Technical Workshops | Esri International User Conference San Diego, California Designing an Enterprise GIS Security Strategy Michael E Young July 26, 2012

May 21, 2020


Agenda

• Introduction

• Strategy

• Trends

• Mechanisms

• ArcGIS Server

• Mobile

• Cloud

• Compliance


Introduction

- Michael E Young

- Esri Principal Security Architect

- Certified Information Systems Security Professional (CISSP)


Introduction What is a secure GIS?


Introduction Sign in Japan Narita Airport - May 2011

Context is key for identifying the appropriate secure GIS solution for your organization


Introduction What is “The” Answer?

Risk

Impact


Introduction Where Are the Vulnerabilities?

* SANS Relative Vulnerabilities


Strategy


Strategy

• Identify your Security Needs

- Assess your environment

- Datasets, Systems

- Sensitivity, Categorization

• Understand Security Options

- Enterprise GIS Resource Center

- Enterprise-wide Security Mechanisms

- Application Specific Options

- Utilize patterns

• Implement Security as a Business Enabler

- Improve appropriate availability of information


Strategy Enterprise GIS Security Strategy

Security Risk Management Process Diagram - Microsoft


Strategy Esri’s Security Strategy Evolution

Product

Enterprise Solution

Isolated Systems

3rd Party Security

Integrated Systems

Embedded Security

Cloud

Managed Security


Strategy Esri Products and Solutions

• Secure Products

- Trusted geospatial services

- Individual to organizations

- Extending validation

• Secure Enterprise Guidance

- Enterprise Resource Center

- Patterns

- Online Help

• Secure Solution Management

- SaaS Functions & Controls

- ArcGIS Online Security Overview


Strategy Expanded Security Online Help and Papers


Strategy Security Implementation Patterns

• Risk based

• 3 categories / NIST alignment

• Selection process

- Formal – NIST 800-60

- Informal

To prioritize information security and privacy initiatives, organizations must assess their business needs and risks


Strategy Security Principles

• CIA Security Triad

• Defense in Depth


Strategy Defense in Depth

[Diagram labels: Technical Controls; Policy Controls; Physical Controls; Data and Assets; Authentication; Authorization; Encryption; Filters; Logging]


Trends


Trends Perception

• End-User Perception

- I don’t ever hear about Virus issues in our company anymore

• Reality

- Modern attacks are not as much about being visible

- Layers of exploits deployed

- Goal is to obtain your company’s most valuable information


Trends Modern Attack

Don’t rely on Anti-Virus and Firewalls Alone to Protect Your Organization

Websense

2012 Threat Report


Trends Reverse Proxies Need to Be Maintained

• Apache Reverse Proxy Exploit – Oct 2011

• Allows unauthenticated access to information that should be confidential

• Commonly overlooked component for updates

CVE-2011-3368

Update Your Reverse Proxy!


Trends End of Browser Plug-ins?

• Migration away from Flash and Silverlight Plug-ins

• Security experts ready to unload plug-ins

• HTML5 limitation inconsistencies across browsers slowing migration


Trends Mobile Security

• iPhone Twitter PII compromised

• Mobile device data not secure by default

Enterprise Mobile Security Solutions can help


Trends Cloud

• Data breaches of 2011

- #1 Sony – PlayStation Cloud

- 100+ mill

- #2 Epsilon – Email Cloud

- 60+ mill

- #6 Nasdaq – Dashboard Cloud

- 10k+ Sr. Execs

*http://informationweek.com/news/security/attacks/232301079

An Enterprise Security Strategy can help through cloud data mitigation controls and cloud security policies


Trends Events over the last month

• US loses $250 billion annually in IP theft

• $338 billion annually in financial theft

• Result of cyber espionage is the "greatest transfer of wealth in history."


