Designing a Web GIS Security Strategy

Transcription

1 Designing a Web GIS Security Strategy Michael Young CISO Products Matt Lorrain Security Architect

2 Agenda Introduction Trends Strategy Mechanisms Server Mobile Cloud EMCS Advanced Plus Compliance

3 Introduction What is a secure GIS?

4 Introduction What is The Answer? Risk Impact

5 Introduction Where are the vulnerabilities? *SANS Relative Vulnerabilities Core component vulnerabilities were exposed in the past few years, application risks are still king

6 Trends Michael Young

7 Trends Web Application Attacks *Verizon 2016 DBIR

8 Trends Main threat activities from web app attacks Password based authentication is STILL broken - Use 2-factor Validate inputs Patching process for third party plugins *Verizon 2016 DBIR

9 Trends Trends by Industry Confirmed data breaches by industry Rise of web app attacks across the board since last year due to rise in stolen credentials Privilege Misuse - Defense in Depth approach *Verizon 2016 DBIR

10 Recurring security scenarios Disaster communications modified Scenario - Organization utilizes cloud based services for disseminating disaster communications - Required easy updates from home and at work - Drove allowing public access to modify service information Lesson learned - Enforce strong governance processes for web publication - Don t allow anonymous users to modify web service content - Minimize or eliminate temporary modification rights of anonymous users - If web services are exposed to the internet, just providing security at the application level does not prevent direct service access Lack of strong governance leads to unexpected consequences

11 Recurring security scenarios Long-live the token! Scenario - Developers using access tokens not segmenting them appropriately from their applications and code - Tokens are often configured to have long life in contradiction with secure development best practices - Code is shared through cloud repositories (such as GitHub) and tokens exposed - Result is tokens can be used by malicious users to perform privileged functions, intercept private communications, eavesdrop, etc. Lessons learned - Separate credentials directly from code and do not store in code repositories - Perform routine checks of organization code repositories and applications - Use short-lived tokens when possible

12 Recurring security scenarios Leveraging leaked credentials Scenario - User had account with LinkedIn or Adobe - Account information compromised - User changed password for their compromised service - 4 years later account information offered on dark market - Compromised account info utilized to access other services in May & June 2016, such as: - GitHub, Netflix, Facebook, GoToMyPC, Reddit, TeamViewer, Twitter, and Carbonite Lessons Learned - Avoid utilizing the same password between services - Utilize enterprise strength password management tools to facilitate unique passwords - Check if your has been in a compromise Services like

13 Recurring Security Scenarios QUIZ When was the last ArcGIS Security patch released? Hint The Trust.ArcGIS.com site will always have this answer handy 99.9% of vulnerabilities are exploited more than a year after being released

14 Trends Strategic Shifts in Security Priorities for 2016 and Beyond Identity management priority increasing as security focus moves from network to data level Advanced Persistent Threats driving shift from Protect to Detect Encryption of Internet traffic via SSL v3 broken Utilize only TLS / Configure ciphers Password protection is broken Use 2-factor auth Cloud Access Security Brokers (CASB) Gartner top security tech pick for 2016 Patch! Attackers routinely use unpatched vulnerabilities to compromise organizations Ransomware & Trojans on rise Backups operational & utilize link validation tools Deprecation of MD5 and SHA-1 for certificates and code signing - Use SHA-256 Silverlight died first, now it s Adobe Flash Ensure cross-domain is not trust all

15 Strategy Michael Young

16 Strategy A better answer Identify your security needs - Assess your environment - Datasets, systems, users - Data categorization and sensitivity - Understand your industry attacker motivation Understand security options - Trust.arcgis.com - Enterprise-wide security mechanisms - Application specific options Implement security as a business enabler - Improve appropriate availability of information - Safeguards to prevent attackers, not employees

17 Strategy Enterprise GIS Security Strategy Security Risk Management Process Diagram - Microsoft

18 Strategy Evolution of Esri Products & Services Web GIS Distributed Web GIS Desktop GIS Server GIS 3 rd Party Security Embedded Security Shared Responsibilty Security

19 Strategy Esri Products and Solutions Secure Products - Trusted geospatial services - Individual to organizations - 3 rd party assessments ArcGIS Secure Platform Management - Backed by Certifications / Compliance Secure Enterprise Guidance - Trust.ArcGIS.com site - Online Help

20 Strategy Security Principles CIA Security Triad Availability

21 Strategy Defense in Depth More layers does NOT guarantee more security Understand how layers/technologies integrate Simplify Balance People, Technology, and Operations Holistic approach to security Data and Assets Physical Controls Policy Controls Technical Controls

