Designing an Enterprise GIS Security Strategy
Presentation transcript · 2011-03-28
Michael E. Young, CISSP
Agenda
• Introduction
• Esri’s Security Strategy
• Federal Security Metric Tools
• Enterprise-Wide Security Mechanisms
• Product Security
• Cloud Computing Security
• Esri Security Compliance
• Summary and Next Steps
Introduction
- Michael E. Young
- Esri Senior Enterprise Security Architect
- FISMA C&A Application Security Officer
- Certified Information Systems Security Professional (CISSP)
Application Security Risks Diagram – OWASP 2010
Introduction: What is a secure GIS?
• Integration with other enterprise components?
  - Directory Services / LDAP / MS Active Directory
• Meeting security standards requirements?
• Security Certifications & Accreditations?
  - FDCC / FISMA / DIACAP
• User Application Interfaces?
  - ADF, MS Silverlight, Adobe Flex, JavaScript, Rich Clients
• Application built-in vs. separate security products?
  - ArcGIS Token Service / 3rd Party Single Sign-On products
So far, nobody has found a silver bullet for security
Introduction: Designing an Enterprise GIS Security Strategy
• Identify your Security Needs
  - Assess your environment
  - Datasets, systems
  - Sensitivity, categorization
• Understand Security Options
  - Enterprise GIS Resource Center
  - Enterprise-wide security mechanisms
  - Application-specific options
  - Utilize patterns
• Implement Security as a Business Enabler
  - Improve appropriate availability of information
Introduction: Designing an Enterprise GIS Security Strategy
Security Risk Management Process Diagram - Microsoft
Esri’s Security Strategy
Esri’s Security Strategy: Trends
Trend diagram: the IT trend runs from isolated systems toward integrated systems with discretionary access; in parallel, Esri products move from discrete products and services supplemented by 3rd party security toward an enterprise system with embedded and 3rd party security.
Esri’s Security Strategy
• Secure GIS Products
  - Incorporate security industry best practices
  - Trusted geospatial services across the globe
  - Meet both individual user needs and entire organizations
• Secure GIS Solution Guidance
  - Enterprise Resource Center website
  - Esri security patterns
Esri’s Security Strategy: Security Patterns
• Esri provides security implementation patterns
- Best practice security guidance
• Leverages National Institute of Standards and Technology (NIST)
• Patterns based on risk level
- Basic Security
- Standard Security
- Advanced Security
• Identify your risk level
- Formal process – NIST 800-60
- Informal process
To prioritize information security and privacy initiatives, organizations must assess their business needs and risks
Esri’s Security Strategy: Foundational Security Principles
• CIA Security Triad
• Defense in Depth
Esri’s Security Strategy: Defense in Depth
Defense in Depth diagram: Data and Assets at the center, wrapped by Technical Controls (Authentication, Authorization, Encryption, Filters, Logging), then Policy Controls, then Physical Controls.
Federal Security Metric Tools
Referenced report: The 2010 State of Cybersecurity from the Federal CISO’s Perspective
Federal Security Metric Tools: CAG - Consensus Audit Guidelines
• 20 prioritized IT security controls
  - Automation is key
  - Map to NIST 800-53
• Let us know if this is important to your Agency
US State Department demonstrated more than 80% reduction in "measured" security risk through the rigorous automation and measurement of the Top 20 Controls
Federal Security Metric Tools: SCAP – Security Content Automation Protocol
• Standard to communicate vulnerability information
  - Automate compliance, manage vulnerabilities, perform security measurements
  - Evaluate policy compliance for standards
Used by Esri as part of the FDCC self-certification
Federal Security Metric Tools: NIST 800-53 / FISMA
• FISMA C&A utilizes NIST 800-53 security controls
• Esri security patterns are based on these controls
Enterprise-Wide Security Mechanisms
Enterprise-Wide Security Mechanisms: Overview
Enterprise-Wide Security Mechanisms: Authentication
• Three ArcGIS authentication schemes
  - Web traffic via HTTP: 1. Web Services, 2. Web Applications
  - Intranet traffic via DCOM: 3. Local Connections
Enterprise-Wide Security Mechanisms: Authentication – User and Role Storage Options
• Java options
  - Default – Apache Derby
  - External database
  - LDAP
  - MS Active Directory
• .NET options
  - Default – Windows users and groups
  - MS SQL Server Express
  - Custom provider
  - Instructions for Active Directory and Oracle providers available
Diagram: Users (John, Cindy, Jim) -> Roles (Limited, Admin) -> Regions
Enterprise-Wide Security Mechanisms: Authorization – Role Based Access Control
• Esri COTS
  - Assign access with ArcGIS Manager
  - Service-level authorization across web interfaces
  - Services grouped in folders, utilizing inheritance
• 3rd Party
  - RDBMS – row level or feature class level
  - Versioning with row-level security degrades RDBMS performance; alternative: SDE views
• Custom
  - Limit GUI
  - Rich clients via ArcObjects
  - Web applications
  - Sample code links in the ERC
  - Microsoft’s AzMan tool
Enterprise-Wide Security Mechanisms: Filters – 3rd Party Options
• Firewalls
• Reverse Proxy
  - MS free reverse proxy for IIS 7 (Windows 2008)
• Web Application Firewall
  - Open source option: ModSecurity
• Anti-Virus Software
• Intrusion Detection / Prevention Systems
• Limit the applications able to access the geodatabase
Enterprise-Wide Security Mechanisms: Filters – Firewall Friendly Scenario
• Web Application Firewall in the DMZ
• File Geodatabase in the DMZ
• One-way replication via HTTP(S)
• Deployed to each web server for performance
• Internet users access a subset of the Geodatabase
Diagram: the Intranet tier (Database, GIS, Web; Author & Publish; SQL, DCOM and HTTP between them) replicates one-way over HTTP into the DMZ tier (File Geodatabase, GIS, Web, WAF; Use), which serves Internet users over HTTP.
Enterprise-Wide Security Mechanisms: Filters
• Why no reverse proxy in the DMZ?
  - One-off component / no management, minimal filtering
• Multi-function web service gateways
  - Store SSL certificates / SSL acceleration
  - URL rewrite
  - Web Application Firewall
Diagram: External | DMZ | Internal
Enterprise-Wide Security Mechanisms: Encryption – 3rd Party Options
• Network
  - IPSec (VPN, internal systems)
  - SSL (internal and external systems)
• File based
  - Operating system – BitLocker
  - Geospatially enabled PDFs combined with certificates
  - Hardware (disk)
• RDBMS
  - Transparent Data Encryption
  - Low-cost portable solution – SQL Express 2008 w/TDE (check edition support before relying on this: in SQL Server 2008, TDE is an Enterprise edition feature)
Enterprise-Wide Security Mechanisms: Logging/Auditing
• Esri COTS
  - Geodatabase history: may be utilized for tracking changes
  - ArcGIS Workflow Manager: track feature-based activities
  - ArcGIS Server 10 logging: new “user” tag allows tracking of user requests
• 3rd Party
  - Web server, RDBMS, OS, firewall
  - Consolidate with a SIEM
86% of victims had evidence of the breach in their logs, yet 61% of the breaches were discovered by a third party
*Verizon’s 2010 Data Breach Investigations Report
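The slide's point is that the evidence is usually already in the logs; what is missing is consolidation and a query over it. The block below is an added example, not Esri code or the ArcGIS Server logger: it normalizes two constructed log samples (ArcGIS Server 10 style XML messages carrying the "user" attribute, with the other attribute names assumed, and IIS W3C extended lines) into one event shape and runs two sample rules over them, the kind of thing a SIEM does once the sources are consolidated. The service names, users and IP addresses are made up.

```python
"""Consolidating ArcGIS Server and web server logs and querying them.

Added example, not Esri code. The two log samples are constructed: the
ArcGIS lines follow the shape of ArcGIS Server 10 XML log messages with the
"user" attribute the slide mentions (the other attribute names are an
assumption here); the IIS lines use the W3C extended format. Both are
normalized to one Event shape so a single rule set can run over them.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Event:
    source: str    # "arcgis" or "iis"
    time: str      # ISO-like timestamp, sortable as a string
    user: str      # "" for anonymous
    resource: str  # normalized as Folder/Service.ServerType
    status: str    # ArcGIS message type or HTTP status code


# Constructed ArcGIS Server 10 style log messages (attribute names assumed).
SAMPLE_ARCGIS = [
    '<Msg time="2011-03-28T09:12:04" type="INFO" target="Public/Roads.MapServer" user="">Request handled</Msg>',
    '<Msg time="2011-03-28T09:12:31" type="WARNING" target="Internal/HR.MapServer" user="">Request handled</Msg>',
    '<Msg time="2011-03-28T09:13:02" type="INFO" target="Internal/HR.MapServer" user="cindy">Request handled</Msg>',
    '<Msg time="2011-03-28T09:14:10" type="INFO" target="Internal/HR.MapServer" user="jim">Request handled</Msg>',
    '<Msg time="2011-03-28T09:14:11" type="INFO" target="Internal/Payroll.MapServer" user="jim">Request handled</Msg>',
]
# Constructed IIS W3C extended log lines from the same web server.
SAMPLE_IIS = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-username sc-status",
    "2011-03-28 09:14:12 203.0.113.7 GET /arcgis/rest/services/Internal/Assets/MapServer jim 200",
    "2011-03-28 09:15:40 198.51.100.9 GET /arcgis/rest/services/Public/Roads/MapServer - 200",
]

_MSG = re.compile(r'<Msg\s+(?P<attrs>[^>]*)>')
_ATTR = re.compile(r'(\w+)="([^"]*)"')
_REST = re.compile(r'^/arcgis/rest/services/(?P<svc>.+)/(?P<type>\w+Server)\b')


def parse_arcgis(line: str) -> Optional[Event]:
    m = _MSG.search(line)
    if not m:
        return None
    a = dict(_ATTR.findall(m.group("attrs")))
    return Event("arcgis", a.get("time", ""), a.get("user", ""), a.get("target", ""), a.get("type", ""))


def parse_iis(line: str) -> Optional[Event]:
    if line.startswith("#"):  # W3C header/comment lines carry no event
        return None
    fields = line.split()
    if len(fields) < 7:
        return None
    date, clock, _ip, _method, uri, user, status = fields[:7]
    m = _REST.match(uri)
    # Map the REST URL onto the same Folder/Service.Type name the ArcGIS log uses.
    resource = f"{m.group('svc')}.{m.group('type')}" if m else uri
    return Event("iis", f"{date}T{clock}", "" if user == "-" else user, resource, status)


def detect(events: List[Event], restricted_prefixes) -> List[tuple]:
    """Two sample rules over the consolidated, normalized events."""
    def restricted(r: str) -> bool:
        return any(r.startswith(p) for p in restricted_prefixes)

    alerts = []
    # Rule 1: an anonymous request reaching a service that should require a role.
    for e in events:
        if e.user == "" and restricted(e.resource):
            alerts.append(("anonymous_restricted", e.source, e.time, e.resource))
    # Rule 2: one account touching many distinct restricted services (enumeration);
    # only visible because both sources were mapped to the same resource names.
    touched = defaultdict(set)
    for e in events:
        if e.user and restricted(e.resource):
            touched[e.user].add(e.resource)
    for user, resources in sorted(touched.items()):
        if len(resources) >= 3:
            alerts.append(("service_enumeration", user, len(resources)))
    return alerts


def analyze(arcgis_lines, iis_lines, restricted_prefixes=("Internal/",)) -> List[tuple]:
    events = [e for e in map(parse_arcgis, arcgis_lines) if e]
    events += [e for e in map(parse_iis, iis_lines) if e]
    events.sort(key=lambda e: e.time)
    return detect(events, restricted_prefixes)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_ARCGIS, SAMPLE_IIS):
        print(alert)
```

On the constructed sample the run produces two alerts: the anonymous request to Internal/HR.MapServer, and user jim touching three distinct Internal services once the IIS entry for Internal/Assets is merged with the ArcGIS entries. Neither is visible from either log alone, which is the argument for consolidating into a SIEM.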
Product Security
• Rich Client
• Mobile
• ArcGIS Server
• Cloud Services
Rich Client Security: Desktop, Explorer
Rich Client Security: ArcGIS Desktop
• Client typically with the most access to sensitive data
• Variety of system connections
  - Direct Connect – RDBMS
  - Application Connect – SDE
  - HTTP service – GeoData Service
  - Integration with Token Service
  - Windows native authentication
  - SSL and IPSec utilization
• ArcObjects development options
  - Record user-initiated GIS transactions
  - Fine-grained access control: Edit, Copy, Cut, Paste and Print
Rich Client Security: ArcGIS Explorer Communication
• Explorers for different users or topics
• Focused data and functions in one place
• You manage and customize
Diagram: centrally managed configurations at your main office (Sales Explorer, Marketing Explorer) and your customers’ Explorer, reading from G:\SalesData, \\MKT\data and http://www.MyStores.com/home.
Mobile Phone Security: ArcPad, ArcGIS Mobile
Mobile Phone Security
• More
  - Platforms: ArcPad, ArcGIS Mobile, iPhone, Android, Windows
  - Functionality/Storage
  - User base
• Leads to
  - Increased hacker attention
Mobile Phone Security: ArcPad
• AXF data file
  - Password protect and encrypt
• Memory cards
  - Encrypt
• ArcGIS Server users and groups
  - Limit publishers
• Internet connection
  - Secure ArcPad sync traffic
Mobile Phone Security: ArcGIS Mobile Security Touch Points
Diagram of touch points: Communication; Service authorization; Device access; Project access; Data access; Server authentication; SDE permissions; Storage.
Mobile Phone Security: ArcGIS Mobile
• GeoData Service
  - HTTPS (SSL) or VPN tunnel
• Web Service
  - Credentials
  - Filter by OS / IP / unique device identifier
  - Token Service
• Encrypt data at rest
  - Windows Mobile Crypto API
  - 3rd party tools for the entire storage system
ArcGIS Server Security
ArcGIS Server Security: Pop Quiz – Defaults
• Is communication across the wire secure by default?
  - No
  - Communication between ArcGIS Server and all clients is clear-text by default
  - Secure web communication with an SSL certificate
  - Secure internal DCOM communication with IPSec
ArcGIS Server Security: Pop Quiz – Filters
• Is a reverse proxy required for secure Internet-facing deployments?
  - No
  - Some customers implement one to eliminate DCOM traffic across firewalls
  - Used with a Web Application Firewall, it improves the security posture
ArcGIS Server Security: Pop Quiz – Guidance
• Is there security hardening guidance?
  - Yes
  - Check out the ERC Implementation Gallery
  - Next update expected Q1 2011 – Version 10, Windows Server 2008
ArcGIS Server Security: Pop Quiz – Configuration
• Should the Everyone group be assigned to the root in ArcGIS Manager?
  - Depends
  - Everyone will have access to your services by default
  - OK for Basic security risk environments
  - NOT recommended for any Standard or Advanced security
  - Deny by default is used in higher-risk environments
ArcGIS Server Security: Security Model
ArcGIS Server Security: User Local Access to SOM
• Windows
  - Access managed by the operating system of the SOM machine
• Solaris and Linux
  - Users managed by ArcGIS Server Manager
• Add users to the appropriate group
  - Simplistic access levels (None, Read, Full)
agsusers: View and access services
agsadmin: Add, delete, or modify services; start, stop, or pause services; add, remove, or modify server directories; create web mapping applications; add or remove SOC machines; view statistical information
ArcGIS Server Security: Server Data Access
• Share folders that contain GIS resources
  - Grant the SOC account Read and/or Write permission on the folder
• Add the SOC account as a user of your database
  - Grant the SOC account Read and/or Write permission on each geodatabase
ArcGIS Server Security: Management User Interface Access
• ArcGIS Services Directory
  - Available as part of the ArcGIS Server installation
  - Typically not exposed to the public for Standard security needs
• REST API Admin
  - Manages access to the local ArcGIS Services Directory
  - Maintains the REST cache
  - Requires membership in the agsadmin group
  - Recommend configuring no public access
• ArcGIS Manager
  - Recommend configuring no public access
Diagram: ArcGIS Server with local security on the Intranet side and web security on the Internet side (http://...); labels: Web editing, Service capabilities.
ArcGIS Server Security: GIS resource access
ArcGIS Server Security: Implementing Web Access Control
1. Define user/role store
2. Assign users to roles
3. Assign roles to resources
4. Enable security
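The four steps above, together with the "Everyone at root" pop-quiz answer and the folder inheritance mentioned under Authorization, can be seen side by side in a small model. This is an added example, not Esri code or ArcGIS Manager's implementation: it assumes resources are named by path ("/" is the root folder, "/Internal/HR.MapServer" is a service in the Internal folder), that a resource with no explicit grant inherits the nearest ancestor folder's grant, and that the built-in "Everyone" role matches any caller including anonymous ones. The users, roles and service names are made up.

```python
"""Role-to-resource assignment with folder inheritance, deny by default.

Added example, not Esri code: a model of the four web access control steps
and of the "Everyone at root" configuration question. Assumptions: path-named
resources, inheritance from the nearest ancestor folder when a resource has
no explicit grant, and an "Everyone" role that matches anonymous callers.
"""
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

EVERYONE = "Everyone"


class WebAccessControl:
    def __init__(self, deny_by_default: bool = True) -> None:
        self._users: Dict[str, FrozenSet[str]] = {}   # step 1: user/role store (in-memory here)
        self._grants: Dict[str, FrozenSet[str]] = {}  # step 3: resource path -> roles allowed
        self.deny_by_default = deny_by_default

    def add_user(self, username: str, roles: Iterable[str]) -> None:       # step 2
        self._users[username] = frozenset(roles)

    def grant(self, resource: str, roles: Iterable[str]) -> None:           # step 3
        self._grants[resource] = frozenset(roles)

    def effective_grant(self, resource: str) -> Tuple[Optional[FrozenSet[str]], str]:
        """Walk from the resource up to root; return (roles, level) of the first explicit grant."""
        path = resource
        while True:
            if path in self._grants:
                return self._grants[path], path
            if path == "/":
                return None, "/"
            path = path.rsplit("/", 1)[0] or "/"

    def is_allowed(self, username: Optional[str], resource: str) -> bool:   # step 4
        roles, _ = self.effective_grant(resource)
        if roles is None:                      # nothing assigned anywhere on the path
            return not self.deny_by_default
        if EVERYONE in roles:                  # matches anonymous callers too
            return True
        if username is None:
            return False
        return not roles.isdisjoint(self._users.get(username, frozenset()))

    def anonymous_reachable(self, resources: Iterable[str]) -> List[str]:
        """Audit check: every resource an unauthenticated caller can reach."""
        return [r for r in resources if self.is_allowed(None, r)]


SERVICES = ["/Public/Roads.MapServer", "/Public/Parcels.MapServer",
            "/Internal/Assets.MapServer", "/Internal/HR.MapServer"]


def basic_config() -> WebAccessControl:
    """Everyone assigned at root: every service, present or future, is public."""
    acl = WebAccessControl(deny_by_default=True)
    acl.grant("/", [EVERYONE])
    return acl


def hardened_config() -> WebAccessControl:
    """Deny by default; explicit grants per folder, with a tighter override on HR."""
    acl = WebAccessControl(deny_by_default=True)
    acl.add_user("cindy", ["gis_editors"])
    acl.add_user("jim", ["hr_analysts"])
    acl.grant("/Public", [EVERYONE])
    acl.grant("/Internal", ["gis_editors"])
    acl.grant("/Internal/HR.MapServer", ["hr_analysts"])  # service-level grant overrides the folder
    return acl


if __name__ == "__main__":
    print("basic, anonymous can reach:", basic_config().anonymous_reachable(SERVICES))
    print("hardened, anonymous can reach:", hardened_config().anonymous_reachable(SERVICES))
```

The anonymous_reachable check is the one worth running after any change: under the basic configuration it returns every service, including one published later into a folder nobody has thought about, because the root grant is inherited all the way down.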
ArcGIS Server Security: Authenticating to services with a Token
• What is a token?
• Why do you need it?
  - Services don’t have a logon user interface
• How does it work?
  - ArcGIS Server Token Service
• Where do you get it?
  - Request a token from the Token Service
Diagram: a client with full logon access to the token service (e.g., ArcGIS Desktop, a custom application) submits user and password to the token server over https://... and receives a token.
ArcGIS Server Security: Web Service API Security Options
Diagram: the web server forwards SOAP/REST requests with a token to ArcGIS Server. Two options for the token: embed the token in the client, or bind the token in a proxy page hosted in a secured container.
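The two slides above describe the token flow (credentials once to the token service, then a token on every service request) and the two ways a web application can carry it. The block below is an added example, not Esri's token service: ArcGIS tokens are opaque strings, so it uses a made-up token format (JSON claims plus an HMAC-SHA256 tag) so that each check is visible. It assumes a server-side signing secret, a token lifetime, a constructed user store with PBKDF2 password verifiers, and that the token is bound to the requesting web application's referer so a token copied from one page cannot be replayed from another origin. The proxy page models the second option: it keeps the token on the server side and only forwards requests to an allow-list of hosts, which is the check that stops it being used as an open proxy.

```python
"""Token service flow and the proxy-page binding, end to end.

Added example, not Esri's token service. The token format is invented
(JSON claims + HMAC-SHA256 tag, base64url without padding) to make the
checks explicit. Assumptions: a server-side secret, a lifetime, a
constructed PBKDF2 user store, and a referer binding on every token.
"""
import base64
import binascii
import hashlib
import hmac
import json
import os
import time
from typing import Dict, Iterable, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

_TAG_LEN = 32  # bytes of HMAC-SHA256 appended to the claims


def make_user_store(passwords: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Constructed user store: username -> (salt, PBKDF2-SHA256 verifier)."""
    store = {}
    for user, pw in passwords.items():
        salt = os.urandom(16)
        store[user] = (salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000))
    return store


class TokenService:
    def __init__(self, secret: bytes, users: Dict[str, Tuple[bytes, bytes]], ttl: int = 3600):
        self._secret, self._users, self.ttl = secret, users, ttl

    def generate_token(self, username: str, password: str, referer: str, now: Optional[int] = None) -> str:
        """Verify the credentials once and hand back a short-lived, referer-bound token."""
        now = int(now if now is not None else time.time())
        entry = self._users.get(username)
        if entry is None:
            raise PermissionError("invalid credentials")
        salt, verifier = entry
        if not hmac.compare_digest(verifier, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)):
            raise PermissionError("invalid credentials")
        claims = json.dumps({"sub": username, "ref": referer, "exp": now + self.ttl},
                            separators=(",", ":")).encode()
        tag = hmac.new(self._secret, claims, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(claims + tag).decode().rstrip("=")

    def validate(self, token: str, referer: str, now: Optional[int] = None) -> str:
        """Every service request carries the token; return the user it names or raise."""
        now = int(now if now is not None else time.time())
        try:
            raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
        except (ValueError, binascii.Error):
            raise PermissionError("malformed token")
        claims, tag = raw[:-_TAG_LEN], raw[-_TAG_LEN:]
        if not hmac.compare_digest(tag, hmac.new(self._secret, claims, hashlib.sha256).digest()):
            raise PermissionError("bad signature")   # checked before anything in the claims is trusted
        data = json.loads(claims)
        if data["exp"] <= now:
            raise PermissionError("expired")
        if data["ref"] != referer:
            raise PermissionError("referer mismatch")
        return data["sub"]


class ProxyPage:
    """Option 2 from the slide: the browser calls the proxy, the proxy appends the token."""
    def __init__(self, allowed_hosts: Iterable[str], tokens_by_host: Dict[str, str]):
        self._allowed = set(allowed_hosts)
        self._tokens = tokens_by_host  # obtained by the proxy with its own credentials

    def rewrite(self, target_url: str) -> str:
        parts = urlsplit(target_url)
        if parts.scheme != "https" or parts.hostname not in self._allowed:
            raise PermissionError("target not allowed")  # allow-list stops open-proxy abuse
        query = parse_qs(parts.query, keep_blank_values=True)
        query["token"] = [self._tokens[parts.hostname]]
        return parts._replace(query=urlencode(query, doseq=True)).geturl()
```

With the proxy in front, the browser never holds the token, so a script on the page (or anyone reading its source) cannot lift it; the cost is that the proxy must be locked to the hosts it is meant to front, or it becomes a token-attaching forwarder for any URL a caller supplies.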
ArcGIS Server Security: Flowing web user identity down to the database
• Integrated Security Model (ISM)
• Flow the web user identity to the database via a proxy user
  - Logging – non-repudiation across all architecture tiers for high-risk security environments
  - Row-level security – database-driven security model for high-risk security environments
• Current status
  - Customer scenarios collected
  - Simple configuration performance validation completed: 10–20% performance overhead
  - More complex scenarios to be validated next
  - Basic documentation online for Java ArcGIS Server
ArcGIS Server Security: ISM Initial Validation Configuration
- Web server: MS IIS
- Application server: Java ArcGIS Server 10, LDAP (Derby) users & groups security provider
- Oracle database: proxy user sessions, table-level access
ArcGIS Server Security: Row Level Security With ISM
• Virtual Private Database (VPD)
  - Transparently modifies requests
  - Presents a partial table view
• Oracle Label Security (OLS)
  - Optional add-on
  - Provides an interface for row-level security
ArcGIS Server Security: Version 10 Security Enhancements
• AGS Manager
  - Searchable users/roles
  - Application-level user activity logging
• Database-level security option
  - Added to the REST API
  - Passes user context to the database
  - Control all data access at the data tier
• Web service interface security improvements
ArcGIS Server Security: Amazon
• ArcGIS Server for Amazon
  - Esri-built ArcGIS Server Amazon Machine Image (AMI)
  - Deploy to an Amazon Elastic Compute Cloud (EC2) instance
• Addressing security
  - Current AMI not hardened beyond Windows Server 2008 defaults
  - Typical firewall entries for cloud implementations:
    - ArcGIS Server: port 80/443 for IIS, and Remote Desktop
    - Enterprise GeoDB AMI: port 5151
Biggest Cloud Computing Concern is Security and Privacy…
Cloud Computing Security
• Is cloud computing safe?
  - Classic answer: it depends…
• Security benefits
  - Virtualization / automation: expedite secure configurations with images
  - Broad network access: reduce removable media needs
  - Segmentation: public data -> cloud, sensitive data -> internal
  - Potential economies of scale: lower-cost backup copies of data
  - Self-service technologies: apply security controls on demand
Cloud Computing Security: 2010 Cloud Computing Risks
Cloud Computing Security: Risks
• Vendor practice dependence
  - Potential sub-standard security controls
  - Loss of governance over data
• Vendor lock-in
  - Services termination data loss
  - Portability
  - Lost internal capabilities to support
• Sharing resources (multi-tenancy)
  - Access to others’ data
  - Unclear security responsibilities
  - Increased data transmitted = increased disclosure risk
• Deployment model threat exposure levels
  - Private = lowest, Community = more, Public = highest
Cloud Computing Security: Which cloud service model?
• System admin access (IaaS)
  - ArcGIS Server on Amazon EC2
  - Federal Terremark Cloud
  - Private cloud
• Developer access (PaaS)
  - Esri Web Mapping APIs (JavaScript, Flex, Silverlight)
  - Microsoft Azure ArcGIS applications
• End user solutions (SaaS)
  - ArcGIS.com
  - Business Analyst Online
  - ArcGIS Explorer Online
Cloud Computing Security: Which cloud deployment model?
• Cloud deployment location
  - Public (e.g. Amazon)
  - Private (e.g. internal corporate)
• Primary driver -> security
• Agencies segmenting datasets to mitigate cloud risks
  - Public clouds for public datasets
  - Private clouds for sensitive datasets
• June 2010 IDC IT Executive Survey – preference for using a private versus a public cloud
  - 55% – a private cloud was more appealing than a public cloud
  - 22% – equally appealing
Organizations from the midmarket up will have a mix of public & private
Cloud Computing Security: What are your security needs?
• Assess your security needs
  - Data sensitivity: public domain, sensitive, classified
  - User types: public, internal
  - Categorize security needs: basic, standard, advanced
• Most public cloud implementations are basic
  - Security similar to social networking sites (Facebook)
  - Most GIS users have only basic security needs
Cloud Computing Security: Best practices
• Similar to internal ops
  - Break up tiers
  - Protect in transit
  - Protect at rest
  - Credential management
  - Built-in OS firewalls
  - AGS application security
Cloud Computing Security: ArcGIS Server on Amazon EC2
• Default
  - Web and app tiers combined
• Scaling out
  - Elastic Load Balancing
  - What about supporting infrastructure?
Diagrams: Default Deployment; Scaling Out
Cloud Computing Security: ArcGIS Server on Amazon EC2
• Minimize your administrative attack surface
Cloud Computing Security: Amazon EC2 Security
• Secured physical facilities
• Logically secured EC2 instances
• Configurable firewall to control ingress access
• Standard ArcGIS Server security
• Optional multi-factor authentication
Cloud Computing Security: Cloud Directive
• White House urging Federal agencies to adopt
  - Clear focus on streamlining infrastructure management, improving service, and saving money
  - Security concerns continue to hold agencies back
• Cloud security status
  - Half of those who have implemented cloud apps DO NOT KNOW if they have experienced a breach
• Are government cloud information security standards available?
  - Requested by 91% of agencies
Statistics from the 2010 Symantec Break in the Cloud Report
Cloud Computing Security: FedRAMP
• Work-in-progress standard
• Cross-agency cloud security C&A process
  - Initial standard for Low and Moderate security
• Esri actively engaged in working groups & commenting period
• Esri actively identifying interested agencies
  - FedRAMP initially focused on large user base systems or systems used by multiple Federal agencies
Esri Security Compliance
Esri Security Compliance: Security Patterns
• Esri security implementation patterns
  - Leverage NIST 800-53 security controls
  - Based on the same standards as the FISMA C&A process
  - Not provided as full certification compliance representations
• As validated, patterns are released in the Enterprise GIS Resource Center
Esri Security Compliance: Desktop Software
• FDCC (Federal Desktop Core Configuration) certified
  - Esri fully supports and tests product compatibility since 9.2
  - Starting with Windows 7 the name is changing to USGCB (United States Government Configuration Baseline)
• PKI (Public Key Infrastructure) with CAC or PIV
  - Common customer deployment
Esri Security Compliance: ArcGIS Server
• Configurable for FIPS 140-2 encryption requirements
  - ArcGIS Server .NET requires a workaround procedure
• Security hardening guidelines available
  - Whitepaper update in a couple of months
  - Windows Server 2008 and ArcGIS 10
  - Based on in-the-field lessons learned and a test environment
Esri Security Compliance: Hosting Services
• 2010 SAS 70 Type I audit of ArcGIS.com
• FISMA certification and accreditation
  - Esri hosts low-risk category environments
  - Each solution currently requires a separate certification
• FedRAMP standard for cloud deployments
  - Actively reviewing; feedback is due this week
  - Let us know if you are interested
Esri Security Compliance: Summary
• Esri provides security due diligence with our solutions, but is not a security software company
• Utilize 3rd party security software for high-level IA functions
• Many successful Esri high-risk security deployments
  - International – ISO 17799/2700X, BS 7799, Common Criteria (CC)
  - Federal – FISMA (NIST), DITSCAP/DIACAP
  - Industry – HIPAA, SOX, PCI
Esri is Fully Committed to Federal Security Requirements
Summary and Next Steps
Summary
• Security is NOT just about a technology
  - Understand your organization’s GIS risk level
  - Utilize Defense-in-Depth
• Secure best practice guidance is available
  - Check out the Enterprise GIS Resource Center!
  - Drill into details by mechanism or application type
  - Professional Services Enterprise GIS Security Assessment
• Cloud computing for GIS has arrived
  - Security is evolving quickly
  - Security in the cloud is a shared responsibility
Next Steps: Supporting Secure Solutions
• Your feedback and insight today is essential
  - Current security issues
  - Upcoming security requirements
  - Feedback on the Integrated Security Model
  - Suggestions for the Enterprise Resource Center
  - Areas of concern not addressed today
Contact us at: Enterprise Security esinfo@esri.com; Michael Young myoung@esri.com
Session Evaluation Reminder
Session attendees: please turn in your session evaluations.
Thank you