Federal GIS Conference February 9 10, 2015 Washington, DC ArcGIS Security Authorization Advancements Michael Young & Erin Ross
Overview Authorization Past & Present Products - ArcGIS Server - ArcGIS Desktop Solutions - ArcGIS Online - Esri Managed Cloud Services - New FedRAMP Moderate Option Summary
Authorization Historical Issues Every implementation undergoes separate security authorization processes Federal and Defense utilized different frameworks - Authorization (based on risk) vs. certification Standard geospatial system security configurations not agreed upon by government Above items drive deployment delays, stability, and issue reproduction problems - E.g. Mitigating measures, waivers, policy refresh outages, and unable to reproduce issues
Authorization FISMA Federal Information Security Management Act (FISMA) 2002 - All production US Federal government systems must be compliant/authorized - Enforced by the inspector general s office of each agency - References NIST 800-53 Security Controls spanning 17 families including: - Access Control, Training, Auditing, Maintenance, Integrity, Acquisition, Personnel Three categorization levels - Low Non-sensitive information (100+) - Moderate Sensitive information (300+) - High Most sensitive information (350+) Step 1 Categorize Information Collect System Information Perform Privacy Analysis Categorize System Solutions are authorized, not individual products - Datasets and workflows are part of the accreditation Step 2 Select Security Controls Identify Common Controls Select Remaining Controls Tailor and Document in SSP Step 3 Implement Security Controls Implement Security Controls Update the SSP Develop CP, CMP and IRP Step 3 Concurrency Review Step 4 Concurrency Review Step 4 Assess Security Controls Develop Test Plan Assess Security Controls Develop Reports and POA&Ms Step 5 Authorize Security Controls Develop ATO Package AO Reviews POA&M and Risk AO Signs ATO / Denial of Operation Step 6 Monitor Security Controls Monitor for Major Changes Remediate POA&M Items Continuous Monitoring of Controls ArcGIS Online s Low Accreditation Aligns Well with Hybrid Deployments
Authorization FedRAMP Relatively new authorization process aligning with FISMA law Provides a stronger foundation of reciprocity for cloud based offerings Same NIST 800-53 security controls with additional ones added for cloud Security control baselines in place now for Low and Moderate, draft of High released Jan 2015 Cloud.CIO.gov Excellent Resource for FedRAMP Details
Authorization Federal and Defense Security Strategy is Evolving Federal - FISMA -> FedRAMP - Drives improved efficiency of Federal security authorization process for cloud offerings Defense - DIACAP -> Risk Management Framework - Drives improved efficiency of defense and federal departments operating off a common framework and set of baseline security controls
Authorization Esri s Security Strategy is Evolving Enterprise Solution Product Isolated Systems Integrated Systems ArcGIS Cloud 3 rd Party Security Embedded Security Managed Security
Authorization Levels of authorization across software and systems Product Based Initiatives - ArcGIS Server - ArcGIS Desktop Solution/Service Based Initiatives - ArcGIS Online - Esri Managed Cloud Services
Product Based Security Initiatives ArcGIS Server & Desktop
Product Based Security Initiatives ArcGIS Server DISA STIG Sponsored by government to work with DISA - Create a Security Technical Implementation Guides (STIGs) - Non-FOUO therefore information will be publically accessible - First STIG will be Windows based ArcGIS Server 10.3 - Other STIGs will be performed based on demand Expected completion by Esri International User Conference July 2015 Post STIG completion - STIG will be an input for an ArcGIS Server Security Hardening guide for general distribution - Enterprise component integration testing and best practice recommendations incorporated
Product Based Security Initiatives DISA STIG Creation Process Draft STIG Settings Provided to DISA Undergoing SME Review
Product Based Security Initiatives ArcGIS Server Planned STIG Configuration Legend Microsoft Component TCP 443 Web Application Firewall SIEM Log Agent ArcGIS Component Non-Specific Vendor Component Privileged User User TCP 443 TCP 443 Windows Integrated Authentication Accept Client Certificates (PKI) Windows Integrated Authentication Accept Client Certificates (PKI) IIS IIS SIEM Log Agent Web Adaptor (Admin) Web Adaptor (User) SIEM Log Agent AD TCP 6443 TCP 6443 AD SIEM Log Agent ArcGIS Server Site SMB CIFS Config-Store SIEM Log Agent AD SMB CIFS File Store SIEM Log Agent RDBMS Ports RDBMS SIEM Log Agent