22 Mechanisms Matt Lorrain

23 Mechanisms

24 Mechanisms Users & Authentication User Store Options - Built-in user store - Server, Portal, ArcGIS Online - Enterprise user store - LDAP / Active Directory Authentication Options - Built-in Token Service - Server, Portal, ArcGIS online - Web-tier (IIS/Apache) w/ Web Adaptor - Windows Integrated Auth, PKI, Digest - Identity Provider (IdP) / Enterprise Logins - SAML 2.0 for ArcGIS Online & Portal ArcGIS Server patterns - Server-tier Auth w/ Built-in users - Server-tier Auth w/ Enterprise Users - Web-tier Auth w/ Enterprise Users Portal for ArcGIS patterns - Portal-tier Auth w/ Built-in users - Portal-tier Auth w/ Enterprise users - Web-tier Auth w/ Enterprise users - SAML 2.0 Auth w/ Enterprise Users ArcGIS Online patterns - ArcGIS Online Auth w/ Built-in users - SAML 2.0 Auth w/ Enterprise users

25 Mechanisms Authorization Out-of-box roles (level of permission) - Administrators - Publishers - Users - Custom Only for Portal for ArcGIS & ArcGIS Online ArcGIS for Server Web service authorization set by pub/admin - Assign access with ArcGIS Manager - Service Level Authorization across web interfaces - Services grouped in folders utilizing inheritance Portal for ArcGIS Item authorization set by item owner - Web Map Layers secured independently - Packages & Data Allow downloading - Application Allows opening app

26 Mechanisms Authorization Extending with 3 rd Party components Web services - Conterra s Security Manager (more granular) - Layer and attribute level security RDBMS - Row Level or Feature Class Level - Versioning with Row Level degrades performance - Alternative SDE Views URL Based - Web Server filtering - Security application gateways and intercepts

27 Mechanisms Filters 3 rd Party Options Firewalls - Host-based - Network-based Reverse Proxy Web Application Firewall - Open Source option ModSecurity Anti-Virus Software Intrusion Detection / Prevention Systems Limit applications able to access geodatabase

28 Mechanisms Filters - Web Application Firewall (WAF) Internet 443 Implemented in DMZ Protection from web-based attacks DMZ Security Gateway WAF, SSL Accel, LB Monitors all incoming traffic at the application layer Web servers ArcGIS servers Protection for public facing applications Can be part of a security gateway Internal Infrastructure - SSL Certificates - Load Balancer

29 Mechanisms Encryption 3 rd Party Options Network - IPSec (VPN, Internal Systems) - SSL/TLS (Internal and External System) - Cloud Access Security Brokers (CASB) - Proxy - Only encrypted datasets sent to cloud File Based - Operating System BitLocker - GeoSpatially enabled PDF s with Certificates - Hardware (Disk) RDBMS - Transparent Data Encryption

30 Mechanisms Logging/Auditing Esri COTS - Geodatabase history - May be utilized for tracking changes - ArcGIS Workflow Manager - Track Feature based activities - ArcGIS Server 10+ Logging - User tag tracks user requests - Set to a minimum of INFO 3 rd Party - Web Server, RDBMS, OS, Firewall - Consolidate with a SIEM Geospatial service monitors - Esri System Monitor - Vestra GeoSystems Monitor - Geocortex Optimizer

31 Mechanisms GIS monitoring with System Monitor Network Hardware Web Server Proactive Integrated - Dashboards across all tiers End-to-End ArcGIS Server Geodatabase RDBMS - All tier monitoring Continuous - %Coverage provided Extendable - Custom queries

32 Web GIS Matt Lorrain

33 Web GIS ArcGIS Online or Portal? ArcGIS Online Portal for ArcGIS SaaS Releases often - Upgraded automatically (by Esri) - Esri controls SLA Functionality (smart mapping ) Enterprise Integration - Web SSO via SAML Software - Part of ArcGIS Server - Releases 1-2 times per year - Upgraded manually (by organization) - Organization controls SLA Functionality (smart mapping ) Enterprise Integration - Web SSO via SAML - Web-tier Authentication via Web Adaptor - Enterprise Groups - ArcGIS Server Integration

34 Web GIS Anatomy of a Web GIS User Applications (Desktop, Web & Mobile) Portal (GeoInformation Model) Services (GIS Server) Data Stores (Enterprise GDB)