Mechanisms


Mechanisms Authentication

• Pre-10.1 Options

- Web Traffic via HTTP

1. Web Services

2. Web Applications

- Intranet Traffic via DCOM

3. Local Connections


Mechanisms Authentication

| Access Restricted | Authentication Method | Description | Encryption |
|---|---|---|---|
| Web Service or Web Application | None | Default Internet Connections | N/A |
| Web Service or Web Application | Basic, Digest, Windows Integrated | Browser built-in pop-up logon | Basic None, unless using SSL |
| Web Service or Web Application | Java EE Container | Web container challenge | Container Managed |
| Web Service or Web Application | PKI / Smartcards | Public key certificate* | PKI Managed |
| Web Application Only | .NET Form-based | Custom login and error pages. | None, unless using SSL |
| Web Application Only | Java ArcGIS Managed | ArcGIS Server provides login | None, unless using SSL |
| Web Service Only | Esri Token | Cross Platform, Cross API | AES-128bit |
| Local DCOM (Gone in 10.1) | Windows Integrated | OS Groups AGSUser, AGSAdmin | OS Managed |

*PKI / Smartcard Validation Environment Recently Stood up


Mechanisms Authorization – Role Based Access Control

• Esri COTS

- Assign access with ArcGIS Manager

- Service Level Authorization across web interfaces

- Services grouped in folders utilizing inheritance

• 3rd Party

- RDBMS – Row Level or Feature Class Level

- Versioning with Row Level degrades RDBMS performance

- Alternative - SDE Views

• Custom - Limit GUI

- Rich Clients via ArcObjects

- Web Applications

- Sample code Links in ERC

- Microsoft’s AzMan tool


Mechanisms Filters – 3rd Party Options

• Firewalls

• Reverse Proxy

• Web Application Firewall

- Open Source option ModSecurity

• Anti-Virus Software

• Intrusion Detection / Prevention Systems

• Limit applications able to access geodatabase


Mechanisms Filters – Firewall Friendly Scenario

• Web Application Firewall in DMZ

• File Geodatabase (FGDB) in DMZ

• One-way replication via HTTP(s)

• Deployed to each web server for performance

• Internet users access to subset of Geodatabase

• Same replication model could be used to push data to cloud

[Diagram labels: Internet; DMZ; Intranet; WAF; Web; GIS; FGDB; Database; HTTP; DCOM; SQL; Use; Author & Publish]


Mechanisms Filters

• Why no Reverse Proxy in DMZ?

- One-off component / no management, minimal filtering

• Multi-Function Web Service Gateways

- Store SSL Certificates / SSL Acceleration

- URL Rewrite

- Web Application Firewall

[Diagram labels: External; DMZ; Internal]


Mechanisms Encryption – 3rd Party Options

• Network

- IPSec (VPN, Internal Systems)

- SSL (Internal and External System)

- Cloud Encryption Gateways

- Only encrypted datasets sent to cloud

• File Based

- Operating System – BitLocker

- GeoSpatially enabled PDFs combined with Certificates

- Hardware (Disk)

• RDBMS

- Transparent Data Encryption

- Low Cost Portable Solution - SQL Express 2008 w/TDE


Mechanisms Logging/Auditing

• Esri COTS

- Geodatabase history

- May be utilized for tracking changes

- ArcGIS Workflow Manager

- Track Feature based activities

- ArcGIS Server 10+ Logging

- “User” tag tracks user requests

• 3rd Party

- Web Server, RDBMS, OS, Firewall

- Consolidate with a SIEM


ArcGIS Server


ArcGIS Server Public Facing Architecture

[Diagram comparing 10 and 10.1. Labels: Public; DMZ; Private; WEB; WAF; Web Adaptor; Reverse Proxy; GIS Server; SOM; SOC; DBclient; SvrDir; DBMS; DCOM; HTTP(s); SQL]


ArcGIS Server 10.1 Changes

[Diagram labels: GIS Server; http://host/arcgis/rest; OS Service Acct; Primary Site Admin Acct; Config Store; Server Directories; ArcGIS Server Site; IIS or Apache; Web Adaptor]

• Goodbye DCOM issues!

• Token Security enabled by default

• Added Publisher Role

• AGSAdmin / AGSUser OS Roles dropped

• All tier capabilities installed by default

- Web, application, data

- Ready to run developer platform

• Deploy Web Adaptor to web server for production

• Editor feature service tracking

- Owner based control

• Integrated Security Model still available

• Administrator API


ArcGIS Server 10.1 Deployment

Want to know more about ArcGIS Server 10.1 Security?

Check out: 3:15-4:30pm - Building Secure Applications – Room 32B


Mobile


Mobile Just Secure the Web Service Endpoints, Right?