Product Based Security Initiatives ArcGIS Server Awareness of Relative Risk Security hardening best practices provide insights into relative risk of different services, and optional mitigation measures to reduce risk Service Map Map Feature Feature Feature Geocoding Geodata Geodata Geodata Geoprocessing Image Image Image Relative Service Risk Capability Mapping Query Read Edit Sync Geocode Query Data Extraction Replica Geoprocessing Imaging Edit Upload Default when Enabled Security Hardened Security Hardened Settings Red = Higher risk Yellow = Average risk Green = Low risk Providing new insights
Product Based Security Initiatives Desktop Esri performs self-certification of desktop products - Ensures smooth deployments within security constraints of systems - ArcGIS Desktop with all extensions is primary focus - Typically completed within 6 months of product release FDCC - Federal Desktop Certified Configuration - Versions 9.3-10 - Deprecated due to Windows XP focus USGCB - United States Government Configuration Baseline - Versions 10.1+ ArcGIS Pro (Expected Q1 2015) Eases your desktop deployment headaches
Solutions Based Security Initiatives
Solutions Based Security Initiatives Federal Geospatial Cloud Security Compliance Roadmap 2002 FISMA Law Established Required security baselines for Federal systems Feb 2010 Kundra Announces FedRAMP Security Working Group concept announced May 2013 First Agency Authorization HHS Issues ATO to Amazon June 2014 OMB FedRAMP Mandate FedRAMP now required for all cloud solutions covered by policy memo Planned ArcGIS Online FedRAMP Authorization 2002 2005 2010 2011 2012 2013 2014 2015 2016 Aug 2005 Esri GOS2 FISMA Authorization DOI Issues ATO to Esri May 2010 Esri Participates in First Cloud Computing Forum Esri begins active involvement in cloud standards & security programs Dec 2011 Esri Federal Cloud Computing Security Workshop Esri works with Agencies & FedRAMP to plan SaaS Compliance June 2014 ArcGIS Online FISMA Authorization USDA Issues ATO to Esri Jan 2015 EMCS FedRAMP Compliant Signoff by FedRAMP Director Planned for 2015 ArcGIS Online Hosted Feature Services Authorization DOI working with Esri towards Authorization Esri has actively participated in hosting and advancing secure compliant solutions for over a decade
Solutions Based Security Initiatives Esri Corporate Operations Compliance ISO 27001 - Esri s Corporate Security Charter Privacy Assurance - US EU/Swiss SafeHarbor self-certified - TRUSTed cloud certified SSAE 16 Type 1 Previously SAS 70 - Esri Data Center Operations - Expanded to Managed Services in 2012
Solutions Based Security Initiatives ArcGIS Online Cloud Infrastructure Provider Compliance ArcGIS Online Utilizes World-Class Cloud Infrastructure Providers - Microsoft Azure - Amazon Web Services Cloud Infrastructure Security Compliance SSAE16 SOC1 Type2 Moderate
Solutions Based Security Initiatives Mind the Authorization Gap Common misconception - A cloud providers authorization should be good enough to meet Agency security requirements Useful facts - The majority of vulnerabilities are at the application level - Cloud providers IaaS authorizations don t cover the applications, or even operating system Result - There is a significant security authorization gap
Solutions Based Security Initiatives Options for Addressing the CSP Authorization Gap Generalized Expert Provider - Equivalent to service provider middleware - Lack of depth with advanced API services such as ArcGIS increases both security/availability risks Application Expert Provider - Obtain solutions that incorporate security infrastructure having their own FISMA or FedRAMP compliance that layers on top of the CSP FedRAMP Authorization - Examples - ArcGIS Online and Esri Managed Cloud Services Tunnel - Establish tunnel between on-premises security infrastructure and cloud deployment Do-It-Yourself - Establish your own security infrastructure in the cloud to use with applications Ostrich - Stick head in sand and pretend not a big deal (not recommended)
Solutions Based Security Initiatives Responsibility Across ArcGIS Deployment Options On-premises Esri Images & Cloud Builder Esri Managed Cloud Services FedRAMP Moderate Compliant ArcGIS Online FISMA Low ATO ArcGIS Server ArcGIS Server ArcGIS Server ArcGIS Online OS/DB/Network OS/DB/Network OS/DB/Network OS/DB/Network Security Infrastructure No Security Infrastructure by default Security Infrastructure Security Infrastructure Esri Compliance & ATO Scope Virtual / Physical Servers Cloud Infrastructure (IaaS) Cloud Infrastructure (IaaS) Cloud Infrastructure (IaaS) IaaS ATO Scope Customer Responsibility Esri Responsibility CSP Responsibility
