ArcGIS and Enterprise Security
Leveraging ArcGIS in Cybersecurity (Ken Stoni)
Secure Enterprise ArcGIS Best Practices (Michael Young)
Visualizing the Virtual: A geospatial approach to cyber operations and security
Ken Stoni
The Problem: Detection is Difficult, Cyber isn’t enough
Breach Timeline
• Compromise: 97% <= days
• Exfiltration: 72% <= days
• Discovery: 66% >= MONTHS
• Containment: 63% <= days
** 70% of breaches were discovered by external parties
http://www.verizonenterprise.com/DBIR/2013/
Our Goals:
1) Detect early
2) Detect internally
3) Respond appropriately (maintenance vs security)
Cyberspace Re-Considered: It’s Mappable
[Figure: cyberspace layers, top to bottom: Social / Persona Layer, Device Layer, Logical Network Layer, Physical Network Layer, Geographic Layer]
• Each device in cyberspace is owned by someone (no ‘global commons’)
• Electro-mechanical devices exist in space-time and interact with physical events
• Geography is required to integrate and align cyberspace with other data
Cybersecurity: A common sequence of questions
[Diagram: following traffic from Source across the WAN to Destination, the analyst asks in turn: Compromise attempted? Compromise successful? Technical impact? Mission impact? How should we respond? Detection inputs: IDS/IPS, IT Inventory. Response outputs: Intervention, Remediation/Hardening, Mission Impact]
Four Design Patterns
[Diagram labels: Signature Detection, Anomaly Detection, Mission Assurance (Cyber Supply Line), Data; spanning the External Cyber Environment, the WAN and the Internal Cyber Environment]
Detection: Selection & Trending at various scales
[Diagram: Firewall and IDS/IPS events carry a Source IP and a Destination IP; the IT Inventory places internal addresses at Campus, Building and Function, and 3rd-party geo-locators (geocoding) place external addresses at City and Building]
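The detection pattern above joins firewall and IDS events to two geographic sources, an IT inventory for the organisation's own subnets and a third-party geo-locator for everything else, and then trends counts at whatever scale the analyst needs. The script below is an added example, not code from the presentation or from Esri: the subnets, buildings, log lines and the small geo-locator table (a stand-in for a service such as MaxMind, whose real data differs) are all constructed for illustration.

```python
"""Constructed example: enrich firewall / IDS events with geography from two
sources, an internal IT inventory for the organisation's own subnets and a
third-party geolocator table standing in for a service such as MaxMind, then
trend event counts at building, campus and city scale.
Every log line, subnet and location below is invented for illustration."""
import ipaddress
from collections import Counter

# Constructed IT inventory: internal subnet -> (campus, building, function)
IT_INVENTORY = {
    "10.1.10.0/24": ("Campus #1", "Bldg 1", "Finance"),
    "10.1.20.0/24": ("Campus #1", "Bldg 2", "Dispatch"),
    "10.2.5.0/24": ("Campus #2", "Bldg 7", "Lab"),
}
# Constructed stand-in for a 3rd-party geo-locator (public subnet -> city, country);
# the documentation ranges 198.51.100.0/24 and 203.0.113.0/24 play the "external" role
GEO_LOCATOR = {
    "198.51.100.0/24": ("Example City A", "Country X"),
    "203.0.113.0/24": ("Example City B", "Country Y"),
}
# Constructed firewall log: action, source IP, destination IP, destination port
FIREWALL_LOG = """\
DENY 198.51.100.7 10.1.10.5 445
DENY 198.51.100.9 10.1.10.5 445
ALLOW 10.1.20.14 10.2.5.3 6080
DENY 203.0.113.20 10.1.20.14 22
DENY 198.51.100.7 10.2.5.3 3389
ALLOW 10.2.5.3 10.1.20.14 443
"""


def lookup(ip, table):
    """Linear scan over a handful of subnets (no longest-prefix matching needed here)."""
    addr = ipaddress.ip_address(ip)
    for cidr, location in table.items():
        if addr in ipaddress.ip_network(cidr):
            return location
    return None


def geocode(ip):
    """Place an address: IT inventory first (internal), else geo-locator (external)."""
    hit = lookup(ip, IT_INVENTORY)
    if hit:
        return {"scope": "internal", "campus": hit[0], "building": hit[1], "function": hit[2]}
    hit = lookup(ip, GEO_LOCATOR)
    if hit:
        return {"scope": "external", "city": hit[0], "country": hit[1]}
    return {"scope": "unknown"}


def parse_events(log_text):
    """Turn raw log lines into events whose endpoints carry geographic attributes."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        action, src, dst, dport = line.split()
        events.append({"action": action, "dport": int(dport),
                       "src": geocode(src), "dst": geocode(dst)})
    return events


def trend(events, side, scale, action=None):
    """Count events on one side ('src' or 'dst') at one geographic scale
    ('building', 'campus', 'city', ...), optionally restricted to one action."""
    return Counter(e[side].get(scale, "unknown")
                   for e in events if action in (None, e["action"]))


if __name__ == "__main__":
    evts = parse_events(FIREWALL_LOG)
    print("denied connections by source city:", trend(evts, "src", "city", "DENY"))
    print("denied connections by target building:", trend(evts, "dst", "building", "DENY"))
```

Changing the `scale` argument is what "trending at various scales" means in practice: the same enriched events roll up to building, campus or city without re-parsing the logs, and an address that neither source can place is still counted (as "unknown") rather than silently dropped.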
Mission Impact: The Cyber Supply Line
[Diagram: a Mission Data Flow from Campus #1 (LAN, BldgNet) across the WAN (carriers such as Verizon, AT&T, DISA) to Campus #2 (BldgNet, LAN); the path it follows is the Cyber Supply Line]
1. Cyber Supply Line (CSL) is a consistent path through the infrastructure
2. CSL focuses resources on only the devices that are critical
3. Managing data flows is similar to traffic routing, an Esri core competency
The CSL and Risk: Mission Assurance
• RA = f(V, T)
• R = Risk, A = Asset, V = Vulnerability, T = Threat
• Asset = Data, Device, Sub-Net, Mission
• Mitigation prioritized by Likelihood & Consequence (of failure)
[Diagram: Cyber Supply Line]
Effect Propagation: Multi-level Model of Data Flow
[Diagram: Cyber Supply Line; Mission Assurance means maintaining the data flow]
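The risk formula RA = f(V, T) and the multi-level effect-propagation model above fit together as a small graph problem: a device's likelihood of failure comes from its vulnerability and threat scores, its consequence comes from the missions whose data flows traverse it, and a failure propagates device -> flow -> mission. The script below is an added example that is not part of the presentation: the topology, the scores and the choice of f as a simple product (the slide leaves f unspecified) are all constructed for illustration.

```python
"""Constructed example: ranking devices on a Cyber Supply Line (CSL) by risk
and propagating the effect of a device failure to the missions that depend on
it.  Device names, scores and topology are invented for illustration, and the
risk function f(V, T) is assumed to be a plain product."""
from dataclasses import dataclass, field


@dataclass
class Device:
    name: str
    vulnerability: float  # V, 0..1 (e.g. unpatched, exposed service)
    threat: float         # T, 0..1 (e.g. observed scanning, sector threat level)


@dataclass
class Mission:
    name: str
    criticality: float                        # consequence weight if the mission fails
    flows: list = field(default_factory=list)  # each flow is a list of device names (a path)


def likelihood(d):
    """RA = f(V, T): a product is assumed here; the slide does not fix f."""
    return d.vulnerability * d.threat


def consequence(device_name, missions):
    """Multi-level propagation: device -> every flow that traverses it -> mission."""
    return sum(m.criticality for m in missions
               if any(device_name in path for path in m.flows))


def rank_devices(devices, missions):
    """Risk per device = likelihood x consequence, highest first."""
    scores = {d.name: round(likelihood(d) * consequence(d.name, missions), 3)
              for d in devices}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


def impacted_missions(failed_device, missions):
    """A mission survives if at least one of its flows avoids the failed device."""
    return sorted(m.name for m in missions
                  if all(failed_device in path for path in m.flows))


def csl_devices(missions):
    """The CSL is the set of devices that mission flows actually traverse;
    devices outside it get no mission-assurance resources."""
    return sorted({dev for m in missions for path in m.flows for dev in path})


# Constructed inventory and mission data flows
DEVICES = [
    Device("bldg1-switch", 0.6, 0.5), Device("campus1-edge", 0.3, 0.9),
    Device("wan-carrier", 0.2, 0.7), Device("campus2-edge", 0.3, 0.9),
    Device("bldg7-switch", 0.6, 0.5), Device("lab-printer", 0.9, 0.9),
]
MISSIONS = [
    Mission("dispatch", 10.0,
            [["bldg1-switch", "campus1-edge", "wan-carrier", "campus2-edge", "bldg7-switch"]]),
    Mission("payroll", 3.0,
            [["bldg1-switch", "campus1-edge", "wan-carrier", "campus2-edge"],
             ["bldg1-switch", "campus1-edge", "backup-link", "campus2-edge"]]),
]

if __name__ == "__main__":
    for name, score in rank_devices(DEVICES, MISSIONS):
        print(f"{name:14s} risk={score}")
    print("if wan-carrier fails:", impacted_missions("wan-carrier", MISSIONS))
    print("CSL devices:", csl_devices(MISSIONS))
```

Note what the ranking shows: the lab printer has the highest vulnerability and threat scores of anything in the inventory but carries no mission flow, so its mission risk is zero and it drops off the CSL, while a moderately exposed building switch that every flow shares comes out on top. That is the "focus resources on only the devices that are critical" point in numbers.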
‘When’: Support to all stages of development
[Diagram: stages from ‘Start from Scratch’ through Design -- Build, Operate -- Maintain and Monitor -- Respond; at each stage Data (IT Inventory, MaxMind geo-coding, existing data) feeds Workflows that produce Information Products for Monitoring and Reporting (dashboards, MS-Office briefing books); successive goals are Improve SA, Improve Reporting and Improve Performance (cheaper, quicker, more accurate), tracked against Status, Risk and Cost/Schedule]
‘How’: Recommended Approach
[Diagram: parallel Collector -> Database -> Visualization -> Analysis pipelines fed by the Existing Enterprise Network, Existing Enterprise Apps Monitoring, Environmental Data and Auxiliary Data; Query and Analysis widgets and APIs expose the results through a Portal, Dashboard Reporting and an MS-Office Briefing Book]
‘Why’: Information sharing leading to coordinated action
[Diagram of participants and data: the Adversary; ‘Hunt Teams’ and Network Ops (Network Activities); Analysis & Planning in the Net Security Division; Network Engineers; Net Security Data and Net Ops Data feeding Monitoring, Reporting and Performance Optimization; Determine Attack Indicators with Threat Data from the Security Community (e.g. McAfee); Observe & Assess against a Net Model and Best Practices (e.g. NIST Framework); the Enterprise Ops Center and Executives]
Secure Enterprise ArcGIS: Best Practices
Michael E Young, Esri Principal Security Architect
What is a secure GIS?
Introduction: What is “The” Answer?
[Diagram axes: Risk, Impact]
Trends: Controls by Industry
• Industry risk patterns
• Focus security controls
• Energy Sector High Risk Areas
- Web Application Attacks
- Crimeware
- Denial of Service (DoS) attacks
* Verizon 2014 DBIR
Trends
• Scenario
- OpenSSL vulnerability (HeartBleed)
- ArcGIS Online indirectly exposed through Amazon’s Elastic Load Balancer
- Patched by Amazon within a day of vulnerability announcement
- Many pre 10.3 ArcGIS components contain vulnerable version, but don’t utilize vulnerable function
- ArcGIS Server for Linux before 10.3 was vulnerable (Patch available for 10.1 SP1 and later)
• Lessons learned
- 3rd party / open source components are immersive across cloud and on-premises
- Many organizations still don’t have effective patch management for these underlying components
- No individual layer is fool-proof
- Esri’s first cross-product vulnerability status KBA minimized confusion
- Utilize Trust.ArcGIS.com site
[Callouts: Open source security component vulnerability affects 2/3rd of web services; Expect more issues with OpenSSL throughout 2015]
Trends: 2015 and beyond
• Focus shifting from network perimeter to data
- Drives need for stronger authentication of who is accessing the data
• Mobile malware continues to grow
• APTs and malware diversification
• Unpatched systems (Windows XP end-of-life)
• Hacking the Internet of Things
Strategy
Strategy: A better answer
• Identify your security needs
- Assess your environment: datasets, systems, users
- Data categorization and sensitivity
- Understand your industry attacker motivation
• Understand security options
- Trust.arcgis.com
- Enterprise-wide security mechanisms
- Application specific options
• Implement security as a business enabler
- Improve appropriate availability of information
- Safeguards to prevent attackers, not employees
Strategy: Enterprise GIS Security Strategy
[Figure: Security Risk Management Process Diagram - Microsoft]
Strategy: Esri Products and Solutions
• Secure Products
- Trusted geospatial services
- Individual to organizations
- 3rd party assessments
• Secure Enterprise Guidance
- Trust.ArcGIS.com site
- Online Help
• Secure Platform Management
- SaaS Functions & Controls
- Certifications / Compliance
Strategy: Security Principles
[Figure: CIA Security Triad: Confidentiality, Integrity, Availability]
Strategy: Defense in Depth
• More layers does NOT guarantee more security
• Understand how layers/technologies integrate
• Simplify
• Balance People, Technology, and Operations
• Holistic approach to security
[Diagram: Physical Controls, Policy Controls and Technical Controls layered around Data and Assets]
Mechanisms
Mechanisms: Authentication
• GIS Tier (Default)
- Built-in User store
- Enterprise (AD / LDAP)
- ArcGIS Tokens
• Web Tier (Add web adaptor)
- Enterprise (AD / LDAP)
- Any authentication supported by web server: HTTP Basic / Digest, PKI, Windows Integrated
[Diagram: web, mobile and desktop clients, ArcGIS for Desktop users (publish services) and GIS Server administrators (connect to ArcGIS Server Manager) reach the GIS server(s) and data server through a web server running the Web Adaptor]
Mechanisms: Authorization – Role-Based Access Control
• Esri COTS
- Assign access with ArcGIS Manager
- Service Level Authorization across web interfaces
- Services grouped in folders utilizing inheritance
• 3rd Party
- Web Services: Conterra’s Security Manager (more granular)
- RDBMS: Row Level or Feature Class Level; Versioning with Row Level degrades performance; Alternative - SDE Views
- URL Based: Web Servers & Intercept offerings such as CA’s SiteMinder
Mechanisms: Filters – 3rd Party Options
• Firewalls
• Reverse Proxy
• Web Application Firewall
• Anti-Virus Software
• Intrusion Detection / Prevention Systems
Mechanisms: Encryption – 3rd Party Options
• Network
- IPSec (VPN, Internal Systems)
- SSL/TLS (Internal and External System)
- Cloud Encryption Gateways: only encrypted datasets sent to cloud
• File Based
- Operating System – BitLocker
- GeoSpatial PDF with Certificates
- Hardware (Disk)
• RDBMS
- Transparent Data Encryption (TDE)
Mechanisms: Logging/Auditing
• Esri COTS
- Geodatabase history: track changes
- ArcGIS Workflow Manager: track detailed Feature based activities
- ArcGIS Server 10+ Logging: “User” tag added
• 3rd Party
- Logs: Web Server, RDBMS, OS, Firewall; consolidate with a SIEM
- Geospatial monitors: Upcoming – GIS Management pack for MS System Center; Esri – System Monitor; Vestra – GeoSystems Monitor; Geocortex Optimizer
ArcGIS Server
ArcGIS Server: Enterprise Deployment
[Diagram: Internet (443) -> Firewall -> WAF, SSL Accel Load Balancer -> Web Server A / Web Server B (IIS/Java web server, Web Apps, Web Adaptor, port 80, Web Adaptor round-robin via Network Load Balancing) -> GIS Server A / GIS Server B (ArcGIS for Server, GIS Services, port 6080, server request load balancing) -> HA NAS (Config Store, Directories), FGDB, and clustered HA DB1 / HA DB2 (SQL). Supporting infrastructure: AD / LDAP, an Auth Web Server (IIS/Java, port 443), ADFS / SAML 2.0 with an ADFS Proxy, behind their own firewall]
ArcGIS Server: Minimize Attack Surface
• Don’t expose Server Manager to public
• Disable Services Directory
• Disable Service Query Operation (as feasible)
• Enable Web Service Request Filtering
- Windows 2008 R2+ Request Filtering
- XML Security Gateway Better
• Limit utilization of commercial databases under website
- File GeoDatabase can be a useful intermediary (SQL injection does not work)
• Require authentication to services
[Chart: Attack surface over time; axes Attack surface vs Time]
ArcGIS Server: New Security Hardening Guidelines
• Establishing guidelines with DISA
- Create Security Technical Implementation Guides (STIGs)
- First STIG will be Windows based ArcGIS Server 10.3
- Other STIGs will be performed based on demand
• Expected completion in 2015
• Post STIG completion
- STIG will be an input for an ArcGIS Server Security Hardening guide for general distribution
- Additional enterprise component integration testing and best practice recommendations to be incorporated
ArcGIS Server: Awareness of Relative Risk
• New relative risk insights for geospatial services
• Optional mitigation measures to reduce risk
[Table: Relative Service Risk / Security Hardened Settings, columns Service, Capability, Default when Enabled, Security Hardened; the last two columns are colour ratings: Red = Higher risk, Yellow = Average risk, Green = Low risk]
Service        Capability
Map            Mapping, Query
Feature        Read, Edit, Sync
Geocoding      Geocode
Geodata        Query, Data Extraction, Replica
Geoprocessing  Geoprocessing
Image          Imaging, Edit, Upload
ArcGIS Server: Enhancements
• Single-Sign-On (SSO) for Windows Integrated Authentication
- Works across ArcGIS for Server, Portal, and Desktop
• Stronger PKI validation
- Leverage multi-factor authentication when accessing applications, computers, and devices
- Web adaptor deployed to web server forwards to AGS the request and username
• Integrated account management and publishing capabilities
- Across ArcGIS for Server and Portal in a federated configuration
• Key SQL Injection vulnerabilities addressed since 10.2 with Standardized Queries
• Add support for
- Active Directory nested groups & domain forests
- Configuring Private and Public services within the same ArcGIS Server site
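Both the "Standardized Queries" point above and the earlier advice to disable the service Query operation where feasible come down to the same control: limit what a caller can put into a query's where clause so that it cannot reach the database as arbitrary SQL. The validator below is an added example that illustrates that principle; it is not Esri's Standardized Queries implementation and not code from the slides. It admits only a small allow-listed SQL subset (field comparisons against literals, IN lists, IS [NOT] NULL, LIKE, AND/OR/NOT, parentheses) and checks every field name against the layer schema; the grammar, the example field names such as STATE_NAME and POP2000, and the helper names are assumptions for the example.

```python
"""Constructed example: an allow-list validator for the `where` parameter of a
map/feature service query.  Only a small standardized SQL subset is accepted
and every field name must exist in the layer schema.  This illustrates the
principle behind standardized queries; it is not Esri's implementation, and
the grammar and field names are assumptions for the example."""
import re

TOKEN_RE = re.compile(r"""
    \s*(?:
        (?P<string>'(?:[^']|'')*')          |   # quoted literal, '' escapes a quote
        (?P<number>-?\d+(?:\.\d+)?)         |
        (?P<op><=|>=|<>|!=|=|<|>)            |
        (?P<lparen>\()                      |
        (?P<rparen>\))                      |
        (?P<comma>,)                        |
        (?P<word>[A-Za-z_][A-Za-z0-9_]*)
    )""", re.VERBOSE)

KEYWORDS = {"AND", "OR", "NOT", "IN", "IS", "NULL", "LIKE"}


def tokenize(where):
    """Split the clause into tokens; anything outside the allow-list (';', '--',
    '/*', function calls written with other characters, ...) is rejected here."""
    where, tokens, pos = where.strip(), [], 0
    while pos < len(where):
        m = TOKEN_RE.match(where, pos)
        if not m:
            raise ValueError(f"illegal character at offset {pos}")
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
        pos = m.end()
    return tokens


class WhereValidator:
    """Recursive-descent check of:  expr := term ((AND|OR) term)*
    term := NOT term | '(' expr ')' | field op literal | field LIKE string
          | field IN '(' literal (',' literal)* ')' | field IS [NOT] NULL"""

    def __init__(self, fields):
        self.fields = {f.upper() for f in fields}   # layer schema (assumed field list)

    def validate(self, where):
        self.toks, self.i = tokenize(where), 0
        if not self.toks:
            raise ValueError("empty where clause")
        self._expr()
        if self.i != len(self.toks):
            raise ValueError(f"unexpected token {self.toks[self.i][1]!r}")
        return True

    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def _take(self, kind, value=None):
        k, v = self._peek()
        if k != kind or (value and v.upper() != value):
            raise ValueError(f"expected {value or kind}, got {v!r}")
        self.i += 1
        return v

    def _is_word(self, *words):
        k, v = self._peek()
        return k == "word" and v.upper() in words

    def _expr(self):
        self._term()
        while self._is_word("AND", "OR"):
            self.i += 1
            self._term()

    def _term(self):
        if self._is_word("NOT"):
            self.i += 1
            return self._term()
        if self._peek()[0] == "lparen":
            self.i += 1
            self._expr()
            return self._take("rparen")
        field = self._take("word")
        if field.upper() in KEYWORDS or field.upper() not in self.fields:
            raise ValueError(f"unknown field {field!r}")
        if self._peek()[0] == "op":
            self.i += 1
            self._literal()
        elif self._is_word("LIKE"):
            self.i += 1
            self._take("string")
        elif self._is_word("IN"):
            self.i += 1
            self._take("lparen")
            self._literal()
            while self._peek()[0] == "comma":
                self.i += 1
                self._literal()
            self._take("rparen")
        elif self._is_word("IS"):
            self.i += 1
            if self._is_word("NOT"):
                self.i += 1
            self._take("word", "NULL")
        else:
            raise ValueError(f"expected comparison after {field!r}")

    def _literal(self):
        # Right-hand side must be a constant: no fields, subqueries or functions
        if self._peek()[0] not in ("string", "number"):
            raise ValueError("comparison must be against a literal value")
        self.i += 1


def is_allowed(where, fields):
    """True if the clause is in the standardized subset, False otherwise."""
    try:
        return WhereValidator(fields).validate(where)
    except ValueError:
        return False
```

The right-hand side of every comparison must be a literal, which is what keeps subqueries, function calls and comment sequences out regardless of which database sits underneath; rejected clauses should be logged, since a stream of them from one client is itself a useful detection signal for the SIEM consolidation described earlier.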
ArcGIS Server: Single ArcGIS Server machine
[Diagram, left: site administrators connect to Manager and desktop, web and mobile clients connect directly to the GIS server (data, server directories, configuration store) on ports 6080/6443. Right: the same site front-ended with a reverse proxy or Web Adaptor, so clients reach the Web Adaptor on 80/443 while 6080/6443 stays behind it]
ArcGIS Server: ArcGIS Server HA - Sites independent of each other
[Diagram: desktop, web and mobile clients -> Network Load Balancer (NLB) -> Web Adaptors (optional, port 80) -> two independent ArcGIS Server sites (port 6080), each with its own server directories and configuration store (duplicated between sites); site administrators connect to each site’s Manager]
• Active-active configuration is shown
- Active-passive is also an option
• Separate configuration stores and management
- Scripts can be used to synchronize
• Cached map service for better performance
• Load balancer to distribute load
ArcGIS Server: ArcGIS Server HA – Shared configuration store
[Diagram: desktop, web and mobile clients -> Network Load Balancer (NLB) -> Web Adaptors (port 80) -> GIS servers (port 6080) in one site sharing a data server, data (enterprise geodatabase), server directories and configuration store; site administrators connect to Manager]
• Shared configuration store
• Web Adaptor will correct if server fails
• Config change affects whole site
- Example: publishing a service
• Test configuration changes
Cloud
Cloud: Service Models
• On-Premises
- Traditional systems infrastructure deployment
- Portal for ArcGIS & ArcGIS Server
• IaaS
- Portal for ArcGIS & ArcGIS Server
- Some Citrix / Desktop
• SaaS
- ArcGIS Online
- Esri Managed Cloud Services
[Diagram: Decreasing Customer Responsibility from On-Premises (customer responsible end to end) through IaaS to SaaS (customer responsible for application settings)]
Cloud: Deployment Models
[Diagram of deployment models, Cloud vs On-premise: On-Prem (intranet Portal and Server); On-Prem + read-only Basemaps from Online (intranet Portal and Server); ArcGIS Online + On-Prem (public Online, intranet Server); ArcGIS Online + EMCS (Online plus Servers)]
Cloud: Management Models
• Self-Managed
- Your responsibility for managing IaaS deployment security
• Provider Managed
- Esri Managed Cloud Services
- New FedRAMP Moderate Compliant (part of Advanced Plus option)
Cloud: Responsibility Across Deployment Options
[Diagram: stacked layers per option, legend Customer Responsibility / Esri Responsibility / CSP Responsibility:
- On-premises: Virtual / Physical Servers, Security Infrastructure, OS/DB/Network, ArcGIS
- Esri Images & Cloud Builder on Cloud Infrastructure (IaaS): OS/DB/Network, ArcGIS; no Security Infrastructure by default
- Esri Managed Cloud Services (FedRAMP Moderate Compliant): Cloud Infrastructure (IaaS), Security Infrastructure, OS/DB/Network, ArcGIS
- ArcGIS Online (FISMA Low ATO): Cloud Infrastructure (IaaS), Security Infrastructure, OS/DB/Network, ArcGIS Online]
Esri Managed Cloud Services
[Architecture diagram: AWS Cloud Infrastructure (Hypervisor, TCP/IP, Network ACLs, Routing, Storage, Hardware) within the IaaS ATO Scope; the Esri Compliance & ATO Scope covers the EMCS Security Infrastructure (Web Application Firewall (WAF), Intrusion Detection (IDS / SIEM), Centralized Management (Backup, CM, AV, Patch, Monitor), Authentication/Authorization (LDAP, DNS, PKI)), a Public-Facing Gateway and DMZ, an Esri Admin Gateway with Bastion Gateway (MFA) and Security Service Gateway used by Esri Administrators and the Security Ops Center (SOC), and Dedicated Customer Application Infrastructure (ArcGIS for Portal, ArcGIS Server, Relational Database, File Servers, Agency Application Security) used by End Users; the Common Security Infrastructure is Active/Active Redundant across two Cloud Data Centers; On-Premises Users and Apps connect with Anonymous Access segmented]
[Comparison of options:
- Esri Managed Cloud Services: Ready in days; All ArcGIS capabilities at your disposal in the cloud; Dedicated services; FedRAMP Moderate
- On-Premises: Ready in months/years; Behind your firewall; You manage & certify
- ArcGIS Online: Ready in minutes; Centralized geo discovery; Segment anonymous access from your systems; FISMA Low]
Cloud: Hybrid deployment combinations
All models can be combined or separate
Cloud: Standards
• Enterprise Logins
- SAML 2.0 - Provides federated identity management
- Integrate with your enterprise LDAP / AD
- Added to Portal for ArcGIS 10.3
• APIs to Manage users & app logins
- Developers can utilize OAuth 2-based APIs
- https://developers.arcgis.com/en/authentication/
Compliance
Compliance: Products and Services
• ArcGIS Online
- FISMA Low Authority To Operate (ATO) by USDA
- FedRAMP - Upcoming
• Esri Managed Cloud Services (EMCS)
- FedRAMP Moderate (Jan 2015)
• ArcGIS Desktop
- FDCC (versions 9.3-10)
- USGCB (versions 10.1+)
- ArcGIS Pro (Expected Q1 2015)
Compliance: Corporate Operations
• ISO 27001
- Esri’s Corporate Security Charter
• Privacy Assurance
- US EU/Swiss SafeHarbor self-certified
- TRUSTed cloud certified
• SSAE 16 Type 1 – Previously SAS 70
- Esri Data Center Operations
- Expanded to Managed Services in 2012
Compliance: Cloud Infrastructure Providers
• ArcGIS Online Utilizes World-Class Cloud Infrastructure Providers
- Microsoft Azure
- Amazon Web Services
[Table: Cloud Infrastructure Security Compliance; entries include SSAE16 SOC1 Type 2 and Moderate]
Compliance: ArcGIS Online Assurance Layers
[Diagram, bottom to top: Physical, Hypervisor, Instance Security Management, Operating system, Web Server & DB software, ArcGIS Management, Web App Consumption; responsibility bands: Cloud Provider (ISO 27001, SSAE16, FedRAMP Mod), Esri (AGOL SaaS: FISMA Low (USDA), SafeHarbor (TRUSTe)), Customer (Web App Consumption)]
Summary
• Geospatial solutions can facilitate cybersecurity
• Security demands rapidly evolving
- Prioritize efforts according to your industry and needs
- Don’t just add components, simplified Defense In Depth
• Secure Best Practice Guidance is Available
- Check out the ArcGIS Trust Site!
- ArcGIS Security Architecture Workshop
Thank you! Give us your feedback!
www.esri.com/ratemyPUGsession