35 Web GIS Multiple Portals portal portal portal portal One Portal Many Portals?

36 Web GIS Multiple Portals Enterprise or Public Users portal Department A Users Department B Users Department C Users portal portal portal Shared Services

37 Web GIS References vs. Federated Referenced My Layer Federated My Layer Portal Portal 1 st Login 1 st Login 2 nd Login SSO My Service My Service

38 Web GIS Architecture Options and Security Considerations What are the confidentiality and integrity needs of your GIS? - Drives extent to which cloud is used - Drives potential authentication options used - Drives encryption requirements What are the availability requirements of your GIS? - Benefits of cloud scalability - Redundancy across web tiers, GIS tier, and database tier Authentication requirements - Leverage centralized authentication (AD/LDAP) - For an on premise portal that can be Web-tier authentication or using Enterprise Logins

39 Enterprise deployment Real Permutations Public Business Partner 1 Private IaaS Internal Portal Internal AGS Filtered Content External AGS ArcGIS Online Business Partner 2 Database File Geodatabase Public IaaS Field Worker Enterprise Business

40 Attack surface ArcGIS Server Implementation Guidance Don t expose Server Manager or Admin interfaces to public Attack surface over time Disable Services Directory Disable Service Query Operation (as feasible) Limit utilization of commercial databases under website - File GeoDatabase can be a useful intermediary Require authentication to services Use HTTPS Time - Or at least make it available! Restrict cross-domain requests - Implement a whitelist of trusted domains for communications

41 ArcGIS Server Awareness of Relative Risk Security hardening best practices provide insights into relative risk of different services, and optional mitigation measures to reduce risk Service Map Map Feature Feature Feature Geocoding Geodata Geodata Geodata Geoprocessing Image Image Image Relative Service Risk Capability Mapping Query Read Edit Sync Geocode Query Data Extraction Replica Geoprocessing Imaging Edit Upload Default when Enabled Security Hardened Security Hardened Settings Red = Higher Risk Yellow = Average Risk Green = Low Risk

42 ArcGIS Server 10.4 Enhancements ArcGIS Server and Portal ArcGIS Server Best Practices security scanner Update passwords for registered and managed databases - To meet password policy requirements for cycling passwords ArcGIS Server Read-Only Mode - Disables publishing new services and blocks admin operations HTTP and HTTPS is enabled by default Security fixes and enhancements Enforce and choose cryptographic ciphers and algorithms

43 Mobile Matt Lorrain

44 Mobile What are the mobile concerns? *OWASP Top Ten Mobile:

45 Mobile Security Touch Points Server authentication Communication Device access SDE permissions Storage Service authorization Project access Data access

46 Mobile Challenges Users are beyond corporate firewall - To VPN or not to VPN? Authentication/Authorization challenges Disconnected editing - Local copies of data Management of mobile devices - Enterprise Mobility Management is the answer! - Mobile Device Management - Mobile Application Management - Security Gateways - Examples: MobileIron, MaaS360, Airwatch, and many more

47 Mobile Potential Access Patterns DMZ Web Adaptor IIS Portal ArcGIS VPN ArcGIS Server Security Gateway SQL Server NAS Shared config store AD FS 2.0 External facing GIS Enterprise AD ArcGIS Desktop

48 Mobile Implementation Guidance Encrypt data-in-transit (HTTPS) via TLS Encrypt data-at-rest Segmentation - Use ArcGIS Online, Cloud, or DMZ systems to disseminate public-level data Perform Authentication/Authorization Use an Enterprise Mobility Management (EMM) solution - Secure - Enforce encryption - App distribution - Remote wipe - Control 3 rd party apps & jailbreak detection

49 Cloud Matt Lorrain

50 Decreasing Customer Responsibility Cloud Service Models Non-Cloud - Traditional systems infrastructure deployment - Portal for ArcGIS & ArcGIS Server Customer Responsible End to End IaaS - Portal for ArcGIS & ArcGIS Server - Some Citrix / Desktop SaaS - ArcGIS Online - Business Analyst Online Customer Responsible For Application Settings

51 Cloud Deployment Models Online Online Intranet Intranet Intranet Server Portal Server Public Hybrid 1 On- Premises Online Server Server Server Read-only Basemaps Intranet Intranet Portal Server Cloud Hybrid 2 On-Premises + On-premise

52 Cloud Management Models Self-Managed - Your responsibility for managing IaaS deployment security - Security measures discussed later Provider Managed - Esri Managed Services (Standard Offering) - New Esri Managed Cloud Services (EMCS) Advanced Plus - FedRAMP Moderate environment