Solutions Based Security Initiatives ArcGIS Online Assurance Layers Customer Web App Consumption ArcGIS Management Esri Web Server & DB software AGOL SaaS FISMA Low (USDA) SafeHarbor (TRUSTe) Operating system Instance Security Management Cloud Provider ISO 27001 SSAE16 FedRAMP Mod Cloud Providers Hypervisor Physical
Solutions Based Security Initiatives ArcGIS Online Federal Use Cases in FISMA Authorization Use Case 1 Public Dissemination - Publish tiles for fast, scalable visualizations - Share information with the public Agency Authoritative Source - Can be used for mashing up services with external non-ssl sites Tiles Public Consumers Use Case 2 USG Operations - Hybrid deployment of ArcGIS Server and ArcGIS Online - Share operational data within or between agencies Agency Consumer - Sensitive data maintained on Agency premises or other authorized environment - ArcGIS Online operates as a discovery portal - Utilize Enterprise Logins Agency Publisher Server Metadata ArcGIS Online
Solutions Based Security Initiatives ArcGIS Online Meeting security needs with Hybrid deployments Users Apps Anonymous Access On-Premises Ready in months/years Behind your firewall You manage & certify Esri Managed Cloud Services Ready in days All ArcGIS capabilities at your disposal in the cloud Dedicated services FedRAMP Moderate ArcGIS Online Ready in minutes Centralized geo discovery Segment anonymous access from your systems FISMA Low... All models can be combined or separate
Solutions Based Security Initiatives ArcGIS Online Value Proposition of FISMA Low offering Outreach and collaboration - Provision of USG non-sensitive content to public, more sensitive content to authorized groups - Easy content discovery (via single metadata catalogue) and integration Flexibility and agility - Rapid stand-up of new content/services, accommodate surge Efficiency - Avoid development/implementation of one-off systems - Off-load systems operations onto more cost effective platform(s)
Solutions Based Security Initiatives ArcGIS Online Authorization efforts going forwards Other agencies are pursuing ArcGIS Online Authorization - DoI is looking into supplementing their Authorization with Hosted Feature Services - EPA & NOAA are also actively pursuing authorization FedRAMP Agency-based Authorization - Low or Moderate based on feedback being gathered from customers now - Is supplementing ArcGIS Online s Low authorization, with a hybrid implementation combining EMCS moderate compliance, adequate for the majority of use-cases? Further discussion in Panel session on Tuesday - Panel being lead by DOI, with EPA and the FedRAMP Director from GSA - Tuesday 2:45pm Room 102B Join us for shaping our future authorization plans
Solutions Based Security Initiatives ArcGIS Online How can agencies obtain necessary assurance to authorize? ArcGIS Platform Authorization Briefing flyer available during Tuesday panel session ArcGIS Online - Esri can share current FISMA authorization materials with agencies under NDA - Contact SecureSoftwareServices@Esri.com Esri Managed Cloud Services (EMCS) - Materials available through FedRAMP Repository Public Info - Trust.ArcGIS.com - Privacy, SLA, Terms of Service, Availability trends, and best practices available - Answers to the most common cloud security questions about ArcGIS Online are addressed in the Cloud Security Alliance matrix
Esri Managed Cloud Services Erin Ross
What is Esri Managed Cloud Services? Esri cloud GIS experts supporting customer apps & data in the cloud
ArcGIS Online and Esri Managed Cloud Services Users Desktop Web Mobile ArcGIS Online Online Basemaps Geocoding, Routing Hosted Feature & Tile Map Services App Templates Esri Managed Cloud Services Custom Web Apps GP, Reporting Services Imagery, Large Datasets Dynamic Map Services RDBMS (Oracle, SQL Server) ArcGIS Online front-end, Managed Cloud Services back-end
What is included? Provide Cloud-based GIS infrastructure support, including: - Enterprise system design - Infrastructure management - Software (Esri & 3 rd Party) Installation, updates and patching - Application deployment - Database management - 24/7 support and monitoring
Benefits of Esri Managed Cloud Services Increase efficiency and business focus High availability, quality and performance Reduce internal costs Preserves data integrity, privacy and availability Increase usage and productivity Cloud GIS experts managing your critical apps and content
How is it delivered? Available on GSA
Basic Packages Sandbox Ready to use cloud instance of ArcGIS for Server Remote access provided to user Ideal for development, prototyping...
