Esri UC2013 . Technical Workshop
2013 Esri International User Conference, July 8–12, 2013 | San Diego, California
Designing an Enterprise GIS Security Strategy
Michael E. Young
Designing an Enterprise GIS Security Strategy · 2013-08-02 · Esri UC2013 . Technical Workshop . Strategy A better answer • Identify your Security Needs-Assess your environment-Datasets,
Transcript
- May be utilized for tracking changes
- ArcGIS Workflow Manager
- Track Feature based activities
- ArcGIS Server 10+ Logging
- “User” tag tracks user requests
• 3rd Party
- Web Server, RDBMS, OS, Firewall
- Consolidate with a SIEM
Question: Any geospatial service monitors?
- Vestra’s GeoSystems Monitor
- Geocortex Optimizer
Mechanisms: Logging/Auditing
• Vestra GeoSystems Monitor
- ArcGIS Platform access and availability awareness
- New - User consumption metrics
- SDE Table/Feature class (Who & Frequency)
- ArcGIS Server Services & Apps (Who & Action)
ArcGIS Server
ArcGIS Server: Public Facing Architecture
[Diagram: public-facing architecture for ArcGIS Server 10, 10.1 & 10.2. Zones: Public, DMZ, Private. Components: WAF, Web Adaptor, Reverse Proxy, WEB, GIS Server, SOM, SOC, DB client, SvrDir, DBMS. Connections labelled HTTP(s), SQL and DCOM.]
ArcGIS Server: Enterprise Deployment
[Diagram: enterprise deployment. Labels, front to back: Internet (443); Firewall; WAF, SSL Accel, Load Balancer (Network Load Balancing); Web Server A and Web Server B (IIS/Java Web Server, Web Apps, Web Adaptor, Port: 80); Web Adaptor Round-Robin; Server Request Load Balancing; GIS Server A and GIS Server B (ArcGIS for Server, GIS Services, Port: 6080) forming the ArcGIS Site; HA NAS (Config Store, Directories); FGDB; Clustered HA DB1 and HA DB2 (SQL). Supporting Infrastructure: AD/LDAP; Auth Web Server (IIS/Java Web Server, ADFS / SAML 2.0, Port: 443); Firewall.]
ArcGIS Server: Minimize Attack Surface
• Don’t expose Server Manager to public
• Disable Services Directory
• Disable Service Query Operation (as feasible)
• Enable Web Service Request Filtering
- Windows 2008 R2+ Request Filtering
- XML Security Gateway
- Does not intercept POST requests
- REST API only requires GET and HEAD verbs
- Exception – Utilize POST for token requests
• Limit utilization of commercial databases under website
- File GeoDatabase can be a useful intermediary
• Require authentication to services
File GeoDatabase
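An added example (not from the slides or from Esri) that checks web server logs for gaps in the controls listed above: it flags served requests that use verbs other than GET/HEAD outside the token endpoint, and Server Manager requests served to non-internal clients. The URL paths, the internal network range and the log layout are assumptions, and the log lines are constructed.

```python
import ipaddress

# Policy taken from the slide; every path and network below is an assumption.
ALLOWED_VERBS = {"GET", "HEAD"}                        # REST API needs only these
TOKEN_PATH = "/arcgis/tokens"                          # assumed token endpoint (POST allowed)
MANAGER_PATHS = ("/arcgis/manager", "/arcgis/admin")   # assumed Manager/admin paths
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed internal range

# Constructed sample log: date time c-ip cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2013-07-08 10:00:01 203.0.113.7 GET /arcgis/rest/services/Parcels/MapServer 200
2013-07-08 10:00:02 203.0.113.7 POST /arcgis/tokens/generateToken 200
2013-07-08 10:00:03 203.0.113.9 POST /arcgis/rest/services/Parcels/MapServer/0/query 200
2013-07-08 10:00:04 203.0.113.9 DELETE /arcgis/rest/services/Parcels/MapServer 404
2013-07-08 10:00:05 203.0.113.9 GET /arcgis/manager/ 200
2013-07-08 10:00:06 10.1.2.3 GET /arcgis/manager/ 200
""".splitlines()


def under(path, prefix):
    """True if path is the prefix itself or lies below it."""
    return path == prefix or path.startswith(prefix + "/")


def audit(lines):
    """Return (line_number, finding) for requests the policy should have stopped."""
    findings = []
    for number, line in enumerate(lines, 1):
        fields = line.split()
        if line.startswith("#") or not fields:
            continue  # skip W3C directives and blank lines
        if len(fields) != 6 or not fields[5].isdigit():
            findings.append((number, "unparsed"))
            continue
        _, _, client, verb, path, status = fields
        path, served = path.lower(), int(status) < 400
        try:
            addr = ipaddress.ip_address(client)
        except ValueError:
            findings.append((number, "unparsed"))
            continue
        internal = any(addr in net for net in INTERNAL_NETS)
        token_post = verb == "POST" and under(path, TOKEN_PATH)
        # A disallowed verb that was served means request filtering is not in force.
        if served and verb not in ALLOWED_VERBS and not token_post:
            findings.append((number, "verb-filter-gap"))
        # Manager or admin content served to a client outside the internal range.
        if served and not internal and any(under(path, p) for p in MANAGER_PATHS):
            findings.append((number, "manager-exposed"))
    return findings
```

Requests that the filter already rejected (status 400 and above) are not reported, so the output lists only places where a control is missing.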
ArcGIS Server: 10.2 Enhancements
• Single-Sign-On (SSO) for Windows Integrated Authentication
- Works across ArcGIS for Server, Portal, and Desktop
• Stronger PKI validation
- Leverage multi-factor authentication when accessing applications, computers, and devices
- Web adaptor deployed to web server forwards to AGS the request and username
• Integrated account management and publishing capabilities
- Across ArcGIS for Server and Portal in a federated configuration
• Key SQL Injection vulnerabilities addressed
- Changes made in 10.2 may affect some advanced users that were using database-specific SQL statements in their custom applications
• Add support for
- Active Directory nested groups & domain forests
- Configuring Private and Public services within the same ArcGIS Server site
Mobile
Mobile: What are the mobile concerns?
These steps can be completed within 5 minutes – Do them!
• SSAE 16 Type 1 – Previously SAS 70
- Esri Data Center Operations
- Expanded to Managed Services in 2012
Summary
• Security is NOT about just a technology
- Understand your organization’s GIS risk level
- Realize the game has changed and prioritize efforts accordingly
- Don’t just add components, simplify!
• Secure Best Practice Guidance is Available
- Check out the ArcGIS for Professionals site!
- Drill into details by mechanism or application
- Look for ArcGIS Online Cloud Security Alliance security control documentation soon
Summary: UC 2013 Security Sessions
[Diagram: UC 2013 security sessions, grouped under the labels Core, ArcGIS Server, ArcGIS Online and ArcGIS Platform]
- Designing an Enterprise GIS Security Strategy
- Securing ArcGIS Services Introduction
- Securing ArcGIS Services Advanced
- Best Practices in Setting Up Secured Services in ArcGIS for Server
- Building Secure Applications
- Security and ArcGIS Online
- ArcGIS Online & Cloud Computing Security Best Practices
Please fill out the session evaluation
Offering ID: 1379
Online – www.esri.com/ucsessionsurveys
Paper – pick up and put in drop box
Thank you…