53 Cloud IaaS Amazon Web Services 8 Security Areas to Address - Virtual Private Cloud (VPC) - Identity & Access Management (IAM) - Administrator gateway instance(s) (Bastion) - Reduce attack surface (Hardening) - Security Information Event Management (SIEM) - Patch management (SCCM) - Centralized authentication/authorization - Web application firewall (WAF)

54 Cloud IaaS Reduce your risk in 10 minutes! Minimize RDP surface - Update OS patches - Many AMI s disable automatic updates - Enable NLA for RDP - Set AWS Firewall to Limit RDP access to specific IP s - Use strong passwords, account lockout policies Minimize Application Surface - Disable ArcGIS Services Discovery - Don t expose ArcGIS Manager web app to Internet Enable 2-factor Authentication to your AWS console - The AWS console is a one-stop shop for access to all your instances in the cloud

55 Cloud Hybrid deployment combinations Users Apps Anonymous Access On-Premises Ready in months/years Behind your firewall You manage & certify Esri Managed Cloud Services Ready in days All ArcGIS capabilities at your disposal in the cloud Dedicated services FedRAMP Moderate ArcGIS Online Ready in minutes Centralized geo discovery Segment anonymous access from your systems FISMA Low... All models can be combined or separate

56 Cloud Hybrid ArcGIS Online Users 4. Access Service Group TeamGreen 1. Register Services AGOL Org On-Premises ArcGIS Server Hosted Services, Content Public Dataset Storage ArcGIS Org Accounts External Accounts 2. Enterprise Login (SAML 2.0) User Repository AD / LDAP Segment sensitive data internally and public data in cloud

57 Cloud Hybrid Data sources Where are internal and cloud datasets combined? - At the browser - The browser makes separate requests for information to multiple sources and does a mash-up - Token security with SSL or even a VPN connection could be used between the device browser and on-premises system On-Premises Operational Layer Service Cloud Basemap Service ArcGIS Online Browser Combines Layers

58 Cloud Hybrid Deployment Scenarios Common for large enterprises Primary reason - Data Segmentation / Prevent storing sensitive data in the cloud What is stored in AGOL? Service Metadata - Username & password - Default, not saved - Initial extent - Adjust to a less specific area - Name & tags - Address with organization naming convention - IP Address - Utilize DNS names within URL s - Thumbnail image Replace with any image as appropriate

59 Cloud ArcGIS Online Standards Enterprise Logins - SAML Provides federated identity management - Integrate with your enterprise LDAP / AD New API s to Manage users & app logins - Developers can utilize OAuth 2-based API s -

60 Cloud ArcGIS Online Implementation Guidance Require HTTPS Do not allow anonymous access Allow only standard SQL queries Restrict members for sharing outside of organization (as feasible) Use enterprise logins with SAML 2.0 with existing Identity Provider (IdP) - If unable, use a strong password policy (configurable) in ArcGIS Online - Enable multi-factor authentication for users Use multifactor for admin accounts Use a least-privilege model for roles and permissions - Custom roles

61 Esri Managed Cloud Services Advanced Plus Michael Young

62 Esri Managed Cloud Services Advanced Plus What is it? Cloud-based GIS infrastructure support, including: - Enterprise system design - Infrastructure management - Software (Esri & 3 rd Party) installation, updates, and patching - Application deployment - Database management - 24/7 support and monitoring - FedRAMP Moderate ATO by US Census Bureau - Security infrastructure - Security controls and processes

63 Esri Managed Cloud Services Advanced Plus Why did Esri pursue FedRAMP authorization? Demand - Customers demanded FedRAMP compliance before rolling out future production operations - Risk - Customer risk increasing rapidly without security infrastructure - Mandate - OMB mandate all low and moderate impact cloud services leveraged by more than one office or agency must comply with FedRAMP requirements Accelerates Review and Acceptance of Cloud Based Services

64 Esri Managed Cloud Services Advanced Plus Documentation FIPS 199 Control Implementation Summary (CIS) System Security Plan (SSP) Information System Security Policies User Guide E-Authentication Template Privacy Threshold Analysis (PTA) Rules of Behavior (ROB) IT Contingency Plan Security Assessment Plan (SAP) Test Case Workbook Security Assessment Report (SAR) Plan of Action and Milestone (POA&M) Policies and procedures Business Impact Analysis Configuration Management Plan Incident Response Plan Interconnection Security Agreement (ISA / MOU) Penetration Test Plan 1000 s of pages ensuring rigorous security

