Esri Managed Cloud Services and FedRAMP

Transcription

1 Federal GIS Conference February 9 10, 2015 Washington, DC Esri Managed Cloud Services and FedRAMP Erin Ross & Michael Young

2 Agenda Esri Managed Services Program Overview Example Deployments New FedRAMP Compliant Option Esri Managed Cloud Services FedRAMP Process Esri Managed Cloud Services Security Infrastructure How to Get Started Summary

3 Program Overview

4 ArcGIS Cloud Options SaaS PaaS ArcGIS Online or Custom Esri Apps and Data on fully Managed Cloud Services ArcGIS for Server on Esri managed cloud infrastructure IaaS ArcGIS for Server images available to use on cloud infrastructure

5 ArcGIS for Server on [Fill in the Blank] Supported on multiple cloud platforms - Virtual or bare metal Full ArcGIS for Server capabilities User-provisioned cloud infrastructure resources Pay for what you use BYOL or ArcGIS term licensing available

6 ArcGIS Online Create, share, collaborate Subscription-based - Named User - Credits pay as you go Updates and enhancements occur behind the scenes

7 Esri Managed Cloud Services Cloud-based GIS infrastructure support, including: - Enterprise system design - Infrastructure management - Software (Esri & 3 rd Party) Installation, updates and patching - Application deployment - Database management - 24/7 support and monitoring

8 ArcGIS Deployment Models Users Apps Anonymous Access Portal ArcGIS Online Server On-Premises Portal Server Esri Managed Cloud Services

9 Benefits of Esri Managed Cloud Services Increase efficiency and business focus High availability, quality and performance Reduce internal costs Preserves data integrity, privacy and availability Increase usage and productivity Cloud GIS experts managing your critical apps and content

10 How is it delivered? Available on GSA

11 Basic Packages Sandbox Ready to use cloud instance of ArcGIS for Server Remote access provided to user Ideal for development, prototyping...

12 Standard, Advanced, Advanced Plus Packages Esri loads, publishes and deploys on behalf of customer 24/7 system monitoring and support Ideal for production systems (internal or public facing) Staging Production Test Dev

13 Example Deployments

14 USGS Historical Topographic Maps More than 175,000 topographic maps published by the USGS since TB data x 2 for redundancy 1.6 million hits during Esri User Conference Consumed by several apps; premium service available in ArcGIS Online

15 Constellation Brands Improve sales by leveraging tools to drive volume and revenue 4 th of July deadline 2.7M records updated 2x / week via scripted tools Equipping staff with valuable information to increase sales

16 Power Outage Viewers Highly available, scalable systems ready to perform during major events Frequent, automated data updates Bringing critical outage information to the general public

17 Hurricane Sandy 14 additional servers (17 total) Central Maine Power - 34 million hits over 3 days New York State Electric & Gas 76 million hits over 3 days 2/10/ :30 am Peak Sandy Hours

18 Maine October 29

19 Maine October 30

20 Maine Ocbober 31

21 Maine November 1

22 Maine November 2

23 Who else uses Esri Managed Cloud Services? 80+ customers Leveraged across many sectors Manage over 500 servers, several TB of data

24 New FedRAMP Compliant Offering Michael Young

25 Federal Geospatial Cloud Security Compliance Roadmap 2002 FISMA Law Established Required security baselines for Federal systems Feb 2010 Kundra Announces FedRAMP Security Working Group concept announced May 2013 First Agency Authorization HHS Issues ATO to Amazon June 2014 OMB FedRAMP Mandate FedRAMP now required for all cloud solutions covered by policy memo Planned ArcGIS Online FedRAMP Authorization Aug 2005 Esri GOS2 FISMA Authorization DOI Issues ATO to Esri May 2010 Esri Participates in First Cloud Computing Forum Esri begins active involvement in cloud standards & security programs Dec 2011 Esri Federal Cloud Computing Security Workshop Esri works with Agencies & FedRAMP to plan SaaS Compliance June 2014 ArcGIS Online FISMA Authorization USDA Issues ATO to Esri Jan 2015 EMCS FedRAMP Compliant Signoff by FedRAMP Director Planned for 2015 ArcGIS Online Hosted Feature Services Authorization DOI working with Esri towards Authorization Esri has actively participated in hosting and advancing secure compliant solutions for over a decade

26 FedRAMP What does FedRAMP do? - Replace varied and duplicative procedures across government by providing agencies with a standard approach for conducting security assessments of cloud services What is core of FedRAMP? - An accepted set of baseline security controls and consistent processes that have been vetted and agreed upon by agencies across the government Why did Esri pursue FedRAMP Compliance? - Customers demanded FedRAMP compliance before rolling out future production operations - Customer risk has been increasing rapidly without security infrastructure - OMB mandate all low and moderate impact cloud services leveraged by more than one office or agency must comply with FedRAMP requirements Accelerates Review and Acceptance of Cloud Based Services

27 FedRAMP Government Entities Cross Government Support

28 EMCS FedRAMP Benefits What does EMCS provide? Contingency planning and risk management Patch and key management Data encryption and intrusion detection System logging and reporting Centralized identity and access management Regular security audits Well documented policies and procedures What are the benefits? Preserve data integrity Protect sensitive datasets Ensure availability and reliability Builds assurance and awareness Save costs by embracing Cloud First Shift the burden of managing enterprise GIS systems to the experts Penetration testing and vulnerability scanning CONTINUOUS MONITORING!