Standard, Advanced, Advanced Plus Packages Esri loads, publishes and deploys on behalf of customer 24/7 system monitoring and support Ideal for production systems (internal or public facing) Staging Production Test Dev
Esri Managed Cloud Services Use Cases
USGS Historical Topographic Maps More than 175,000 topographic maps published by the USGS since 1884 22 TB data x 2 for redundancy 1.6 million hits during Esri User Conference Consumed by several apps; premium service available in ArcGIS Online
Power Outage Viewers Highly available, scalable systems ready to perform during major events Frequent, automated data updates Bringing critical outage information to the general public
Constellation Brands Improve sales by leveraging tools to drive volume and revenue 4 th of July deadline 2.7M records updated 2x / week via scripted tools Equipping staff with valuable information to increase sales
Who else uses Esri Managed Cloud Services? Manage over 500 servers, many TB of data 80+ customers Leveraged across many sectors
EMCS FedRAMP Moderate Option Michael Young
EMCS FedRAMP Moderate Option Why did Esri pursue FedRAMP Compliance? - Demand - Customers demanded FedRAMP compliance before rolling out future production operations - Risk - Customer risk increasing rapidly without security infrastructure - Mandate - OMB mandate all low and moderate impact cloud services leveraged by more than one office or agency must comply with FedRAMP requirements Accelerates Review and Acceptance of Cloud Based Services
EMCS FedRAMP Moderate Option FedRAMP Government Entities & Process Cross Government Support & Standardized RMF Process
EMCS FedRAMP Moderate Option Documentation FIPS 199 Control Implementation Summary (CIS) System Security Plan (SSP) Information System Security Policies User Guide E-Authentication Template Privacy Threshold Analysis (PTA) Rules of Behavior (ROB) IT Contingency Plan Security Assessment Plan (SAP) Test Case Workbook Security Assessment Report (SAR) Plan of Action and Milestone (POA&M) Policies and procedures Business Impact Analysis Configuration Management Plan Incident Response Plan Interconnection Security Agreement (ISA / MOU) Penetration Test Plan 1000 s of pages ensuring rigorous security
EMCS FedRAMP Moderate Option Assessment Cloud Security Assessor Veris Group - Third Party Assessment Organization (3PAO) accredited by FedRAMP - 1 st to successfully inspect FedRAMP CSP Supplied, JAB, and Agency Approved Solutions - 5 month engagement - Three months of active Technical and Documentation assessments - System level scans - Web Interface scans - Database scans - Penetration testing FedRAMP Advisor Relevant Technologies - Laura Taylor - Wrote the initial Guide to Understanding FedRAMP Great advisors and skilled assessors keep the effort focused
EMCS FedRAMP Moderate Option Authorization 3 Baseline Security Control Levels - Low, Moderate*, High in draft 3 Status Levels - Ready, In Process, Compliant* 3 FedRAMP Authorization Levels - Cloud Service Provider (CSP) Supplied* - Agency Authorization To Operate (ATO) - Joint Agency Board (JAB) Provisional Authority To Operate EMCS is - FedRAMP Moderate - FedRAMP Compliant - CSP Supplied offering EMCS CSP Supplied Package can be consumed by your Agency
EMCS FedRAMP Moderate Option Continuous Monitoring FedRAMP Reporting Workflow Monitoring Workflow Ensures maintenance of acceptable risk posture
EMCS FedRAMP Moderate Option Security Infrastructure Most government systems - Require moderate security baseline controls Most geospatial information sets - Only require low baseline controls - ArcGIS Online Low FISMA is adequate for many customer use cases EMCS FedRAMP Infrastructure Design Goals - Consumable by the widest range of customers - Amazon East-West Regions Not limited to GovCloud - Drive down customer expenses for secure, compliant geospatial services - Customer s can choose level of multi-tenancy vs dedicated services they are comfortable with - Meet and exceed current rigorous FedRAMP requirements for cloud services - First geospatial platform to be compliant with FedRAMP Rev 4 requirements A balance of robust security and business requirements drove infrastructure choices