65 Esri Managed Cloud Services Advanced Plus Rigorous Third Party Security Assessment - Must occur annually - Third Party Assessment Organization (3PAO) accredited by FedRAMP - Documentation - A security review of all FedRAMP controls and implementation details - Technical Assessment - System level scans - Web Interface scans - Database scans - Penetration testing Great advisors and skilled assessors keep the effort focused

66 Esri Managed Cloud Services Advanced Plus Continuous Monitoring FedRAMP Reporting Workflow Monitoring Workflow Ensures maintenance of acceptable risk posture

67 EMCS Security Infrastructure AWS Customer Infrastructure Active/Active Redundant across two Cloud Data Centers End Users Public-Facing Gateway Web Application Firewall WAF ArcGIS for Portal DMZ Security Ops Center (SOC) Security Service Gateway Intrusion Detection IDS / SIEM ArcGIS Server Cloud Infrastructure Centralized Management Backup, CM, AV, Patch, Monitor Hypervisor, TCP/IP, Network ACLs, Routing, Storage, Hardware Bastion Gateway MFA Relational Database File Servers Authentication/Authorization LDAP, DNS, PKI Dedicated Customer Application Infrastructure Common Security Infrastructure Esri Administrators Esri Admin Gateway Cloud Infrastructure Hypervisor, TCP/IP, Network ACLs, Routing, Storage, Hardware Common Cloud Infrastructure Legend Agency Application Cloud Provider Security

68 Compliance Michael Young

69 Compliance ArcGIS Platform Security Esri Corporate Cloud Infrastructure Providers Products and Services Solution Guidance

70 Compliance Extensive security compliance history FISMA Law Established FedRAMP Announced First FedRAMP Authorization OMB FedRAMP Mandate Planned ArcGIS Online FedRAMP Authorization Esri GOS2 FISMA Authorization Esri Participates in First Cloud Computing Forum Esri Hosts Federal Cloud Computing Security Workshop ArcGIS Online FISMA Authorization EMCS receives FedRAMP ATO Esri has actively participated in hosting and advancing secure compliant solutions for over a decade

71 Compliance Esri Corporate ISO Esri s Corporate Security Charter Privacy Assurance - US EU/Swiss SafeHarbor self-certified - TRUSTed cloud certified

72 Compliance Cloud Infrastructure Providers ArcGIS Online Utilizes World-Class Cloud Infrastructure Providers - Microsoft Azure - Amazon Web Services Cloud Infrastructure Security Compliance

73 Compliance Products and Services ArcGIS Online - FISMA Low Authority to Operate by USDA (2014) - FedRAMP - Upcoming Esri Managed Cloud Services (EMCS) - FedRAMP Moderate (2015) - HIPAA Ready (2016) ArcGIS Server - DISA STIG (2016) ArcGIS Desktop - FDCC (versions ) - USGCB (versions 10.1+)

74 Compliance Solution Level Geospatial Deployment Patterns to meet stringent security standards - Hybrid deployments - On-premise deployments Supplemented with 3 rd party security components - Enterprise Identity management integration - CA SiteMinder (Complete) - Geospatial security constraints ConTerra - Mobile security gateway integration Best practices for compliance alignment - CJIS Law Enforcement - HIPAA Healthcare

75 Compliance Responsibility Across Hosting Options On-premises Esri Images & Cloud Builder Esri Managed Cloud Services FedRAMP Moderate ArcGIS Online FISMA Low ArcGIS Server ArcGIS Server ArcGIS Server ArcGIS Online OS/DB/Network OS/DB/Network OS/DB/Network OS/DB/Network Security Infrastructure No Security Infrastructure by default Security Infrastructure Security Infrastructure Virtual / Physical Servers Cloud Infrastructure (IaaS) Cloud Infrastructure (IaaS) Cloud Infrastructure (IaaS) Customer Responsibility Esri Responsibility CSP Responsibility

76 Compliance Cloud Roadmap 2015 Upcoming 2014 ArcGIS Online FISMA Low Managed Services (EMCS) FedRAMP Mod ArcGIS Online FedRAMP

77 Summary

78 Summary Security demands are rapidly evolving - Prioritize efforts accord to your industry and needs - Don t just add components, simplified Defense In Depth approach Secure best practice guidance is available - Check out the ArcGIS Trust Site! - Security Architecture Workshop - SecureSoftware@esri.com

79 Thank you Please fill out the session survey in your mobile app In the agenda, click on the title of this session - Enterprise GIS: Security Strategy Click Technical Workshop Survey Answer a few short questions and enter any comments

80 Want to learn more?

81