[Paul Lorrain] Solutions Manual for Electromagneti(Bookos.org)
Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain...
-
Upload
meagan-perkins -
Category
Documents
-
view
231 -
download
4
Transcript of Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain...
![Page 1: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/1.jpg)
Enterprise GIS: Security Strategy
Michael E. Young
Chief Product Security Officer
Matt Lorrain
Security Architect
![Page 2: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/2.jpg)
Agenda
• Introduction
• Trends
• Strategy
• Mechanisms
• Server
• Mobile
• Cloud
• Compliance
![Page 3: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/3.jpg)
IntroductionWhat is a secure GIS?
![Page 4: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/4.jpg)
IntroductionWhat is “The” Answer?
Risk
Vulnerabilit
y
Thre
atImpact
![Page 5: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/5.jpg)
IntroductionWhere are the vulnerabilities?
Core network component vulnerabilities were exposed last year, but application risks are still king
*SANS Relative Vulnerabilities
![Page 6: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/6.jpg)
Michael Young
Current Real World Scenarios & Trends
![Page 7: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/7.jpg)
TrendsWeb Application Attacks
*Verizon 2015 DBIR
![Page 8: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/8.jpg)
Trends
• Number of mobile devices infected still relatively small
• 96% targeted against Android platform
• Mobile malware short lived- Piggybacks popular apps
• Mobile SDK’s being attacked- Ensure apps built with latest
SDK’s
• What can help?- Enterprise Mobility Management
enables control and visibility
Mobile attacks
* Verizon 2015 DBIR
![Page 9: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/9.jpg)
TrendsTrends by Industry
* Verizon 2015 DBIR
• Frequency of incidents by pattern and industry
• Identify hot spots for your specific industry- Prioritize security
initiatives to mitigate against common threats
![Page 10: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/10.jpg)
Real-world security scenarios
• Scenario- Organization utilizes cloud based services for disseminating disaster communications
- Required easy updates from home and at work
- Drove allowing public access to modify service information
• Lesson learned- Enforce strong governance processes for web publication
- Don’t allow anonymous users to modify web service content
- Minimize or eliminate “temporary” modification rights of anonymous users
- If web services are exposed to the internet, just providing security at the application level does not prevent direct service access
Disaster communications modified
Lack of strong governance leads to unexpected consequences
![Page 11: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/11.jpg)
Real-world security scenarios
• Scenario- Hackers used a third-party vendor’s user name and password to enter network
- Hackers managed to elevate rights and deploy malware on systems
- Result- 56 million credit and debit cards compromised
- 53 million email addresses disclosed
• Lessons learned- Credential management and high-level of trust of “internal” users
- Use an Identity Provider with SAML 2.0 for accessing cloud-based applications
- Enforce 2-factor authentication – At a minimum administrators should do this
Using same username and password between systems leads to compromise
![Page 12: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/12.jpg)
Real-World Security Scenarios
• Hint – The Trust.ArcGIS.com site will always have this answer handy…
QUIZ – When was the last ArcGIS Security patch released?