29 FedRAMP What is the process? Risk Management Framework (RMF) centric process

30 Esri Managed Cloud Services FedRAMP Documentation FIPS 199 Control Implementation Summary (CIS) System Security Plan (SSP) Information System Security Policies User Guide E-Authentication Template Privacy Threshold Analysis (PTA) Rules of Behavior (ROB) IT Contingency Plan Security Assessment Plan (SAP) Test Case Workbook Security Assessment Report (SAR) Plan of Action and Milestone (POA&M) Policies and procedures Business Impact Analysis Configuration Management Plan Incident Response Plan Interconnection Security Agreement (ISA / MOU) Penetration Test Plan 1000 s of pages ensuring rigorous security

31 EMCS FedRAMP Assessment Cloud Security Assessor Veris Group - Third Party Assessment Organization (3PAO) accredited by FedRAMP - 1 st to successfully inspect FedRAMP CSP Supplied, JAB, and Agency Approved Solutions - 5 month engagement - Three months of active Technical and Documentation assessments - System level scans - Web Interface scans - Database scans - Penetration testing FedRAMP Advisor Relevant Technologies - Laura Taylor - Wrote the initial Guide to Understanding FedRAMP Great advisors and skilled assessors keep the effort focused

32 EMCS FedRAMP Authorization 3 Baseline Security Control Levels - Low, Moderate*, High in draft 3 Status Levels - Ready, In Process, Compliant* 3 FedRAMP Authorization Levels - Cloud Service Provider (CSP) Supplied* - Agency Authorization To Operate (ATO) - Joint Agency Board (JAB) Provisional Authority To Operate Esri Managed Cloud Services is - FedRAMP Moderate - FedRAMP Compliant - CSP Supplied offering EMCS CSP Supplied Package can be consumed by your Agency

33 EMCS FedRAMP Continuous Monitoring FedRAMP Reporting Workflow Monitoring Workflow Ensures maintenance of acceptable risk posture

34 Esri Managed Cloud Services Security Infrastructure

35 Esri Managed Cloud Services - Security Infrastructure Overview Most government systems - Require moderate security baseline controls Most geospatial information sets - Only require low baseline controls - ArcGIS Online Low FISMA is adequate for many customer use cases Esri Managed Cloud Services FedRAMP Infrastructure Design Goals - Consumable by the widest range of customers - Amazon East-West Regions Not limited to GovCloud - Drive down customer expenses for secure, compliant geospatial services - Customer s can choose level of multi-tenancy vs dedicated services they are comfortable with - Meet and exceed current rigorous FedRAMP requirements for cloud services - First geospatial platform to be compliant with FedRAMP Rev 4 requirements A balance of robust security and business requirements drove infrastructure choices

36 Esri Managed Cloud Services - Security Infrastructure AWS Customer Infrastructure Active/Active Redundant across two Cloud Data Centers End Users Public-Facing Gateway Web Application Firewall WAF ArcGIS for Portal DMZ Security Ops Center (SOC) Security Service Gateway Intrusion Detection IDS / SIEM ArcGIS Server Cloud Infrastructure Centralized Management Backup, CM, AV, Patch, Monitor Hypervisor, TCP/IP, Network ACLs, Routing, Storage, Hardware Bastion Gateway MFA Relational Database File Servers Authentication/Authorization LDAP, DNS, PKI Dedicated Customer Application Infrastructure Common Security Infrastructure Esri Administrators Esri Admin Gateway Cloud Infrastructure Hypervisor, TCP/IP, Network ACLs, Routing, Storage, Hardware Common Cloud Infrastructure Legend Agency Application Cloud Provider Security

37 Esri Managed Cloud Services - Security Infrastructure Foundation built on FedRAMP Rev 4 Security controls First Geospatial solution to be assessed for compliance against latest cloud security controls

38 Esri Managed Cloud Services - Security Infrastructure (cont.) Technical, Operational, and Managerial Components Formalize Policies and Procedures Incorporate Security Components - Intrusion Detection System (IDS) - Web Application Firewall (WAF) - Multi-factor Authentication NSA Suite B alignment - Bastion Gateway / Jump Hosts Reduce administrative interface attack surface - Centralized advanced server and application monitoring and updates Incorporate Security Hardening Standards - Utilize pre-existing Center for Internet Security (CIS) benchmarks as feasible - Create a draft ArcGIS Server 10.3 STIG

39 Esri Managed Cloud Services - Security Infrastructure (cont.) DISA STIG for ArcGIS Server 10.3 Draft STIG Settings Provided to DISA - Undergoing SME Review

40 Esri Managed Cloud Services - Security Infrastructure (cont.) Separation of duties Security Operating Center backed by Certified Security Experts Applications managed by Certified ArcGIS Platform Experts Managed by certified experts in their field

41 How to get started

42 How do I get started? Express an interest in service offering and let your security team know EMCS is FedRAMP compliant Agency Authorized FedRAMP Approver can facilitate download and review of FedRAMP package for If you are unsure of your FedRAMP approver the FedRAMP PMO: info@fedramp.gov What else is available outside FedRAMP repository? - Cloud Security Alliance (CSA) answers for EMCS coming Complete Agency Authority To Operate (ATO) - Utilize pre-existing EMCS and AWS FedRAMP moderate docs Simplifies obtaining an ATO for your organization

43 Summary Erin Ross

44 Summary Esri Managed Cloud Services is FedRAMP compliant Esri has experts available to support your cloud GIS and security infrastructure Esri Managed Cloud Services has a range of options available to meet your operational needs Customer s can now visit the FedRAMP repository and request our Esri Managed Cloud Services security package

45 Federal GIS Conference February 9 10, 2015 Washington, DC Don t forget to complete a session evaluation form!

46