Designing an Enterprise GIS Security Strategy

Transcription

1 Esri International User Conference San Diego, California Technical Workshops July 26, 2012 Designing an Enterprise GIS Security Strategy Michael E Young

2 Agenda Introduction Strategy Trends Mechanisms ArcGIS Server Mobile Cloud Compliance

3 Introduction - Michael E Young - Esri Principal Security Architect - Certified Information Systems Security Professional (CISSP)

4 Introduction What is a secure GIS?

5 Introduction Sign in Japan Narita Airport - May 2011 Context is key for identifying the appropriate secure GIS solution for your organization

6 Introduction What is The Answer? Risk Impact

7 Introduction Where Are the Vulnerabilities? * SANS Relative Vulnerabilities

8 Strategy

9 Strategy Identify your Security Needs - Assess your environment - Datasets, Systems - Sensitivity, Categorization Understand Security Options - Enterprise GIS Resource Center - Enterprise-wide Security Mechanisms - Application Specific Options - Utilize patterns Implement Security as a Business Enabler - Improve appropriate availability of information

10 Strategy Enterprise GIS Security Strategy Security Risk Management Process Diagram - Microsoft

11 Strategy Esri s Security Strategy Evolution Enterprise Solution Product Isolated Systems 3 rd Party Security Integrated Systems Embedded Security Cloud Managed Security

12 Strategy Esri Products and Solutions Secure Products - Trusted geospatial services - Individual to organizations - Extending validation Secure Enterprise Guidance - Enterprise Resource Center - Patterns - Online Help Secure Solution Management - SaaS Functions & Controls - ArcGIS Online Security Overview

13 Strategy Expanded Security Online Help and Papers

14 Strategy Security Implementation Patterns Risk based 3 categories / NIST alignment Selection process - Formal NIST Informal To prioritize information security and privacy initiatives, organizations must assess their business needs and risks

15 Strategy Security Principles CIA Security Triad Defense in Depth

16 Strategy Defense in Depth Authentication Authorization Data and Assets Physical Controls Policy Controls Technical Controls Filters Encryption Logging

17 Trends

18 Trends Perception End-User Perception - I don t ever hear about Virus issues in our company anymore Reality - Modern attacks are not as much about being visible - Layers of exploits deployed - Goal is to obtain your company s most value information

19 Trends Modern Attack Websense 2012 Threat Report Don t rely on Anti-Virus and Firewalls Alone to Protect Your Organization

20 Trends Reverse Proxy s Need to Be Maintained CVE Apache Reverse Proxy Exploit Oct 2011 Allows unauthenticated access to information that should be confidential Commonly overlooked component for updates Update Your Reverse Proxy!

21 Trends End of Browser Plug-ins? Migration away from Flash and Silverlight Plug-ins Security experts ready to unload plug-ins HTML5 limitation inconsistencies across browsers slowing migration

22 Trends Mobile Security iphone Twitter PII compromised Mobile device data not secure by default Enterprise Mobile Security Solutions can help

23 Trends Cloud Data breeches of #1 Sony PlayStation Cloud mill - #2 Epsilon Cloud mill - #6 Nasdaq Dashboard Cloud - 10k+ Sr. Execs * An Enterprise Security Strategy can help through cloud data mitigation controls and cloud security policies

24 Trends Events over the last month US loses $250 billion annually in IP theft $338 billion annually in financial theft Result of cyber espionage is the "greatest transfer of wealth in history."

25 Mechanisms

26 Mechanisms

27 Mechanisms Authentication Pre-10.1 Options - Web Traffic via HTTP 1. Web Services 2. Web Applications - Intranet Traffic via DCOM 3. Local Connections

28 Mechanisms Authentication Access Restricted Authentication Method Description Encryption None Default Internet Connections N/A Web Service or Web Application Basic Digest Windows Integrated Java EE Container Browser built-in pop-up logon Web container challenge Basic None, unless using SSL Container Managed PKI / Smartcards Public key certificate* PKI Managed Web Application Only.NET Form-based Java ArcGIS Managed Custom login and error pages. ArcGIS Server provides login None, unless using SSL None, unless using SSL Web Service Only Esri Token Cross Platform, Cross API AES-128bit Local DCOM (Gone in 10.1) Windows Integrated OS Groups AGSUser. AGSAdmin OS Managed *PKI / Smartcard Validation Environment Recently Stood up

29 Mechanisms Authorization Role Based Access Control Esri COTS - Assign access with ArcGIS Manager - Service Level Authorization across web interfaces - Services grouped in folders utilizing inheritance 3 rd Party - RDBMS Row Level or Feature Class Level - Versioning with Row Level degrades RDBM performance - Alternative - SDE Views Custom - Limit GUI - Rich Clients via ArcObjects - Web Applications - Sample code Links in ERC - Microsoft s AzMan tool

30 Mechanisms Filters 3 rd Party Options Firewalls Reverse Proxy Web Application Firewall - Open Source option ModSecurity Anti-Virus Software Intrusion Detection / Prevention Systems Limit applications able to access geodatabase

31 Mechanisms Filters Firewall Friendly Scenario Web Application Firewall in DMZ File Geodatabase (FGDB) in DMZ One-way replication via HTTP(s) Deployed to each web server for performance Internet users access to subset of Geodatabase Internet Same replication model could be used to push data to cloud DMZ Intranet WAF Web Web HTTP HTTP GIS GIS DCOM Use FGDB HTTP Database SQL Author & Publish

32 Mechanisms Filters Why no Reverse Proxy in DMZ? - One-off component / no management, minimal filtering Multi-Function Web Service Gateways - Store SSL Certificates / SSL Acceleration - URL Rewrite - Web Application Firewall External Internal DMZ