99.9% of vulnerabilities are exploited more than a year after being released
![Page 13: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/13.jpg)
TrendsStrategic Shifts in Security Priorities for 2015 and Beyond
• Identity management priority increasing as security focus moves from network to data level
• Advanced Persistent Threats driving shift from Protect to Detect
• Encryption of Internet traffic via SSL v3 broken – Ensuring TLS utilized is necessary
• Password protection is broken – Stronger mechanisms required such as 2-factor auth
• Customers balancing security gateways for mobile solutions vs. VPN
• Patching beyond Operating systems critical
• End-of-life OS builds with XP and now Server 2003 present significant risk
![Page 14: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/14.jpg)
Michael Young
Strategy
![Page 15: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/15.jpg)
StrategyA better answer
• Identify your security needs- Assess your environment
- Datasets, systems, users
- Data categorization and sensitivity
- Understand your industry attacker motivation
• Understand security options- Trust.arcgis.com
- Enterprise-wide security mechanisms
- Application specific options
• Implement security as a business enabler- Improve appropriate availability of information
- Safeguards to prevent attackers, not employees
![Page 16: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/16.jpg)
StrategyEnterprise GIS Security Strategy
Security Risk Management Process Diagram - Microsoft
![Page 17: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/17.jpg)
StrategyEvolution of Esri Products & Services
Product
EnterpriseSolution
Isolated Systems
3rd Party Security
Integrated Systems
Embedded Security
Software as a Service
Managed Security
![Page 18: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/18.jpg)
StrategyEsri Products and Solutions
• Secure Products- Trusted geospatial services
- Individual to organizations
- 3rd party assessments
• Secure Platform Management- Backed by Certifications / Compliance
• Secure Enterprise Guidance- Trust.ArcGIS.com site
- Online Help
ArcGIS
![Page 19: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/19.jpg)
StrategySecurity Principles
Con
fiden
tialit
yAvailability
IntegrityCIA Security
Triad
![Page 20: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/20.jpg)
StrategyDefense in Depth
• More layers does NOT guarantee more security
• Understand how layers/technologies integrate
• Simplify
• Balance People, Technology, and Operations
• Holistic approach to security TechnicalControls
PolicyControls
Physical Controls
Data and
Assets
![Page 21: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/21.jpg)
Esri UC 2014 | Technical Workshop |
Mechanisms
![Page 22: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/22.jpg)
Mechanisms
![Page 23: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/23.jpg)
MechanismsUsers & Authentication
• User Store Options- Built-in user store
- Server, Portal, ArcGIS Online
- Enterprise user store- LDAP / Active Directory
• Authentication Options- Built-in Token Service
- Server, Portal, ArcGIS online
- Web-tier (IIS/Apache) w/ Web Adaptor- Windows Integrated Auth, PKI, Digest…
- Identity Provider (IdP) / Enterprise Logins- SAML 2.0 for ArcGIS Online & Portal
• ArcGIS Server patterns- Server-tier Auth w/ Built-in users
- Server-tier Auth w/ Enterprise Users
- Web-tier Auth w/ Enterprise Users
• Portal for ArcGIS patterns- Portal-tier Auth w/ Built-in users
- Portal-tier Auth w/ Enterprise users
- Web-tier Auth w/ Enterprise users
- SAML 2.0 Auth w/ Enterprise Users
• ArcGIS Online patterns- ArcGIS Online Auth w/ Built-in users
- SAML 2.0 Auth w/ Enterprise users
![Page 24: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/24.jpg)
MechanismsAuthorization – Role-Based Access Control
• Out-of-box roles (level of permission)- Administrators
- Publishers
- Users
- Custom – Only for Portal for ArcGIS & ArcGIS Online
• ArcGIS for Server – Web service authorization set by pub/admin- Assign access with ArcGIS Manager
- Service Level Authorization across web interfaces
- Services grouped in folders utilizing inheritance
• Portal for ArcGIS – Item authorization set by item owner- Web Map – Layers secured independently
- Packages & Data – Allow downloading
- Application – Allows opening app
![Page 25: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/25.jpg)
MechanismsAuthorization – Extending with 3rd Party components
