Designing an Enterprise GIS Security Strategy (2014). Michael E. Young, Matt Lorrain
Agenda: Introduction; Trends; Strategy; Mechanisms; Server; Mobile; Cloud; Compliance; Summary
Introduction What is a secure GIS?
Introduction What is The Answer? Risk Impact
Introduction Where are the vulnerabilities? *SANS Relative Vulnerabilities
Current Real World Scenarios & Trends
Trends Application Level Vulnerabilities *Kaspersky Lab Global Research and Analysis Team Kaspersky Security Bulletin 2013
Trends: Next generation threats
More security controls do not mean more security
- Controls can be circumvented individually
- Fast-moving attacks bypass traditional defenses
New generation of attacks
- High-end cybercrime and state-sponsored campaigns
- Human attackers: motivated, organized, and unpredictable
*FireEye: A Real-World Assessment of the Defense-in-Depth Model
Trends Controls by Industry Frequency of incident patterns by industry drives new security control recommendations by industry Focus on the right security controls * Verizon 2014 DBIR
Real-world security scenarios: Disaster communications modified; Open source security component vulnerability affects two-thirds of web services; Hacker closes cloud-based business overnight; Large retailer breach
Real-world security scenarios: Disaster communications modified
Scenario
- Organization utilized cloud-based services for disseminating disaster communications
- Required easy updates from home and at work
- Drove allowing public access to modify service information
Lessons learned
- Don't allow anonymous users to modify web service content
- Enforce strong governance for the web publication process
- Minimize or eliminate temporary modification rights of anonymous users
- If web services are exposed to the Internet, providing security only through the application does not prevent clients from accessing the services directly
Lack of strong governance leads to unexpected consequences
Real-world security scenarios: Open source security component vulnerability affects two-thirds of web services
Scenario: OpenSSL vulnerability (Heartbleed)
- ArcGIS Online was indirectly exposed through utilization of Amazon's Elastic Load Balancer
- AWS patched their ELB systems within a day of the vulnerability announcement
- Many ArcGIS components contain the vulnerable version but do not utilize the vulnerable function (version-based scanners will still flag them; patching removes the ambiguity)
- ArcGIS Server for Linux was vulnerable
Lessons learned
- 3rd party / open source components are pervasive across cloud and on-premises
- Many organizations still don't have effective patch management for these underlying components
- Don't rely on only one layer of security, as no individual layer is foolproof
- Esri's first cross-product vulnerability status KBA minimized confusion
- Utilize the new Trust.ArcGIS.com site
Lack of appropriate funding slows resolution of vulnerabilities
Real-world security scenarios: Hacker closed cloud-based business overnight
Scenario
- Hosting provider Code Spaces was the victim of a DoS attack, a ransom demand, then deletion
- Solution hosted within Amazon Web Services with information redundant across regions
- Hacker gained access to the AWS control interface and was able to delete most data and instances
- With most customer data and most servers gone, the company was forced out of business in one day
Lessons learned
- Anything that's vulnerable to the same threats is not really an offsite backup
- Utilize 2-factor authentication for access to administrative interfaces
Lack of strong authentication can have catastrophic consequences
Real-world security scenarios: Large retailer breach
Scenario
- Theft of personal and credit data
- Millions spent on malware detection and on analyzing answers to extensive security questionnaires provided to service providers
Lessons learned
- Customized and/or overly extensive security questionnaires waste vendor and customer dollars while not improving security
- Utilize standardized questionnaires and accreditations to assess security
- ArcGIS Online has the Cloud Security Alliance answers and is FISMA Low accredited
- Details available at Trust.ArcGIS.com
Misapplied security focus wastes time and money while increasing risk
Trends: 2014 and beyond
- Focus shifting from the network perimeter to data, which drives the need for stronger authentication of who is accessing the data
- Mobile malware continues to grow
- APTs and malware diversification
- Unpatched systems (Windows XP end-of-life)
- Hacking the Internet of Things
Strategy
Strategy: A better answer
Identify your security needs
- Assess your environment: datasets, systems, users
- Data categorization and sensitivity
- Understand your industry's attacker motivation
Understand security options
- Trust.arcgis.com
- Enterprise-wide security mechanisms
- Application-specific options
Implement security as a business enabler
- Improve appropriate availability of information
- Safeguards to prevent attackers, not employees
Strategy Enterprise GIS Security Strategy Security Risk Management Process Diagram - Microsoft
Strategy: Evolution of Esri Products & Services
[Diagram: progression from Isolated Systems to Integrated Systems to Software as a Service (Product to Enterprise Solution), with security moving from 3rd Party Security to Embedded Security to Managed Security]
Strategy: Esri Products and Solutions
Secure Products
- Trusted geospatial services
- Individual to organizations
- 3rd party assessments
ArcGIS Secure Enterprise Guidance
- Trust.ArcGIS.com site
- Online help
Secure Platform Management
- SaaS functions and controls
- Certifications / accreditations
Strategy: Security Principles. CIA Security Triad: Confidentiality, Integrity, Availability
Strategy: Defense in Depth
- More layers does NOT guarantee more security
- Understand how layers/technologies integrate
- Simplify
- Balance people, technology, and operations
- Holistic approach to security: data and assets protected by physical controls, policy controls, and technical controls
Mechanisms
Mechanisms: Authentication
GIS Tier (default)
- Built-in user store
- Enterprise (AD / LDAP)
- ArcGIS tokens
Web Tier (add Web Adaptor)
- Enterprise (AD / LDAP)
- Any authentication supported by the web server: HTTP Basic / Digest, PKI, Windows Integrated
- HTTP Basic sends the credentials Base64-encoded, not encrypted, so it is only acceptable over HTTPS
[Diagram: web, mobile, and desktop clients and ArcGIS for Desktop users reach the web server / Web Adaptor, which forwards to ArcGIS Server Manager and the GIS server(s) backed by the data server; GIS Server administrators publish services and connect to ArcGIS Server Manager]
Mechanisms: Authorization (Role-Based Access Control)
Esri COTS
- Assign access with ArcGIS Server Manager
- Service-level authorization across web interfaces
- Services grouped in folders, utilizing inheritance
3rd Party
- Web services: con terra's security.manager (more granular)
- RDBMS: row-level or feature-class-level
- Versioning with row-level security degrades RDBMS performance; alternative: SDE views
- URL-based authorization: IIS 7.0 and above, authorization based on the URL itself
Mechanisms: Filters (3rd party options)
- Firewalls
- Reverse proxy
- Web application firewall (open source option: ModSecurity)
- Anti-virus software
- Intrusion detection / prevention systems
- Limit applications able to access the geodatabase
Mechanisms: Filters - Web Application Firewall (WAF)
- Implemented in the DMZ, in front of the web servers (Web Adaptor and web apps on Web Server A / Web Server B)
- Monitors all incoming traffic at the application layer; protection from web-based attacks
- Can be part of a security gateway: SSL certificates / SSL acceleration, load balancer
[Diagram: Internet -> firewall -> WAF, SSL accelerator, load balancer (443), network load balancing -> firewall -> Web Server A and Web Server B (port 80, IIS/Java web server, Web Adaptor, web apps) -> ArcGIS site]
Note that the diagram terminates SSL at the gateway: traffic from the gateway to the web servers on port 80 is in the clear and relies on network segmentation behind the inner firewall.
Mechanisms: Encryption (3rd party options)
Network
- IPSec (VPN, internal systems)
- SSL (internal and external systems)
- Cloud encryption gateways: only encrypted datasets sent to the cloud
File based
- Operating system: BitLocker
- Geospatially enabled PDFs combined with certificates
- Hardware (disk)
RDBMS
- Transparent Data Encryption (TDE)
- Low-cost portable solution: SQL Express 2012 w/TDE (verify edition support before relying on this; Microsoft documents TDE in SQL Server 2012 as an Enterprise-edition feature)
Mechanisms: Logging/Auditing
Esri COTS
- Geodatabase history: may be utilized for tracking changes
- ArcGIS Workflow Manager: track feature-based activities
- ArcGIS Server 10+ logging: user tag tracks user requests
3rd Party
- Web server, RDBMS, OS, firewall logs
- Consolidate with a SIEM
3rd party geospatial service monitors
- Esri System Monitor
- Vestra GeoSystems Monitor
- Geocortex Optimizer
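The two points above (the user tag on ArcGIS Server log entries and consolidating logs into a SIEM) are easier to see with a small worked example. This is an added example, not Esri's code: it normalizes ArcGIS Server log entries into one JSON object per line for a SIEM collector and flags bursts of failed token requests per user. The sample entries are constructed; they follow the one-`<Msg>`-element-per-line, attribute-based layout of ArcGIS Server 10.x log files as assumed here, and the message texts are invented. Check the attribute names against your own server's logs before relying on this.

```python
"""Added example (not Esri's code): ArcGIS Server log -> SIEM records,
plus a per-user failed-token burst detector."""
import json
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime

# Constructed sample log: three rapid failures for one account, one success, one lone failure.
SAMPLE_LOG = """\
<Msg time="2014-07-14T09:12:01,412" type="SEVERE" source="Rest" machine="GIS1" user="svc_field" elapsed="">Unable to generate token. Invalid username or password.</Msg>
<Msg time="2014-07-14T09:12:05,100" type="SEVERE" source="Rest" machine="GIS1" user="svc_field" elapsed="">Unable to generate token. Invalid username or password.</Msg>
<Msg time="2014-07-14T09:12:19,900" type="SEVERE" source="Rest" machine="GIS1" user="svc_field" elapsed="">Unable to generate token. Invalid username or password.</Msg>
<Msg time="2014-07-14T09:13:02,000" type="INFO" source="Rest" machine="GIS1" user="alice" elapsed="0.05">Request to Parcels/MapServer/0/query succeeded.</Msg>
<Msg time="2014-07-14T09:20:41,300" type="SEVERE" source="Rest" machine="GIS1" user="bob" elapsed="">Unable to generate token. Invalid username or password.</Msg>
"""

TIME_FORMAT = "%Y-%m-%dT%H:%M:%S,%f"  # comma before the milliseconds (assumed layout)


def parse_log(text):
    """Parse one <Msg> element per line into flat dicts; skip any other line."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("<Msg"):
            continue
        elem = ET.fromstring(line)
        event = dict(elem.attrib)              # time, type, source, machine, user, elapsed
        event["text"] = (elem.text or "").strip()
        event["ts"] = datetime.strptime(event["time"], TIME_FORMAT)
        events.append(event)
    return events


def to_siem_json(events):
    """One JSON object per line, the shape most SIEM collectors ingest directly."""
    lines = []
    for e in events:
        rec = {k: v for k, v in e.items() if k != "ts"}
        rec["@timestamp"] = e["ts"].isoformat()
        rec["product"] = "arcgis-server"
        lines.append(json.dumps(rec, sort_keys=True))
    return lines


def is_auth_failure(event):
    """Constructed rule: SEVERE entries that mention the token endpoint."""
    return event["type"] == "SEVERE" and "token" in event["text"].lower()


def detect_failure_bursts(events, threshold=3, window_seconds=60):
    """Return {user: max failures seen in any sliding window} for users at or over threshold.
    Repeated failed token requests against one account name is the password-guessing
    pattern that the per-request user tag makes visible."""
    by_user = defaultdict(list)
    for e in events:
        if is_auth_failure(e) and e.get("user"):
            by_user[e["user"]].append(e["ts"])
    alerts = {}
    for user, times in by_user.items():
        times.sort()
        best = 0
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if (t - start).total_seconds() <= window_seconds)
            best = max(best, count)
        if best >= threshold:
            alerts[user] = best
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for line in to_siem_json(evs):
        print(line)
    print("alerts:", detect_failure_bursts(evs))
```

The burst window and threshold are tuning knobs; a SIEM would normally apply the same rule across the web server and OS logs that the slide lists, so the same account name can be correlated across tiers.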
ArcGIS Server
ArcGIS Server: Enterprise Deployment
[Diagram: Internet -> firewall -> WAF / SSL acceleration / load balancer (443), network load balancing -> firewall -> web tier (Web Server A and Web Server B with Web Adaptor and web apps on port 80, plus an ADFS proxy / auth web server on 443) -> ArcGIS site (GIS Server A and GIS Server B running ArcGIS for Server on port 6080, Web Adaptor round-robin, server request load balancing) -> supporting infrastructure: ADFS / SAML 2.0, AD / LDAP, SQL (HA DB1, HA DB2), clustered HA NAS holding the config store, directories and FGDB]
ArcGIS Server: Minimize Attack Surface
- Don't expose Server Manager to the public
- Disable the Services Directory
- Disable the service Query operation (as feasible)
- Enable web service request filtering
  - Windows 2008 R2+ Request Filtering
  - XML security gateway: does not intercept POST requests
  - The REST API for read-only services only requires the GET and HEAD verbs; exception: utilize POST for token requests (editable feature services also need POST for applyEdits)
- Limit utilization of commercial databases under the website; a file geodatabase can be a useful intermediary
- Require authentication to services
[Chart: attack surface over time]
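The filtering rules above can be expressed as one policy function at the WAF or reverse proxy. The following is an added example, not Esri's code and not a configuration format of any particular gateway: it decides allow/deny for a request from the verb, path and client address using the rules on this slide. The admin network, the `/arcgis/manager` and `/arcgis/admin` prefixes, the token path and the `Sensitive` service name are assumptions for illustration; adjust them to your site, and add the feature-service `applyEdits` paths to the POST allow-list if you host editable services.

```python
"""Added example (not Esri's code): request policy encoding the
attack-surface rules from the slide, for a WAF or reverse proxy."""
import ipaddress
from urllib.parse import urlparse, parse_qs

ADMIN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]           # assumed internal admin range
ADMIN_PREFIXES = ("/arcgis/manager", "/arcgis/admin")           # Manager UI and Admin API
ALLOWED_VERBS = {"GET", "HEAD"}                                 # enough for read-only REST use
POST_PREFIXES = ("/arcgis/tokens/",)                            # token requests carry credentials in the body
QUERY_DISABLED = {"/arcgis/rest/services/Sensitive/MapServer"}  # assumed service with query turned off


def decide(method, url, client_ip):
    """Return (allowed, reason) for one request."""
    parts = urlparse(url)
    path = parts.path.rstrip("/") or "/"
    ip = ipaddress.ip_address(client_ip)
    method = method.upper()

    # 1. Manager / Admin API: never from the public side; any verb from admin networks.
    if path.startswith(ADMIN_PREFIXES):
        if any(ip in net for net in ADMIN_NETWORKS):
            return True, "admin interface from admin network"
        return False, "admin interface not exposed to public"

    # 2. Verb allow-list: GET/HEAD everywhere, POST only for token requests.
    if method == "POST":
        if not path.startswith(POST_PREFIXES):
            return False, "POST only accepted for token requests"
        return True, "token request"
    if method not in ALLOWED_VERBS:
        return False, f"verb {method} not allowed"

    # 3. Services Directory: REST paths default to f=html, the browsable directory.
    #    Denying the HTML rendering here mirrors disabling it on the server; do both,
    #    since this check only covers traffic that passes through the gateway.
    if path.startswith("/arcgis/rest/"):
        fmt = parse_qs(parts.query).get("f", ["html"])[0].lower()
        if fmt == "html":
            return False, "services directory disabled"

    # 4. Query operation disabled for selected services.
    if path.endswith("/query"):
        service = path.rsplit("/", 2)[0]   # .../<Name>/MapServer/<layer>/query -> .../MapServer
        if service in QUERY_DISABLED:
            return False, "query operation disabled for this service"

    return True, "allowed"


if __name__ == "__main__":
    # Constructed requests: a public client and an administrator on the internal range.
    for req in [
        ("GET", "https://gis.example.com/arcgis/rest/services/Parcels/MapServer?f=json", "203.0.113.5"),
        ("GET", "https://gis.example.com/arcgis/rest/services/Parcels/MapServer", "203.0.113.5"),
        ("POST", "https://gis.example.com/arcgis/tokens/generateToken", "203.0.113.5"),
        ("GET", "https://gis.example.com/arcgis/manager/", "203.0.113.5"),
        ("GET", "https://gis.example.com/arcgis/manager/", "10.1.2.3"),
    ]:
        print(req[0], req[1], req[2], "->", decide(*req))
```

Rule order matters: the admin check runs first so that Manager, which needs POST, keeps working from the admin network, and the verb check runs before the path checks so an unexpected verb is rejected without parsing the query string.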
ArcGIS Server 10.2 Enhancements
- Single sign-on (SSO) for Windows Integrated Authentication: works across ArcGIS for Server, Portal, and Desktop
- Stronger PKI validation: leverage multi-factor authentication when accessing applications, computers, and devices; the Web Adaptor deployed to the web server forwards the request and username to ArcGIS Server
- Integrated account management and publishing capabilities across ArcGIS for Server and Portal in a federated configuration
- Key SQL injection vulnerabilities addressed: changes made in 10.2 may affect some advanced users that were using database-specific SQL statements in their custom applications
- Added support for Active Directory nested groups and domain forests, and for configuring private and public services within the same ArcGIS Server site
ArcGIS Server: Single ArcGIS Server machine
[Diagram: desktop, web, and mobile clients reach a reverse proxy server on 80/443, which forwards to the GIS server on 6080/6443; site administrators connect directly to Manager; the GIS server holds the data, server directories, and configuration store]
Front-ending the GIS server with a reverse proxy or Web Adaptor keeps 6080/6443 off the Internet and leaves only 80/443 exposed
ArcGIS Server HA: Sites independent of each other
- Active-active configuration is shown; active-passive is also an option
- Separate configuration stores and management; scripts can be used to synchronize
- Cached map services for better performance
- Network load balancer (NLB) to distribute load
[Diagram: clients -> NLB -> optional Web Adaptors (80) -> two ArcGIS Server sites (6080), each with its own server directories and configuration store (duplicated between sites); site administrators connect to each site's Manager]
ArcGIS Server HA: Shared configuration store
- Web Adaptor will correct if a server fails
- A configuration change could affect the whole site (example: publishing a service), so test configuration changes
[Diagram: clients -> NLB -> Web Adaptors (80) -> GIS servers (6080) sharing a data server with data (enterprise geodatabase), server directories, and the configuration store; site administrators connect to Manager]
ArcGIS Server HA: Clusters of dedicated services
- Server clusters perform the same set of functions
- Example: Cluster A handles geoprocessing services, Cluster B handles less intensive services
[Diagram: clients -> NLB -> optional Web Adaptors (80) -> GIS servers (6080) in Cluster A and Cluster B, sharing a data server with data (enterprise geodatabase), server directories, and the configuration store; site administrators connect to Manager]
Mobile
Mobile What are the mobile concerns? *OWASP 2013 Top Ten Mobile: https://www.owasp.org/index.php/projects/owasp_mobile_security_project_-_top_ten_mobile_risks
Mobile: Security Touch Points. Server authentication; Communication; Device access; SDE permissions; Storage; Service authorization; Project access; Data access
Mobile: Authenticating to ArcGIS Services
GIS tier auth
- ArcGIS tokens
- Pass credentials through the UserCredentials / AGSCredential object
- Hardcoding a long-term token into layout XML (ideally avoid: the token is a bearer credential, and anything shipped inside the app can be extracted from it)
Web tier auth
- HTTP Basic/Digest: pass credentials through the UserCredentials object
- PKI support (10.1.1): Android OS version dependent; not available on Windows Phone yet
SSL support
- Certificates issued by a trusted certificate authority
- Self-signed certificates (dev environment only)
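The GIS-tier token flow referenced here and in the Authentication mechanisms slide is worth seeing end to end. The following is an added example, not code from Esri's SDKs: a minimal client-side helper that builds a referer-bound `generateToken` request, refuses to send credentials over plain HTTP, parses the token response including the error shape ArcGIS REST returns with a 200 status, and appends the token to a service request. The server and app host names are placeholders; the `/arcgis/tokens/generateToken` path is the default ArcGIS Server token endpoint and the `expiration` parameter is in minutes.

```python
"""Added example (not Esri's code): ArcGIS Server token request/response
handling with the transport checks a client should enforce."""
import json
from urllib.parse import urlparse, urlencode

GENERATE_TOKEN_PATH = "/arcgis/tokens/generateToken"  # default ArcGIS Server token endpoint


class InsecureTransport(Exception):
    """Raised when a credential (password or token) would travel over plain HTTP."""


def build_token_request(server_url, username, password, referer, expiration_min=60):
    """Return (url, form_body) for a referer-bound token request.

    The username and password go in the POST body, so the request is refused
    unless the server URL is https. Binding the token to the referer means a
    leaked token is useless from another origin.
    """
    parts = urlparse(server_url)
    if parts.scheme != "https":
        raise InsecureTransport(f"credentials must only be sent over https, got {parts.scheme!r}")
    url = f"https://{parts.netloc}{GENERATE_TOKEN_PATH}"
    body = urlencode({
        "username": username,
        "password": password,
        "client": "referer",
        "referer": referer,
        "expiration": str(expiration_min),  # minutes; keep short for mobile clients
        "f": "json",
    })
    return url, body


def parse_token_response(raw):
    """Return (token, expires_epoch_ms) or raise ValueError.

    ArcGIS REST reports failures as HTTP 200 with an 'error' object in the
    body, so the JSON must be inspected rather than trusting the status code.
    """
    data = json.loads(raw)
    if "error" in data:
        err = data["error"]
        raise ValueError(f"token request failed: {err.get('code')} {err.get('message')}")
    if "token" not in data or "expires" not in data:
        raise ValueError(f"unexpected response: {raw[:80]}")
    return data["token"], int(data["expires"])


def secured_service_url(service_url, token):
    """Append the token to a service request. The token is a bearer credential
    (whoever holds it is the user until it expires), so the service URL must be https."""
    if urlparse(service_url).scheme != "https":
        raise InsecureTransport("token must not be sent over plain http")
    sep = "&" if "?" in service_url else "?"
    return service_url + sep + urlencode({"token": token, "f": "json"})


if __name__ == "__main__":
    url, body = build_token_request("https://gis.example.com", "alice", "s3cret", "https://app.example.com")
    print(url, body)
    # Constructed responses in the shape ArcGIS Server returns.
    print(parse_token_response('{"token":"abc","expires":1400000000000}'))
    try:
        parse_token_response('{"error":{"code":400,"message":"Unable to generate token.","details":[]}}')
    except ValueError as exc:
        print(exc)
```

Mobile apps that cannot keep a referer stable can bind the token to the client IP (`client=ip`) instead; a long-lived token hard-coded into the app, as the slide warns, removes this binding entirely.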
Mobile: Enterprise Mobile Security Top 5 Best Practices
- Mobile device management: enterprise device solutions (Intune, AirWatch, Good, MaaS360); benefits: secure email, browser, remote wipe, app distribution
- Anti-malware software
- Secure communications: use encryption or VPN
- Strong authentication: password at minimum; future: two-factor authentication
- Control 3rd party software
Cloud
Cloud: Service Models
- Non-cloud: traditional systems infrastructure deployment; Portal for ArcGIS and ArcGIS Server; customer responsible end to end
- IaaS: Portal for ArcGIS and ArcGIS Server; some Citrix / Desktop; decreasing customer responsibility
- SaaS: ArcGIS Online, Business Analyst Online; customer responsible for application settings
Cloud: Deployment Models
[Diagram: four deployment models, Public, Hybrid 1, Hybrid 2 and On-Premises, combining ArcGIS Online, cloud-hosted ArcGIS Server, and intranet Portal / Server; Hybrid 2 uses ArcGIS Online for read-only basemaps]
Cloud: Management Models
Self-managed
- Your responsibility for managing IaaS deployment security
- Security measures discussed later
Provider managed
- Esri Managed Services (standard offering)
- New Esri Managed Cloud Services (EMCS) option: FedRAMP Moderate environment established, accreditation expected end of year
Cloud: EMCS Accredited Offering
[Diagram: end users reach customer instances (ArcGIS for Server, Portal for ArcGIS, customer databases) and ArcGIS Online; ArcGIS Online front-end (Low), managed services back-end (Moderate); the Esri cloud GIS administrator enters through centralized authentication]
Security infrastructure
- Centralized authentication (2-factor)
- Key management
- Network address translation
- Virtual private cloud (segmentation)
- Redundancy (multiple data centers)
- IDS/SIEM logging
Cloud: Real Permutations
[Diagram: enterprise business with a private IaaS (internal Portal, internal ArcGIS Server, database, file geodatabase) exposing filtered content through an external ArcGIS Server; public IaaS and ArcGIS Online serving business partner 1, business partner 2, field workers, and the public]
Cloud: Hybrid
[Diagram: 1. register on-premises ArcGIS Server services with the AGOL org (hosted services, content, public dataset storage; ArcGIS org accounts and external accounts); 2. enterprise login (SAML 2.0) against the user repository (AD / LDAP); 4. ArcGIS Online users access the service group (TeamGreen)]
Segment sensitive data internally and public data in the cloud
Cloud: Hybrid Data Sources
Where are internal and cloud datasets combined? At the browser
- The browser makes separate requests for information to multiple sources and does a mash-up
- Token security with SSL, or even a VPN connection, could be used between the device browser and the on-premises system
[Diagram: browser combines an on-premises operational layer service (https://yourserver.com/arcgis/rest...) with a cloud basemap service (http://services.arcgisonline.com...)]
Note that the basemap URL in the diagram is plain http: a page served over https that loads it triggers browser mixed-content restrictions, so request the basemap over https as well.
Cloud: On-premises
Why?
- Additional security demands
- Federated account management needs between ArcGIS Server and Portal
  - Registered services (managed and secured via Server)
  - Federated services (managed via Server, secured via Portal)
  - Hosted services (managed and secured via Portal)
Requires
- Infrastructure
- Portal and system administration
Cloud: Data Locations
- On-premises ArcGIS Server: typically utilized for sensitive data and services
- Cloud provider ArcGIS Server: commonly utilized to reduce management costs
- ArcGIS Online feature services: commonly utilized for mildly sensitive information and public data/services
Cloud: ArcGIS Online Standards
Enterprise logins
- SAML 2.0 provides federated identity management
- Integrate with your enterprise LDAP / AD
New APIs to manage users and app logins
- Developers can utilize OAuth 2-based APIs
- https://developers.arcgis.com/en/authentication/
Cloud: ArcGIS Online - Settings
Organization administrator options
- Require SSL encryption
- Allow anonymous access to the org site
Consume token-secured ArcGIS Server services
- 10 SP1 and later
- Username and password prompts upon adding the service to a map and upon viewing
Transparency: Trust.ArcGIS.com
Cloud IaaS
Common ArcGIS IaaS deployments
- ArcGIS Server Windows AMI to AWS
- ArcGIS Server via Cloud Builder to AWS
ArcGIS AWS security best practices
- 8 main areas
- 5 minute minimum
Cloud IaaS - AWS: 8 security areas to address
- Virtual Private Cloud (VPC)
- Identity & Access Management (IAM)
- Administrator gateway instance(s) (bastion)
- Reduce attack surface (hardening)
- Security Information and Event Management (SIEM)
- Patch management (SCCM)
- Centralized authentication/authorization
- Web application firewall (WAF)
Cloud IaaS - AWS
Question: Of the 8 security areas on the previous slide, how many are handled by AWS for you?
Answer: 2 areas, VPC and IAM (provided as services; you still have to configure them correctly)
Question, part 2: What is *the* key security mechanism to mitigate against someone gaining unauthorized access to your AWS console?
Answer: 2-factor authentication
Cloud IaaS - AWS: 5 minute minimum
Minimize RDP surface
- Update OS patches (many AMIs disable automatic updates)
- Enable NLA for RDP
- Set the AWS firewall (security group) to limit RDP access to specific IPs
- Use strong passwords and account lockout policies
Minimize application surface
- Disable ArcGIS services discovery (the Services Directory)
- Don't expose the ArcGIS Manager web app to the Internet
Enable 2-factor authentication to your AWS console: the AWS console is a one-stop shop for access to all your instances in the cloud
These steps can be completed within 5 minutes. Do them!
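Two of the items above (RDP limited to specific IPs, 2-factor on the console) and the reverse-proxy point from the ArcGIS Server section (only 80/443 exposed, not 6080/6443) can be checked from the account's own metadata. The following is an added example, not Esri's or AWS's code: an offline audit over the JSON shapes that `aws ec2 describe-security-groups` and `aws iam get-account-summary` print. The documents embedded below are constructed samples, not real account data; the group id and address ranges are placeholders. `AccountMFAEnabled` only reflects the root account; IAM users need a separate check (the IAM credential report), which this example does not cover.

```python
"""Added example (not Esri's or AWS's code): audit security-group rules for
RDP and raw ArcGIS Server ports exposed to the Internet, and root MFA."""
import ipaddress

RDP = 3389
ARCGIS_PORTS = (6080, 6443)       # GIS server ports; front them with a Web Adaptor / reverse proxy
ANYWHERE = ("0.0.0.0/0", "::/0")

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE_SG = {
    "SecurityGroups": [{
        "GroupId": "sg-EXAMPLE",
        "GroupName": "arcgis-server",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "198.51.100.0/24"}]},
            {"IpProtocol": "tcp", "FromPort": 6080, "ToPort": 6080, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
    }]
}
# Constructed sample in the shape of `aws iam get-account-summary` output.
SAMPLE_SUMMARY = {"SummaryMap": {"AccountMFAEnabled": 0, "Users": 3}}


def _covers(perm, port):
    """True if an IpPermission entry applies to the given TCP port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                     # "all traffic" rule
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def _sources(perm):
    return [r["CidrIp"] for r in perm.get("IpRanges", [])] + \
           [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]


def audit_security_groups(sg_doc, admin_cidrs):
    """Findings for RDP reachable from outside admin_cidrs and ArcGIS ports open to the world."""
    admin_nets = [ipaddress.ip_network(c) for c in admin_cidrs]
    findings = []
    for sg in sg_doc["SecurityGroups"]:
        gid = sg["GroupId"]
        for perm in sg.get("IpPermissions", []):
            for cidr in _sources(perm):
                net = ipaddress.ip_network(cidr)
                if _covers(perm, RDP):
                    inside_admin = any(net.version == a.version and net.subnet_of(a) for a in admin_nets)
                    if cidr in ANYWHERE or not inside_admin:
                        findings.append(f"{gid}: RDP (3389) reachable from {cidr}; restrict to admin IPs")
                for port in ARCGIS_PORTS:
                    if _covers(perm, port) and cidr in ANYWHERE:
                        findings.append(f"{gid}: ArcGIS Server port {port} open to {cidr}; expose only 80/443 via Web Adaptor")
    return findings


def audit_mfa(summary_doc):
    """Finding if the root account has no MFA device enabled."""
    if summary_doc["SummaryMap"].get("AccountMFAEnabled", 0) != 1:
        return ["root account has no MFA device; enable 2-factor for console access"]
    return []


def run_audit(sg_doc=SAMPLE_SG, summary_doc=SAMPLE_SUMMARY, admin_cidrs=("198.51.100.0/24",)):
    return audit_security_groups(sg_doc, admin_cidrs) + audit_mfa(summary_doc)


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

Feed it real output by loading the two JSON documents from the CLI commands named in the lead-in; an "all traffic" (`IpProtocol` of `-1`) rule is treated as covering every port, which is the case that most often slips through a port-by-port review.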
Compliance
Compliance: Products and Services
ArcGIS Online
- FISMA Low accredited: Authority To Operate (ATO) by USDA
- FedRAMP Moderate in future (2015)
Managed Services: Esri Managed Cloud Services (EMCS)
- FedRAMP Moderate in process (2014)
ArcGIS Desktop
- FDCC (versions 9.3-10)
- USGCB (versions 10.1+)
Compliance: Corporate Operations
- ISO 27001: Esri's Corporate Security Charter
- Privacy assurance: US-EU/Swiss Safe Harbor self-certified; TRUSTed Cloud certified
- SSAE 16 Type 1 (previously SAS 70): Esri data center operations, expanded to Managed Services in 2012
Compliance: Solution Level
Geospatial deployment patterns to meet stringent security standards
- Hybrid deployments
- On-premises deployments
- Supplemented with 3rd party security components
Upcoming best practice alignment guidance
- CJIS (law enforcement)
- HIPAA (healthcare)
- STIGs (defense)
Compliance: Cloud Infrastructure Providers
ArcGIS Online utilizes world-class cloud infrastructure providers: Microsoft Azure, Amazon Web Services
[Table: cloud infrastructure security compliance per provider: SSAE16 SOC1 Type 2; Moderate]
Compliance: ArcGIS Online Assurance Layers
[Diagram, top to bottom: Customer layer, web app consumption; Esri layer, ArcGIS management, web server and DB software, operating system, instance security management (AGOL SaaS: FISMA Low (USDA), SafeHarbor (TRUSTe)); Cloud provider layer, hypervisor and physical (ISO 27001, SSAE16, FedRAMP Mod)]
Compliance: Accreditation Roadmap
- Complete: ArcGIS Online FISMA Low
- 2014 Q4: Esri Managed Cloud Services (EMCS) FedRAMP Mod
- 2015: ArcGIS Online FedRAMP Mod
Summary
Summary: Security is a core component of the ArcGIS Trusted Geospatial Platform
- Expanding ArcGIS capabilities
- Standardized assurance
- Operational excellence
... enables sharing the right information, with the right resources, at the right time
Summary: Security is NOT just about technology
- Understand your organization's GIS risk level
- Prioritize efforts according to your industry and needs
- Don't just add components; take a simplified Defense in Depth approach
Secure best practice guidance is available
- Check out the ArcGIS Trust Site!
- ArcGIS Security Architecture Workshop
- SecureSoftwareServices@esri.com