33 Mechanisms Encryption 3 rd Party Options Network - IPSec (VPN, Internal Systems) - SSL (Internal and External System) - Cloud Encryption Gateways - Only encrypted datasets sent to cloud File Based - Operating System BitLocker - GeoSpatially enabled PDF s combined with Certificates - Hardware (Disk) RDBMS - Transparent Data Encryption - Low Cost Portable Solution - SQL Express 2008 w/tde

34 Mechanisms Logging/Auditing Esri COTS - Geodatabase history - May be utilized for tracking changes - ArcGIS Workflow Manager - Track Feature based activities - ArcGIS Server 10+ Logging - User tag tracks user requests 3 rd Party - Web Server, RDBMS, OS, Firewall - Consolidate with a SIEM

35 ArcGIS Server

36 DCOM HTTP(s) SQL HTTP(s) HTTP(s) SQL HTTP(s) ArcGIS Server Public Facing Architecture Public WEB Reverse Proxy DMZ WAF Web Adaptor WEB Private SOM SOC DBclient GIS Server DBclient SvrDir DBMS SvrDir DBMS

37 ArcGIS Server 10.1 Changes Goodbye DCOM issues! Token Security enabled by default Added Publisher Role AGSAdmin / AGSUser OS Roles dropped All tier capabilities installed by default - Web, application, data - Ready to run developer platform Deploy Web Adapter to web server for production Editor feature service tracking - Owner based control Integrated Security Model still available Administrator API IIS or Apache Web Adaptor Primary Site Admin Acct Config Store Server Directories GIS Server OS Service Acct ArcGIS Server Site

38 ArcGIS Server 10.1 Deployment Want to know more about ArcGIS Server 10.1 Security? Checkout: 3:15-4:30pm - Building Secure Applications Room 32B

39 Mobile

40 Mobile Just Secure the Web Service Endpoints, Right?

41 Mobile OWASP Top 10 Mobile Issues Issue Solution Question Physical Loss Device Security Options? Malicious App What app stores allowed? Rooted Device Encryption/Strength? Patches How enforced? Insecurely Written App How is code tested? Compromised Password How secured/encrypted? Unprotected Transport TLS/SSL Utilized? Weak Session Management Tokens always passed? Unprotected Services Hardening Guidance? Internal Resource Access VPN Options?

42 Mobile Phone Security ArcGIS Mobile Security Touch Points SDE permissions Server authentication Communication Device access Storage Service authorization Project access Data access

43 Mobile Enterprise Mobile Security Built-in device capabilities - Can store features ios5 encrypted with Flex 3.0 API Enterprise device solutions (InTune, AirWatch, Good, MaaS360) - Benefits: Secure , browser, remote wipe, app distribution Application specific solutions - Benefits: Secure connections and offline device data - Esri ios SDK + Security SDK

44 Cloud

45 Cloud Is cloud right for you? Common deployment delays - Analysis paralysis - Complex Proof-of-Concepts (POC) - Technical details primary focus - Security & performance - Cost predictability concerns What type of cloud - Deployment model (where it s located) - Service model (How much it does)

46 Cloud Responsibility across cloud service models IaaS - ArcGIS Server for Amazon - CSP -> Infrastructure - Cust -> CSP Config, OS, Apps SaaS - ArcGIS Online - CSP -> Infrastructure - Esri -> CSP Config, OS, Apps - Cust -> App Config

47 Cloud Deployment models

48 Cloud SaaS Deployment options Three ArcGIS Online patterns 1. Store data and publish service to cloud 2. Only publish service metadata to cloud 3. Deploy solution on-premises

49 Cloud Amazon

50 Cloud Going Beyond 1 Tier in Amazon

51 Cloud IaaS - ArcGIS Server in Amazon Deployment Options Ease deployment - New Cloud Builder 10.1 Tool - Default not hardened Offload management (Cloud Broker Role) - Esri Managed Services Hardened instances - GeoCloud GSA / FGDC Initiative - Security hardened AMI - Shared security certification focus this year

52 Cloud IaaS Common security issues 1. Access to ports not limited - If you utilize the default image and open RDP to all IP addresses, expect to be compromised in as little as a day 2. System patches not applied - There have been a number of significant RDP vulnerabilities 3. Authentication weak - Multi-factor authentication recommended - Check out AWS Virtual MFA for a free option 4. System not hardened - Turn off/uninstall components you don t use - Utilize built-in capabilities such as NLA for RDP

53 Cloud SaaS - ArcGIS online for Organizations Organization administrator options - Require SSL encryption - Allow anonymous access to org site Consume Token secured ArcGIS Server services - 10 SP1 and later - User name and password prompts upon adding the service to a map, and viewing Transparency - Status.ArcGIS.com Upcoming - Federated Identities (SAML/ADFS)

54 Compliance and Standards

55 Compliance FDCC - Desktop products USGCB - Desktop products 10.1 Almost completed SSAE 16 Type 1 Previously SAS 70 - Esri data center operations - Expanding to Managed Services for 2012 FISMA - ArcGIS Online In progress

56 Summary & Next Steps

57 Summary Security is NOT about just a technology - Understand your organizations GIS risk level - Utilize Defense-In-Depth Secure best practice guidance is available - Check out the Enterprise GIS Resource Center! - Drill into details by mechanism or application type

58 Summary & Next Steps Your feedback and insight today is essential - Current security issues - Upcoming security requirements - Areas of concern not addressed today Contact Us At: Enterprise Security esinfo@esri.com

59 Steps to evaluate UC sessions My UC Homepage > Evaluate Sessions Choose session from planner OR Search for session

60 Thank you for attending Have fun at UC2012 Open for questions Please fill out the evaluation: Offering ID: 986 Contact Us At: Enterprise Security

61