• Web services- Conterra’s Security Manager (more granular)
- Layer and attribute level security
• RDBMS- Row Level or Feature Class Level
- Versioning with Row Level degrades performance- Alternative – SDE Views
• URL Based- Web Server filtering
- Security application gateways and intercepts
![Page 26: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/26.jpg)
MechanismsFilters – 3rd Party Options
• Firewalls- Host-based
- Network-based
• Reverse Proxy
• Web Application Firewall- Open Source option ModSecurity
• Anti-Virus Software
• Intrusion Detection / Prevention Systems
• Limit applications able to access geodatabase
![Page 27: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/27.jpg)
MechanismsFilters - Web Application Firewall (WAF)
• Implemented in DMZ
• Protection from web-based attacks
• Monitors all incoming traffic at the application layer
• Protection for public facing applications
• Can be part of a security gateway- SSL Certificates
- Load Balancer
Internet
Security GatewayWAF, SSL Accel, LB
Web servers
Internal Infrastructure
ArcGIS servers
443
DMZ
![Page 28: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/28.jpg)
MechanismsEncryption – 3rd Party Options
• Network- IPSec (VPN, Internal Systems)
- SSL/TLS (Internal and External System)
- Cloud Encryption Gateways
- Only encrypted datasets sent to cloud
• File Based- Operating System – BitLocker
- GeoSpatially enabled PDF’s combined with Certificates
- Hardware (Disk)
• RDBMS- Transparent Data Encryption
- Low Cost Portable Solution - SQL Express w/TDE
![Page 29: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/29.jpg)
MechanismsLogging/Auditing
• Esri COTS- Geodatabase history
- May be utilized for tracking changes- ArcGIS Workflow Manager
- Track Feature based activities- ArcGIS Server 10+ Logging
- “User” tag tracks user requests
• 3rd Party- Web Server, RDBMS, OS, Firewall- Consolidate with a SIEM
• Geospatial service monitors- Esri – System Monitor- Vestra – GeoSystems Monitor- Geocortex Optimizer
![Page 30: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/30.jpg)
MechanismsGIS monitoring with System Monitor
• Proactive
• Integrated- Dashboards across all tiers
• End-to-End- All tier monitoring
• Continuous- %Coverage provided
• Extendable- Custom queries
![Page 31: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/31.jpg)
Esri UC 2014 | Technical Workshop |
ArcGIS ServerMatt Lorrain
![Page 32: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/32.jpg)
ArcGIS Server10.3 Enhancements
• ArcGIS Server Manager - New dashboard for administrators
• Portal for ArcGIS extension is included with ArcGIS for Server Standard and Advanced licenses- Support for SAML 2.0 authentication
- Management of group membership based on an enterprise identity store
- Custom roles to better control privileges of users
- Activity Dashboard to understand metrics for your portal
- More streamlined approach to configuring a high-availability portal configuration
- As of 10.3.1- Query and view portal logs using Portal Directory for identifying errors, issues or troubleshooting.
![Page 33: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/33.jpg)
ArcGIS ServerSingle ArcGIS Server machine
Front-ending GIS Server with ReverseProxy or Web Adapter
Site AdministratorsConnect to Manager
GIS server, Data, Server directories, Configuration Store
Desktop, Web, and Mobile Clients
6080/6443
Site AdministratorsConnect to Manager
GIS server, Data, Server directories, Configuration Store
Desktop, Web, and Mobile Clients
6080/6443
80/443 Reverse Proxy Server
![Page 34: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/34.jpg)
ArcGIS ServerArcGIS Server HA - Sites independent of each other
Site AdministratorsConnect to Manager
80
6080 6080
80
Server directories, Configuration Store
(duplicated between sites)
Site AdministratorsConnect to Manager
ArcGIS Server site ArcGIS Server site
Web Adaptors(optional)
Network Load Balancer (NLB)
Desktop, Web, and Mobile Clients
• Active-active configuration is shown- Active-passive is also an option
• Separate configuration stores and management- Scripts can be used to synchronize
• Cached map service for better performance
• Load balancer to distribute load
![Page 35: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/35.jpg)
ArcGIS ServerArcGIS Server HA – Shared configuration store
80
6080 6080
80
Site AdministratorsConnect to Manager
Web Adaptors
Network Load Balancer (NLB)
Desktop, Web, and Mobile Clients
GIS servers