EMCS Security Infrastructure AWS Customer Infrastructure Active/Active Redundant across two Cloud Data Centers End Users Public-Facing Gateway Web Application Firewall WAF ArcGIS for Portal DMZ Security Ops Center (SOC) Security Service Gateway Intrusion Detection IDS / SIEM ArcGIS Server Cloud Infrastructure Centralized Management Backup, CM, AV, Patch, Monitor Hypervisor, TCP/IP, Network ACLs, Routing, Storage, Hardware Bastion Gateway MFA Relational Database File Servers Authentication/Authorization LDAP, DNS, PKI Dedicated Customer Application Infrastructure Common Security Infrastructure Esri Administrators Esri Admin Gateway Cloud Infrastructure Hypervisor, TCP/IP, Network ACLs, Routing, Storage, Hardware Common Cloud Infrastructure Legend Agency Application Cloud Provider Security
EMCS FedRAMP Moderate Option How do I get started? Express an interest in service offering and let your security team know EMCS is FedRAMP compliant Agency Authorized FedRAMP Approver can facilitate download and review of FedRAMP package for EMCS @ - http://cloud.cio.gov/fedramp/agency - If you are unsure of your FedRAMP approver email the FedRAMP PMO: info@fedramp.gov What else is available outside FedRAMP repository? - Cloud Security Alliance (CSA) answers for EMCS coming Complete Agency Authority To Operate (ATO) - Utilize pre-existing EMCS and AWS FedRAMP moderate docs Simplifies obtaining an ATO for your organization
Summary
Summary Resources Available for Agency Review Cloud infrastructure provider - SSAE16 and ISO27001 - Report available from cloud providers under NDA FedRAMP Repository - EMCS FedRAMP Moderate Compliance Package - Cloud Service Provider FedRAMP Moderate Packages Esri - SSAE16 for Esri Datacenter Operations - System Security Plan (SSP) Agency references removed - Reports available from Esri under NDA - Cloud Security Alliance (CSA) Answers Publically Available
Summary Solution/Services Accreditation Roadmap ArcGIS Online FISMA Low Accreditation - Agency Authorization June 6, 2014 Esri Managed Cloud Services (EMCS) FedRAMP Moderate Compliance - CSP Supplied Compliant Package Authorized January 29, 2015 - Establishes validated secure clouds deployment patterns - Documentation and assessment materials enable FISMA or FedRAMP authorization - Initially AWS based, other cloud providers based on demand Upcoming ArcGIS Online FedRAMP Agency Authorization - Cross-cloud provider authorization Azure/AWS - Includes hosted feature services
Summary Esri is working with security leaders to create standardized security hardened deployment guidance for our customers Esri self-certifies desktop based products to ensure alignment with Federal security configurations ArcGIS Online is FIMSA Low authorized and we can work with you to support your Agency s authorization Join the Tuesday Panel session to solidify your authorization roadmap Esri will be pursuing FedRAMP authorization for ArcGIS Online New Esri Managed Cloud Services FedRAMP moderate compliant option ready for your agency to review and authorize Information readily available on Trust.ArcGIS.com We welcome your feedback concerning any authorization needs or gaps not addressed in this presentation
Summary Where do I go for more information? Trust.ArcGIS.com is no longer limited to primarily ArcGIS Online information NEW site expansion rolled out this past weekend - Server, Desktop, Mobile, ArcGIS Online and even the new EMCS FedRAMP compliant offering
Federal GIS Conference February 9 10, 2015 Washington, DC Don t forget to complete a session evaluation form!