Enterprise GIS: Security Strategy
Michael E. Young, Chief Product Security Officer
Matt Lorrain, Security Architect

Agenda
• Introduction
• Trends
• Strategy
• Mechanisms
• Server
• Mobile
• Cloud
• Compliance

Introduction
What is a secure GIS?

Introduction
What is "The" Answer?
[Figure: risk plotted against impact]

Introduction
Where are the vulnerabilities?
• Core network component vulnerabilities were exposed last year, but application risks are still king
*SANS Relative Vulnerabilities

Current Real World Scenarios & Trends
Michael Young

Trends
Web Application Attacks
[Figure: web application attack statistics]
*Verizon 2015 DBIR

Trends
Mobile attacks
• Number of mobile devices infected is still relatively small
• 96% targeted against the Android platform
• Mobile malware is short lived
• Mobile SDKs are being attacked
  - Malware piggybacks on popular apps
  - Ensure apps are built with the latest SDKs
• What can help?
  - Enterprise Mobility Management enables control and visibility
*Verizon 2015 DBIR

Trends
Trends by Industry
• Frequency of incidents by pattern and industry
• Identify hot spots for your specific industry
  - Prioritize security initiatives to mitigate against the common threats for that industry
*Verizon 2015 DBIR

Real-world security scenarios
Disaster communications modified
• Scenario
  - Organization utilizes cloud-based services for disseminating disaster communications
  - Required easy updates from home and at work
  - This drove allowing public access to modify service information
• Lessons learned
  - Enforce strong governance processes for web publication
  - Don't allow anonymous users to modify web service content
  - Minimize or eliminate "temporary" modification rights for anonymous users
  - If web services are exposed to the internet, providing security only at the application level does not prevent direct access to the service endpoint itself
Lack of strong governance leads to unexpected consequences

Real-world security scenarios
Using the same username and password between systems leads to compromise
• Scenario
  - Hackers used a third-party vendor's username and password to enter the network
  - Hackers managed to elevate rights and deploy malware on systems
  - Result: 56 million credit and debit cards compromised, 53 million email addresses disclosed
• Lessons learned
  - Credential management, and the high level of trust placed in "internal" users, were the weak points
  - Use an Identity Provider with SAML 2.0 for accessing cloud-based applications
  - Enforce 2-factor authentication; at a minimum, administrators should use it

Real-World Security Scenarios
QUIZ – When was the last ArcGIS security patch released?
• Hint – the Trust.ArcGIS.com site will always have this answer handy…
• 99.9% of vulnerabilities are exploited more than a year after being released, so the usual exposure is an unapplied patch rather than a zero-day

Trends
Strategic Shifts in Security Priorities for 2015 and Beyond
• Identity management priority is increasing as the security focus moves from the network level to the data level
• Advanced Persistent Threats are driving a shift from Protect to Detect
• Encryption of Internet traffic via SSL v3 is broken (POODLE); ensuring TLS is utilized is necessary
• Password protection is broken; stronger mechanisms such as 2-factor authentication are required
• Customers are balancing security gateways for mobile solutions vs. VPN
• Patching beyond operating systems is critical
• End-of-life OS builds, with XP and now Server 2003, present significant risk

Strategy
Michael Young

Strategy
A better answer
• Identify your security needs
  - Assess your environment: datasets, systems, users
  - Data categorization and sensitivity
  - Understand your industry's attacker motivation
• Understand security options
  - Trust.arcgis.com
  - Enterprise-wide security mechanisms
  - Application-specific options
• Implement security as a business enabler
  - Improve appropriate availability of information
  - Safeguards to prevent attackers, not employees

Strategy
Enterprise GIS Security Strategy
[Figure: Security Risk Management Process diagram (Microsoft)]

Strategy
Evolution of Esri Products & Services
[Figure: at the Solution, Enterprise and Product levels, the progression Isolated Systems / 3rd Party Security, then Integrated Systems / Embedded Security, then Software as a Service / Managed Security]

Strategy
Esri Products and Solutions
• Secure Products
  - Trusted geospatial services, from individuals to organizations
  - 3rd party assessments
• Secure Platform Management
  - Backed by certifications / compliance
• Secure Enterprise Guidance
  - Trust.ArcGIS.com site
  - ArcGIS Online Help

Strategy
Security Principles
• CIA Security Triad: Confidentiality, Integrity, Availability

Strategy
Defense in Depth
• More layers does NOT guarantee more security
• Understand how layers/technologies integrate
• Simplify
• Balance people, technology, and operations
• Holistic approach to security
[Figure: policy controls, physical controls and technical controls layered around data and assets]

Mechanisms
Esri UC 2014 | Technical Workshop | Mechanisms

Mechanisms
Users & Authentication
• User store options
  - Built-in user store (Server, Portal, ArcGIS Online)
  - Enterprise user store: LDAP / Active Directory (Server, Portal, ArcGIS Online)
  - Identity Provider (IdP) / Enterprise Logins: SAML 2.0 for ArcGIS Online & Portal
• Authentication options
  - Built-in Token Service
  - Web-tier (IIS/Apache) with Web Adaptor: Windows Integrated Auth, PKI, Digest…
  - SAML 2.0
• ArcGIS Server patterns
  - Server-tier auth w/ built-in users
  - Server-tier auth w/ enterprise users
  - Web-tier auth w/ enterprise users
• Portal for ArcGIS patterns
  - Portal-tier auth w/ built-in users
  - Portal-tier auth w/ enterprise users
  - Web-tier auth w/ enterprise users
  - SAML 2.0 auth w/ enterprise users
• ArcGIS Online patterns
  - ArcGIS Online auth w/ built-in users
  - SAML 2.0 auth w/ enterprise users

Mechanisms
Authorization – Role-Based Access Control
• Out-of-box roles (level of permission)
  - Administrators
  - Publishers
  - Users
  - Custom: only for Portal for ArcGIS & ArcGIS Online
• ArcGIS for Server: web service authorization set by publisher/admin
  - Assign access with ArcGIS Server Manager
  - Service-level authorization across web interfaces
  - Services grouped in folders utilizing inheritance
• Portal for ArcGIS: item authorization set by the item owner
  - Web map: layers secured independently
  - Packages & data: allow downloading
  - Application: allows opening the app

Mechanisms
Authorization – Extending with 3rd Party components
• Web services
  - Conterra's Security Manager (more granular): layer- and attribute-level security
• RDBMS
  - Row-level or feature-class-level security
  - Versioning with row-level security degrades performance
  - Alternative: SDE views
• URL-based
  - Web server filtering
  - Security application gateways and intercepts

Mechanisms
Filters – 3rd Party Options
• Firewalls
  - Host-based
  - Network-based
• Reverse proxy
• Web Application Firewall
  - Open source option: ModSecurity
• Anti-virus software
• Intrusion Detection / Prevention Systems
• Limit the applications able to access the geodatabase

Mechanisms
Filters – Web Application Firewall (WAF)
[Figure: Internet on 443, then a DMZ security gateway (WAF, SSL acceleration, load balancer), then web servers, ArcGIS servers and the internal infrastructure]
• Implemented in the DMZ
• Protection from web-based attacks
• Monitors all incoming traffic at the application layer
• Protection for public-facing applications
• Can be part of a security gateway
  - SSL certificates
  - Load balancer

Mechanisms
Encryption – 3rd Party Options
• Network
  - IPSec (VPN, internal systems)
  - SSL/TLS (internal and external systems)
  - Cloud encryption gateways: only encrypted datasets are sent to the cloud
• File-based
  - Operating system: BitLocker
  - Geospatially enabled PDFs combined with certificates
  - Hardware (disk)
• RDBMS
  - Transparent Data Encryption
  - Low-cost portable solution: SQL Express w/ TDE (verify TDE support for your SQL Server edition)

Mechanisms
Logging/Auditing
• Esri COTS
  - Geodatabase history: may be utilized for tracking changes
  - ArcGIS Workflow Manager: tracks feature-based activities
  - ArcGIS Server 10+ logging: the "User" tag tracks user requests
• 3rd party
  - Web server, RDBMS, OS, firewall
  - Consolidate with a SIEM
• Geospatial service monitors
  - Esri System Monitor
  - Vestra GeoSystems Monitor
  - Geocortex Optimizer

Mechanisms
GIS monitoring with System Monitor
[Figure: monitoring across hardware, network, web server, ArcGIS Server and geodatabase/RDBMS tiers]
• Proactive
• Integrated: end-to-end, all-tier monitoring
• Continuous: dashboards across all tiers, % coverage provided
• Extendable: custom queries

ArcGIS Server
Matt Lorrain

ArcGIS Server
10.3 Enhancements
• ArcGIS Server Manager: new dashboard for administrators
• The Portal for ArcGIS extension is included with ArcGIS for Server Standard and Advanced licenses
  - Support for SAML 2.0 authentication
  - Management of group membership based on an enterprise identity store
  - Custom roles to better control the privileges of users
  - Activity Dashboard to understand metrics for your portal
  - More streamlined approach to configuring a high-availability portal
• As of 10.3.1
  - Query and view portal logs using the Portal Directory to identify errors and issues, or for troubleshooting
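The Logging/Auditing slide notes that ArcGIS Server 10+ logs carry a "User" tag and should be consolidated into a SIEM. The script below is an added example (not from the deck and not Esri code) of the first rule a practitioner would write once those logs land in a SIEM: it parses the server's XML log messages, counts requests per account, and flags bursts of failed logins. The <Msg> attribute layout follows the XML log files ArcGIS Server writes as I understand them; the sample lines, codes and message texts are constructed, and the AUTH_FAILURE pattern is an assumption to adapt to the wording your site actually logs.

```python
"""Added example: parse ArcGIS Server log messages, summarise request
activity per user and flag bursts of failed logins.

The <Msg ...> element shape (time, type, code, source, process, thread,
methodName, machine, user, elapsed attributes around the message text)
follows the XML log files ArcGIS Server writes, as I understand them.
The sample lines, codes and message texts are constructed for this
example; adapt AUTH_FAILURE to the wording your site actually logs.
"""
import re
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: two normal users plus repeated failed token requests
# for a publisher account within a couple of minutes (not real log output).
SAMPLE_LOG = """\
<Msg time="2015-07-20T10:12:33,123" type="FINE" code="0" source="Rest" process="4120" thread="17" methodName="" machine="GISSRV01" user="alice" elapsed="0.031">Request: /arcgis/rest/services/Parcels/MapServer/export</Msg>
<Msg time="2015-07-20T10:12:34,001" type="SEVERE" code="0" source="Rest" process="4120" thread="18" methodName="" machine="GISSRV01" user="" elapsed="">Unable to generate token. Invalid username or password for user 'svc_publisher'.</Msg>
<Msg time="2015-07-20T10:12:40,450" type="SEVERE" code="0" source="Rest" process="4120" thread="18" methodName="" machine="GISSRV01" user="" elapsed="">Unable to generate token. Invalid username or password for user 'svc_publisher'.</Msg>
<Msg time="2015-07-20T10:13:02,900" type="FINE" code="0" source="Rest" process="4120" thread="19" methodName="" machine="GISSRV01" user="bob" elapsed="0.210">Request: /arcgis/rest/services/Roads/FeatureServer/0/query</Msg>
<Msg time="2015-07-20T10:13:10,002" type="SEVERE" code="0" source="Rest" process="4120" thread="18" methodName="" machine="GISSRV01" user="" elapsed="">Unable to generate token. Invalid username or password for user 'svc_publisher'.</Msg>
<Msg time="2015-07-20T10:13:15,700" type="SEVERE" code="0" source="Admin" process="4120" thread="20" methodName="" machine="GISSRV01" user="" elapsed="">Unable to generate token. Invalid username or password for user 'bob'.</Msg>
<Msg time="2015-07-20T10:14:05,311" type="SEVERE" code="0" source="Rest" process="4120" thread="18" methodName="" machine="GISSRV01" user="" elapsed="">Unable to generate token. Invalid username or password for user 'svc_publisher'.</Msg>
<Msg time="2015-07-20T10:20:00,000" type="FINE" code="0" source="Rest" process="4120" thread="17" methodName="" machine="GISSRV01" user="alice" elapsed="0.027">Request: /arcgis/rest/services/Parcels/MapServer/identify</Msg>
<Msg time="2015-07-20T11:30:00,000" type="SEVERE" code="0" source="Rest" process="4120" thread="18" methodName="" machine="GISSRV01" user="" elapsed="">Unable to generate token. Invalid username or password for user 'svc_publisher'.</Msg>
"""

TIME_FORMAT = "%Y-%m-%dT%H:%M:%S,%f"
# Assumed wording of a failed login. A request that never authenticated has
# an empty "user" attribute, so the account has to come from the text.
AUTH_FAILURE = re.compile(r"Invalid username or password for user '([^']+)'")


def parse_log(text):
    """Turn one <Msg> element per line into dicts with a real datetime."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        el = ET.fromstring(line)
        entries.append({
            "time": datetime.strptime(el.get("time"), TIME_FORMAT),
            "type": el.get("type"),
            "source": el.get("source"),
            "machine": el.get("machine"),
            "user": el.get("user") or "",
            "message": el.text or "",
        })
    return entries


def requests_by_user(entries):
    """Count authenticated requests per account via the 'User' tag."""
    return Counter(e["user"] for e in entries if e["user"])


def find_auth_failure_bursts(entries, threshold=3, window=timedelta(minutes=5)):
    """Return {account: failures} for every account with at least
    `threshold` failed logins inside some `window`-long period, using a
    sliding window over the sorted failure timestamps."""
    failures = {}
    for e in entries:
        m = AUTH_FAILURE.search(e["message"])
        if m:
            failures.setdefault(m.group(1), []).append(e["time"])
    bursts = {}
    for account, times in failures.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[account] = best
    return bursts


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("requests per user:", dict(requests_by_user(log)))
    for account, n in find_auth_failure_bursts(log).items():
        print(f"ALERT: {n} failed logins for '{account}' within 5 minutes")
```

The window-based count matters: the fifth failure for svc_publisher arrives over an hour later and is not part of the burst, so a plain per-day total would over-count a slow drip while a per-minute total would miss the real spike. In production the same rule would also key on the machine and source attributes to separate a public REST endpoint from the Administrator Directory.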
ArcGIS Server
Single ArcGIS Server machine
[Figure: desktop, web and mobile clients connect on 6080/6443 to one machine holding the GIS server, data, server directories and configuration store; site administrators connect to Manager]

ArcGIS Server
Front-ending GIS Server with Reverse Proxy or Web Adaptor
[Figure: clients connect on 80/443 to a reverse proxy server, which forwards on 6080/6443 to the GIS server, data, server directories and configuration store; site administrators connect to Manager]

ArcGIS Server
HA – Sites independent of each other
[Figure: clients reach a network load balancer in front of two ArcGIS Server sites, each with optional Web Adaptors (80), its own GIS server (6080), and its own server directories and configuration store, duplicated between sites]
• Active-active configuration is shown
  - Active-passive is also an option
• Network Load Balancer (NLB) to distribute load
• Separate configuration stores and management
  - Scripts can be used to synchronize the sites
• Cached map service for better performance

ArcGIS Server
HA – Shared configuration store
[Figure: clients reach an NLB, then Web Adaptors (80), then GIS servers (6080), then a data server holding the enterprise geodatabase, server directories and configuration store]
• Shared configuration store
• Web Adaptor will route around a server that fails
• Network Load Balancer (NLB)
• A configuration change could affect the whole site
  - Example: publishing a service
  - Test configuration changes

ArcGIS Server
HA – Clusters of Dedicated Services
[Figure: clients reach an NLB, then optional Web Adaptors (80), then GIS servers (6080) grouped into Cluster A and Cluster B, backed by a data server with the enterprise geodatabase, server directories and configuration store]
• Shared configuration store
• Server clusters perform the same set of functions
• Network Load Balancer (NLB)
• Example
  - Cluster A handles geoprocessing services
  - Cluster B handles less intensive services

Enterprise deployment
Real Permutations
[Figure: public users, business partners and field workers reach internal Portal and internal ArcGIS Server, filtered content, external ArcGIS Server, ArcGIS Online, a file geodatabase and a database across private IaaS, public IaaS and the enterprise]

ArcGIS Server
Enterprise Deployment
[Figure: Internet on 443 into a DMZ with WAF, SSL acceleration and load balancer; public web servers (IIS/Java) with Web Adaptors and an ADFS proxy on 80; an ArcGIS Server site with GIS Server A and B on 6080, round-robin request load balancing, a clustered configuration store and directories on HA NAS; supporting infrastructure with ADFS / SAML 2.0, AD/LDAP, HA SQL DB1/DB2 and a file geodatabase]

ArcGIS Server
Implementation Guidance
• Don't expose Server Manager or Admin interfaces to the public
• Disable the Services Directory
• Disable the service Query operation (as feasible)
• Limit utilization of commercial databases under the website
  - A file geodatabase can be a useful intermediary
  - Use one-way replication from the enterprise database
• Require authentication to services
• Deploy ArcGIS Server(s) to the DMZ if external users require access
• Restrict cross-domain requests
  - Implement a whitelist of trusted domains for communications
[Figure: attack surface grows over time]

Mobile
Matt Lorrain

Mobile
What are the mobile concerns?
*OWASP Top Ten Mobile: https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks

Mobile
Security Touch Points
• Device access
• Storage
• Communication
• Server authentication
• Service authorization
• Project access
• Data access
• SDE permissions

Mobile
Challenges
• Users are beyond the corporate firewall
  - To VPN or not to VPN?
• Authentication/authorization challenges
• Disconnected editing
• Management of mobile devices
  - Enterprise Mobility Management is the answer!
  - Mobile Device Management
  - Mobile Application Management
  - Security gateways
  - Examples: MobileIron, MaaS360, AirWatch, and many more…

Mobile
Potential Access Patterns
[Figure: mobile clients reach the external-facing GIS through a DMZ Web Adaptor on IIS, a security gateway, or a VPN; behind them sit Portal, ArcGIS Server, a shared configuration store on NAS, SQL Server, AD FS 2.0 and the enterprise AD; ArcGIS Desktop connects internally]

Mobile
Implementation Guidance
• Encrypt data in transit (HTTPS) via TLS
• Encrypt data at rest
• Segmentation
  - Use ArcGIS Online, cloud, or DMZ systems to disseminate public-level data
• Perform authentication/authorization
• Use an Enterprise Mobility Management (EMM) solution
  - Secure e-mail
  - Enforce encryption
  - App distribution
  - Remote wipe
  - Control 3rd party apps & jailbreak detection

Cloud
Matt Lorrain

Cloud
Service Models
• Non-Cloud: traditional systems infrastructure deployment; Portal for ArcGIS & ArcGIS Server; customer responsible end to end
• IaaS: Portal for ArcGIS & ArcGIS Server, some Citrix / desktop; customer responsibility decreasing
• SaaS: ArcGIS Online, Business Analyst Online; customer responsible for application settings

Cloud
Deployment Models
[Figure: Public (ArcGIS Online), On-Premises (intranet Portal and Server), Hybrid 1 (ArcGIS Online read-only basemaps with intranet Portal and Server), Hybrid 2 (cloud Server plus on-premises Server), and cloud plus on-premise combinations]

Cloud
Management Models
• Self-managed
  - Your responsibility for managing IaaS deployment security
  - Security measures discussed later
• Provider managed
  - Esri Managed Services (standard offering)
  - New Esri Managed Cloud Services (EMCS) Advanced Plus: FedRAMP Moderate environment

Cloud
IaaS – Amazon Web Services
• 8 security areas to address
  - Virtual Private Cloud (VPC)
  - Identity & Access Management (IAM)
  - Administrator gateway instance(s) (bastion)
  - Reduce attack surface (hardening)
  - Security Information and Event Management (SIEM)
  - Patch management (SCCM)
  - Centralized authentication/authorization
  - Web application firewall (WAF)

Cloud
EMCS Advanced Plus Offering
[Figure: customer instances (ArcGIS Server, Portal for ArcGIS, customer databases) inside a Virtual Private Cloud with segmentation, network address translation and redundancy across multiple Esri data centers; security infrastructure with centralized 2-factor authentication, key management, IDS/SIEM/WAF and logging; an ArcGIS Online front-end (Low) and a Managed Services back-end (Moderate); end users and a GIS administrator]

Cloud
Hybrid deployment combinations
• On-Premises
  - Ready in months/years
  - Behind your firewall
  - You manage & certify
• Esri Managed Cloud Services
  - Ready in days
  - All ArcGIS capabilities at your disposal in the cloud
  - Dedicated services
  - FedRAMP Moderate
• ArcGIS Online
  - Ready in minutes
  - Centralized geo discovery
  - Segment anonymous access from your systems
  - FISMA Low
All models can be combined or kept separate

Cloud
Hybrid ArcGIS Online
[Figure: 1. Register services from the on-premises ArcGIS Server with the AGOL org; 2. Enterprise login (SAML 2.0) against the AD/LDAP user repository, alongside ArcGIS org accounts and external accounts; the group "TeamGreen" and hosted services, content and public dataset storage in the org; 4. users access the service]
Segment sensitive data internally and public data in the cloud

Cloud
Hybrid – Data sources
• Where are internal and cloud datasets combined?
  - At the browser: the browser makes separate requests to multiple sources and does a "mash-up"
  - Token security with SSL, or even a VPN connection, could be used between the device browser and the on-premises system
• On-premises operational layer service: https://YourServer.com/arcgis/rest...
• Cloud basemap service (ArcGIS Online): http://services.arcgisonline.com... (request it over https as well when the app itself is served over HTTPS, to avoid mixed content)
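The ArcGIS Server Implementation Guidance above (no public Manager/Admin exposure, Services Directory off, Query disabled where feasible, authentication required, cross-domain whitelist) and the hybrid pattern's reliance on token security over SSL both come down to a handful of site settings that drift over time. The script below is an added example (not from the deck and not Esri code) that audits those settings. Its inputs imitate JSON from the ArcGIS Server Administrator Directory: /arcgis/admin/security/config, the Services Directory handler at /arcgis/admin/system/handlers/rest/servicesdirectory, and each service resource together with its /permissions child. Field names follow that API as I understand it; allowedAdminAccessIPs in particular is an assumption to verify against your release, and all values are constructed. The fetch_admin_json helper shows how the documents would be pulled with an admin token but is not exercised here.

```python
"""Added example: audit an ArcGIS Server site's security settings against
the deck's implementation guidance. Inputs imitate Administrator Directory
JSON; field names follow that API as I understand it (allowedAdminAccessIPs
is an assumption) and every value below is constructed.
"""
import json
import urllib.parse
import urllib.request


def fetch_admin_json(base_url, path, token):
    """POST f=json&token=... to an Administrator Directory resource,
    e.g. fetch_admin_json("https://gis.example.org:6443/arcgis", "/admin/security/config", tok).
    Not exercised by the constructed samples below."""
    body = urllib.parse.urlencode({"f": "json", "token": token}).encode()
    with urllib.request.urlopen(base_url.rstrip("/") + path, data=body, timeout=30) as resp:
        return json.load(resp)


def _finding(check, detail):
    return {"check": check, "detail": detail}


def audit_site(security, services_directory, services):
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    # Guidance: HTTPS only. HTTP_AND_HTTPS still lets a client fall back to HTTP.
    if security.get("protocol") != "HTTPS":
        findings.append(_finding("https_only", f"protocol is {security.get('protocol')}"))

    # Guidance: web-tier auth is bypassed if 6080/6443 remain reachable directly.
    if security.get("authenticationTier") == "WEB_ADAPTOR" and security.get("allowDirectAccess"):
        findings.append(_finding("direct_access", "server ports accept requests that bypass web-tier authentication"))

    # Guidance: don't expose Manager/Admin publicly; restrict admin by IP (assumed field name).
    if not security.get("allowedAdminAccessIPs"):
        findings.append(_finding("admin_ip_restriction", "administrative access is not limited to specific IPs"))

    # Guidance: disable the Services Directory.
    if services_directory.get("servicesDirEnabled"):
        findings.append(_finding("services_directory", "Services Directory is browsable"))

    # Guidance: whitelist trusted domains for cross-domain requests.
    origins = (services_directory.get("allowedOrigins") or "").strip()
    if origins in ("", "*"):
        findings.append(_finding("allowed_origins", "cross-origin requests are not restricted to a whitelist"))

    for svc in services:
        name = f"{svc['serviceName']}.{svc['type']}"
        # esriEveryone with isAllowed true is how the API expresses "anyone may use this service".
        anonymous = any(
            p.get("principal") == "esriEveryone" and p.get("permission", {}).get("isAllowed")
            for p in svc.get("permissions", [])
        )
        capabilities = {c.strip() for c in svc.get("capabilities", "").split(",") if c.strip()}
        # Guidance: require authentication to services.
        if anonymous:
            findings.append(_finding("anonymous_service", f"{name} is usable by esriEveryone"))
            # Guidance: disable Query on services reachable without auth (as feasible).
            if "Query" in capabilities:
                findings.append(_finding("query_capability", f"{name} exposes Query to anonymous users"))
    return findings


# Constructed "before" site: every check fails.
INSECURE_SITE = {
    "security": {"protocol": "HTTP_AND_HTTPS", "authenticationTier": "WEB_ADAPTOR",
                 "allowDirectAccess": True, "allowedAdminAccessIPs": "", "securityEnabled": True},
    "services_directory": {"servicesDirEnabled": True, "allowedOrigins": "*"},
    "services": [
        {"serviceName": "Parcels", "type": "MapServer", "capabilities": "Map,Query,Data",
         "permissions": [{"principal": "esriEveryone", "permission": {"isAllowed": True}}]},
        {"serviceName": "Incidents", "type": "FeatureServer", "capabilities": "Query,Create,Update",
         "permissions": [{"principal": "esriEveryone", "permission": {"isAllowed": False}},
                         {"principal": "emergency_ops", "permission": {"isAllowed": True}}]},
    ],
}

# Constructed "after" site following the guidance.
HARDENED_SITE = {
    "security": {"protocol": "HTTPS", "authenticationTier": "WEB_ADAPTOR",
                 "allowDirectAccess": False, "allowedAdminAccessIPs": "10.0.5.20", "securityEnabled": True},
    "services_directory": {"servicesDirEnabled": False, "allowedOrigins": "https://maps.example.org"},
    "services": [
        {"serviceName": "Parcels", "type": "MapServer", "capabilities": "Map",
         "permissions": [{"principal": "esriEveryone", "permission": {"isAllowed": False}},
                         {"principal": "gis_users", "permission": {"isAllowed": True}}]},
    ],
}

if __name__ == "__main__":
    for label, site in (("insecure", INSECURE_SITE), ("hardened", HARDENED_SITE)):
        print(label, "->", [f["check"] for f in audit_site(**site)] or "clean")
```

The direct_access check is the one that catches the lesson from the disaster-communications scenario: security at the web tier is worthless if the 6080/6443 ports are still reachable and allowDirectAccess is on, so the firewall rule and this setting have to agree.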
[Figure: the browser combines the on-premises operational layer and the cloud basemap layer]

Cloud
ArcGIS Online – Implementation Guidance
• Require HTTPS
• Do not allow anonymous access
• Allow only standard SQL queries
• Restrict members from sharing outside the organization (as feasible)
• Use enterprise logins with SAML 2.0 and your existing Identity Provider (IdP)
  - If unable, use a strong password policy (configurable) in ArcGIS Online
  - Enable multi-factor authentication for users
• Use multi-factor authentication for admin accounts
• Use a least-privilege model for roles and permissions
  - Custom roles

Compliance
ArcGIS Platform Security
• Esri Corporate
• Cloud Infrastructure Providers
• Products and Services
• Solution Guidance

Compliance
Extensive security compliance history
[Figure: timeline. 2002: FISMA law established. 2005: Esri GOS2 FISMA authorization. 2010: FedRAMP announced. 2011: Esri participates in the first Cloud Computing Forum. 2012: Esri hosts the Federal Cloud Computing Security Workshop. 2013: OMB FedRAMP mandate; first FedRAMP authorization. 2014: ArcGIS Online FISMA authorization. 2015: EMCS FedRAMP compliant. 2016: planned ArcGIS Online FedRAMP authorization.]
Esri has actively participated in hosting and advancing secure, compliant solutions for over a decade

Compliance
Esri Corporate
• ISO 27001
  - Esri's Corporate Security Charter
• Privacy assurance
  - US-EU/Swiss Safe Harbor self-certified
  - TRUSTed Cloud certified

Compliance
Cloud Infrastructure Providers
• ArcGIS Online utilizes world-class cloud infrastructure providers
  - Microsoft Azure
  - Amazon Web Services
• Cloud infrastructure security compliance

Compliance
Products and Services
• ArcGIS Online
  - FISMA Low Authority to Operate by USDA (Jun 2014)
  - FedRAMP: upcoming
• Esri Managed Cloud Services (EMCS)
  - FedRAMP Moderate (Jan 2015)
• ArcGIS Server
  - DISA STIG (expected 2015)
• ArcGIS Desktop
  - FDCC (versions 9.3–10)
  - USGCB (versions 10.1+)
  - ArcGIS Pro (expected 2015)

Compliance
Solution Level
• Geospatial deployment patterns to meet stringent security standards
  - Hybrid deployments
  - On-premise deployments
• Supplemented with 3rd party security components
  - Enterprise identity management integration: CA SiteMinder (complete)
  - Geospatial security constraints: ConTerra (started)
  - Mobile security gateway integration (upcoming)
• Upcoming best-practice security compliance alignment guidance
  - CJIS – Law Enforcement (started)
  - STIGs – Defense (started)
  - HIPAA – Healthcare (future)

Compliance
ArcGIS Online Assurance Layers
[Figure: shared-responsibility stack. Customer: web app consumption and ArcGIS management. Esri AGOL SaaS (FISMA Low via USDA, Safe Harbor via TRUSTe): web server & DB software, operating system, instance security management. Cloud providers (ISO 27001, SSAE 16, FedRAMP Moderate): hypervisor and physical layers.]

Compliance
Cloud Roadmap
• 2014: ArcGIS Online FISMA Low
• 2015: Managed Services (EMCS) FedRAMP Moderate
• Upcoming: ArcGIS Online FedRAMP

Summary
• Security demands are rapidly evolving
  - Prioritize efforts according to your industry and needs
  - Don't just add components; take a simplified Defense in Depth approach
• Secure best-practice guidance is available
  - Check out the ArcGIS Trust Site!
  - Security Architecture Workshop: SecureSoftwareServices@esri.com

Thank you…
• Please fill out the session survey in your mobile app
• In the agenda, click on the title of this session: Enterprise GIS: Security Strategy
• Click "Technical Workshop Survey"
• Answer a few short questions and enter any comments

Want to Learn More?
• ArcGIS Online: A Security, Privacy, and Compliance Overview
• ArcGIS Server & Portal for ArcGIS: An Introduction to Security
• OAuth 2 and Authentication in ArcGIS Online Demystified
• Building Security into your System
• Best Practices in Setting up Secured Services in ArcGIS for Server
• ArcGIS Server: Advanced Security
• Using Enterprise Logins for Portal for ArcGIS via SAML
Session times and rooms listed on the slide: Tues 4:30pm Implementation Center; Tues 5:30pm Demo Theater 14; Wed 3:15pm Room 3 and Thurs Room 4; Tues 3:15pm Room 4 and Thurs 1:30pm Room 4; Wed 10:15am Room 17B; Tues 2:30pm Demo Theater 11; Tues 5:30pm and Wed 2:30pm Demo Theater 7
Esri Security Standards & Architecture Team
SecureSoftwareServices@Esri.com
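The ArcGIS Online Implementation Guidance slide (require HTTPS, no anonymous access, restrict sharing outside the organization, multi-factor authentication for administrators, least-privilege roles) maps onto settings an organization administrator can read back from the portal. The script below is an added example (not from the deck and not Esri code) that reviews them. `org` imitates the JSON from /sharing/rest/portals/self (allSSL, access, canSharePublic) and `users` imitates the users array paged from /sharing/rest/portals/self/users (username, role, mfaEnabled); field names follow the ArcGIS REST API as I understand it, all values are constructed, and MAX_ADMINS is an assumed ceiling. The fetch_all_users helper shows the paging loop but is not exercised here.

```python
"""Added example: review an ArcGIS Online organization against the deck's
implementation guidance. Inputs imitate portals/self and
portals/self/users JSON; field names follow the ArcGIS REST API as I
understand it, the values are constructed and MAX_ADMINS is an assumption.
"""
import json
import urllib.parse
import urllib.request

MAX_ADMINS = 3  # assumed ceiling; pick one that fits your organization


def fetch_all_users(base_url, token, page=100):
    """Page through portals/self/users until the API reports nextStart == -1.
    Not exercised by the constructed samples below."""
    users, start = [], 1
    while start > 0:
        query = urllib.parse.urlencode({"f": "json", "token": token, "start": start, "num": page})
        url = f"{base_url.rstrip('/')}/sharing/rest/portals/self/users?{query}"
        with urllib.request.urlopen(url, timeout=30) as resp:
            data = json.load(resp)
        users.extend(data.get("users", []))
        start = data.get("nextStart", -1)
    return users


def audit_org(org, users, max_admins=MAX_ADMINS):
    """Return findings in guidance order; an empty list means all checks passed."""
    findings = []
    # Guidance: require HTTPS.
    if not org.get("allSSL"):
        findings.append({"check": "require_https",
                         "detail": "allSSL is off; content can still be reached over HTTP"})
    # Guidance: do not allow anonymous access.
    if org.get("access") == "public":
        findings.append({"check": "anonymous_access",
                         "detail": "the organization site is visible to anonymous users"})
    # Guidance: restrict members from sharing outside the organization.
    if org.get("canSharePublic"):
        findings.append({"check": "public_sharing",
                         "detail": "members may share items outside the organization"})
    # Guidance: multi-factor authentication for admin accounts.
    admins = [u for u in users if u.get("role") == "org_admin"]
    no_mfa = sorted(u["username"] for u in admins if not u.get("mfaEnabled"))
    if no_mfa:
        findings.append({"check": "admin_without_mfa",
                         "detail": "administrators without multi-factor auth: " + ", ".join(no_mfa)})
    # Guidance: least privilege; an admin role handed out for convenience is the usual drift.
    if len(admins) > max_admins:
        findings.append({"check": "too_many_admins",
                         "detail": f"{len(admins)} administrators (limit {max_admins}); "
                                   "move the rest to publisher or custom roles"})
    return findings


# Constructed organization that violates every item on the slide.
ORG = {"allSSL": False, "access": "public", "canSharePublic": True}
USERS = [
    {"username": "admin.lead", "role": "org_admin", "mfaEnabled": True},
    {"username": "admin.backup", "role": "org_admin", "mfaEnabled": False},
    {"username": "it.ops", "role": "org_admin", "mfaEnabled": False},
    {"username": "vendor.support", "role": "org_admin", "mfaEnabled": True},
    {"username": "gis.pub1", "role": "org_publisher", "mfaEnabled": False},
    {"username": "analyst1", "role": "org_user", "mfaEnabled": False},
    {"username": "analyst2", "role": "org_user", "mfaEnabled": True},
]

# Constructed organization after applying the guidance.
HARDENED_ORG = {"allSSL": True, "access": "private", "canSharePublic": False}
HARDENED_USERS = [
    {"username": "admin.lead", "role": "org_admin", "mfaEnabled": True},
    {"username": "gis.pub1", "role": "org_publisher", "mfaEnabled": True},
    {"username": "analyst1", "role": "org_user", "mfaEnabled": False},
]

if __name__ == "__main__":
    for f in audit_org(ORG, USERS):
        print(f"{f['check']}: {f['detail']}")
    print("hardened:", audit_org(HARDENED_ORG, HARDENED_USERS) or "clean")
```

Run it on a schedule with a read-only administrator token and diff the findings; the vendor.support account in the sample is exactly the kind of third-party credential the deck's breach scenario turned on, and it shows up here through the admin count even though it has MFA enabled.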