Data server, Data (enterprise geodatabase), Server directories, Configuration Store
•Shared configuration store
•Web Adaptor will correct if server fails
•Config change could affect whole site- Example: publishing a service
•Test configuration changes
![Page 36: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/36.jpg)
ArcGIS ServerArcGIS Server HA – Clusters of Dedicated Services
80
6080 6080
80
Site AdministratorsConnect to Manager
Web Adaptors(optional)
Network Load Balancer (NLB)
Desktop, Web, and Mobile Clients
6080
Cluster A
Data server, Data (enterprise geodatabase), Server directories, Configuration Store
GIS servers
Cluster B
•Shared configuration store
•Server clusters- Perform same set of functions
•Example- Cluster A handles geoprocessing
services
- Cluster B handles less intensive services
![Page 37: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/37.jpg)
Public IaaS
Enterprise deploymentReal Permutations
DatabaseFile
Geodatabase
FilteredContent
FieldWorker
EnterpriseBusiness
InternalPortal
InternalAGS
ExternalAGS
Business Partner 1
Business Partner 2
Public
ArcGIS Online
Private IaaS
![Page 38: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/38.jpg)
DMZ
WAF, SSL AccelLoad Balancer
ArcGIS Site
HA NAS
Config Store
Directories
ArcGIS for Server
FGDB
Web Adaptor Round-Robin
ArcGIS for Server
GIS Services
GIS ServicesServer Request
Load Balancing
Port: 6080Port: 6080
GIS Server A GIS Server B
443
Clustered
HA DB1 HA DB2
Supporting Infrastructure
AD/ LDAP
IIS/Java Web Server
Port: 443
Auth Web Server
SQL
ADFS / SAML 2.0
ADFS Proxy
IIS/Java Web Server
Web Apps
WebAdaptor
Web Apps
IIS/Java Web Server
Network Load Balancing
Port: 80
WebAdaptor
Port: 80
Web Server A Web Server B
WebAdaptor
Web Apps
IIS/Java Web Server
Port: 80
Public Web Server
ArcGIS for ServerGIS
Services
Port: 6080
GIS Server B
Internet
ArcGIS ServerEnterprise Deployment
![Page 39: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/39.jpg)
ArcGIS ServerImplementation Guidance
• Don’t expose Server Manager or Admin interfaces to public
• Disable Services Directory
• Disable Service Query Operation (as feasible)
• Limit utilization of commercial databases under website- File GeoDatabase can be a useful intermediary
• Require authentication to services
• Deploy ArcGIS Server(s) to DMZ if external users require access- One-way replication from enterprise database
• Restrict cross-domain requests- Implement a whitelist of trusted domains for
communications
Attack surface over time
Att
ack
surf
ace
Time
![Page 40: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/40.jpg)
Esri UC 2014 | Technical Workshop |
MobileMatt Lorrain
![Page 41: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/41.jpg)
MobileWhat are the mobile concerns?
*OWASP Top Ten Mobile: https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
![Page 42: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/42.jpg)
MobileSecurity Touch Points
Communication
Device access
Storage
Project access
Data access
Server authentication
SDE permissions
Service authorization
![Page 43: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/43.jpg)
MobileChallenges
• Users are beyond corporate firewall- To VPN or not to VPN?
• Authentication/Authorization challenges
• Disconnected editing
• Management of mobile devices- Enterprise Mobility Management is the answer!
- Mobile Device Management
- Mobile Application Management
- Security Gateways
- Examples: MobileIron, MaaS360, Airwatch, and many more…
![Page 44: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/44.jpg)
MobilePotential Access Patterns
DMZ
Web AdaptorIIS
NASShared config storeSQL Server
Portal
ArcGIS Server
Enterprise AD
AD FS 2.0
ArcGIS Desktop
VPN
Security Gateway
External facing GIS
ArcGIS
![Page 45: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/45.jpg)
MobileImplementation Guidance
• Encrypt data-in-transit (HTTPS) via TLS
• Encrypt data-at-rest
• Segmentation- Use ArcGIS Online, Cloud, or DMZ systems to disseminate public-level data
• Perform Authentication/Authorization
• Use an Enterprise Mobility Management (EMM) solution- Secure e-mail
- Enforce encryption
- App distribution
- Remote wipe
- Control 3rd party apps & jailbreak detection
![Page 46: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/46.jpg)
Esri UC 2014 | Technical Workshop |
CloudMatt Lorrain
![Page 47: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/47.jpg)
CloudService Models
