3 Introduction - Michael E Young - Esri Principal Security Architect - AGOL FISMA Information System Security Officer (ISSO) - Certified Information Systems Security Professional (CISSP)
4 Introduction Cloud security affected by many moving parts Cloud Security Standards Evolving Cloud First Initiative Advancing ArcGIS Security Capabilities Evolution of Cloud Provider Capabilities Mobilization of workforce
5 Introduction Choosing an appropriate cloud deployment Not just technical issues/concerns Political push/pull issues - Cloud first vs. We don t trust cloud providers, yet No silver bullet for all cloud security concerns - This session provides a roadmap of options and best practices, not just a Safe button to push
6 Introduction Heightened Cybersecurity Concerns over the last month Executive Order on Improving Critical Infrastructure Cybersecurity Report APT1: Exposing One of China s Espionage Units DHS Recommendation to disable Java
7 Introduction Top Cloud Threats for CSA
8 Introduction Cloud Security Standards Evolving FISMA - Per solution, per agency accreditation since Pre-cloud FedRAMP - Do once, use many times cloud security framework - First IaaS ATO December 2012
9 Introduction Esri s Security Strategy Evolution Enterprise Solution Product Isolated Systems Integrated Systems Cloud 3 rd Party Security Embedded Security Managed Security
10 Introduction Pre-Cloud Deployment Editors Manual Response Analysis Manual Response Collection in the Field SDE Weekly Extract FGDB Desktop/Laptop read-only viewer Paper Maps Ineffective dissemination to field workers and external groups
13 ArcGIS Cloud Capabilities Service Models Each service layer fulfills different business needs ArcGIS Online Biz Process/ Operations App/Svc Usage Scenarios Software as a Service Platform as a Service Application Development Develop, Test, Deploy and Manage Usage Scenarios Cloud Provider IT Infrastructure/ Operation Create/Install, Manage, Monitor Usage Scenarios Infrastructure as a Service ArcGIS Server, Portal for ArcGIS * NIST SRA
14 ArcGIS Cloud Capabilities Service Models Non-Cloud - Traditional systems infrastructure deployment - Portal for ArcGIS & ArcGIS Server IaaS - Portal for ArcGIS & ArcGIS Server - Some Citrix / Desktop SaaS - ArcGIS Online - Business Analyst Online - Community Analyst Agency Responsible End to End Decreasing Agency Responsibility Agency Responsible For Application Settings
15 ArcGIS Cloud Capabilities Deployment Models On-Premises - Information cannot go outside an organizations walls - Solution: Portal for ArcGIS Community - Data / Systems management constraints - Amazon GovCloud ITAR / US Persons - Esri Managed Services Prototype in place - CGI Federal ITAR / US Citizen - Esri Managed Services starting Hybrid - Customer can manage services and data in their walls (Segmentation) - Common implementation Public - Accessible and cost effective - ArcGIS Online - Uses public cloud infrastructure like SalesForce / Google Apps
16 ArcGIS Cloud Capabilities Management Model Self-Managed - Your responsibility for managing IaaS deployment security - Key security controls discussed later Esri Managed - Managed Services - Starting work on FISMA compliant environment capabilities - Government community cloud management now available
17 ArcGIS Cloud Capabilities Hybrid Implementation Public Agency B Gov t IaaS Agency Portal Internal AGS Filtered Content External AGS ArcGIS Online Agency C Agency Database File Geodatabase Public IaaS Field Worker Agency A
18 ArcGIS Cloud Capabilities Implementation options Service Non-Cloud IaaS SaaS Model AGS Your Location AGS in AWS ArcGIS Online Deployment On-Premises Community mun Hybrid Public Model Your location AWS GovCloud Your Loc+AWS AWS/Azure Management Self Managed aged Managed Model You Esri On-premise Cloud *AWS is a placeholder on this slide for any cloud provider such as Azure, CGI, or Terremark
19 ArcGIS Online Security
20 ArcGIS Online Security SaaS Cloud Components
21 ArcGIS Online Security How is it used? Web Map Work Planner Assigns work to field workers Field Workers Gets work via area polygon Polygon set to in progress Creates points Captures picture(s) Sets polygon status to complete Event Center Uses map to find completed field work Develop Material/ Equipment List Organization Views impact of event on the system Working off one map
22 ArcGIS Online Security Deployment Options Online Online Intranet Intranet Intranet Server Server Server Portal Server Server Server Online Server Server Server Read-only Basemaps Intranet Intranet Portal Server Server Server Cloud On-premise
23 ArcGIS Online Security Hybrid Cloud Deployment AGOL Web Map SDE Extracts FGDB Feature Services Mobile View (Esri App) Empty Schemas.mxd ArcGIS Server Desktop View Segment sensitive data internally and public data in cloud
24 ArcGIS Online Security Hybrid Cloud Deployment - Metadata Common reason for hybrid cloud deployment is to prevent storing sensitive data in the cloud Initial FISMA accreditation based on this deployment What is stored in AGOL? - Metadata 5 metadata items that could be deemed sensitive are: 1. Service username & password Default, not saved 2. Service initial extent Adjust to a less specific area 3. Service name & tags Address with organization naming convention 4. Service IP Address Utilize DNS names within URL s 5. Service thumbnail image Replace with any image as appropriate
25 ArcGIS Online Security Hybrid Cloud Deployment Data sources Where are internal and cloud datasets combined? - At the browser - The browser makes separate requests for information to multiple sources and does a mash-up - Token security with SSL or even a VPN connection could be used between the device browser and on-premises system On-Premises Operational Layer Service Cloud Basemap Service ArcGIS Online Browser Combines Layers https://yourserver.com/arcgis/rest...
