Hosted by Esri
Official Distributor
Designing an Enterprise GIS Security Strategy
Andrew Sakowicz
Esri European User Conference October 15-17, 2012 | Oslo, Norway
Agenda
• Trends • Strategy • Mechanisms • ArcGIS Server • Mobile • Cloud
Trends
Trends Perception
• End-User Perception
  - I don’t ever hear about Virus issues in our company anymore
• Reality
  - Modern attacks are not as much about being visible
  - Layers of exploits deployed
  - Goal is to obtain your company’s most valuable information
Trends Events over the last months
• US loses $250 billion annually in IP theft
• $338 billion annually in financial theft
• Result of cyber espionage is the "greatest transfer of wealth in history."
Trends Mobile Security
• iPhone Twitter PII compromised
• Mobile device data not secure by default
Enterprise Mobile Security Solutions can help
Trends End of Browser Plug-ins?
• Migration away from Flash and Silverlight Plug-ins
• Security experts ready to unload plug-ins
• HTML5 limitations and inconsistencies across browsers slowing migration
Trends Reverse Proxies Need to Be Maintained
• Apache Reverse Proxy Exploit – Oct 2011
• Allows unauthenticated access to information that should be confidential
• Commonly overlooked component for updates
CVE-2011-3368
Update Your Reverse Proxy!
Strategy
Strategy
• Identify your Security Needs and Risks
  - Assess your environment
  - Datasets, Systems
  - Sensitivity, Categorization
• Understand Security Options
  - Enterprise-wide Security Mechanisms
  - Application Specific Options
  - Utilize patterns
• Implement Security as a Business Enabler
  - Improve appropriate availability of information
Strategy Enterprise GIS Security Strategy
Security Risk Management Process Diagram - Microsoft
Strategy Esri’s Security Strategy Evolution
[Diagram labels: Product; Enterprise Solution; Isolated Systems; 3rd Party Security; Integrated Systems; Embedded Security; Cloud; Managed Security]
Strategy Expanded Security Online Help and Papers
Strategy Security Implementation Patterns
• Risk based
• 3 categories / NIST alignment
• Selection process
  - Formal – NIST 800-60
  - Informal
To prioritize information security and privacy initiatives, organizations must assess their business needs and risks
Strategy Security Implementation Patterns
- Basic
  - No Sensitive data
  - Public/Non-Privacy related information
  - All architecture tiers can be deployed on one server
- Standard
  - Moderate consequences with data loss or integrity
  - Architecture tiers are deployed to separate systems
  - Potential need for Federated Services
- Advanced
  - Sensitive data
  - All components redundant for high availability
  - 3rd party enterprise security components utilized
Strategy Security Principles - CIA
• Confidentiality - Preventing intentional or unintentional unauthorized disclosure
• Integrity - Prevent unauthorized data modifications
• Availability - Ensures reliable and timely access to data
Strategy Security Principles – Defense in Depth
[Diagram labels: Technical Controls; Policy Controls; Physical Controls; Data and Assets; Authentication; Authorization; Encryption; Filters; Logging]
Mechanisms
Mechanisms
Authentication ArcGIS Server 10.1
• ArcGIS Server authentication
  - Built-in users and roles (token authentication)
  - LDAP or Windows Domain
  - LDAP or Windows Domain and the built-in store
• Web server authentication
  - Any identity store for which the web server has built-in support
Authorization Role Based Access Control
• Esri COTS
  - Assign access with ArcGIS Manager
  - Geodatabase roles
• RDBMS – Row Level or Feature Class Level
  - Versioning with Row Level degrades RDBMS performance
  - Alternative - SDE Views
• Custom - Limit GUI
  - Rich Clients via ArcObjects
  - Web Applications
  - Sample code Links in ERC
  - Microsoft’s AzMan tool
Authorization Assign access with ArcGIS Manager
Filters ArcGIS Server
• Firewalls • Reverse proxy • Anti-Virus Software
Filters ArcGIS Server - Integrating an existing proxy
• To select your port, install the Web Adaptor on another web server
Filters Secure production geodatabase – 1 way replication
[Diagram labels: Editors; 1-Way Replication or unregister as versioned; Publication (Read only); Production (Versioned GDB); Viewers]
Filters Secure production geodatabase – 2 way replication
[Diagram labels: Editors; 2-Way Replication Geodata Service; External (Versioned GDB); Internal (Versioned GDB); Web editors; Viewers]
Mechanisms Encryption – 3rd Party Options
• Network
  - IPSec (VPN, Internal Systems)
  - SSL (Internal and External System)
  - Cloud Encryption Gateways
    - Only encrypted datasets sent to cloud
• File Based
  - Disk encryption – BitLocker
  - GeoSpatially enabled PDFs combined with Certificates
• RDBMS
  - Transparent Data Encryption
  - Low Cost Portable Solution - SQL Express 2008 w/TDE
Encryption ArcGIS Server 10.1 SSL
Mechanisms Logging/Auditing
• Esri COTS
  - Geodatabase history
    - May be utilized for tracking changes
  - ArcGIS Workflow Manager
    - Track Feature based activities
  - ArcGIS Server 10+ Logging
    - “User” tag tracks user requests
• 3rd Party
  - Web Server, RDBMS, OS, Firewall
  - Consolidate with a Security Information and Event Management (SIEM)
ArcGIS Server
ArcGIS Server 10.1
Primary Site Administrator Restrict file permissions
ArcGIS Server 10.1 Built-in store
[Diagram labels: GIS Tier; GIS Services; Data Tier; Internal Network; DMZ; Web; HTTPS; LAN; Service Authorization; HTTPS; GIS Servers; Built-in store; ArcGIS Server Site; Web Tier; Application Tier; Wizard builder; Identity manager; IIS; Web Adaptor; Enterprise Geodatabase]
ArcGIS Server 10.1 Web tier single-sign-on
[Diagram labels: GIS Tier; GIS Services; Data Tier; Internal Network; DMZ; Web; HTTPS; LAN; Service Authorization; HTTPS; GIS Servers; ArcGIS Server Site; Web Tier; Application Tier; Single sign-on; IIS; Web Adaptor; Enterprise Geodatabase; Shared key; Active Directory security store]
Mobile
Mobile Top 10 Mobile Issues
Source: OWASP
Issue - Solution Question
• Physical Loss - Device Security Options?
• Malicious App - What app stores allowed?
• Rooted Device - Encryption/Strength?
• Patches - How enforced?
• Insecurely Written App - How is code tested?
• Compromised Password - How secured/encrypted?
• Unprotected Transport - TLS/SSL Utilized?
• Weak Session Management - Tokens always passed?
• Unprotected Services - Hardening Guidance?
• Internal Resource Access - VPN Options?
Mobile Enterprise Mobile Security
• Built-in device capabilities
  - Can store features iOS5 encrypted with Flex 3.0 API
• Enterprise device solutions (InTune, AirWatch, Good, MaaS360)
  - Benefits: Secure email, browser, remote wipe, app distribution
• Application specific solutions
  - Benefits: Secure connections and offline device data
  - Esri iOS SDK + Security SDK
Cloud
Cloud deployment options
[Diagram labels: Internal site; VPN; Private Virtual Cloud; Esri Managed Services (ArcGIS Server, Geodatabase); ArcGIS Online (Portal for ArcGIS, Tile and Feature Services); Public users; External users; VPN; Internal Cloud]
Cloud Responsibility across cloud service models
• IaaS - ArcGIS Server for Amazon
• SaaS - ArcGIS Online
Compliance
• FDCC
  - Desktop products 9.3-10
• USGCB
  - Desktop products 10.1 – Almost completed
• SSAE 16 Type 1 – Previously SAS 70
  - Esri data center operations
  - Expanding to Managed Services for 2012
• FISMA
  - ArcGIS Online – In progress
Cloud IaaS – Common security issues
• Access to ports not limited
  - If you utilize the default image and open RDP to all IP addresses, expect to be compromised in as little as a day
• System patches not applied
  - There have been a number of significant RDP vulnerabilities
• Authentication weak
  - Multi-factor authentication recommended
  - Check out AWS Multi-Factor Authentication (AWS MFA)
• System not hardened
  - Turn off/uninstall components you don’t use
  - Utilize built-in capabilities such as Network Level Authentication (NLA) for RDP
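The first issue on this slide, RDP open to all IP addresses, can be checked mechanically. The following is an added example, not part of the original presentation: it scans security group rules in the JSON shape returned by `aws ec2 describe-security-groups` and reports every rule that leaves RDP (TCP 3389) reachable from any address. The sample data, group IDs and function names are constructed for illustration.

```python
import ipaddress
import json

RDP_PORT = 3389

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-example-default", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-example-range", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
     "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
  {"GroupId": "sg-example-all", "IpPermissions": [
    {"IpProtocol": "-1",
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-example-admin", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]}
]}
""")

def covers_rdp(rule):
    """True if the rule's protocol and port range include TCP 3389."""
    if rule["IpProtocol"] == "-1":          # "-1" means all protocols and ports
        return True
    if rule["IpProtocol"] != "tcp":
        return False
    return rule.get("FromPort", 0) <= RDP_PORT <= rule.get("ToPort", 65535)

def is_world_open(cidr):
    """True for 0.0.0.0/0, ::/0 and any other zero-length prefix."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def find_open_rdp(groups):
    """Return sorted (GroupId, CIDR) pairs that expose RDP to every address."""
    findings = set()
    for group in groups["SecurityGroups"]:
        for rule in group.get("IpPermissions", []):
            if covers_rdp(rule):
                cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
                cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
                findings.update((group["GroupId"], c) for c in cidrs if is_world_open(c))
    return sorted(findings)

if __name__ == "__main__":
    for group_id, cidr in find_open_rdp(SAMPLE):
        print(f"{group_id}: RDP reachable from {cidr}")
```

The port-range and all-protocols rules are flagged as well as the explicit 3389 rule, while the group restricted to an administrative range is not.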
Cloud SaaS - ArcGIS online for Organizations
• Organization administrator options
  - Require SSL encryption
  - Allow anonymous access to org site
• Consume Token secured ArcGIS Server services
  - 10 SP1 and later
  - User name and password prompts upon adding the service to a map, and viewing
• Transparency
  - Status.ArcGIS.com
• Upcoming
  - Federated Identities (SAML/ADFS)
Summary
• Security is NOT about just a technology
  - Understand your organization’s GIS risk level
  - Utilize Defense-In-Depth
Thank you