• Non-Cloud- Traditional systems infrastructure deployment- Portal for ArcGIS & ArcGIS Server
• IaaS- Portal for ArcGIS & ArcGIS Server- Some Citrix / Desktop
• SaaS- ArcGIS Online- Business Analyst Online
Dec
reas
ing
Cu
sto
mer
Res
po
nsi
bil
ity
Dec
reas
ing
Cu
sto
mer
Res
po
nsi
bil
ity
Customer ResponsibleEnd to End
Customer ResponsibleFor Application Settings
![Page 48: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/48.jpg)
CloudDeployment Models
Cloud On-premise
IntranetIntranetIntranetIntranet
PortalPortalServerServer
On- Premises
IntranetIntranetIntranetIntranet
PortalPortalServerServer
Read-only
Basemaps
On-Premises +
IntranetIntranetIntranetIntranet
ServerServer
OnlineOnline
Hybrid 1Public
IntranetIntranetIntranetIntranet
OnlineOnline
IntranetIntranetIntranetIntranet
OnlineOnline ServerServerServerServerServerServer
Hybrid 2
![Page 49: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/49.jpg)
CloudManagement Models
• Self-Managed- Your responsibility for managing IaaS deployment
security- Security measures discussed later
• Provider Managed- Esri Managed Services (Standard Offering)- New Esri Managed Cloud Services (EMCS) Advanced Plus
- FedRAMP Moderate environment
![Page 50: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/50.jpg)
CloudIaaS – Amazon Web Services
• 8 Security Areas to Address- Virtual Private Cloud (VPC)
- Identity & Access Management (IAM)
- Administrator gateway instance(s) (Bastion)
- Reduce attack surface (Hardening)
- Security Information Event Management (SIEM)
- Patch management (SCCM)
- Centralized authentication/authorization
- Web application firewall (WAF)
![Page 51: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/51.jpg)
CloudEMCS Advanced Plus Offering
ArcGIS Online front-end (Low)Managed Services back-end (Mod)
Centralized Authentication (2-factor)
Key Management
Network Address Translation
Virtual Private Cloud (Segmentation)
Redundancy (multiple data centers)
IDS/SIEM/WAF
Logging
Customer Databases
Customer Instances
ArcGIS for Server
Portal for ArcGIS
Security Infrastructure
ArcGIS Online
End Users
Esri Cloud GIS Administrator
![Page 52: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/52.jpg)
CloudHybrid deployment combinations
On-Premises
Users
AppsAnonymous
Access
Esri Managed Cloud Services
• Ready in days
• All ArcGIS capabilities at your disposal in the cloud
• Dedicated services
• FedRAMP Moderate
• Ready in months/years• Behind your firewall• You manage & certify
• Ready in minutes• Centralized geo discovery• Segment anonymous
access from your systems• FISMA Low
ArcGIS Online
. . . All models can be combined or separate
![Page 53: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/53.jpg)
ArcGIS Online
CloudHybrid
AGOLOrg
Group“TeamGreen”
Group“TeamGreen”
Hosted Services,Content
Public DatasetStorage
On-PremisesArcGIS Server
User RepositoryAD / LDAP
2. Enterprise Login(SAML 2.0)
1. Register Services
Users
3. Request to View 4. Access Service
ArcGIS OrgAccounts
External Accounts
Segment sensitive data internally and public data in cloud
![Page 54: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/54.jpg)
CloudHybrid – Data sources
• Where are internal and cloud datasets combined?- At the browser - The browser makes separate requests for information to multiple
sources and does a “mash-up”- Token security with SSL or even a VPN connection could be used
between the device browser and on-premises system
On-Premises Operational Layer Service
Cloud Basemap ServiceArcGIS Online
Browser Combines Layers
http://services.arcgisonline.com...https://YourServer.com/arcgis/rest...
![Page 55: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/55.jpg)
CloudArcGIS Online – Implementation Guidance
• Require HTTPS
• Do not allow anonymous access
• Allow only standard SQL queries
• Restrict members for sharing outside of organization (as feasible)
• Use enterprise logins with SAML 2.0 with existing Identity Provider (IdP)- If unable, use a strong password policy (configurable) in ArcGIS Online- Enable multi-factor authentication for users
• Use multifactor for admin accounts
• Use a least-privilege model for roles and permissions- Custom roles
![Page 56: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/56.jpg)
Esri UC 2014 | Technical Workshop |
Compliance
![Page 57: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/57.jpg)
ComplianceArcGIS Platform Security
• Esri Corporate
• Cloud Infrastructure Providers
• Products and Services
• Solution Guidance