26 ArcGIS Online Security Responsibility across components Application Customer Configured Web Admin App (Org-wide settings, Management) End-User Org Portal (Create maps, Share, Discover) Application Esri Managed ArcGIS Online Application (Portal, Map Services, Account Management) Data (Portal, Index, Hosted) OS & Middleware Esri & Cloud Provider Managed Middleware Operating System Infrastructure Cloud Provider Managed Server Infrastructure (Servers, Storage, Racks) Network Infrastructure (Switches, Routers, Cables, SAN) Data Center (Physical facility, UPS, Cooling)
27 ArcGIS Online Security Common Questions 1. Where is my data? - All ArcGIS Online data and processing resides within US Data centers on US soil 2. Is my information encrypted? - Organization administrator can force SSL encryption for all communications - ArcGIS Online does not encrypt data at rest; however sensitive items can be encrypted by 3 rd party solutions 3. Is it security accredited? - Actively in progress and expected this year 4. Is my data locked into ArcGIS Online? - Data publishers can extract and download data back to their organization via shapefiles, CSVs, or original publication package.
28 ArcGIS Cloud Providers
29 ArcGIS Cloud Providers ArcGIS Deployments Amazon Web Services CGI Terremark Microsoft Azure
30 ArcGIS Cloud Providers Amazon Web Services Utilized by Esri Cloud Builder solution AWS IaaS is FISMA moderate Actively working towards FedRAMP GovCloud meets US Persons requirements
31 ArcGIS Cloud Providers CGI & Terremark * CGI Architecture Diagram Offer IaaS type capabilities through VMWare CGI Recently Received FedRAMP Provisional ATO Additional layers of security can be added to expedite accreditation efforts Can meet US Citizenship requirements as necessary
32 ArcGIS Cloud Providers Microsoft Azure Cloud IaaS PaaS Actively working towards FedRAMP compliance this year Esri is actively testing ArcGIS Server in IaaS cloud
33 ArcGIS IaaS Security
34 ArcGIS IaaS Security Question - If my cloud IaaS is FISMA/FedRAMP accredited and I deploy my app into that cloud, is the overall implementation FISMA/FedRAMP equivalent? Answer - No IaaS FISMA Default ArcGIS Question Part 2 - Okay, so it s not FISMA/FedRAMP equivalent, but the IaaS by itself ensures the solution is secure enough, right? Answer - No
35 ArcGIS IaaS Security Why is IaaS accreditation by itself not enough? Where are most of the vulnerabilities & who is responsible for mitigating them? Customer Responsibility in IaaS
36 ArcGIS IaaS Security Common ArcGIS IaaS Deployments - Deploy ArcGIS Server Windows AMI to AWS - Deploy ArcGIS Server via Cloud Builder to AWS ArcGIS AWS Security Best Practices - Infrastructure Controls - Big Data Transfer - Application Controls - 5 minute minimum
37 ArcGIS IaaS Security Best Practices in AWS Segment cloud infrastructure - Utilize Amazon Virtual Private Cloud (VPC) - Utilize separate VPC s for DMZ, Web, App, DB, and Admin systems Utilize Amazon Identity & Access Management (IAM) - Implement two-factor authentication Establish a remote admin gateway - Reduce the number of internet facing admin connections
38 ArcGIS IaaS Security Best Practices in AWS Reduce attack surface of all interfaces - Security harden system & disable unused services - Reference GeoCloud instance for policies - Potential future ArcGIS Server STIG Establish change management & logging infrastructure - SIEM & HIDS integration - Patch management deployment (SCCM) Centralized systems authentication & authorization Establish Web Application Firewall capabilities
39 ArcGIS IaaS Security Transferring Big Data to the cloud FTP? Don t do it! Compression Tools - RainStor 1/40 th original size - No time/storage consuming re-inflation TCP / UDP Optimization Tools - Aspera - Utilize UDP for throughput and TCP for error-free Multifunction Optimization Tools - Cloud Opt & Attunity Cloudbeam - Compression, protocol optimization, data de-duplication, SSL acceleration
40 ArcGIS IaaS Security Minimize ArcGIS Server Attack Surface Don t expose Server Manager to public Disable Services Directory Disable Service Query Operation (as feasible) Enable Web Service Request Filtering - Windows 2008 R2+ Request Filtering - XML Security Gateway - Does not intercept POST requests - REST API only requires GET and HEAD verbs Limit utilization of commercial databases under website - File GeoDatabase can be a useful intermediary Require authentication to services File Geo Database New whitelisting capabilities coming