Mobile OWASP Top 10 Mobile Issues

| Issue | Solution Question |
|---|---|
| Physical Loss | Device Security Options? |
| Malicious App | What app stores allowed? |
| Rooted Device | Encryption/Strength? |
| Patches | How enforced? |
| Insecurely Written App | How is code tested? |
| Compromised Password | How secured/encrypted? |
| Unprotected Transport | TLS/SSL Utilized? |
| Weak Session Management | Tokens always passed? |
| Unprotected Services | Hardening Guidance? |
| Internal Resource Access | VPN Options? |


Mobile Phone Security

ArcGIS Mobile Security Touch Points

[Diagram labels: Communication; Service authorization; Device access; Project access; Data access; Server authentication; SDE permissions; Storage]


Mobile Enterprise Mobile Security

• Built-in device capabilities

- Can store features encrypted on iOS 5 with Flex 3.0 API

• Enterprise device solutions (InTune, AirWatch, Good, MaaS360)

- Benefits: Secure email, browser, remote wipe, app distribution

• Application specific solutions

- Benefits: Secure connections and offline device data

- Esri iOS SDK + Security SDK


Cloud


Cloud Is cloud right for you?

• Common deployment delays

- Analysis paralysis

- Complex Proof-of-Concepts (POC)

- Technical details primary focus

- Security & performance

- Cost predictability concerns

• What type of cloud

- Deployment model (where it’s located)

- Service model (How much it does)


Cloud Responsibility across cloud service models

• IaaS

- ArcGIS Server for Amazon

- CSP -> Infrastructure

- Cust -> CSP Config, OS, Apps

• SaaS

- ArcGIS Online

- CSP -> Infrastructure

- Esri -> CSP Config, OS, Apps

- Cust -> App Config


Cloud Deployment models


Cloud SaaS Deployment options

• Three ArcGIS Online patterns

1. Store data and publish service to cloud

2. Only publish service metadata to cloud

3. Deploy solution on-premises


Cloud Amazon


Cloud Going Beyond 1 Tier in Amazon


Cloud IaaS - ArcGIS Server in Amazon – Deployment Options

• Ease deployment

- New Cloud Builder 10.1 Tool

- Default not hardened

• Offload management (Cloud Broker Role)

- Esri Managed Services

• Hardened instances

- GeoCloud – GSA / FGDC Initiative

- Security hardened AMI

- Shared security certification focus this year


Cloud IaaS – Common security issues

1. Access to ports not limited

- If you utilize the default image and open RDP to all IP addresses, expect to be compromised in as little as a day

2. System patches not applied

- There have been a number of significant RDP vulnerabilities

3. Authentication weak

- Multi-factor authentication recommended

- Check out AWS Virtual MFA for a free option

4. System not hardened

- Turn off/uninstall components you don’t use

- Utilize built-in capabilities such as NLA for RDP


Cloud SaaS - ArcGIS online for Organizations

• Organization administrator options

- Require SSL encryption

- Allow anonymous access to org site

• Consume Token secured ArcGIS Server services

- 10 SP1 and later

- User name and password prompts upon adding the service to a map, and viewing

• Transparency

- Status.ArcGIS.com

• Upcoming

- Federated Identities (SAML/ADFS)


Compliance and Standards


Compliance

• FDCC

- Desktop products 9.3-10

• USGCB

- Desktop products 10.1 – Almost completed

• SSAE 16 Type 1 – Previously SAS 70

- Esri data center operations

- Expanding to Managed Services for 2012

• FISMA

- ArcGIS Online – In progress


Summary & Next Steps


Summary

• Security is NOT about just a technology

- Understand your organization's GIS risk level

- Utilize Defense-In-Depth

• Secure best practice guidance is available

- Check out the Enterprise GIS Resource Center!

- Drill into details by mechanism or application type


Summary & Next Steps

• Your feedback and insight today is essential

- Current security issues

- Upcoming security requirements

- Areas of concern not addressed today

Contact Us At:

Enterprise Security [email protected]


Steps to evaluate UC sessions

• My UC Homepage >

“Evaluate Sessions”

• Choose session from planner

OR

• Search for session

www.esri.com/ucsurveysessions


• Thank you for attending

• Have fun at UC2012

• Open for questions

• Please fill out the evaluation:

www.esri.com/ucsessionsurveys

Offering ID: 986