![Page 58: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/58.jpg)
ComplianceExtensive security compliance history
Esri has actively participated in hosting and advancing secure compliant solutions for over a decade
2010 2011 2012 2013 2014
FedRAMP Announced
ArcGIS Online FISMA Authorization
OMB FedRAMP Mandate
First FedRAMP Authorization
2012 2013 2014 2015 2016
EMCS FedRAMP Compliant
Esri Hosts FederalCloud Computing Security Workshop
PlannedArcGIS OnlineFedRAMPAuthorization
Esri Participates in First Cloud Computing Forum
2002…
2005…
FISMA Law Established
Esri GOS2 FISMAAuthorization
![Page 59: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/59.jpg)
Compliance
• ISO 27001- Esri’s Corporate Security Charter
• Privacy Assurance- US EU/Swiss SafeHarbor self-certified
- TRUSTed cloud certified
Esri Corporate
![Page 60: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/60.jpg)
Compliance
• ArcGIS Online Utilizes World-Class Cloud Infrastructure Providers- Microsoft Azure
- Amazon Web Services
Cloud Infrastructure Security Compliance
Cloud Infrastructure Providers
![Page 61: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/61.jpg)
ComplianceProducts and Services
• ArcGIS Online- FISMA Low Authority to Operate by USDA (Jun 2014)
- FedRAMP - Upcoming
• Esri Managed Cloud Services (EMCS)- FedRAMP Moderate (Jan 2015)
• ArcGIS Server- DISA STIG – (Expected 2015)
• ArcGIS Desktop- FDCC (versions 9.3-10)
- USGCB (versions 10.1+)
- ArcGIS Pro (Expected 2015)
![Page 62: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/62.jpg)
ComplianceSolution Level
• Geospatial Deployment Patterns to meet stringent security standards- Hybrid deployments
- On-premise deployments
• Supplemented with 3rd party security components- Enterprise Identity management integration - CA SiteMinder (Complete)
- Geospatial security constraints – ConTerra (Started)
- Mobile security gateway integration – (Upcoming)
• Upcoming best practice security compliance alignment guidance- CJIS – Law Enforcement (Started)
- STIGs – Defense (Started)
- HIPAA – Healthcare (Future)
![Page 63: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/63.jpg)
ComplianceArcGIS Online Assurance Layers
Web Server & DB software
Operating system
Instance Security
Management
Hypervisor
ArcGISManagement
Cloud Providers
Physical
Web App Consumption
Customer
Esri
Cloud ProviderISO 27001 SSAE16FedRAMP Mod
AGOL SaaSFISMA Low(USDA)SafeHarbor(TRUSTe)
![Page 64: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/64.jpg)
ComplianceDeployment Model Responsibility
![Page 65: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/65.jpg)
ComplianceCloud Roadmap
ArcGIS OnlineFISMA
Low
Managed Services (EMCS)
FedRAMPMod
ArcGIS OnlineFedRAMP
2014
2015Upcoming
![Page 66: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/66.jpg)
Esri UC 2014 | Technical Workshop |
Summary
![Page 67: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/67.jpg)
Summary
• Security demands are rapidly evolving- Prioritize efforts accord to your industry and needs- Don’t just add components, simplified Defense In Depth approach
• Secure Best Practice Guidance is Available- Check out the ArcGIS Trust Site!- Security Architecture Workshop
![Page 68: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/68.jpg)
• Please fill out the session survey in your mobile app
• In the agenda, click on the title of this session- Enterprise GIS: Security Strategy
• Click “Technical Workshop Survey”
• Answer a few short questions and enter any comments
Thank you…
![Page 69: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/69.jpg)
Want to Learn More?
• ArcGIS Online: A Security, Privacy, and Compliance Overview- Wed 10:15am Room 17B
• ArcGIS Server & Portal for ArcGIS: An Introduction to Security- Tues 3:15pm Room 4, Thurs 1:30pm Room 4
• ArcGIS Server: Advanced Security- Wed 3:!5pm Room 3, Thurs Room 4
• Best Practices in Setting up Secured Services in ArcGIS for Server- Tues 5:30pm Demo Theater 14
• Building Security into your System- Tues 4:30pm Implementation Center
• Oauth 2 and Authentication in ArcGIS Online Demystified- Tues 2:30pm Demo Theater 11
• Using Enterprise Logins for Portal in ArcGIS via SAML- Tues 5:30pm, Wed 2:30pm Demo Theater 7
Esri Security Standards & Architecture [email protected]
![Page 70: Enterprise GIS: Security Strategy Michael E. Young Chief Product Security Officer Matt Lorrain Security Architect.](https://reader036.fdocuments.us/reader036/viewer/2022062804/56649e605503460f94b5a808/html5/thumbnails/70.jpg)