41 Too Much? Scenario: I just have a non-production system and all data is public.
42 ArcGIS IaaS Security Basic Steps for The Overwhelmed 1. Minimize RDP surface - Update OS patches - Many AMI s disable automatic updates - Enable NLA & FIPS for RDP - Set AWS Firewall to Limit RDP access to specific IP s 2. Minimize Application Surface - Disable ArcGIS Services Directory - Don t expose ArcGIS Manager web app to Internet These steps can be completed within 5 minutes Do them!
43 ArcGIS IaaS Security Want more details? Suggest utilizing SANS 20 Critical Security Controls - More specific guidance for Amazon IaaS deployments -
44 ArcGIS Security Advancements
45 ArcGIS Security Advancements Esri Product Federal A&A Roadmap Product Cloud Provider Planned Federal A&A Q Q Q Q ArcGIS Online Amazon Web Services Amazon Web Service & MS Azure FISMA Low FedRAMP Mod Implement ATO FISMA USDA Alignment FedRAMP SaaS Reviews Started Implement ATO ArcGIS Server CSP or AWS GovCloud FISMA Mod Facilitate ATO FISMA Incorporate Lessons Learned Esri Managed AWS,CSP FedRAMP Mod Alignment Establish AGS Fed Image Implement ATO
46 ArcGIS Security Advancements ArcGIS Online Security Certification Efforts In Place - Esri Data Center Operations - SSAE 16 Type 1 - Expanded to Managed Services in 2012 Currently Pursuing - FISMA Low Accreditation - Includes 3 rd party assessment - Expected completion over next several months - Safe Harbor Self-Certification Future - Addresses Privacy - FedRAMP Moderate - Incorporates more advanced security controls
47 ArcGIS Security Advancements Upcoming ArcGIS Online Security Capabilities Federated Identity Management - SAML 2.0 Web SSO Profile - Beta - March Production - Summer ADFS & CA SiteMinder ArcGIS Online Browser Agency More granular role permissions - Allow customization of roles and rights Sign into and use ArcGIS Online using your Enterprise login / identity.
50 ArcGIS Security Advancements Additional ArcGIS Security Resources Available Now - ArcGIS Online Security Flyer - / software/arcgis/arcgis-online/agol-security-overview-flyer.pdf - Enterprise Security Resource Center - Future - ArcGIS Server STIG - DISA / FISMA Alignment - ArcGIS Online Cloud Security Alliance (STAR) - Standardized cloud security control documentation
52 Summary Cloud security is NOT just about technology - Understand your organizations Cloud GIS risk level - Utilize Defense-In-Depth ArcGIS Cloud Capabilities are expanding rapidly - Deployments across numerous cloud providers - Deployments in government community clouds Expect standardized cloud security from Esri - Product Security Capabilities SAML Web SSO - Alignment with Federal Regulations FedRAMP, FISMA - Security Control Documentation CSA - Security Hardened Images Checklist Don t forget to take 5 minutes to check your IaaS!
53 What is still needed? Your Input is Crucial Your Feedback and Insight Today is Essential - Current Security Issues - Upcoming Security Requirements - Areas of concern Not addressed Today Contact Us At: Enterprise Security
54 Wednesday Closing Session Closing and Hosted Lunch 11:30 AM 1:30 PM Ballrooms A C, Third Level Join conference attendees for lunch and closing session Closing Speaker Todd Park, U.S. CTO Wrap-up and request for feedback with Jack Dangermond.
55 Upcoming Events esri.com/events Date Event Location March 21, 2013 Esri DC Meet Up Big Data & Location Analytics Washington, DC April 18, 2013 Esri DC Meet Up Washington, DC March 23 26, 2013 Esri Partner Conference Palm Springs, CA March 25 28, 2013 Esri Developer Summit Palm Springs, CA July 6 9, 2013 Esri National Security Summit San Diego, CA July 8 12, 2013 Esri International User Conference San Diego, CA
56 Thank You Please complete a session evaluation form. #FedGIS
A COALFIRE WHITE PAPER Using s Cloud & Data Center Security Solution to meet PCI DSS 3.0 Compliance Implementing s Deep Security Platform in a Payment Card Environment April 2015 Page 1 Executive Summary...
The Critical Security Controls for Effective Cyber Defense Version 5.0 1 Introduction... 3 CSC 1: Inventory of Authorized and Unauthorized Devices... 8 CSC 2: Inventory of Authorized and Unauthorized Software...
WHITE PAPER Informatica Cloud Architecture and Security Overview Independent Analysis of the Architecture and Security Features of Informatica Cloud Prepared by Mercury Consulting, a leader in Ground to
RSA Authentication Manager 8.1 Planning Guide Revision 1 Contact Information Go to the RSA corporate website for regional Customer Support telephone and fax numbers: www.emc.com/domains/rsa/index.htm Trademarks
PeopleSoft Red Paper Series Securing Your PeopleSoft Application Environment July 2010 Including: How to Plan for Security How to Secure Customized System Exposing PeopleSoft outside the Firewall Securing
Seeing Though the Clouds A PM Primer on Cloud Computing and Security NIH Project Management Community Meeting Mark L Silverman Are You Smarter Than a 5 Year Old? 1 Cloud First Policy Cloud First When evaluating
Managed Workplace 2012 Setup Guide On Premise See All. Manage All. Service All. www.levelplatforms.com TABLE OF CONTENTS Welcome... vii About this Document... viii Where To Get More Help... viii Contact
IT@Intel White Paper Intel IT IT Best Practices Cloud Computing and Information Security January 2012 Virtualizing High-Security Servers in a Private Cloud Executive Overview Our HTZ architecture and design
Siebel Security Guide Siebel Innovation Pack 2013 Version 8.1/8.2 September 2013 Copyright 2005, 2013 Oracle and/or its affiliates. All rights reserved. This software and related documentation are provided
Windows Firewall with Advanced Security Design Guide and Deployment Guide Microsoft Corporation Published: October 2008 Author: Dave Bishop Editor: Allyson Adley Reviewers: Bilal Aijazi, Boyd Benson, Shalaka
Cyber Security Planning Guide The below entities collaborated in the creation of this guide. This does not constitute or imply an endorsement by the FCC of any commercial product, service or enterprise
Standard: Version: 2.0 Date: June 2011 Author: PCI Data Security Standard (PCI DSS) Virtualization Special Interest Group PCI Security Standards Council Information Supplement: PCI DSS Virtualization Guidelines
Checklist to Assess Security in IT Contracts Federal Agencies that outsource or contract IT services or solutions must determine if security is adequate in existing and new contracts. Executive Summary
Securing Traditional and Cloud-Based Datacenters With Next-generation Firewalls February 2015 Table of Contents Executive Summary 3 Changing datacenter characteristics 4 Cloud computing depends on virtualization
Enterprise Mobility Management: A Data Security Checklist Executive Summary Secure file sharing, syncing and productivity solutions enable mobile workers to access the files they need from any source at
Acknowledgment to ECSC for guidance and support in the creation of elements of this manual Introduction Rapidly developing information and communication technologies (ICT) are exciting and motivating learning
AKAMAI SERVICES April 20, 2015 The following definitions, billing methodologies, service descriptions and additional terms are applicable to the purchase and use of Akamai s various products and Services
vshield Manager 5.0.1 vshield App 5.0.1 vshield Edge 5.0.1 vshield Endpoint 5.0.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced
Overview Guide ShareFile Enterprise technical overview Secure data sync and sharing services ShareFile empowers users to securely share files with anyone and to sync files across all of their devices The
FIRST Site Visit Requirements and Assessment Document originally produced by CERT Program at the Software Engineering Institute at Carnegie Mellon University And Cisco Systems PSIRT Revision When Who What
identity as the new perimeter: securely embracing cloud, mobile and social media agility made possible IT transformation and evolving identities A number of technology trends, including cloud, mobility,
Microsoft System Center 2012 R2 Why Microsoft? For Virtualizing & Managing SharePoint July 2014 v1.0 2014 Microsoft Corporation. All rights reserved. This document is provided as-is. Information and views